
BatMUD Forums > Inform > Password incident (background information)

 
 
#1
14 Oct 2007 01:02
 
 
Regarding the Password incident;

Just wanted to clarify a couple of points regarding the incident that became
public on Saturday, 13 October 2007. As everyone should (by now) know,
there was a "huge" password list (or actually a list of usernames with the
so-called MD5 hashes of the actual passwords) published on the net.

While it is nothing new for this kind of list to circulate around the
"scene", this time the list also contained BatMUD players' usernames and
password hashes.

A password hash means that it is not the actual password in clear-text
format (such as Favorit would have "muumi"), but encrypted. Now, this MD5 is
not a strong encryption, as it can be brute-forced open with a sufficient
amount of computing power. Besides this, an algorithm also exists which in
many cases makes "opening" these hashes much faster. But the most usual way
is to simply have a program re-create password hashes based on a huge
dictionary and see if there is a match. This is pretty easy if you have
a list of 87,000 usernames and hashes; some guy already did this and
allegedly found 91 "perkele"s (a Finnish curse word) in that list as people's
passwords.

We received the first notification by e-mail at 13:29 EET regarding a
security issue on our website from a known Finnish hacker; this was
preceded/followed by a player's contact regarding the list.

How these were acquired by the (as yet unknown) hackers is quite clear (even
though still unconfirmed). There was an SQL-injection-exploitable script on
the http://www.bat.org/ website, which could be abused by an offending party.
In some sense it is quite ironic that I had queried Gore only about a
month ago on the status of these "addons" to the www.bat.org website. As
is usual, not even updating to the latest versions helps if the software
is still flawed.

Sadly, our www.bat.org project was postponed (it is now in the hands of
Favorit) already a year ago. You may remember that about 6 months ago we did
a very small revamp of the colour scheme, but nothing else. So all other
development, in code-wise terms, was halted.

The Finnish Communications Regulatory Authority's CERT also contacted us late
this evening regarding the issue, but we had already reacted (thanks to
Durand, Blitzer and Ulath) on the matter.


For more information on the Incident:

First (well-known) link to the password file:
http://www.finnchan.fi/b/t106785.html

First (well-known) external discussion regarding the password file:
http://keskustelu.plaza.fi/muropaketti/bbs/t507132

First security company's take on the incident:
http://www.f-secure.com/weblog/


Yours,

Amarth Shadowstring
on behalf of the B.A.T. ry board

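Added example for this thread (not code from the original post, nor from BatMUD or its website): it shows concretely why the post calls a dictionary attack on an 87,000-entry list of unsalted MD5 hashes "pretty easy", and what the hardened form of password storage looks like. All usernames, hashes and the word list below are constructed for the example; the hash record format and the PBKDF2 iteration count are illustrative choices, not anything the post or bat.org specifies.

```python
"""Offline dictionary attack on a leaked "username:MD5(password)" list, and the
salted, slow hashing that defeats it.

Added example for this thread; not code from the original post or from
BatMUD.  All usernames, hashes and the word list are constructed here.
"""
import hashlib
import hmac
import os

# A small "dictionary" standing in for the huge word lists used in practice.
WORDLIST = ["perkele", "muumi", "password", "batmud", "hunter2", "123456"]

# Constructed leak in the shape the post describes: one "username:md5hex"
# line per account.  Most hashes are produced here from known plaintexts so
# the example is self-contained; two are well-known literal MD5 values.
LEAKED_LIST = "\n".join([
    "# constructed sample dump, not real accounts",
    "user0:" + hashlib.md5(b"perkele").hexdigest(),
    "user1:" + hashlib.md5(b"muumi").hexdigest(),
    "user2:" + hashlib.md5(b"perkele").hexdigest(),
    "user3:" + hashlib.md5(b"correct horse battery staple").hexdigest(),
    "user4:" + hashlib.md5(b"batmud").hexdigest(),
    "user5:" + hashlib.md5(b"perkele").hexdigest(),
    "user6:5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "USER7:E10ADC3949BA59ABBE56E057F20F883E",  # md5("123456"), upper-case hex
    "garbage line without a hash",
])


def parse_leak(text):
    """Return (username, md5hex) pairs; skip comments, junk and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.rsplit(":", 1)
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            entries.append((user.strip(), digest))
    return entries


def crack_unsalted(entries, wordlist):
    """Dictionary attack on unsalted MD5.

    Because every account with the same password has the very same hash, the
    word list is hashed ONCE into a lookup table and each leaked hash costs a
    single dict lookup: O(len(wordlist) + len(entries)) instead of
    O(len(wordlist) * len(entries)).  That is what makes an 87,000-entry list
    'pretty easy' to work through.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in entries if h in table}


def count_password(cracked, password):
    """How many recovered accounts used a given password (e.g. 'perkele')."""
    return sum(1 for p in cracked.values() if p == password)


# --- the defence: per-user random salt plus a deliberately slow KDF ---------
# PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an
# illustrative choice for this example, not a recommendation for any system.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Constant-time check of a candidate against a stored record."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_records_differ(password):
    """Two users with the same password get different records, so the
    one-table-for-everyone trick in crack_unsalted() no longer applies: an
    attacker must run the slow KDF separately per user and per guess."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    found = crack_unsalted(parse_leak(LEAKED_LIST), WORDLIST)
    for user, pw in sorted(found.items()):
        print(f"{user}: {pw}")
    print("accounts using 'perkele':", count_password(found, "perkele"))
    print("salted records for equal passwords differ:",
          salted_records_differ("perkele"))
```

Run it with `python3 leak_demo.py`. The point of `crack_unsalted()` is that the word list is hashed once and reused for every account, which is exactly why a dump of this size can be worked through in minutes; with a per-user salt and a slow KDF, as in `hash_password()`, that table cannot be shared between accounts and each guess costs a full KDF run.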