1. #1
    Bloodsail Admiral
    Join Date
    Dec 2012
    Location
    Tir ná Lia
    Posts
    1,083

    MD5 and possible security disasters around the corner or ongoing (for years).

    So, lo there...

    MD5: many people likely don't know much about what it even is, so I'll try to be brief (in a futile attempt to not come off as boring). The current website security system is very lackluster.
    Lackluster in the sense of password encryption.

    I posted this message in another thread about a day or 2 ago (which for some reason now no longer shows up in my own post history), but it discussed the same security issue, except it was from 2014... IIRC, I bumped it for a reason (and it got closed...).

    The issue persists.

    What am I talking about? Password hashes. I did the test earlier with my dad and showed him how easy it is to crack the code once you have hands-on access to the actual encrypted password, and it generally takes ~100 ms, aka 0.1 seconds. He gave me his own password as an example, and that's how long it took to find it in the internet databases of cracked MD5 hashes. My own, luckily, isn't listed, but its length (the hash) is not that much longer to warrant a brute-force attack on it that'd take longer than 2 days, max. Probably seconds, to be fair, if you have a proper algorithmic cracker. And bear in mind, the username goes in clear text.

    So what am I yapping on about? Your website security. HTTP. Plain-text MD5 hash password transport. I'd advocate your folk to take it seriously; MitM attacks are not *that* hard to achieve, in fact. I live in a dorm (go to school, uni). And as an effective result, have successfully conducted MitM attacks on my own local subnet, a /23 with a 511 host range, via ARP poisoning, to bring an example.
    It was relatively cheap and easy to tunnel all the local net traffic of all the folks in the building (subnet) through my computer (badly configured L2 switches, no VLAN tunneling). And from there, what exactly is the stumbling block for people being able to achieve the same relatively simply elsewhere (shitty wi-fi network, etc. etc.)? Now, granted, that is easy peasy, but the real guys often achieve the same goal by hacking into badly secured routers instead, allowing them to sniff everything en route, aka between hops A-B.

    The point is, you were suggested the same stuff 3 years ago. To migrate over to TLS (v1.2), and you've still not done it.

    So when?

    And to make matters worse, it is not rare for folks to use a password in more than 1 area of their net lives. Often is the case where quite a lot of people just use 1 password everywhere (of whom there are many) and thus get the really important places hacked (mail). I don't, so thank god for that, but knowing how insecure the current system here is, I'm just happy for my own sake that I am aware of how easy it is to infiltrate and impersonate someone, and that I never used a password that matched any other account that I have.

    Because truth be told, how many times have you guys been really hacked and your password databases infiltrated without us knowing about it? Lots, I bet. One of your own former moderators confirmed it in the thread I spoke of earlier. But considering the responses the last thread's OP had from the Twitter posts he brought up with the actual owner, AFAIK, it'll be likely that nothing will change.

    But please, take notice, especially you other folk reading out there, beware of what you enter on this website!
    And owners of this forum (which has had a peak of near 200K+ users online at various points in time), change your encryption methods... For Christ's sake.
    I work at a telecom; I've seen usage numbers (real ones) regarding nation-wide famous shows etc. 200K+ is nothing to scoff at. You are more than likely on someone's radar at all times, and have likely been so for a long time in the past as well.

    Thanks for reading.

  2. #2

  3. #3
    Good point, I didn't care to look in the list... :>

    EDIT: Oh wait, not the one I thought of.

    - - - Updated - - -

    This is a good example of a password that, ironically, everyone suggests against, but a lot of people use these simple plain-text passwords anyway.

    "1234" - 81dc9bdb52d04dc20036dbd8313ed055

    Using "81dc9bdb52d04dc20036dbd8313ed055" in any MD5 database returns a result instantly.

    But that is a blatant example. A better one is along the lines of #text#random_number#, which returns a result in approx ~600 ms or so as well.

    A combo of text+number+text returns a result more rarely or not at all, but is still crackable within a matter of seconds to a few days.

    All it takes, is getting a packet like this one via the attack-type I mentioned earlier or some other various/nefarious way.

    POST /login.php?do=login HTTP/1.1
    Host: www.mmo-champion.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 280
    Referer: http://www.mmo-champion.com/login.php?do=logout&logouthash={data hidden}
    Cookie: __cfduid={data hidden}; cdmabp=true; cdmblk=0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0; cdmtlk=0:0:0:0:0:0:0:0:0:0:0:0:0; cdmgeo=us; cdmbaserate=2.1; cdmbaseraterow=1.1; cdmint=0; cdmblk2=0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0,0:0:0:0:0:0:0:0:0:0:0:0:0; cdmwhtlst=true; cdmu=1497555289723; vbulletin_multiquote=46067793; editor_height=fe%23731px; mmoc_sessionhash={data hidden}
    DNT: 1
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

    Frame 1165: 120 bytes on wire (960 bits), 120 bytes captured (960 bits) on interface 0
    Ethernet II, Src: {data hidden}
    Internet Protocol Version 4, Src: {data hidden}
    Transmission Control Protocol, Src Port: 36514, Dst Port: 80, Seq: 5107, Ack: 44191, Len: 66
    [2 Reassembled TCP Segments (1466 bytes): #1164(1400), #1165(66)]
    Hypertext Transfer Protocol
    HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "vb_login_username" = "nadefury"
    Form item: "vb_login_password" = ""
    Form item: "vb_login_password_hint" = "Password"
    Form item: "cookieuser" = "1"
    Form item: "s" = ""
    Form item: "securitytoken" = "{data hidden}"
    Form item: "do" = "login"
    Form item: "vb_login_md5password" = "{data hidden}"
    Form item: "vb_login_md5password_utf" = "{data hidden}"


    Important fields are "{data hidden}".
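    Added example (not from the thread, and not the forum's own code): a short Python script that ties posts #1 and #3 together. It pulls the username and the client-side MD5 out of a form body shaped like the sniffed POST above, runs the dictionary/text+number guessing the posts describe against that unsalted MD5, shows why the sniffed value can simply be replayed without cracking anything, and contrasts this with a salted, slow password hash. The POST body and the wordlist are constructed; the MD5 in the body is md5("1234") from post #3, not the hidden captured value. The server-side check is modelled on a vBulletin-style md5(md5(password) + salt) scheme, which is an assumption, not something the thread states.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed stand-in for the sniffed POST body quoted in post #3. The real
# captured hashes were hidden there; here the md5 field is simply md5("1234").
CAPTURED_BODY = (
    "vb_login_username=nadefury&vb_login_password=&vb_login_password_hint=Password"
    "&cookieuser=1&s=&securitytoken=guest&do=login"
    "&vb_login_md5password=81dc9bdb52d04dc20036dbd8313ed055"
    "&vb_login_md5password_utf=81dc9bdb52d04dc20036dbd8313ed055"
)

# Tiny constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "admin", "nadefury", "champion"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def extract_login_hash(body: str):
    """Username and client-side MD5 from a sniffed x-www-form-urlencoded body."""
    form = parse_qs(body, keep_blank_values=True)
    return form["vb_login_username"][0], form["vb_login_md5password"][0]


def candidates(words, max_digits=4):
    """Guess order: bare words, bare PINs ("1234"), then the text+number pattern."""
    for w in words:
        yield w
    for n in range(10 ** max_digits):
        yield str(n)
    for w in words:
        for n in range(10 ** max_digits):
            yield f"{w}{n}"


def crack_md5(target_hex: str, words=WORDLIST, max_digits=4):
    """Offline attack on an unsalted MD5: hash each guess and compare.
    An online 'MD5 database' is just this loop precomputed and indexed.
    Returns the recovered password, or None if no guess matched."""
    target = target_hex.lower()
    for guess in candidates(words, max_digits):
        if md5_hex(guess) == target:
            return guess
    return None


# Assumption: the server stores md5(md5(password) + salt) and compares the
# client's md5 against it, as vBulletin-era boards did for vb_login_md5password.
def vb_style_store(password: str, salt: str) -> str:
    return md5_hex(md5_hex(password) + salt)


def vb_style_check(client_md5: str, stored: str, salt: str) -> bool:
    """Whoever holds the sniffed client MD5 passes; no password needed."""
    return hmac.compare_digest(md5_hex(client_md5 + salt), stored)


# What a sane server does instead: slow, salted, per-user hashing.
def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    user, sniffed = extract_login_hash(CAPTURED_BODY)
    print(user, sniffed, "->", crack_md5(sniffed))
    stored = vb_style_store("1234", "xyz")
    print("replayed hash accepted:", vb_style_check(sniffed, stored, "xyz"))
    print("salted hashes differ:", hash_password("1234") != hash_password("1234"))
```

    Two things the script makes concrete: the unsalted MD5 falls to a few thousand guesses in pure Python (a GPU cracker does the same loop at billions per second, and the lookup sites have it precomputed), and even an uncrackable password does not help while the hash itself travels over plain HTTP, because the replayed hash is all the login check ever sees. The PBKDF2 half shows the fix on the storage side: a random per-user salt makes two users with the same password hash differently, and the iteration count makes each guess expensive; transport still needs TLS.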

  4. #4
    We don't store any sensitive data and don't control if users are reusing their passwords. Will keep this in mind for future site improvements.
