[TYPO3-english] TYPO3.ORG hacked

Andreas Becker ab.becker at web.de
Fri Nov 14 16:04:57 CET 2008


Why are you worrying so much, folks!
It is only a password, it is only typo3.org and it is only a very good
example of what happens next time all over the private households and sites in
Germany. "Bundestrojaner" and whatever else they call it. Don't worry, be happy!
Simply make your passwords transparent so nobody is interested in
stealing or hacking them anymore.

Enjoy your weekend and try to figure out the most secure password. As even
WPA2 was hacked, perhaps someone can find the best ever encryption for such a
simple CMS as TYPO3.

The fact is that we are worrying about a simple thing while our "big
brothers" are calling to sniff in any site and place they want.

Andi

2008/11/14 Robert Lemke <robert at typo3.org>

> Hi all,
>
> it is of course very unfortunate that someone unauthorized was able to
> log in to typo3.org. I can't give an official statement or tell details
> about the incident, but I'd like to share my personal perspective with you.
>
> A general note: it doesn't matter much if a password is md5 hashed
> or not - md5 is just a hash and not encryption. Nowadays it's relatively
> easy to generate a password out of an md5 hash, especially if it is a weak
> password with few characters and without special chars.
>
> So if someone knows the md5 hash of your password, it's almost as if he
> knows your password in plain text. Therefore what we really need is truly
> encrypted passwords or, much better, a mechanism like OpenId. I know that a
> team is currently working on improvements in that regard.
>
> In general it is always a bad idea to use one password for several
> purposes. And most people are also not aware of the fact that their
> passwords can be sniffed during public events when using a shared WLAN with
> unencrypted connections during login.
>
> The main reason for many site hacks I know of was insecure passwords which
> were used for many purposes or were easy to guess. The reason for typo3.org
> being hacked is, as far as I know, not a security hole in TYPO3 itself but
> rather the fact that someone got hold of a working login.
>
> So, as it seems we got off lightly this time (though getting some bad
> publicity now, of course) and I am very confident that the team behind
> typo3.org, the TYPO3 core team and the security team will come up with a
> robust solution which shows that we learned our lessons.
>
> Let's learn from it and ... better check again if you have weak or shared
> passwords still in use.
>
> Best,
> robert
>
> On 14.11.2008 at 14:54, ries van Twisk wrote:
>
>> Luc,
>>
>> from what I understand from the mail "including their passwords",
>> it shows that the passwords were stored as plain text and thus the
>> hacker should have all our usernames and passwords.
>>
>> Ries
>>
>>
>> On Nov 14, 2008, at 8:45 AM, Luc Muller wrote:
>>
>>> My question is: Are the FE passwords md5 hashed or something on
>>> TYPO3.org?
>>>
>>> This is the mail I got:
>>>
>>> -------------------------------------------------------
>>>
>>> This is an important security warning. You are receiving it because
>>> your email address is registered on the TYPO3.org website.
>>>
>>> We have to inform you that an unauthorized person has gained
>>> administrative access to the TYPO3.org website.
>>>
>>> The offender had access to website user details including their
>>> passwords, and there have been reports of this data being used to
>>> access other websites.
>>>
>>> It also has to be expected that the data may have been disclosed to
>>> third parties.
>>>
>>> The attacker has been identified, and the TYPO3 Association has
>>> started to take legal action on the issue.
>>>
>>> Important!
>>>
>>> IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE CHANGE IT
>>> IMMEDIATELY!
>>>
>>> In a first step, all login accounts on TYPO3.org have been locked and
>>> will require a new password. We are currently working on an improved
>>> login procedure and will let you know when this is ready. Until then,
>>> you will not be able to log into the Community section of TYPO3.org.
>>>
>>> We have set up an FAQ page at http://typo3.org/about/faq/t3org-issue/
>>>
>>> The page may be updated with new questions from time to time, so make
>>> sure to check back before replying to this mail.
>>>
>>> We apologize for the inconveniences and troubles that this might cause
>>> to you.
>>>
>>> TYPO3 Association
>>>
>>> -------------------------------------------------------
>>>
>>> --
>>>
>>> *Luc Muller*
>>> /Web Developer/
>>> /Formidable - Rapid Application Development Framework for Typo3
>>> <http://formidable.typo3.ug>/
>>> /Typo3 Ameos <http://www.ameos.com>/
>>> _______________________________________________
>>> TYPO3-english mailing list
>>> TYPO3-english at lists.netfielders.de
>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
>>>
>>
>> regards, Ries van Twisk
>>
>> -------------------------------------------------------------------------------------------------
>> Ries van Twisk
>> tags: Freelance TYPO3 Glassfish JasperReports JasperETL Flex Blaze-DS
>> WebORB PostgreSQL DB-Architect
>> email: ries at vantwisk.nl
>> web:   http://www.rvantwisk.nl/
>> skype: callto://r.vantwisk
>>
>



-- 
Thanks a lot! Greetings from ICT Innovation Paradise, Andi
Blog: http://andibecker.lisandi.com
Map: http://maps.lisandi.com
Album: http://pics.lisandi.com
Videos: http://video.lisandi.com
Projects: http://www.t3log.info
T3Pack - TYPO3 Development, TEAM 3 - Eternal Project Management
LisAndi Co. Ltd. - The future is within us! POWER4 - The empowering people!
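Robert's point in the quoted message (an unsalted md5 of a short, dictionary-style password is as good as plain text once the user table leaks) can be shown directly. The following is an added example written for this archive page; it is not code from the thread, from TYPO3 or from typo3.org. The account table, passwords and wordlist are constructed for the demo, the function names are the example's own, and the salted PBKDF2 scheme at the end is a generic illustration of salted, iterated hashing for contrast, not the login mechanism typo3.org announced it was working on.

```python
"""Why a leaked table of unsalted MD5 password hashes is 'almost plaintext'."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Callable, Dict, Optional


def md5_hex(password: str) -> str:
    """Unsalted MD5 as stored by many web applications of the time."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample data for this example (NOT data from typo3.org): a few
# accounts with weak passwords, stored as unsalted MD5 hex digests.
SAMPLE_PLAINTEXT = {"admin": "typo3", "editor": "secret", "tester": "qwer"}
LEAKED_TABLE = {user: md5_hex(pw) for user, pw in SAMPLE_PLAINTEXT.items()}

# Tiny constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "123456", "typo3", "letmein", "secret", "qwerty"]


def crack_md5_wordlist(target_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack: one MD5 per candidate. With no salt, one pass over
    the list serves every account in the table at once."""
    target = bytes.fromhex(target_hex)
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).digest() == target:
            return candidate
    return None


def crack_md5_bruteforce(target_hex: str, alphabet: str = string.ascii_lowercase,
                         max_len: int = 4) -> Optional[str]:
    """Exhaustive search over short lowercase strings (at most 26^4 = 456,976
    hashes). Passwords with few characters and no digits or special chars fall
    to this in well under a second; every extra character class or position
    multiplies the work."""
    target = bytes.fromhex(target_hex)
    letters = alphabet.encode()
    for length in range(1, max_len + 1):
        for combo in itertools.product(letters, repeat=length):
            candidate = bytes(combo)
            if hashlib.md5(candidate).digest() == target:
                return candidate.decode()
    return None


def crack_table(table: Dict[str, str], wordlist) -> Dict[str, str]:
    """Recover as many accounts as possible: wordlist first, then brute force."""
    recovered = {}
    for user, digest in table.items():
        pw = crack_md5_wordlist(digest, wordlist) or crack_md5_bruteforce(digest)
        if pw is not None:
            recovered[user] = pw
    return recovered


# Contrast: salted, iterated hashing (PBKDF2-HMAC-SHA256 from hashlib). This is
# a generic illustration, not what typo3.org deployed. A random per-user salt
# defeats precomputed tables and forces a separate attack per account; the
# iteration count makes each guess cost ITERATIONS hashes instead of one.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def identical_hashes_for_same_password(scheme: Callable[[str], str]) -> bool:
    """Do two users with the same password get the same stored value?
    True for unsalted MD5 (one crack unlocks both), False with random salts."""
    return scheme("typo3") == scheme("typo3")


if __name__ == "__main__":
    print("cracked:", crack_table(LEAKED_TABLE, WORDLIST))
    print("md5 collides across users:", identical_hashes_for_same_password(md5_hex))
    print("pbkdf2 collides across users:", identical_hashes_for_same_password(hash_password))
    stored = hash_password("typo3")
    print("verify correct:", verify_password("typo3", stored),
          "verify wrong:", verify_password("typo4", stored))
```

Running the script recovers all three constructed accounts, two from the wordlist and the third by brute force, which is the practical meaning of "almost as if he knows your password in plain text". The PBKDF2 part shows the two properties an unsalted hash lacks: identical passwords no longer produce identical stored values, and each guess costs the attacker the full iteration count.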
