[TYPO3-english] TYPO3.ORG hacked

Andreas Becker ab.becker at web.de
Fri Nov 14 16:35:53 CET 2008


So don't worry too much Ries ;-) It only makes you older than you are.
Everyone in Germany should really worry as they propagate the glasnost
citizen.
TYPO3.org is only a small scampi in between all those sharks out there.
Yeah Lufthansa might worry as now perhaps they think people can hack their
passenger data. But actually this is already happening.

IMHO people worry much too much. Don't use a password, don't forget a
password, don't even think of hiding your identity.
WE WANT TO KNOW YOU!
The fact is that the whole discussion is coming much too late and meanwhile
other CMS already provide OpenID as standard. They encrypt the passwords as
standard. They WORRY about security!

2008/11/14 ries van Twisk <typo3 at rvt.dds.nl>

> Andi,
>
> people have the right to worry about such an event,
> it's not 'just' a password, but it's more than that. With that
> password a user
> could login on my account, change my extensions and add a backdoor to
> it.
> This is something I worry about, and it's a damn good reason to be
> worried about!!!
> To put it simply, it doesn't only mean the password was stolen,
> but also the identity of persons in general.
>
> Also...
> Remember, worrying doesn't have anything to do with blaming
> somebody!!! (sometimes that looks like it )
> 'we' just wonder/worry what the consequences are for us FE users.
>
> I do want to thank Robert for his clarification, although I don't
> fully agree with the statement that
>
> " So if someone knows the md5 hash of your password, it's almost as if
> he knows your password in plain text".
> If the password was at least hashed, then hard to guess passwords
> would have been much more difficult to guess than without the hash...
> right??
>
> anyways... I hope they get the guy/girl ASAP... and let him/her know it
> was an evil thing to do...
>
> I am sure we get to some point we know the consequences for us....
>
> Ries
>
> On Nov 14, 2008, at 10:04 AM, Andreas Becker wrote:
>
> > Why are you worrying so much Folks!
> > It is only a password, it is only typo3.org and it is only a very good
> > example of what happens next time all over the private households and
> > sites in
> > Germany. "Bundestrojaner" and what else they call it. Don't worry be
> > happy!
> > Simply make your passwords transparent so nobody is anymore
> > interested in
> > stealing or hacking them.
> >
> > Enjoy your weekend and try to figure out the most secure password.
> > As even
> > wpa2 was hacked perhaps someone can find the best ever encryption
> > for such a
> > simple CMS as TYPO3.
> >
> > The fact is that we are worrying about a simple thing while our "big
> > brothers" are calling to sniff in any site and place they want.
> >
> > Andi
> >
> > 2008/11/14 Robert Lemke <robert at typo3.org>
> >
> >> Hi all,
> >>
> >> it is of course very unfortunate that someone unauthorized was able to
> >> log in to typo3.org. I can't give an official statement or tell details
> >> about the incident, but I'd like to share my personal perspective with you.
> >>
> >> A general note: it doesn't matter much if a password is md5 hashed or
> >> not - md5 is just a hash and not encryption. Nowadays it's relatively
> >> easy to generate a password out of an md5 hash, especially if it is a
> >> weak password with few characters and without special chars.
> >>
> >> So if someone knows the md5 hash of your password, it's almost as if he
> >> knows your password in plain text. Therefore what we really need is
> >> truly encrypted passwords or, much better, a mechanism like OpenID. I
> >> know that a team is currently working on improvements in that regard.
> >>
> >> In general it is always a bad idea to use one password for several
> >> purposes. And most people are also not aware of the fact that their
> >> passwords can be sniffed during public events when using a shared WLAN
> >> with unencrypted connections during login.
> >>
> >> The main reason for many site hacks I know of was insecure passwords
> >> which were used for many purposes or were easy to guess. The reason for
> >> typo3.org being hacked is, as far as I know, not a security hole in
> >> TYPO3 itself but rather the fact that someone got hold of a working
> >> login.
> >>
> >> So, as it seems, we got off lightly this time (though getting some bad
> >> publicity now, of course) and I am very confident that the team behind
> >> typo3.org, the TYPO3 core team and the security team will come up with
> >> a robust solution which shows that we learned our lessons.
> >>
> >> Let's learn from it and ... better check again if you have weak or
> >> shared passwords still in use.
> >>
> >> Best,
> >> robert
> >>
> >> On 14.11.2008 at 14:54, ries van Twisk wrote:
> >>
> >>> Luc,
> >>>
> >>> from what I understand from the mail "including their passwords",
> >>> it shows that the passwords were stored as plain text and thus the
> >>> hacker should have all our usernames and passwords.
> >>>
> >>> Ries
> >>>
> >>>
> >>> On Nov 14, 2008, at 8:45 AM, Luc Muller wrote:
> >>>
> >>>> My question is: Are the FE passwords md5 hashed or something on
> >>>> TYPO3.org?
> >>>>
> >>>> This is the mail I got :
> >>>>
> >>>> -------------------------------------------------------
> >>>>
> >>>> This is an important security warning. You are receiving it because
> >>>> your
> >>>> email address is registered on the TYPO3.org website.
> >>>>
> >>>> We have to inform you that an unauthorized person has gained
> >>>> administrative access to the TYPO3.org website.
> >>>>
> >>>> The offender had access to website user details including their
> >>>> passwords, and there have been reports of this data being used to
> >>>> access
> >>>> other websites.
> >>>>
> >>>> It also has to be expected that the data may have been disclosed to
> >>>> third parties.
> >>>>
> >>>> The attacker has been identified, and the TYPO3 Association has
> >>>> started
> >>>> to take legal action on the issue.
> >>>>
> >>>> Important!
> >>>>
> >>>> IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE
> >>>> CHANGE IT
> >>>> IMMEDIATELY!
> >>>>
> >>>> In a first step, all login accounts on TYPO3.org have been locked
> >>>> and
> >>>> will require a new password. We are currently working on an
> >>>> improved
> >>>> login procedure and will let you know when this is ready. Until
> >>>> then,
> >>>> you will not be able to log into the Community section of
> >>>> TYPO3.org.
> >>>>
> >>>> We have set up an FAQ page at http://typo3.org/about/faq/t3org-issue/
> >>>>
> >>>> The page may be updated with new questions from time to time, so
> >>>> make
> >>>> sure to check back before replying to this mail.
> >>>>
> >>>> We apologize for the inconveniences and troubles that this might
> >>>> cause
> >>>> to you.
> >>>>
> >>>> TYPO3 Association
> >>>>
> >>>> -------------------------------------------------------
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> *Luc Muller*
> >>>> /Web Developper/
> >>>> /Formidable - Rapid Application Developpement Framework for Typo3
> >>>> <http://formidable.typo3.ug>/
> >>>> /Typo3 Ameos <http://www.ameos.com>/
> >>>> _______________________________________________
> >>>> TYPO3-english mailing list
> >>>> TYPO3-english at lists.netfielders.de
> >>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
> >>>>
> >>>
> >>
> >>
> >
>
>
>
>                        regards, Ries van Twisk
>
>
>
> -------------------------------------------------------------------------------------------------
> Ries van Twisk
> tags: Freelance TYPO3 Glassfish JasperReports JasperETL Flex Blaze-DS
> WebORB PostgreSQL DB-Architect
> email: ries at vantwisk.nl
> web:   http://www.rvantwisk.nl/
> skype: callto://r.vantwisk
>

-- 
Thanks a lot! Greetings from ICT Innovation Paradise Andi Blog:
http://andibecker.lisandi.com Map: http://maps.lisandi.com Album:
http://pics.lisandi.com Videos: http://video.lisandi.com Projects:
http://www.t3log.info T3Pack - TYPO3 Development, TEAM 3 - Eternal
Project Management LisAndi Co. Ltd. - The future is within us! POWER4 -
The empowering people!
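Robert's point in the quoted mail, that an unsalted md5 of a weak password is "almost as if he knows your password in plain text" while properly protected passwords are not, as an added example that is not code from this thread or from the TYPO3 project. It goes one step beyond the mail by showing the salted, iterated alternative (PBKDF2-HMAC-SHA256, assumed here; the thread itself names no scheme). The word list, user names and sample hashes are constructed for the demonstration:

```python
import hashlib
import hmac
import os

# Constructed word list: stands in for the dictionary of common passwords
# that anyone examining a leaked hash table already has at hand.
COMMON_WORDS = ["password", "typo3", "summer2008", "letmein", "qwerty"]


def md5_lookup_table(words):
    """Precompute md5(word) -> word for every word in the list.

    Unsalted md5 of a given password is always the same value, so this table
    is built once, independent of any particular site, and reused against
    every leaked table of unsalted md5 hashes. That is why an md5 hash of a
    weak password is treated as almost equivalent to the plaintext.
    """
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_from_md5(md5_hex, table):
    """Return the plaintext if the unsalted md5 is in the table, else None."""
    return table.get(md5_hex.lower())


def audit_md5_table(rows, table):
    """Map each user to the recovered plaintext, or None if the password is
    not in the dictionary. Run over a dump before it leaks, this tells a
    site owner how many accounts an unsalted md5 scheme really protects."""
    return {user: recover_from_md5(h, table) for user, h in rows.items()}


def hash_password(password, iterations=200_000):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Stored as salt$iterations$hash. The per-user salt makes a precomputed
    table useless (every user's record for 'typo3' differs) and the
    iteration count makes each guess cost ~200k hash operations, not one.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_hashes_are_distinct(password):
    """Two stored records for the same password share no hash material, so
    a table keyed on the hash cannot be precomputed for salted storage."""
    a, b = hash_password(password), hash_password(password)
    return a.split("$")[2] != b.split("$")[2]


# Constructed sample rows in the unsalted-md5 form discussed in the thread.
LEAKED_ROWS = {
    "alice": hashlib.md5(b"typo3").hexdigest(),
    "bob": hashlib.md5(b"summer2008").hexdigest(),
    "carol": hashlib.md5(b"Vx9!ngh2#pQ4rL").hexdigest(),  # not in any short list
}


if __name__ == "__main__":
    table = md5_lookup_table(COMMON_WORDS)
    for user, plain in audit_md5_table(LEAKED_ROWS, table).items():
        status = f"recovered: {plain}" if plain else "not in dictionary"
        print(f"{user:6s} md5 -> {status}")
    stored = hash_password("typo3")
    print("pbkdf2 record:", stored)
    print("verify correct password:", verify_password("typo3", stored))
    print("verify wrong password:  ", verify_password("typo4", stored))
```

The audit shows the asymmetry Robert describes: the md5 hashes of the two dictionary passwords map straight back to plaintext, while carol's long random password is only safe because it happens not to be in the list. With the salted record no such table can exist in the first place, and a site that stores passwords this way also never has to compare secrets with a plain `==`.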
