BreachExchange mailing list archives

Drupal.org resets login credentials after hack exposes password data


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 30 May 2013 15:33:49 -0500

http://arstechnica.com/security/2013/05/drupal-org-resets-login-credentials-after-hack-exposes-password-data/

Passwords for almost one million accounts on the Drupal.org website
are being reset after hackers gained unauthorized access to sensitive
user data.

Drupal.org is the official website for the popular open-source content
management platform. The breach is the result of an attack that
exploited a vulnerability in an undisclosed third-party application
and not in Drupal itself, according to Holly Ross, executive director
of the Drupal Association, in a blog post published Wednesday. The hack
exposed usernames, e-mail addresses, country information, and
cryptographically hashed passwords, although investigators may
discover additional types of information were compromised.

"Malicious files were placed on association.drupal.org servers via a
third-party application used by that site," Ross wrote. "Upon
discovering the files during a security audit, we shut down the
association.drupal.org website to mitigate any possible ongoing
security issues related to the files. The Drupal Security Team then
began forensic evaluations and discovered that user account
information had been accessed via this vulnerability."

There's no indication credit card data was intercepted. There's also
no evidence that any unauthorized changes were made to Drupal source
code or projects.

Drupal.org administrators have responded by rebuilding production,
staging, and development systems and enhancing most servers with
grsecurity, a set of security patches for the Linux operating system.
The admins have also hardened their configuration of the Apache Web
server application and added antivirus scanning to their security
routine. Some Drupal.org subsites, particularly those with older
content, have been converted to static archives so they can't be
updated in the future.

Drupal.org account holders will be required to change their password
by visiting this link, entering their username or e-mail address, and
following the link included in the e-mail message that follows. Ross
also encouraged account holders to change login credentials on other
sites that used the same or a similar password used on Drupal.org.

Most of the passwords stored by Drupal.org were both salted and, more
importantly, passed through a cryptographic hash function multiple
times using the open-source phpass application. Some older passwords
weren't salted. If Drupal engineers followed good practices—and
there's no indication they didn't—the repeated hash iterations will go
a long way towards preventing anyone who obtains the data from quickly
cracking the hashes and exposing the underlying plaintext that
generated them. (Cryptographic salting, which appends unique
characters to each password before it's hashed, is also helpful,
although people frequently overstate the protection it provides. For
much more on password protection see the Ars feature Anatomy of a
hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.)

Ross didn't identify the exploited third-party application. Given
Drupal.org's use of Apache, it's possible the site was compromised by
the same attack that has plagued at least 20,000 other sites in recent
weeks. Researchers still don't know how attackers are gaining almost
unfettered, "root" access on these servers, but the same backdoor,
often known as Linux/Cdorked, more recently started compromising sites
that run on the nginx and Lighttpd Web servers too.

The hacks are underscoring the growing vulnerability of websites to
serious malware attacks. On Tuesday, evidence emerged that servers
running the Ruby on Rails framework were being compromised and made
part of a botnet. The attackers in that case were exploiting an
extremely critical vulnerability that was patched in early January.

Drupal's front page states there are 967,545 people in 228 countries
(speaking 181 languages) using the platform.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
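The article's paragraph on phpass says Drupal.org's passwords were salted and passed through the hash function many times. The following is an added Python re-implementation of the phpass portable (`$P$`) format, written for this archive page and not code from Drupal.org, phpass or the article; it assumes the MD5-based portable scheme with the phpass default work factor of 2^13 rounds, and shows that the salt and the iteration count are carried in the stored string itself, so a verifier recomputes the same cost an offline cracker must pay per guess.

```python
import hashlib
import hmac
import os

# phpass' private alphabet (not RFC 4648 base64): './', digits, upper, lower
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass encode64: little-endian 3-byte groups into 4 chars, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def iterations(setting: str) -> int:
    """Work factor: the 4th char of the stored hash encodes log2 of the round count."""
    count_log2 = ITOA64.index(setting[3])
    if setting[:3] not in ("$P$", "$H$") or not 7 <= count_log2 <= 30:
        raise ValueError("not a valid phpass portable setting")
    return 1 << count_log2

def gensalt(count_log2: int = 13) -> str:
    return "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6))  # 12-char setting

def phpass_hash(password: str, setting: str) -> str:
    """Salted, iterated MD5 as phpass' crypt_private computes it (34-char output)."""
    rounds = iterations(setting)
    pw = password.encode("utf-8")
    h = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()   # salt || password
    for _ in range(rounds):          # this loop is what slows each offline guess
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)

def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)
```

Raising the work-factor character (e.g. from `B` to `C`) doubles the rounds for both the legitimate check and every cracking attempt, which is the trade-off the article alludes to.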
