# The Recent Attack - A pragmatic FAQ from a Security Professional [Updated]



## Resua (May 23, 2016)

Pragmatic means practical, realistic.  As in, the actual fallout and effect for most cases.  I have been involved in both IT and web security for over a decade and a half. I have written up dozens of security breaches, including some for major credit card processors, health insurance companies, and credit unions.

Some commonly asked questions below:

Q) OH GOD, MY EMAIL BEEN LEAKED!!1 HAKERZZ GOT MUH INFO!
A) You give your email out to people all the time. This is no different. You may see an uptick in spam, or phishing attacks. This is the usual internet flotsam for most of us.  Standard precautions you should take regarding any email should protect from this.

Q) My password was leaked, ALL IS LOST.
A) Pretty much rule one of the internet, listed on every password page, and repeated by every person in IT, on every webpage about internet safety, and on every last article about protecting your online privacy. Don't reuse the same password. If other accounts are compromised because of this leak, that is on YOU. Go change any other site's passwords to something else if you have been an irresponsible internet denizen and used your FA password elsewhere.

Q) I had a really long password, is it safe?
A) It doesn't matter, change it anywhere you used it.

Q) No, really...
A) Really, change your password if it was used ANYWHERE else. Not just on FA, Everywhere you used it.

Q) But...
A) Do it.

Q) Is FA particularly at fault for this hack?
A) On the face of it, No. In some ways, yes. This is not a simple question. The basics are this: A software exploit (ImageTragick) targeted a well-known software package used all over the internet. FA patched in a REASONABLE amount of time, and was probably dependent on its upstream package provider to provide the patch.  There were potential configurations of ImageMagick that could have POSSIBLY prevented the exploit, along with potential, intricate server software configurations, security packages, etc.  Very few servers as implemented are actually set up to use these options.  However, by the time the exploit was made generally known and patches released, attackers had already used it, and downloaded all of (or a chunk of) FA's code. FA is not entirely culpable, up to this point. After this point, there had to be vulnerabilities in FA's code or configuration of supporting software packages that allowed the database table dump and drop (the 'attack' or hack.) That IS FA's fault, but it is generally accepted that a unique, custom, closed source application will have vulnerabilities, and suddenly dumping the code into the open would, naturally, invite people to explore those.  Hindsight is 20/20.

Q) How secure is the new password hash, do you trust it?
A) Very secure, and I sure do.  Here is a hash done with bcrypt: '$2a$12$.pu9IAgzLDCaqv22.2fsPuXvpm3CLjHqHwtZhXI/sCdneSD3Jeo4O'  It contains an email and a 23-digit random string.  If you crack it within the next 6 months, send the string to the email in the hash, along with what you used to do it, and I will send you 10 bitcoin.  That's around 4500 dollars US.

Q) Why have we not heard about the police being called?  What about the FBI?
A) Which department do you notify?  The ones where FA is incorporated, the one near the datacenter, the one near the con, the one near the attacker?  Then what?  If you have literally 0 leads to offer the police, then there isn't much you or they can do. Does Random Police Department have a cybercrimes division at all?

Let's take a look at the FBI. I have worked with the FBI many times, and they have what's called the 'investigation loss amount threshold.' Basically, a certain amount of money, value, or assets must be lost. While you can say 'My data is worth X' the FBI has its own standards. The threshold at many field offices is 100,000 dollars in REALIZED losses. Some offices are set at 500,000. I doubt you can prove, to the FBI's standards, that 100k in damage has occurred, let alone 500k.

If there ARE leads, then we, the public at large, should NOT be made privy to them. Not even their very existence, as that would compromise any investigation. There may already be law enforcement involved, and if done correctly, we would not be permitted to know.

Q) I'm going to sue [FA/Hacker/Someone]!  (That's not a question...)
A) The basic requirement of a lawsuit is having 'standing' with which to file. Unless you are specifically harmed, for an actual amount or other verifiable damage, you could not even articulate a lawsuit, let alone file it. You have to ACTUALLY be harmed.

If you do sue, please give me a call!  I'll be happy to be an expert witness.  Won't even charge.  I really want to be there during the deposition when you say 'Well, I've been using the same password for my (paypal/bank/credit) account as I did for browsing furry porn, and then...'

Theoretical/opinion stuff:

Q) THEORETICALLY SPEAKING.... could my long password be recovered?
A) If your password was over 12 or so characters with enough entropy, it would be a long, slow road to recover.   Modern tools have intelligent masks and dictionary attacks that combine with brute forcing to greatly reduce the entropy of most passwords.  batteryhorsecorrectstaple would have a VERY low entropy against a mask-attack, as it consists of 4 dictionary words.  In fact, if I knew your password was 4 dictionary words, that would only be 144,000 potential hashes to check.  On a modern, well built attack rig, I could run 144k hashes in less than one NANOSECOND.  Yes, 1/1000000th of a second (my hashing rig runs 170 BILLION hashes per second.)  When I asked, Dragoneer had high confidence the passwords were salted and hashed. I have had an ear to the ground and have not found the database dump listed on any of the usual sites, or for sale anywhere. I have put out feelers specifically seeking it for research. None of this matters.  Never use that password again anyway, because that hashed and salted password list may be out there forever, and compute systems are getting faster and faster...

Q) Do you think FA is safe now?
A) Truthfully, I don't know. I suspect it is no more, or less, secure than just about any other Furry art site out there.  It's just a more attractive target.  Many of the measures reported are indeed sound.  The captcha is annoying, but will temporarily slow down bots attempting automated logins with the old passwords.  The improved password hashing is a plus, if implemented correctly.  I APPLAUD the administration staff not re-allowing the potentially compromised passwords.  In the end, I generally treat the internet at large as 'unsafe.' FA is not a bank, credit card processor, or even a payment system user. They do not make tons of money, they do not get audited, and they do not really have the resources to have full time staff on board to search for code vulnerabilities. Hell, it seems they sometimes barely have a regular CODER on staff. It's a community guys, based around a fandom for some, and pornographic fetishes for most. Don't get your panties in a knot over this. If you followed BASIC internet privacy rules, you're perfectly safe.


----------



## Ricky (May 23, 2016)

Hey, since you are a security expert can you tell me, was this 'ImageTragick' flaw a buffer overflow in the image metadata or something? (the improper handling of the data via ImageMagick I mean, of course)


----------



## Resua (May 23, 2016)

Ricky said:


> Hey, since you are a security expert can you tell me, was this 'ImageTragik' flaw a buffer overflow in the image metadata or something?



It's a combination of several things.  ImageTragick is a catchy name some people came up with for a stack of vulnerabilities.  What it actually is would be rather technical for the discussion we are having here, but you can cruise on over and read the CVEs: CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3716, and CVE-2016-3717.

To simplify, some flaws in ImageMagick allow commands to be injected and executed under the permission level/user of the web server application due to insufficient parameter filtering under the 'delegate' feature of ImageMagick.  This is the most likely attack used, CVE-2016-3714.
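An added example, not part of Resua's post and not FA's code: the delegate injection above is only reachable when ImageMagick is handed a text-based format it parses (an MVG or SVG file renamed to .jpg, for instance), because ImageMagick chooses the decoder from the file contents rather than the extension. The standard mitigation is to check the real content against a short whitelist of raster magic bytes before the file ever reaches ImageMagick. The format table, the sample inputs and the `is_safe_for_imagemagick` helper below are constructed for this example.

```python
"""Upload gate: only hand ImageMagick files whose bytes match a whitelisted
raster format AND whose claimed extension agrees with those bytes.

Added example for the thread; not FA's code. Sample inputs are constructed.
"""

# Leading bytes of the only formats we are willing to let ImageMagick decode.
# Text-based coders (MVG, SVG, MSL, EPHEMERAL, URL, HTTPS, ...) are what the
# ImageTragick delegate injection rides in on, so they are deliberately absent.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# Map user-supplied extensions onto our canonical format names.
EXT_ALIASES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def detect_format(data: bytes):
    """Return the whitelisted format whose magic bytes open `data`, else None."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def is_safe_for_imagemagick(data: bytes, claimed_ext: str) -> bool:
    """True only if the content is a whitelisted raster AND the extension the
    uploader claimed matches it. A mismatch (an MVG script named .jpg, or a PNG
    named .jpg) is rejected outright rather than 'fixed up'."""
    actual = detect_format(data)
    if actual is None:
        return False
    claimed = EXT_ALIASES.get(claimed_ext.lower().lstrip("."))
    return claimed == actual


# Constructed sample uploads (not real files from the incident):
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
# A harmless MVG drawing script with a .jpg name: ImageMagick would sniff the
# text, select the MVG coder and parse it as a script, extension or not.
MVG_AS_JPG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for label, blob, ext in [("real jpeg", GOOD_JPEG, "jpg"),
                             ("png named jpg", GOOD_PNG, "jpg"),
                             ("mvg named jpg", MVG_AS_JPG, "jpg")]:
        verdict = "pass to ImageMagick" if is_safe_for_imagemagick(blob, ext) else "REJECT"
        print(f"{label:14s} detected={detect_format(blob)!s:5s} -> {verdict}")
```

This check is defence in depth, not a patch: the ImageTragick advisory also recommended a `policy.xml` that sets `rights="none"` for the EPHEMERAL, URL, HTTPS, MVG and MSL coders, which stops those decoders even when a file slips past the upload gate. Do both, and keep ImageMagick itself updated.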


----------



## Ricky (May 23, 2016)

No, that makes sense. I don't think it's that complicated; it's just not cleaning up control characters.

A buffer overflow would be more complicated to exploit.


----------



## Resua (May 23, 2016)

Ricky said:


> No, that makes sense. I don't think it's that complicated; it's just not cleaning up control characters.
> 
> A buffer overflow would be more complicated to exploit.



As an attack, it's actually simple to exploit.  I could do it in about 4 lines of plain text.  I more meant it wasn't entirely pragmatic to explain it, crossing over the straightforward 'what does this mean' intent of the topic.


----------



## Felixpath (May 23, 2016)

Thanks, Resua....pragmatism is sorely lacking right now. FA is a loosely-run community that is completely free for us to use, and obviously many furries take it for granted too much.


----------



## Ricky (May 23, 2016)

Can they at least update things automatically?

Not just for users (I barely use FA) but for their own good. I mean, this should really go without saying...


----------



## Resua (May 23, 2016)

Ricky said:


> Can they at least update things automatically?
> 
> Not just for users (I barely use FA) but for their own good. I mean, this should really go without saying...



They could, but for production, I generally recommend against automated updates.  Set up a process and subscribe to the security email list of your distribution.  Set up a cron script on every server (or use puppet) to check for updates regularly, and email the results.  Schedule a regular service window to perform these updates (weekly) and have test cases to ensure the site is functioning.  Preferably, automated test cases for each major feature.

This prevents automated updates from breaking things, while keeping you apprised of major developments (the mailing list) and ensuring updates get applied in a timely fashion.  People with bitchin, hard core 0-day vulnerabilities are busy doing serious damage or earning money, they are not typically after some furry porn site.

That said, I do not know enough about FA's back end to make specific recommendations.  I doubt they are on Ubuntu 16.04 LTS, for example.   They could be running LFS, something commercially supported, etc.
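An added example of the "check for updates and email the results" cron job Resua describes; it is not his script and assumes a Debian/Ubuntu host where `apt list --upgradable` is available. The parser reads that command's output, flags packages coming from a `-security` suite so the report leads with them, and builds the email body. The sample output embedded below is constructed for the example (package and version strings are illustrative), and the SMTP relay on localhost is an assumption.

```python
"""Nightly update check: parse `apt list --upgradable`, separate security
updates from the rest, and email a summary for the weekly service window.

Added example for the thread; not FA's tooling. Debian/Ubuntu only.
"""
from __future__ import annotations

import re
import smtplib
import subprocess
from dataclasses import dataclass
from email.message import EmailMessage

# One line of `apt list --upgradable`, e.g.
#   imagemagick/xenial-security 8:6.8.9.9-7ubuntu5.1 amd64 [upgradable from: 8:6.8.9.9-7ubuntu5]
LINE_RE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suite>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from:\s*(?P<old>[^\]]+)\]"
)


@dataclass
class Upgrade:
    package: str
    suite: str
    old: str
    new: str
    security: bool  # True when the candidate comes from a *-security suite


def parse_upgradable(text: str) -> list[Upgrade]:
    """Parse apt's listing; skips 'Listing... Done', warnings and blank lines."""
    upgrades = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        suite = m.group("suite")
        upgrades.append(Upgrade(m.group("pkg"), suite, m.group("old"),
                                m.group("new"), security=suite.endswith("-security")))
    return upgrades


def report(upgrades: list[Upgrade]) -> str:
    """Human-readable body: security updates first, then everything else."""
    sec = [u for u in upgrades if u.security]
    other = [u for u in upgrades if not u.security]
    lines = [f"{len(sec)} security update(s), {len(other)} other update(s) pending"]
    lines += [f"  SECURITY {u.package}: {u.old} -> {u.new} ({u.suite})" for u in sec]
    lines += [f"  other    {u.package}: {u.old} -> {u.new} ({u.suite})" for u in other]
    return "\n".join(lines)


def pending_upgrades() -> list[Upgrade]:
    """Query the real host. Run `apt-get update` beforehand (root) so the
    candidate list is current; this only reads the cache."""
    proc = subprocess.run(["apt", "list", "--upgradable"],
                          capture_output=True, text=True, check=False)
    return parse_upgradable(proc.stdout)


def send_report(body: str, sender: str, recipient: str, host: str = "localhost") -> None:
    """Assumes a local MTA relay (assumption for the example)."""
    msg = EmailMessage()
    msg["Subject"] = body.splitlines()[0]
    msg["From"], msg["To"] = sender, recipient
    msg.set_content(body)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


# Constructed sample of apt output, so the parser can be exercised offline.
SAMPLE_APT_OUTPUT = """Listing... Done
imagemagick/xenial-security 8:6.8.9.9-7ubuntu5.1 amd64 [upgradable from: 8:6.8.9.9-7ubuntu5]
libmagickcore-6.q16-2/xenial-security 8:6.8.9.9-7ubuntu5.1 amd64 [upgradable from: 8:6.8.9.9-7ubuntu5]
tzdata/xenial-updates 2016d-0ubuntu0.16.04 all [upgradable from: 2016c-0ubuntu0.16.04]
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with pending_upgrades()
    # and send_report(...) in the cron job.
    print(report(parse_upgradable(SAMPLE_APT_OUTPUT)))
```

Schedule it with cron (e.g. `apt-get update && python3 check_updates.py`) on every server, or push the same script out with puppet; the point is that a human sees "2 security update(s)" in their inbox the morning after the advisory, and the weekly window plus test cases handle the actual rollout.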


----------



## Ricky (May 23, 2016)

Resua said:


> They could, but for production, I generally recommend against automated updates.



It looked like this was from 5/3 or something...

Even weekly should have prevented it then, I think.


----------



## Resua (May 23, 2016)

Ricky said:


> It looked like this was from 5/3 or something...
> 
> Even weekly should have prevented it then, I think.



Depends on when their upstream provided a functioning patch.  The most recent patch released isn't a 100% fix, however.  FA has made the right move by moving away from ImageMagick entirely.  They probably use GD, a built-in PHP function.


----------



## Sergei Nóhomo (May 23, 2016)

Resua said:


> Q) OH GOD, MY EMAIL BEEN LEAKED!!1 HAKERZZ GOT MUH INFO!
> A) You give your email out to people all the time. This is no different. You may see an uptick in spam, or phishing attacks. This is the usual internet flotsam for most of us.  Standard precautions you should take regarding any email should protect from this.
> 
> Q) My password was leaked, ALL IS LOST.
> ...



I like this I really do

But seriously though, are people in this day and age seriously this naive when it comes to basic security? Hell we've grown up with computers and had this shit shoved down our throats.


----------



## Resua (May 23, 2016)

Sergei Nóhomo said:


> I like this I really do
> 
> But seriously though, are people in this day and age seriously this naive when it comes to basic security? Hell we've grown up with computers and had this shit shoved down our throats.



The internet was pushed to the world at large, in the form we know it as, in 1993.  Commonly called the 'Eternal September' by old computer folks.  In around 1983 Usenet admins were reminding people not to use the same passwords as their minicomputer accounts on the mainframe.  So.. about as long as the internet has existed, people have been fed these same password recommendations! :>


----------



## Wakboth (May 23, 2016)

Sergei Nóhomo said:


> But seriously though, are people in this day and age seriously this naive when it comes to basic security? Hell we've grown up with computers and had this shit shoved down our throats.


Yes, many people are just that naive. Just because we've grown up with computers, as you say, doesn't make us experts; in many ways, the average user of today probably knows less about the inner mysteries of his system than the average user twenty years ago. (Because back then, everything was still primitive enough that you _had_ to learn how to finagle with your memory settings, for example, if you wanted to do anything interesting. These days, things just _work_, for the most part, so we don't have to understand things as closely. I know my tinkering skills have atrophied badly!)


----------



## Resua (May 23, 2016)

Wakboth said:


> Yes, many people are just that naive. Just because we've grown up with computers, as you say, doesn't make us experts; in many ways, the average user of today probably knows a less about the inner mysteries of his system than the average user twenty years ago.



It is quite entertaining when someone walks into my computer lab who is a 'computer person' and goes blank eyed looking at my setup.

And that's the 'old' configuration with 4 nodes and 1 iSCSI SAN.  Running 12 nodes and 4 iSCSI SANs now.

Knowing how to reload Windows and troubleshoot the 5 basic hardware blocks of a PC doesn't make you an expert, it just means you have some good-to-know basic skills!


----------



## talarath (May 23, 2016)

Resua said:


> (my hashing rig runs 170 BILLION hashes per second.)



So you're saying your hashing rig has 12 Nvidia Titan X which is ~$1300 each, or ~16-18 290x which is ~$500 each?
Additionally, your hashing rig stats are pointless because that's likely against plain MD5.  If they were using anything more recent (even a shitty SHA1) it would drop the hash/sec by 3x.


----------



## Resua (May 23, 2016)

talarath said:


> So your saying your hashing rig has 12 Nvidia Titan X which is ~$1300 each, or ~16-18 290x which is ~$500 each?
> Additionally, your hashing rig stats are pointless because that's likely against plain MD5.  If they were using anything more recent (even a shitty SHA1) it would drop the hash/sec by 3x.



48x K20s, backed by 9 Titan Xs (Actually K40s.), spread across 3 rack mounted chassis and Dell C410X racks.  It is my thing, this security research stuff.  I also have a 5U chassis with Intel Phi units.  These are business equipment, not sitting in my house.  My home lab is much more tame.  And less power consuming.

Edit to add: Yes, that is MD5, because I'm willing to bet that is what was used.  SHA1 would slow it down appreciably.  To, you know, 3 nanoseconds in that example.  Let's say 5 to be picky!   It remains QUITE trivial.


----------



## Samandriel Morningstar (May 23, 2016)

It's come full circle,now even the bots know where to come..


----------



## Gem-Wolf (May 23, 2016)

Gee it seems some people can't take a harmless joke


----------



## Armaetus (May 25, 2016)

If some furries are using the SAME PASSWORD as their new password prior to the breach, they're dumber than I thought. Seriously, don't.


----------



## Resua (May 25, 2016)

Glaice said:


> If some furries are using the SAME PASSWORD as their new password prior to the breach, they're dumber than I thought. Seriously, don't.



They should not be able to on FA at least.  The login page checks.  I do not know if they continue to check, or if they just toss it after the first reset.


----------



## Darklordbambi (May 25, 2016)

Glaice said:


> If some furries are using the SAME PASSWORD as their new password prior to the breach, they're dumber than I thought. Seriously, don't.


Some people use all the same passwords because it's simply easier than memorizing and remaking a bunch of passwords. Hell, I just use slight variations of the same password most of the time and I /still/ have trouble logging into accounts sometimes despite having like 3/4 different variations. Having multiple passwords carries having to have your passwords either all memorized individually, or have them listed on one document, which leaves you fucked if someone sees it or you misplace or lose it. Hence why I do a mix of the two, less memorization but no one has my password for everything just from one account.


----------



## TodoxasRogue69 (May 26, 2016)

Do you think it was an Anti-Furry group who was responsible for the hacking of FA?


----------



## Darklordbambi (May 26, 2016)

TodoxasRogue69 said:


> Do you think it was an Anti-Furry group who was responsible for the hacking of FA?


Nah, it was prolly just some people either trying to get passwords and perhaps monetary info, or some hacker(s) getting their jollies by trying out their skills. I doubt anyone actually hates furries enough to hack one of their sites and take it down. Like some people may find them cringey and annoying, but it's not like there's a lot of people out there who loathe furries like they loathe lgbt people/people of other ethnicities/Muslims/immigrants and refugees/ other political groups, etc. Furries are pretty low on the hate radar in the grand scheme of things.


----------



## TodoxasRogue69 (May 26, 2016)

Darklordbambi said:


> Nah, it was prolly just some people either trying to get passwords and perhaps monetary info, or some hacker(s) getting their jollies by trying out their skills. I doubt anyone actually hates furries enough to hack one of their sites and take it down. Like some people may find them cringey and annoying, but it's not like there's a lot of people out there who loathe furries like they loathe lgbt people/people of other ethnicities/Muslims/immigrants and refugees/ other political groups, etc. Furries are pretty low on the hate radar in the grand scheme of things.


Based on some of the things I've heard about Anti-Furry groups, they seem pretty hateful towards us furries. What about that one attack on a group of furries that involved leaking gas into their rooms in the hotel they were staying at? 19 members of that group had to be hospitalized after that. And the attack seemed to be intentional.


----------



## Closer-To-The-Sun (May 26, 2016)

Well, this answers most of the questions I had with what's going down. Thanks, y'all.


----------



## Resua (May 26, 2016)

TodoxasRogue69 said:


> Do you think it was an Anti-Furry group who was responsible for the hacking of FA?



Potentially, but WHO did it doesn't particularly matter from a pragmatic point of view.  The Usernames, Emails, and Passwords were potentially leaked, the 'damage' is some spam, phishing attempts, and resetting your password as needed.

That said, I continue to have NOT been able to locate what I am looking for, which is a copy of the DB dump, for sale or freely offered.  That truthfully tells me it wasn't likely to have been random script kiddies (who would have uploaded the list as a gloat/trophy) or professional hackers working independently (The list/Table would be for sale.)  It may be individuals specifically motivated to target FA for whatever reason, assuming the database was, in fact, actually breached.

There remains, available to me as someone who does NOT work for IMVU/FA, NO INDEPENDENTLY VERIFIED cases of passwords from FA being used to compromise other accounts.


----------



## Darklordbambi (May 26, 2016)

Resua said:


> Potentially, but WHO did it doesn't particularly matter from a pragmatic point of view.  The Usernames, Emails, and Passwords were potentially leaked, the 'damage' is some spam, phishing attemps, and resetting your password as needed.
> 
> That said, I continue to have NOT been able to locate what I am looking for, which is a copy of the DB dump, for sale or freely offered.  That truthfully tells me it wasn't likely to have been random script kiddies (who would have uploaded the list as a gloat/trophy) or professional hackers working independently (The list/Table would be for sale.)  It may be individuals specifically motivated to target FA for whatever reason, assuming the database was, in fact, actually breached.
> 
> There remains, available to me as someone who does NOT work for IMVU/FA, NO INDEPENDENTLY VERIFIED cases of passwords from FA being used to compromise other accounts.


To me though, I don't see why 'script kiddies' wouldn't put it up on the deep web. Maybe it's for self gratification, and the hacker(s) felt like putting out the list to gloat knowing the deep web would be a place harder to track, as well as instill fear into the users. You may be right on FA being specifically motivated, but to me I could still see it being a case of a hacker stroking his own ego and doing careful gloating while not tipping themselves off enough as to leave too many tracks. Even infamous groups known for hacking for entertainment like Lizard Squad have had a member or two caught already. I could see the individual(s) in question not wanting to risk putting themselves out there. Then again, if they were that precise and careful, it could be argued that they wouldn't have even bothered posting the list, or would have felt secure to gloat all they wanted. I suppose it depends on the skill of the hacker and how comfortable they are in their skills to parade their achievement around.


----------



## charmander (May 27, 2016)

Resua said:


> batteryhorsecorrectstaple would have a VERY low entropy against a mask-attack, as it consists of 4 dictionary words.  In fact, if I knew your password was 4 dictionary words, that would only be 144,000 potential hashes to check.



I don’t think the typical dictionary consists of 19 and a half words.


----------



## Resua (May 27, 2016)

charmander said:


> I don’t think the typical dictionary consists of 19 and a half words.



I boogered the math for some stupid reason.  I was a bit tired and didn't go back to catch it.   It would be closer to ~1 trillion (using the 1000 most common words, which would get you good results).  Which would still be less than 10 seconds.
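The arithmetic from Resua's "THEORETICALLY SPEAKING" answer and the correction just above, carried through as an added example (not code from any poster). It sizes the candidate space for a four-word passphrase against a 1000-word list, the time to exhaust it at the 170 billion MD5 hashes per second quoted in the thread, the same figure for a 12-character random password, and what the `$2a$12$` prefix of the bcrypt hash posted earlier means for an attacker. The 95-symbol printable alphabet and the "one MD5 per candidate" model are assumptions; no absolute bcrypt rate is assumed, only the 2^cost work factor that bcrypt's cost parameter defines.

```python
"""Offline cracking arithmetic for the thread's examples.

Added example, not any poster's code. Rates are the ones quoted in the
thread; alphabet sizes are assumptions stated in the lead-in.
"""
import math
import re

MD5_PER_SECOND = 170e9          # rig throughput quoted in the thread (MD5)
PRINTABLE_ASCII = 95            # assumption: printable ASCII alphabet
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Modular-crypt prefix of a bcrypt hash: $2a$ / $2b$ / $2y$ / $2x$, then the cost.
BCRYPT_PREFIX_RE = re.compile(r"^\$2[abxy]?\$(?P<cost>\d{2})\$")


def passphrase_candidates(dictionary_size: int, words: int) -> int:
    """Keyspace of a passphrase of `words` words drawn, with repetition,
    from a dictionary of `dictionary_size` words (the mask/dictionary attack
    the thread describes, which never has to touch the 26^25 character space)."""
    return dictionary_size ** words


def random_password_candidates(alphabet_size: int, length: int) -> int:
    """Keyspace of a uniformly random password over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Guessing entropy in bits, assuming the attacker knows the pattern."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate once at a fixed hash rate."""
    return candidates / hashes_per_second


def bcrypt_cost(hash_string: str) -> int:
    """Pull the cost parameter out of a bcrypt hash string."""
    m = BCRYPT_PREFIX_RE.match(hash_string)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group("cost"))


def bcrypt_work_factor(cost: int) -> int:
    """bcrypt runs 2**cost expensive key-setup rounds per guess; each +1 on
    the cost doubles the attacker's work, for every candidate in the space."""
    return 2 ** cost


if __name__ == "__main__":
    four_words = passphrase_candidates(1000, 4)
    print(f"4 words from 1000: {four_words:.3g} candidates, "
          f"{entropy_bits(four_words):.1f} bits, "
          f"{seconds_to_exhaust(four_words, MD5_PER_SECOND):.1f} s at MD5 rate")

    twelve_random = random_password_candidates(PRINTABLE_ASCII, 12)
    years = seconds_to_exhaust(twelve_random, MD5_PER_SECOND) / SECONDS_PER_YEAR
    print(f"12 random printable chars: {entropy_bits(twelve_random):.1f} bits, "
          f"{years:.3g} years at MD5 rate")

    posted = "$2a$12$.pu9IAgzLDCaqv22.2fsPuXvpm3CLjHqHwtZhXI/sCdneSD3Jeo4O"
    cost = bcrypt_cost(posted)
    print(f"bcrypt cost {cost}: {bcrypt_work_factor(cost)}x key setups per guess; "
          f"cost {cost + 1} would double that again")
```

The numbers say what the thread says in words: a four-common-word passphrase is under 40 bits against an attacker who guesses the pattern and falls in seconds at MD5 speed, a 12-character random password is roughly 79 bits and takes on the order of a hundred thousand years at the same rate, and bcrypt's cost parameter multiplies the attacker's per-guess work rather than shrinking the keyspace, which is why the hashing change matters even for weak passwords.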


----------

