Opensuse forums hacked and info leaked

openSUSE, the popular Linux distribution, has posted a news bulletin on its blog confirming that an attacker was able to exploit a vulnerability in its forum software to upload files to the site. This allowed the attacker to bypass the site's security controls and gain access to the forum's database.

openSUSE has said that passwords are still safe because the forums use a single sign-on system, Access Manager from NetIQ, so real passwords were never stored in the forum database itself; the attacker will, however, have had access to every email address stored in the database. The attacker claimed to have obtained passwords, but these were only random, automatically generated strings that are in no way connected to the users' real passwords.

The organization has confirmed that, due to the nature of the attack, there is no known fix or workaround for the vulnerability, so to keep all users safe it has decided to take the site offline.

A notice on the openSUSE forum confirms that the security hole was in one of the plugins in use, and that plugin has now been disabled. The message boards will remain offline until the fallout from the breach has been cleaned up. The site also confirmed that it has made changes to its files to improve security, but warned that this may have unwanted side effects on existing links in search engines and on bookmarks users have saved.

Even though no passwords have been leaked, users who have used the same email and password combination on any other site should change their login details just to be on the safe side.

Source: OpenSuse | Image courtesy of Seguridadexpertos


So Linux is unbreakable? Or perhaps they hosted the database on Windows ?
No flaming intended, internet is a jungle and people should be careful.

No system is unbreakable, and in this case it wasn't linux or windows fault, it was a plugin they used which caused the security hole

Then it's safe to say Linux ain't better than Windows security-wise. It's the plugins which cripple an OS, 3rd party addons and software. This is for those claiming otherwise.
I forgot to add /s to my first comment.

I'd be surprised if OpenSUSE forums used Oracle's Unbreakable Linux (tm) distro. That would actually be ironic on so many levels.

Decebalvs Rex said,
Then it's safe to say Linux ain't better than Windows security-wise. It's the plugins which cripple an OS, 3rd party addons and software. This is for those claiming otherwise.
I forgot to add /s to my first comment.

Huh?

If someone's saying "Linux is more secure than Windows", that's normally assumed to be a comparison of two operating systems, not the software running on top of them.

If the Neowin forums (Invision Power Board) were hacked, would you honestly say that was because of a Windows security flaw?

IMO, you're comparing apples to oranges here.

Yes, third party software with a security flaw can of course expose passwords or whatever, but this is not relevant to operating system security.

Edited by Northgrove, Jan 10 2014, 4:01pm

I am trying to say that Windows and Linux depend on 3rd party software security-wise. None of them are unbreakable, as people claim Linux is more secure.
For example, the most secure OS is not that secure anymore due to 3rd party programs' flaws. My point: there is no secure OS, a bunch of people yelling about Linux as untouchable.

It was vBulletin and it is PHP/SQL, and they didn't exploit the OS, just the software, and collected email addresses. If there's a vuln/injection attack on a piece of software, it doesn't matter what platform hosts it.

Privilege escalation, and using one hole to chain exploits to get to other software, on the other hand, is a different story. They never got any deeper than exploiting vBulletin.

Decebalvs Rex said,
I am trying to say that Windows and Linux depend on 3rd party software security-wise. None of them are unbreakable, as people claim Linux is more secure.
For example, the most secure OS is not that secure anymore due to 3rd party programs' flaws. My point: there is no secure OS, a bunch of people yelling about Linux as untouchable.

Linux is MORE secure, but you're right, that no OS is unbreakable. Linux typically updates ALL software on your system versus Windows which requires you to update each program unless they have an update mechanism built-in.

I also don't see people saying Linux is untouchable.

This is an old discussion which leads to a different topic, however Linux is not "MORE" secure because of its protective features but because of its small audience. Windows already steps forth towards updating its programs through the Store now, a feature yet to evolve. If you don't see people praising Linux as untouchable, you are either one of them or you just don't bother reading comments on different forums and chat bays.
I cannot count how many I've seen living with the false promise of an untouchable Linux OS.

I'd say capability based security is more simply and widely implemented and robust in Linux and its applications. Barely anyone is developing with this in mind on Windows and implementing it.

Hark! I sense a wall of text from Mobius Enigma coming that will start yet another exchange which he will stop responding to after getting shot down.

Geezy said,
Barely anyone is developing with this in mind on Windows and implementing it.

That's rather anecdotal, never mind Windows' security system is actually very robust. (i.e., don't blame Microsoft if people insist on running as admin/root, you can be just as dense on a *Nix system.) Besides, statistically speaking, Linux systems don't exactly have the best track record when it comes to security either.

That's rather anecdotal, never mind Linux's security system is actually very robust. Besides, statistically speaking, Windows systems don't exactly have the best track record when it comes to security either.

You're right, anecdotes are anecdotal.

Anyway I'm not talking about people running as admin, rather processes that don't have fine grained security and are granted more access than necessarily needed for their tasks. Hence, capability based security. This is simply more widely and easily implemented in Linux, more readily available, and more supported in the ecosystem.

Geezy said,
Besides, statistically speaking, Windows systems don't exactly have the best track record when it comes to security either. Anyway I'm not talking about people running as admin

Well since we're not talking about user dumbassery, *Nix has the worse track record there, sorry. You can easily look that one up.

Geezy said,
Hence, capability based security. This is simply more widely and easily implemented in Linux, more readily available, and more supported in the ecosystem.

You're not honestly trying to say that Windows doesn't have a capability based permission system available are you? Might want to rethink that one...

It has the capability, most environments and programs don't support it. Nearly every Linux server and desktop supports it and has seen wide implementation and is incredibly robust as a result. What are some actual use cases in Windows land besides in the enterprise in specific sets of software, such as an exchange server? Most Windows machines are not protected by this!

Well since we're not talking about user dumbassery, *Nix has the worse track record there, sorry. You can easily look that one up.
So, more anecdotes? How about you easily look up that it's not the case? What are you, a clone of Mobius Enigma?

Edited by Geezy, Jan 12 2014, 3:49am

Geezy said,
It has the capability, most environments and programs don't support it. Nearly every Linux desktop supports it. What are some actual use cases in Windows land besides the enterprise in specific sets of software, such as an exchange server?

Well now if you're going to cherry-pick to suit your argument, it's not much of a debate now is it?
So, more anecdotes?

No, proof. Since we already ruled out user stupidity (since I can just as easily trash a *Nix system as a Windows system if I can con the user sitting there), let's ignore misconfiguration issues which can happen on both, the only thing left is exploitable software vulnerabilities. And if you look at a CVE list, you'll see that Linux quite consistently has more exploitable vulnerabilities than any other OS out there. That's just the Linux kernel mind you, not the variety of services and applications running on top of it, which would obviously make that number even higher.

The burden of proof is on you. Show me what you are citing from.

Since we already ruled out user stupidity
Not only are you cherry picking, but pressing your own assertions as fact.

What's not making it much of a debate is that you are not debating the assertion that enterprise exchange servers are the only common use case. Show me otherwise. Infinitely more use cases are covered on the Linux end from desktop to server.

Geezy said,
The burden of proof is on you. Show me what you are citing from.

Google not working for you? Ok, here's one. This is reported vulnerabilities in apps and operating systems. That's all time, so before "well that's including old versions!" pick 2014. Or 2013. Or 2012...
http://www.cvedetails.com/top-50-products.php

Geezy said,
Not only are you cherry picking, but pressing your own assertions as fact.

Wait, *I'm* cherry picking when you're the one who's going "well don't use this, that and that as an example, just because it shoots holes in my arguments."

Ah reported vulnerabilities. Of course the community OS gets more. MS's security audits are internal. Bzzz try again. Linux kernel also incorporates every driver and module unlike Windows, of course the number is inflated by this. Also in-development versions are made available, so general bugs in non-final versions count in this list.

I'm not cherry picking when I'm asking you what use cases there are, am I? I'm not restricting the criteria solely to my example.

Geezy said,
Ah reported vulnerabilities. Of course the community OS gets more. MS's security audits are internal. Bzzz try again.

Yea, I'm sure that's it. Yet somehow they still get reported "externally". Weird that. And that's just the core OS, again let's pretend the other systems and services don't exist right? How well did that super protection help when Kernel.org got their rootkit for example? Makes me feel a whole lot safer.

Geezy said,
Yeah no CVE is a list of *publicly known* vulns.

Ok.. and so what? It clearly shows Linux is in no better shape, nor does a different style of permission system make it inherently more secure... when it's just as easily messed with as any other operating system. Can be hacked? Yes. Vulnerable to user stupidity? Yes. Vulnerable to malware? Yes. Just like every other operating system on the planet. Using insults or buzzwords won't change that fact, sorry. The *only* reason why the desktops get less attention is the tiny marketshare, plain and simple. If Linux were some super-secure piece of magic, servers and mobile devices (which get a lot more attention) would be in a whole lot better shape dontchathink?

Now actually secure windows better, like I said, how many use cases besides exchange server are there? Linux has had this from desktop to server for a long time now. Glad to see this whole discussion was for nothing and we're back to square one.

Geezy said,
Now actually secure windows better, like I said, how many use cases besides exchange server are there? Linux has had this from desktop to server for a long time now. Glad to see this whole discussion was for nothing and we're back to square one.

Are you even paying attention? Why are you focusing on a service when we're talking about operating systems, never mind the fact that this super security model you keep going on about for some reason is still negated by the same things that affects every operating system out there? You're talking in circles and not making much sense about it... you're pretty much going "la la la I cant hear you" and saying the same nonsense over and over.

What do you expect from a person with that attitude? Arrogant persons will support their claims even if they are not right, derailing subjects as much as they can.
As soon as Linux gains audience, things will change. No OS is impenetrable, they rely on 3rd party software with vulnerabilities even if they are updated from within the system.

Dude, you don't understand capability based security and you're arguing with me about OS security? Um, I'm "going on about it for some reason" because it's the issue I brought up in the first place, you're arguing against me but you don't even know what I'm talking about? http://en.m.wikipedia.org/wiki/Capability-based_security

You think I'm arguing in circles bringing up stuff that's irrelevant, and you think it's irrelevant because you don't know what it is? Now that's arrogance... and ignorance too! Why don't you start paying attention and look something up if you don't understand it? No wonder you don't get it.

Now someone else is supporting you when you don't know the basic concepts of what we're talking about? What's the matter with you? Yes no kidding no OS is impenetrable. However, fine grained security helps prevent privilege escalation through exploits as well as chained exploits by jailing processes and restricting access only to the resources and privileges they require for that specific task, that way if a process can be exploited, there's not much you can do with it because it is only going to let you access functions that the specific process had access to.

This goes for every single app/module/process/etc in the whole stack! You exploit vBulletin but you only have strict access in a sandbox with the functions that vBulletin provides. There's not much you can do with that, which is why they only were able to deface the site and get email addresses. Not even passwords or other user account information! Strict access controls are incredibly useful and much more fine grained in Linux than in Windows.

In Linux, apps chain together preexisting hardened apps that perform the specific needed function because they can be freely installed on the system, and each component is restricted to exactly the resources it needs to do its task. Now in Windows your app is overly complex and has to do everything because you can't rely on other third party apps that provide those functions to be there, they are made by a different vendor and may not necessarily be installed, so your app has to re-implement its own version of whatever functions you need. Now suddenly your huge app needs a ton of permissions and access to perform properly. If you exploit that app, you can make a much bigger mess in a lot more areas.

Linux has these profiles set up on the desktop today, as well as the server. In Windows you'll need to install all these snap-ins and create policies and access control lists and it's a lot more complex to figure out, and it's only really implemented at the enterprise level for specific use cases which is why I brought up the exchange server case. I was asking you what other implementations you could think of.

Turns out you don't even know what you're talking about. Thanks for wasting my time.

You call this nonsense? Guess you don't work in IT.

Edited by Geezy, Jan 12 2014, 3:56pm

Geezy said,
Dude, *snip*

Well congrats for looking up a wikipedia article anyway. But after that cute wall of text.. you're telling us now that Linux is the only OS with a sandbox/chroot type of system available? Linux is the only OS where I can set up a program to run in a limited security model? Seriously? Hint, it's not.

Geezy said,
Now suddenly your huge app needs a ton of permissions and access to perform properly. If you exploit that app, you can make a much bigger mess in a lot more areas.

Ahhh.. server misconfiguration is the OS's fault, gotcha. /facepalm. Hint, you can do the exact same dumbassery in Linux too. Sounds like you know your way around a Nix box, but don't have a clue about Windows permissions, GPOs, tools etc aside from the typical rhetoric the anti-Windows people like to repeat ad-nauseum.

Geezy said,
Now in Windows your app is overly complex and has to do everything because you can't rely on other third party apps that provide those functions to be there, they are made by a different vendor and may not necessarily be installed, so your app has to re-implement its own version of whatever functions you need.

Cute. You *do* know that aside from the kernel and GNU toolchain the whole f'ing Linux OS is pretty much third party right? Different vendors, have to implement different versions of what's available depending on whatever flavor you're running, etc etc. So it's magic on Linux, wrong on Windows. Gotcha. Hypocrite.

Man I think you are way out of your league on this one. That Wikipedia article was for YOU.

I'm not saying linux is the only one, but it's the one with the most systems covered by default install. In windows it's just the enterprise, which is why I mentioned the exchange server and asked if you knew of any other cases. (Jeez you're like a brick wall)

Yes! Everything on linux is third party, but free, and rather than reinvent the wheel or reimplement the same functions in your own app, but now with YOUR own special bugs, you can instead have a large pool of pre-existing hardened versions to draw from, each one already matured for their specific purpose and figured into the capability based security system.

Geezy said,
I'm not saying linux is the only one, but it's the one with the most systems covered by default install. In windows it's just the enterprise, which is why I mentioned the exchange server and asked if you knew of any other cases. (Jeez you're like a brick wall)

Weird, my desktop versions have those available too. Speaking of brick walls...

Geezy said,
Yes! Everything on linux is third party, but free, and rather than reinvent the wheel or reimplement the same functions in your own app, but now with YOUR own special bugs, you can instead have a large pool of pre-existing hardened versions to draw from, each one already matured for their specific purpose and figured into the capability based security system.

Ah, so now it's better just because of the license model. Always something. Psst, you do know most of these 'functions' are cross platform and available on Windows too right? Just using your vBulletin example.. I can set up the exact same software, exact same services, run it locked down with no permissions aside from what it needs to run, even sandbox the thing if I so desired.. on Windows. Zero wheels reinvented. Weird that.

Geezy said,
Wow you are thick. See ya, wouldn't want to be ya. Good luck with your BS.

Yea, that's exactly what I thought... lol. Sorry you feel that truth is BS now. I get advocating an OS, but at least make sure you know all the counter-points in advance, and just for the record, not that it matters, I've been using a *Nix stack since before Linux was even created, still do, surrounded by a bunch of them now. But blind fanboyism is just silly.

macoman said,
They are, neowin just upgraded last night to the latest version of the forum software.

What's that got to do with encryption?

DesiSpark said,

I hope Neowin's forum user names & passwords are safe and encrypted

I really hope it's not encrypted, because then hackers can get the password back, like what happened with Adobe a while ago. It should be salted and hashed, nothing else

Mickez said,
... It should be salted and hashed, nothing else

A salt and a hash algorithm are components to an encryption scheme, albeit a one-way cryptographic algorithm (as opposed to a two-way scheme).

Nas said,

A salt and a hash algorithm are components to an encryption scheme, albeit a one-way cryptographic algorithm (as opposed to a two-way scheme).

Encryption is always two-way: "An authorized party, however, is able to decode the ciphertext using a decryption algorithm" - http://en.wikipedia.org/wiki/Encryption