
Important Security Notice: SBM Hacked

UPDATE 2013-04-04 1:25 PM EDT: All passwords have been reset. Users will have to use the “Forgot password” function to set a new password.

UPDATE 2013-04-04 6:06 PM EDT: Those interested in knowing whether their password was one of the less secure ones may use this tool to check their email address. Whatever the result from that tool, the only way to be 100% secure is to change your password on other sites if you also used it here.

ScienceBasedMedicine.org (SBM) was recently hacked, and user account information may have been stolen: usernames, passwords, and email addresses. Most of the potentially stolen passwords were strongly encrypted — that is, extremely difficult to read. About 2000 random accounts, roughly 5% of the total, were not protected as effectively and may be at greater risk.

If your SBM password was used for any other service, website, or account, you should change that duplicate password as soon as possible. (For example: if your SBM password is the same as your password for Gmail, you should immediately go to Gmail and change your password there.)

When hackers get your password from one place, they often try to use the same password with other services and websites. Unfortunately, this is a fairly effective strategy, because many people use the same password for many of their logins. This is why all security experts strongly recommend using unique passwords for all critical services.

What exactly happened to ScienceBasedMedicine.org?

On Sunday, March 10, hackers successfully gained access to the SBM server and attempted to use it to attack other servers. Eventually the compromised server gave itself away by consuming too much computing power.

On Monday, April 1, our hijacked server was shut down by the service provider. We remained offline for a full day as we repaired the damage and strengthened our protections against hackers. SBM is now back online but all users will have to reset their passwords before commenting again.

There is no way to know if the attacker actually took any data from ScienceBasedMedicine.org itself, but the safest course is to act on the assumption that they did. However, most of that data was strongly protected by encryption — standard practice for user account information on WordPress blogs for exactly this reason. (You can find details on this encryption here.)

Nevertheless, we know that some of the passwords (again, only about 5%) were less protected. (Specifically, they used an older MD5-based encryption.) Therefore, we strongly urge all SBM users to make sure they are not using their SBM password anywhere else.
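The distinction the post draws, between accounts stored as a bare MD5 digest and accounts stored with WordPress's standard phpass hashing, is something an administrator can check directly in the `wp_users` table. The script below is an added example, not code from the post or from SBM: it classifies stored `user_pass` values, recomputes a phpass hash (the salted, 2^13-times iterated MD5 that WordPress's `$P$B` setting denotes) so the two schemes can be compared, and lists the accounts that a forced reset should target. The sample rows, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import re

# Alphabet phpass uses both for its custom base64 and for the iteration-count digit.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify_hash(stored: str) -> str:
    """Classify a wp_users.user_pass value.

    phpass hashes are 34 characters and start with "$P$" (or "$H$"). Installs that
    predate phpass stored a bare 32-hex MD5 digest; wp_check_password() treats any
    hash of 32 characters or fewer as legacy MD5 and re-hashes it on the next login.
    """
    if len(stored) == 34 and stored[:3] in ("$P$", "$H$"):
        return "phpass"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "legacy-md5"
    return "unknown"


def _encode64(data: bytes, count: int) -> str:
    """phpass's custom base64 (not RFC 4648): 3 bytes -> 4 ITOA64 chars, LSB first."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute phpass crypt_private(): salted MD5 iterated 2**count_log2 times.

    `setting` is the first 12 characters of a stored hash: "$P$", the count
    character, and an 8-character salt.
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_iterations(stored: str) -> int:
    """Iteration count encoded in a phpass hash ("$P$B" -> 2**13 = 8192)."""
    return 1 << ITOA64.index(stored[3])


def check_password(password: str, stored: str) -> bool:
    """Verify a login attempt the way WordPress does for each hash type."""
    kind = classify_hash(stored)
    if kind == "legacy-md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if kind == "phpass":
        return hmac.compare_digest(phpass_hash(password, stored), stored)
    return False


# Constructed sample rows (user_login, user_pass). The hex value is md5("password").
SAMPLE_ROWS = [
    ("editor_a", phpass_hash("correct horse", "$P$Bab12cd34")),
    ("legacy_b", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("odd_c", "not-a-hash"),
]


def accounts_needing_reset(rows):
    """Logins whose stored hash is not phpass: legacy MD5 or unrecognised."""
    return [login for login, stored in rows if classify_hash(stored) != "phpass"]


if __name__ == "__main__":
    for login, stored in SAMPLE_ROWS:
        print(f"{login:10s} {classify_hash(stored):11s} {stored}")
    print("force reset:", accounts_needing_reset(SAMPLE_ROWS))
```

The practical difference is the iteration count: a legacy row costs an attacker one MD5 per guess, while a `$P$B` row costs 8,193, which is why the post singles out the MD5-only accounts as the ones at greater risk.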

SBM login is now available, and will require you to reset your password.

Posted in: Science and Medicine


40 thoughts on “Important Security Notice: SBM Hacked”

  1. daedalus2u says:

    I have an additional security program Trusteer, which warned me that my password was being sent unencrypted when I tried to log in.

    https://en.wikipedia.org/wiki/Trusteer

  2. Chris says:

    Fortunately I had changed my email password to a ridiculously long version a while ago. But I had been using a basic one for the myriad of blogs that required a log in. Well that has changed. Along with a few other websites. But never ever any financial data websites.

    The most important being the ISP, which twelve years ago would not let me use what I use elsewhere so I had to shorten it. That has been rectified, and it now has a longer and more complicated password. And not the one used here.

  3. krelnik says:

    I always recommend people take an opportunity at moments like this to install a password manager such as KeePass, 1Pass or so on. These programs help you remember your passwords and store them in a secure way, and make it much easier to have a different password on every site you use. Most of the good ones have versions to run on various devices so (for instance) you can access your passwords on your phone, tablet and computer equally well.

  4. zippyfx says:

    Don’t you think you should send out an e-mail to your users?

  5. inconscious says:

    Definitely just logged in and didn’t have to change my password.

  6. Daedalus2u: thanks for letting us know about that, and I’ll run that by our techs. Ideally login forms are encrypted (https), but I don’t think it’s typical for blogs.

    Zippyfx, absolutely, and we are working on a mass emailing. We hope that will happen today.

    Inconscious: that is odd. AFAIK, password reset should certainly be required. I’ll investigate.

  7. NSC says:

    I was just able to log in without resetting as well.

  8. gears says:

    I, too, am able to login without resetting my password.

  9. Joe Fulgham says:

    Apparently the security plugin couldn’t handle forcing a reset on the amount of user accounts SBM has. We’re doing a manual password wipe soon. This will simply mangle all passwords and users will have to use the “Reset Password” function to log in again.

    This should occur very soon.

    -Joe, assisting with the defense.

  10. Chris says:

    Is this why I had to redo my password again?

  11. Joe Fulgham says:

    Yes. Sorry about that, but we had to make sure everyone changed their password.

    Email notifications are going out now as quickly as the email provider will allow.

  12. Chris says:

    No problem. I am just glad it was not something I did. Also I am glad it took the password since it was being very picky on my choices. Then I went and changed passwords on another blog, my ISP and a couple of forums. The JREF forum was a bit tricky, but it went through with a message to a moderator.

    I had changed my gmail password to a long annoying one a while ago. And the funny thing is that Comcast still has a sixteen letter limit on passwords.

  13. @krelnik +10

    I have converted my password management to 1Password, with a different password for every one of my financial and critical websites (like my blog). It also syncs with my iPhone and iPad, so I can access my passwords there too.

    Although I used a standard boring password for blogs and such, a few weeks ago, I changed that policy. I hadn’t changed it here, so I’m glad I got the note and now have changed it to some random stuff that I frankly can’t remember.

    With social engineering and one hacked password, if you’re not careful, a hacker can get into every single one of your accounts. Remember, most hacking is done with massive dictionary attacks. But if you create random passwords of over 13-14 characters, it takes billions of years of even the most massive computing power to break your password. Don’t make it easy for the hackers.

  14. mousethatroared says:

    Well, what a bother. I had to change my password from “password” to “0Password!”. That should fix it.

    ;)

  15. pmoran says:

    Is it a bit ridiculous to demand a 10 character complicated password for subscribers to a blog? It means either having to use the same password for many purposes, or having all one’s passwords recorded somewhere, both of which threaten personal security more than does someone else accessing a blogging account for a while.

    I also use an “identity safe” to try and get around some of the problems, but I still feel it wise to keep most of my 40-odd passwords recorded elsewhere in case I lose access to that.

  16. Diane Jacobs says:

    Thank you for looking after things.
    [This was a test to make sure I re-registered successfully.]

  17. Narad says:

    Is it a bit ridiculous to demand a 10 character complicated password for subscribers to a blog?

    The bigger problem is that the demand for a combination of uppercase and lowercase letters plus numbers plus punctuation basically betrays a fundamental failure to grasp what password security (or usability) comprises. Grady Ward set this out a long time ago.

    Moreover, what’s the point? The security problem wasn’t on the users’ end, now was it?

  18. passionlessDrone says:

    @SBM Staff – Lord only knows how many servers that I have passwords stored on have been zombified, but I do know that I’ve gotten nice emails explaining the situation less than five times. Very nicely done.

    Your new pw requirements are a little bit stringent for a blog, but whatever.

  19. Wicked Lad says:

    I second passionlessDrone. IT security is my career, and it seems to me you handled this just right. Thank you.

  20. Narad says:

    But if you create random passwords of over 13-14 characters, it takes billions of years of even the most massive computing power to break your password.

    Note that for truly random passwords, for a fixed length, the requirement of numbers and punctuation actually reduces the search space for a brute-force attack. Does it reduce the entropy much? Not really, but it’s the case.

    My old SBM password, length 12, all characters, had an entropy of 42.8 bits, which is perfectly reasonable for a blog login. An easy-to-remember 20-character phrase of the “shocking nonsense” variety (which, BTW, xkcd has covered) that I sometimes use has an entropy of 74.4 bits. The 20-character, impossible-to-remember password I wound up using here has an entropy of 81 bits. The improvement in entropy is effectively meaningless.
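Narad's point that composition rules shrink the brute-force search space for a fixed length can be checked by counting. The script below is an added example, not part of the comment or of the site: it counts, by inclusion-exclusion, the strings of a given length that contain at least one character from each required class, and reports how many bits of search space a rule such as "must include a digit and a punctuation character" removes. The character classes (26 lowercase, 26 uppercase, 10 digits, 32 punctuation, covering the 94 printable ASCII characters other than space) are constructed for the example; the figures are for truly random passwords and say nothing about the entropy of human-chosen ones.

```python
import math
from itertools import combinations

# Constructed character classes: 94 printable ASCII characters other than space.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "punct": 32}


def count_passwords(length, classes, required=()):
    """Number of strings of `length` over the union of `classes` (name -> size)
    that contain at least one character from every class in `required`.

    Inclusion-exclusion over the subsets of required classes that are absent:
    sum over subsets S of (-1)^|S| * (alphabet without S)^length.
    """
    total = sum(classes.values())
    required = tuple(required)
    count = 0
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            alphabet = total - sum(classes[name] for name in absent)
            count += (-1) ** k * alphabet ** length
    return count


def entropy_bits(count):
    """log2 of the number of equally likely candidates."""
    return math.log2(count)


def composition_rule_cost(length, classes, required):
    """Bits of brute-force search space lost by requiring every class in `required`."""
    unconstrained = entropy_bits(count_passwords(length, classes))
    constrained = entropy_bits(count_passwords(length, classes, required))
    return unconstrained - constrained


def min_length_for_bits(target_bits, alphabet_size):
    """Shortest random password over `alphabet_size` symbols reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    rule = ("lower", "upper", "digit", "punct")
    print("len  random-bits  bits-lost-to-rule")
    for length in range(8, 21, 2):
        print(f"{length:3d}  {entropy_bits(count_passwords(length, CLASSES)):11.2f}"
              f"  {composition_rule_cost(length, CLASSES, rule):17.2f}")
    print("length needed for 80 bits over 94 symbols:", min_length_for_bits(80, 94))
```

The rule costs well under a bit at length 12 and less as the length grows, which supports both halves of the comment: the requirement does reduce the search space, and not by much. What it does not do is make a random password any stronger, so the length, not the rule, is what carries the entropy.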

  21. fishchick says:

    Might be a coincidence, but I had the same (not great) password for here and for my email and someone attempted to log in to my email Tuesday night. Fortunately I had the account settings to block suspicious activity and since it was from a random country where I do not reside, I was notified immediately and could change the password. Another lesson from life that I shouldn’t be so lazy.

  22. Narad, I’m sure you’re not wrong, and it’s a very interesting problem, but there are also some serious practical difficulties in implementing/enforcing passwords consisting of “shocking nonsense,” as wisely prescribed by Ward (and xkcd). Perhaps it’s putting the bar a bit high to ask a volunteer-powered blog to blaze this trail? :-) We had our hands full just getting back on the air.

    However, I sure would love to see some of the leaders in tech teaching users about saner and better password habits …

  23. elburto says:

    I think I have RSI from changing my password not once, but twice in 24hrs.

    A 20 character password (entered x3 to change/confirm/log in) involves up to 85 key presses each time when using multitap input on a phone (T9 is automatically disabled for password input). I think it was about 219 in all. Ouch. I miss computers.

    Still, I can always put some arnica gel on it. That’ll ease the pain until I can get to my acupuncturist!

  24. Narad says:

    Perhaps it’s putting the bar a bit high to ask a volunteer-powered blog to blaze this trail?

    Again, nothing has been advanced to suggest that weak user passwords were the problem in the first place. To the extent they were disclosed by a vulnerability in the back end, it wouldn’t matter one whit whether they were strong or not.

  25. elburto says:

    Damn, 219×2. Almost impressive! My reiki healer will have some strong words for me, I’m sure.

  26. Narad says:

    (And, yes, I greatly appreciate the volunteer efforts that make the site possible.)

  27. elburto says:

    Me too. Between this and Dr Gorski’s friend’s blog it’s nice to have safe space away from wooligans and science-deniers.

  28. mousethatroared says:

    @Paul Ingraham – I’m kinda surprised, doesn’t WordPress do the back end, security, hosting stuff for you all?

  29. Narad says:

    I’m kinda surprised, doesn’t WordPress do the back end, security, hosting stuff for you all?

    No; SBM uses the WordPress platform, but the hosting is on Rackspace. Securing the site presumably rests with SBM, although I imagine Rackspace could be of some forensic assistance here. They may also offer a managed package, but I don’t know.

    Since we don’t know the details of the compromise, the two most likely options are (1) an attack vector through one of the machines used to update the site and (2) exploitation of a known vulnerability in the version of WordPress being used.

  30. mousethatroared says:

    Thanks Narad!

  31. DrRenee says:

    If it weren’t for that email telling me that my password may have been compromised, I wouldn’t have known that I had signed up on this site.

    So, now that I know my username and have a new password, maybe I’ll start commenting.

  32. Alia says:

    OK, changed my password, hopefully I will remember it.

  33. Sastra says:

    Testing…
    Looks like I finally figured out how to get my old nym back.

  34. Chris says:

    I just noticed I get a Database Error when I click on the following two links:
    http://www.sciencebasedmedicine.org/SBM-VaccineAwareness/
    http://sciencebasedmedicine.org/reference/?p=1

  35. WilliamLawrenceUtridge says:

    If anyone’s interested, here’s an article on non-expert password hacking using basic online tools:

    http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

  36. Lemons says:

    I received an email notification at 11:17 EST today that someone tried to reset my password at wordpress.com. In 2009 I created an account to make a web page I never look at and completely forgot about.

    Perhaps this is related to the recent SBM hacking. Do you know if IP addresses were stored in the database with account info?

  37. mattyp says:

    Thank you for letting me know. This seems to have been handled pretty well. Certainly better than any other blog/website I have details registered for.

  38. drspacemonkey says:

    Chris – the database connection issues have been sorted out. Thanks for bringing them to our attention.

    Lemons – it’s highly unlikely to be related. The attack vector used wasn’t related to WordPress.com at all.

  39. mattyp says:

    Hmmm. I wonder if big supplement was behind it…
