[Wine] WineHQ database compromise

Igor sprog at online.ru
Tue Oct 11 18:06:22 CDT 2011 

Hello Jwhite,

 Could you share the encryption procedure your system was using to store the hashes in the database? Was it using the secret word 
 which all so became a public domain? Was it a default Bugzilla authorization method? How much time it would require to brute force the passwords?

 In the future try to avoid using "out of the box" encryption which allows passwords to be brute forced. If an attacker wouldn't know 
 the algorithm the hash was generated with it would be nearly impossible to brute force the hashes.

 I recommend to move the authorization mechanics out of the host directories in a way which would prevent an attacker 
 who gained control over the virtual host files to read authorization algorithms. 

 How is it possible that you don't know how the passwords were stolen but you know that they were stolen? Aren't there HTTP secure log archive? 
 Check out host secure log. It's important to understand how the info leaked to close the leak. May be an attacker gained
 access to another virtual host and through that access downloaded the database. In this case you may loose information again. 

 The key to the answer HOW is apache & mysql logs, scrutinize them and you'll understand what happened. If there is an unknown bug in mysqladmin you 
 will immediately catch it. At least you will know if an attacker got DB access through your host.  


 Many people around here might be interested if it's really worth changing passwords which are at least 6 letters in length. 


 You told us that phpmyadmin was obfuscated, it excludes a scanner getting access over the database. 
 Hacking WINE bugzilla is a foul job and only a teenager kid (or an man which is still young in his soul) would ever do that.
 Kids are usually gaining access to the filesystem first. Check out if there is a change in templates... which leaked 
 the cookies or passwords in files which could be read. 

 The worst thing that could happen is that the passwords would be decrypted and added to the automatic scanners which probe 
 the online services but I doubt that kind of intelligence from a person hacking bugzillas. 


 Thanks for letting us know most of the services prefer to keep silence over these problems. 

-- 
Best regards,
 Igor                          mailto:sprog at online.ru
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111012/1a7d8050/attachment.html>

More information about the wine-users mailing list