Hacking

cobz

New member
I read today that Ukclimbing had been hacked and some data taken.

Now I have highlighted this perhaps UKC can take defensive steps.

Cobz
 

Badlad

Administrator
Staff member
Thanks cobz. We do take security seriously at ukcaving and have a dedicated IT specialist to keep an eye on things. I'm sure he will take note of your comment. We hold very little personal details anyway of course.

Cheers
Tim
 

andrewmcleod

Well-known member
Doesn't look like they took much (other than email addresses/names, which is mostly annoying without additional info).

It's the usual stuff... hashing passwords with SHA-2 is lazy when better options are available (although I think probably adequate for most things if the bit size is large enough?), but a lot better than not hashing them!

This is why everyone should use a password manager like LastPass (or various other equivalents) rather than using the same password in each site. The 'good' sites will hash your password so even they don't know what it is (provided they use a sufficiently robust hashing algorithm) so that if they are compromised, the bad guys don't learn your password. But it's amazing there aren't more malicious sites out there giving you free stuff in exchange for an email address and password combination which they can then plug into your email account, and then hit 'forgot password' on all your other sites...
 

JoshW

Well-known member
andrewmc said:
Doesn't look like they took much (other than email addresses/names, which is mostly annoying without additional info).

It's the usual stuff... hashing passwords with SHA-2 is lazy when better options are available (although I think probably adequate for most things if the bit size is large enough?), but a lot better than not hashing them!

This is why everyone should use a password manager like LastPass (or various other equivalents) rather than using the same password in each site. The 'good' sites will hash your password so even they don't know what it is (provided they use a sufficiently robust hashing algorithm) so that if they are compromised, the bad guys don't learn your password. But it's amazing there aren't more malicious sites out there giving you free stuff in exchange for an email address and password combination which they can then plug into your email account, and then hit 'forgot password' on all your other sites...

Was going to post similar to this, and basically say the only data UKC will have is your passwords, and that you should avoid having similar/same passwords for all your websites, and password managers (iOS has one built in, and there are plenty available on app stores) are an absolute godsend.
 

Pitlamp

Well-known member
In case anyone wants details, here's the announcement:

https://www.ukhillwalking.com/news/2020/10/ukcukhrockfax_server_attack_-_information_for_users-72581

Seems a pretty comprehensive response.
 

andrewmcleod

Well-known member
JoshW said:
Was going to post similar to this, and basically say the only data UKC will have is your passwords, and that you should avoid having similar/same passwords for all your websites, and password managers (iOS has one built in, and there are plenty available on app stores) are an absolute godsend.

This is where clever maths happens :)

The 'good' sites won't even store your password; nowhere in the UKClimbing database were passwords stored, so if you have been affected by the hack then your password _shouldn't_ actually be leaked. Obviously you can't trust sites not to store your passwords insecurely, and some sites may be malicious or be hacked to store passwords. So you should still use a password manager.

So how do good sites verify your password when they don't store it?

Instead they store a 'hash' of your password, mixed with a 'salt' (which is basically a site password). A 'hashing' function takes an input and produces an output with little to some computational effort. So if your password was 'mypassword' and the salt was 'UKCsecretpassword', you could combine the two to get 'mypasswordUKCsecretpassword', and then after running the hash you get something like 'SDfshtdshFDSgds9585tsdg5'.

The key is that a good hashing function is one-way - if you give me the input, I can easily generate the output, but I cannot easily generate the input from the output. So UKC can ask for your password, add their salt, and then hash it - and then compare to the hash they have on file. If it matches, then you have the correct password. But the bad guys who have stolen your hashed password cannot find out your password from the hash.

Some older hashing functions have been broken or are weak; if a website has used one of these then the bad guys might be able to crack your password from the hash. But if the website is using a good modern hashing function (and using it properly), the bad guys cannot ever work out your password (because it is just too much computational effort).

Why use the salt? It just makes the passwords longer and therefore more secure. People have generated tables of common hashing functions, so they have basically made a list of all the common possible passwords (words, words with a number 1 on the end, words with a number 1 and a ! on the end, see the Michael McIntyre sketch) and calculated the hashes. This takes a very long time, but it would mean people could rapidly look up common passwords from stolen password hash lists - they wouldn't get everyone's password, but they would get some. In reality the salt will be a reasonable length random number, so pre-calculated tables won't include those possibilities. Even if the bad guys find out the site's salt, it would still be a lot of computational effort to recalculate a table.
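As an added illustration of the salted, one-way check described in the post above (example code, not UKC's or the forum's own), this stores a salt plus a slow hash instead of the password, verifies a login by re-deriving the hash, and shows why a pre-calculated table of common passwords finds a plain SHA-256 hash instantly but not a salted one. The choice of PBKDF2-HMAC-SHA256, the iteration count and a random per-user salt are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed parameters (not from the thread): 16-byte random salt per user,
# PBKDF2-HMAC-SHA256 with a deliberately slow iteration count.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the submitted password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_sha256(password: str) -> bytes:
    """What a site that hashes without a salt would keep on file."""
    return hashlib.sha256(password.encode()).digest()


# Constructed list of 'common' guesses, standing in for a pre-calculated table.
COMMON_GUESSES: List[str] = ["password", "password1", "password1!", "mypassword", "letmein"]


def unsalted_table(guesses: List[str]) -> Dict[bytes, str]:
    """Build the lookup table once: unsalted hash -> password."""
    return {unsalted_sha256(g): g for g in guesses}


def crack_with_table(table: Dict[bytes, str], leaked_digest: bytes) -> Optional[str]:
    """Instant lookup; only succeeds if the site stored plain, unsalted hashes."""
    return table.get(leaked_digest)


if __name__ == "__main__":
    salt, digest = hash_password("mypassword")
    print(verify_password("mypassword", salt, digest))   # correct password
    print(verify_password("mypassword1", salt, digest))  # wrong password
    table = unsalted_table(COMMON_GUESSES)
    print(crack_with_table(table, unsalted_sha256("mypassword")))  # found
    print(crack_with_table(table, digest))                         # not found
```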