Author Topic: Hacking  (Read 1188 times)

Offline cobz

  • Newbie
  • *
  • Posts: 14
Hacking
« on: October 22, 2020, 11:08:54 pm »
I read today that Ukclimbing had been hacked and some data taken.

Now I have highlighted this perhaps UKC can take defensive steps.

Cobz

Online Badlad

  • Administrator
  • forum hero
  • *****
  • Posts: 1982
Re: Hacking
« Reply #1 on: October 23, 2020, 08:44:46 am »
Administrator Comment: Thanks cobz. We do take security seriously at ukcaving and have a dedicated IT specialist to keep an eye on things. I'm sure he will take note of your comment. We hold very few personal details anyway, of course.

Cheers
Tim

Offline andrewmc

  • BCA ind. rep.
  • junky
  • ****
  • Posts: 939
  • EUSS, BEC, YSS, SWCC...
Re: Hacking
« Reply #2 on: October 23, 2020, 09:12:56 am »
Doesn't look like they took much (other than email addresses/names, which is mostly annoying without additional info).

It's the usual stuff... hashing passwords with SHA-2 is lazy when better options are available (although I think probably adequate for most things if the bit size is large enough?), but a lot better than not hashing them!

This is why everyone should use a password manager like LastPass (or various other equivalents) rather than using the same password in each site. The 'good' sites will hash your password so even they don't know what it is (provided they use a sufficiently robust hashing algorithm) so that if they are compromised, the bad guys don't learn your password. But it's amazing there aren't more malicious sites out there giving you free stuff in exchange for an email address and password combination which they can then plug into your email account, and then hit 'forgot password' on all your other sites...

Online JoshW

  • forum star
  • ****
  • Posts: 507
  • YSS, BCA Youth and Development, BCA Group Rep
Re: Hacking
« Reply #3 on: October 23, 2020, 09:46:21 am »
Quote from: andrewmc on October 23, 2020, 09:12:56 am

Doesn't look like they took much (other than email addresses/names, which is mostly annoying without additional info).

It's the usual stuff... hashing passwords with SHA-2 is lazy when better options are available (although I think probably adequate for most things if the bit size is large enough?), but a lot better than not hashing them!

This is why everyone should use a password manager like LastPass (or various other equivalents) rather than using the same password in each site. The 'good' sites will hash your password so even they don't know what it is (provided they use a sufficiently robust hashing algorithm) so that if they are compromised, the bad guys don't learn your password. But it's amazing there aren't more malicious sites out there giving you free stuff in exchange for an email address and password combination which they can then plug into your email account, and then hit 'forgot password' on all your other sites...

Was going to post similar to this, and basically say the only data UKC will have is your passwords, and that you should avoid having similar/same passwords for all your websites, and password managers (iOS has one built in; there are plenty available on app stores) are an absolute godsend.

Offline Pitlamp

  • forum hero
  • *****
  • Posts: 5522
Re: Hacking
« Reply #4 on: October 23, 2020, 11:03:08 am »
In case anyone wants details, here's the announcement:

https://www.ukhillwalking.com/news/2020/10/ukcukhrockfax_server_attack_-_information_for_users-72581

Seems a pretty comprehensive response.

Offline 2xw

  • forum star
  • ****
  • Posts: 668
  • BPC, SUSS
Re: Hacking
« Reply #5 on: October 23, 2020, 12:39:21 pm »
They're coming to steal my dig!!!!

Offline braveduck

  • forum star
  • ****
  • Posts: 663
  • Digging Bucket maker.B.P.C. Little Green Men.
    • http://www.bpc-cave.org.uk
Re: Hacking
« Reply #6 on: October 23, 2020, 02:14:35 pm »
I will not be supplying them with my digging buckets ! :lol:

Offline andrewmc

  • BCA ind. rep.
  • junky
  • ****
  • Posts: 939
  • EUSS, BEC, YSS, SWCC...
Re: Hacking
« Reply #7 on: October 25, 2020, 01:17:45 pm »
Quote from: JoshW on October 23, 2020, 09:46:21 am

Was going to post similar to this, and basically say the only data UKC will have is your passwords, and that you should avoid having similar/same passwords for all your websites, and password managers (iOS has one built in; there are plenty available on app stores) are an absolute godsend.

This is where clever maths happens :)

The 'good' sites won't even store your password; nowhere in the UKClimbing database were passwords stored, so if you have been affected by the hack then your password _shouldn't_ actually be leaked. Obviously you can't trust sites not to store your passwords insecurely, and some sites may be malicious or be hacked to store passwords. So you should still use a password manager.

So how do good sites verify your password when they don't store it?

Instead they store a 'hash' of your password, mixed with a 'salt' (which is basically a site password). A 'hashing' function takes an input and produces an output with little to some computational effort. So if your password was 'mypassword' and the salt was 'UKCsecretpassword', you could combine the two to get 'mypasswordUKCsecretpassword', and then after running the hash you get something like 'SDfshtdshFDSgds9585tsdg5'.

The key is that a good hashing function is one-way - if you give me the input, I can easily generate the output, but I cannot easily generate the input from the output. So UKC can ask for your password, add their salt, and then hash it - and then compare to the hash they have on file. If it matches, then you have the correct password. But the bad guys who have stolen your hashed password cannot find out your password from the hash.

Some older hashing functions have been broken or are weak; if a website has used one of these then the bad guys might be able to crack your password from the hash. But if the website is using a good modern hashing function (and using it properly), the bad guys cannot ever work out your password (because it is just too much computational effort).

Why use the salt? It just makes the passwords longer and therefore more secure. People have generated tables of common hashing functions, so they have basically made a list of all the common possible passwords (words, words with a number 1 on the end, words with a number 1 and a ! on the end, see the Michael McIntyre sketch) and calculated the hashes. This takes a very long time, but it would mean people could rapidly look up common passwords from stolen password hash lists - they wouldn't get everyone's password, but they would get some. In reality the salt will be a reasonable-length random number, so pre-calculated tables won't include those possibilities. Even if the bad guys find out the site's salt, it would still be a lot of computational effort to recalculate a table.
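The scheme andrewmc describes above, and the earlier remark in the thread that plain SHA-2 is a poor choice for passwords, as an added example that is not part of the original thread or of any ukcaving/UKClimbing code. It stores a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from Python's standard library) next to the precomputed-table attack the post mentions, so you can see that the table matches a bare SHA-256 digest but not the salted one. The iteration count, the salt length, the per-account random salt and the "common passwords" list are all assumptions constructed for the illustration.

```python
"""Salted, stretched password storage beside the lookup-table attack.

Added example, not code from the original thread or from any ukcaving or
UKClimbing system.  Parameters and sample data are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor per guess; assumed value for the example
SALT_BYTES = 16        # 128-bit random salt drawn per account (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Each call draws a fresh random salt, so two accounts with the same
    password get different stored values.  Passing a salt explicitly is
    only for reproducible demonstrations.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored alongside the
    digest, then compare in constant time (no early exit on the first
    differing byte)."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# The attack side.  Constructed list standing in for a real wordlist.
COMMON_PASSWORDS = ["password", "password1", "password1!", "letmein",
                    "qwerty", "mypassword"]


def build_sha256_table(candidates) -> dict:
    """Precomputed table of bare SHA-256 digests -> plaintext.  Built once,
    reusable against any leak of unsalted SHA-256 hashes."""
    return {hashlib.sha256(p.encode("utf-8")).hexdigest(): p
            for p in candidates}


def crack_unsalted(stored_hex: str, table: dict) -> Optional[str]:
    """One dictionary lookup per leaked hash."""
    return table.get(stored_hex)


def crack_salted(stored: str, candidates) -> Optional[str]:
    """With a salt the table is useless: the attacker has to rerun the
    slow function for every candidate against this account's salt.
    A weak password still falls; only the cost per guess has changed."""
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    table = build_sha256_table(COMMON_PASSWORDS)
    leaked_plain = hashlib.sha256(b"password1").hexdigest()
    print("bare SHA-256 lookup:", crack_unsalted(leaked_plain, table))
    stored = hash_password("password1")
    print("stored record:", stored)
    print("table lookup on salted digest:",
          crack_unsalted(stored.split("$")[3], table))
    print("verify correct:", verify_password("password1", stored))
    print("verify wrong:", verify_password("password2", stored))
    print("per-account guessing:", crack_salted(stored, COMMON_PASSWORDS))
```

Running the file prints the demo. The last function is the caveat a practitioner would want: the salt stops the attacker reusing a table built once for every leak, but a weak password such as 'password1' still falls to per-account guessing; the slow hash only raises the price of each guess. That is why the choice of stretching function matters as much as the salt, and why the random, unique passwords a password manager generates do most of the work.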

 
