blogs.perl.org security breach

We regret to announce that blogs.perl.org was recently the subject of a data breach.

An attacker gained access to the database that runs the site, and was able to take a copy of all users’ hashed passwords. We’ve therefore cleared all users’ passwords as a precaution.

If you have an account on the site, you should have received an email telling you how to reset your password. If you haven’t received it soon, please let us know.

Even though the passwords were stored in a hashed form, rather than as plaintext, the blogging software we use (Movable Type) uses a relatively weak hashing algorithm, so the attacker may be able to determine your old password.

It is therefore very important that, if you used the same password on any system other than blogs.perl.org, you change the password you use there, too.

We apologise sincerely for the inconvenience this has caused our users, and for failing to live up to the trust that the Perl community has placed in us.

We were alerted to the breach on the morning of 22 January 2014 (UTC). Our immediate response was to disable all dynamic code execution on the site, to give us a chance to investigate the situation and make the necessary repairs. From that point until a few moments ago, the dynamic parts of the site returned a “404 Not found” error.

Our investigation has revealed that the attacker used a security vulnerability in Movable Type to upload a tool that allowed them to deface the site, and to take the contents of the mt_author table (which contains names, email addresses, and hashed passwords). The contents of that table were then leaked on a publicly-accessible site.

We have deleted the attacker’s tool, and reinstalled Movable Type from a known-good copy. We’ve also applied a patch that fixes the underlying MT vulnerability; that patch was issued out-of-band, without the release of a fixed version of the software.

Finally, we’ve applied a custom patch to Movable Type that makes it use SHA-512 (with 96 bits of high-grade entropy as a salt) rather than the Triple-DES hash it uses by default. (We’d’ve preferred to use something like bcrypt or scrypt instead, but Movable Type’s architecture made that a prohibitively difficult choice, given our desire to return the site to normal operation as soon as possible.)

This means that, to the best of our knowledge, the attacker will not be able to break in again; and even in the event of a similar breach in the future, it would be much harder for someone to recover a plain-text password from the password hash.
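For readers who want to see what the new scheme amounts to, here is the salted SHA-512 construction in Python, as an added example: it is not the patch the site applied or any Movable Type code, and the record format, the function names, the salt-then-password ordering and the PBKDF2-stretched variant (standing in for the bcrypt or scrypt the post says would have been preferred) are all assumptions. The final helper is a defender-side audit of a stored record against a short wordlist; it illustrates the caveat that salting defeats precomputed tables and identical-password detection but does nothing for a password that is itself weak.

```python
"""Salted SHA-512 password storage with a 96-bit random salt, plus a
stretched (PBKDF2) variant.  Added example only; not Movable Type's code
and not the blogs.perl.org patch.  Record format and names are assumed."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

SALT_BYTES = 12          # 96 bits of salt, the figure given in the post
PBKDF2_ROUNDS = 200_000  # illustrative work factor for the stretched variant


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha512$<hex salt>$<hex digest>' for SHA-512(salt || password).

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def hash_password_stretched(password: str, salt: Optional[bytes] = None,
                            rounds: int = PBKDF2_ROUNDS) -> str:
    """PBKDF2-HMAC-SHA512 record: adds a tunable cost per guess, which a single
    SHA-512 does not.  Stands in here for bcrypt/scrypt; not what the site deployed."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds).hex()
    return f"pbkdf2_sha512${rounds}${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record from the stored salt and compare in constant time."""
    try:
        scheme, *fields = stored.split("$")
        if scheme == "sha512":
            salt_hex, _digest = fields
            candidate = hash_password(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2_sha512":
            rounds, salt_hex, _digest = fields
            candidate = hash_password_stretched(password, bytes.fromhex(salt_hex), int(rounds))
        else:
            return False  # unknown or legacy scheme: force a reset instead
    except ValueError:
        return False      # malformed record
    return hmac.compare_digest(candidate, stored)


def audit_against_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Defender-side check on your own store: return the first wordlist entry
    that matches the record, or None.  Salting does not help a weak password here."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample values, not data from the incident.
    strong = hash_password("correct horse battery staple")
    weak = hash_password("password123")
    print("strong verifies:", verify_password("correct horse battery staple", strong))
    print("weak found by wordlist:", audit_against_wordlist(weak, ["letmein", "password123"]))
```

A user whose record survives the audit with `None` is protected only by the salt and the hash cost; one whose record returns a word needs a forced reset regardless of how strong the hash function is.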

We’re also looking actively into replacing Movable Type in the near future, partly because it hasn’t been meeting our needs well. We hope to have more to announce on that front soon.

We reiterate our apologies for this. Please let us know if you have any further questions.

Update: You can reset your password here. Thanks to Ken Williams (in the comments) for suggesting adding this link.

9 Comments

I am happy with the way this was handled. In this case, the focus should be on how it was handled once discovered and how it was dealt with. I think these guys reacted well and have handled it professionally. Thanks for the work the admins put into making this blog possible.

A couple comments:

  • It would be handy to include the link for resetting one's password in this article.
  • The new stronger hashing scheme is good, but it will still leave weak passwords just as vulnerable to dictionary attacks. Users choosing new passwords should take care to use unique, strong passwords.

Thanks for the response to the attack. You might want to look at OWASP to future proof from web application attacks. They have guidelines and tutorials.

Aaron and Dave, thanks for handling it so quickly!

I'll talk to the folks here at WhiteHat and see if I can talk them into giving the site one of our security assessments so we can see if there's anything else that might bite us again.

Thanks to all involved for prompt notification and professional handling of the situation.

Is there a current project aimed at replacing the MT install? I'd like to register my involvement even if it happens I have nothing useful to contribute... :)

Congratulations from me, too, about the great response.

I agree with everyone else that I have no complaints about the speedy, professional way that the breach was handled. I do wish that it hadn't taken this level of problem to get things moving on a switch away from MT, which has been super-wonky ever since I've been here, and not that impressive when it's working as designed. But, hey: if that's the outcome, then I choose to look at this as a positive thing. :-)

Well, a move has been in discussion for a very long time. The problem is that while all four of us running b.p.o want to get off it post haste if possible, none of us has the slack to make it a priority project. And now that the site has been brought back online, the urgency is already lessening again. As long as the site is at least limping along, any big change will be slow going.

And personally I don’t want us to just do something, anything to get away from where we are now – that is the exact strategy that landed us in this bind in the first place. (We didn’t have the time but 6A donated theirs so we took it. (To be fair, the others did not yet have negative experiences with MT at the time, and none of us could foresee how the handling of the enterprise edition would turn out on top of that. (I must add that in spite of everything, we are still in 6A’s debt and I am very grateful to them. It is well likely that b.p.o would never have come to be without their donation, and however troubled a gift it has been, a large part of those troubles is due to the company going under, which they cannot be faulted for not foreseeing at the time they helped us out. Had the company survived, b.p.o’s history would almost certainly have turned out very differently. So whatever I say about MT may be said with regrets but also with anything but bitterness.)))

If we’re going to be busy without getting into a fundamentally better position, we might as well do nothing. At YAPC::EU we bandied about some ideas for how to address this state of neglect. The events of last week have me seriously considering some of them again…
