phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA
Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.
Download MP3 Episode (99.8 MB)
Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)
Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/
The phpBB community suffered a double-whammy this week: a hack and crack of a PHPList vulnerability (NOT a phpBB vulnerability) led to an extended outage of phpBB.com since last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was formally cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.
During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, and that also explain the reasons why it has taken so long for the teams to clean up the damage and restore the site, as well as how herculean this task really is. We also discuss some of the details of the zero-day exploit in PHPList, and some of the coding practices in PHPList that allowed these kinds of security exploits to take place. Micheal also shares a bit of his expertise on security policy and gives us a bit of an outline for what phpBB will do and other websites should do to ensure that they stay secure and avoid these kinds of attacks.
However, the most critical repercussion from this attack as far as users are concerned is the security of their passwords, particularly if they have not logged into phpBB.com since before March 2007 (which was when phpBB.com was updated to phpBB3). Due to an inferior hashing technique used by phpBB2, user passwords that have not been changed or used on phpBB.com since the phpBB2 days have been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the passwords have shown that the most popular passwords on the list will poor throwaway passwords such as “password” and “123456″. We discuss in great detail the importance of having a very secure, hard to guess/remember password, changing it frequently, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you share any of the passwords that you have used on any of the parts of phpBB.com (forum, wiki, code forge, etc.), you should change them just in case, as well as changing your phpBB.com password as soon as it comes back online.
We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir over a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did until it got cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely-used bulletin board platforms on the net. While phpBB 3.0.5 will include a new functionality that introduces an optional wave distortion to the CAPTCHA, 3.0.5 will not be ready to go out the door very soon due to obvious reasons, and a number of people, including some of us, think that it’s a bit hard on some people’s eyes (see example 1, example 2). A number of admins have utilized a number of other anti-spam MODs and tools which utilize other methods to fight off spambots. We discuss some of these various options and whether they would be appropriate as part of a future default phpBB installation or not. We also describe some of the other options that admins have available, such as altering activation settings or enabling the post queue (a new feature since 3.0.3) to sequester spam posts before they are publicly visible.
Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide
There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, however to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. 
We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.
We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Click on the ShareThis button below to spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.
