
#1 2012-01-21 1:59 am

Katana
Member
Registered: 2009-08-18
Posts: 1,886

Dreamhost compromised

Dreamhost passwords have apparently been compromised, heads up everyone.

It also seems that they are storing their manager passwords as either plaintext or using two-way encryption (NOT HASHED, AS IS CLAIMED, AND AS SHOULD BE DONE).

20:13 < auraka> wow...dreamhost compromised
20:15 < kyhwana> yup
20:15 < kyhwana> auraka: passwords are plaintext too, btw
20:16 < auraka> why would you say that
20:16 < bob2> they say ftp/sftp passwords only?
20:17 < kyhwana> auraka: "Forgotten your password?" *hit buttons* "Oh hai we just emailed you your password in plaintext, enjoy!"
20:17 < kyhwana> bob2: they say.. and how many people would use the same passwords?
20:17 < bob2> i always used random then set up keys
20:17 < auraka> kyhwana: that doesn't mean they aren't encrypted....they could just be using their own encryption key and decrypting them....still stupid but it doesn't automatically mean plain text passwords
20:20 < kyhwana> auraka: hmm, true.. but they still gotta store that encryption key somewhere
20:20 < auraka> yes they do
20:21 < kyhwana> tho I suppose if you hacked just the DB and not the rest of the machine, you (hopefully) wouldn't get that key
20:21 < auraka> they say they hashed them....
20:21 < auraka> i think they lie....
20:22 < kyhwana> auraka: They don't hash the panel passwords..
20:22 < kyhwana> which I guess is different from the ftp/sftp passwords
20:22 < kyhwana> But still..
20:22 < kyhwana> If they don't hash the panel passwords... (it's not a proper hash if it's reversable)
20:32 < EugeneKay> It's not a hash at all if it's reversible.
20:32 < EugeneKay> It's an encryption.

20:54 < Katana> kyhwana: wait, they /mailed/ you what it was?
20:54 < kyhwana> Katana: yup
20:54 < Katana> not like, here's what we just reset it to, but what it *was*?
20:54 < kyhwana> "oh, here's your password"
20:54 < Katana> plaintext or two-way encryption. secfail.
20:54 < kyhwana> Indeed

Seeing as how Dreamhost doesn't know what they're doing when it comes to security (NEVER ENCRYPT PASSWORDS, ALWAYS USE ONE-WAY CRYPTOGRAPHIC HASHING ALGORITHMS), it'd probably be best to start looking for hosting elsewhere, those of you who use them currently.


Shut up, shut up, shut up!
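The distinction the IRC log turns on (a "forgot password?" mail that returns the old password proves the store is reversible, whether plaintext or two-way encrypted, while a one-way hash can only be checked) is easy to show in code. The following is an added example, not Dreamhost's code or anything from the original post: a toy reversible store (XOR with a server-side key, standing in for any two-way scheme) next to a store that keeps a per-user random salt and a PBKDF2-HMAC-SHA256 digest from the Python standard library. Names, users and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key: stands in for the "encryption key they still gotta
# store somewhere" from the chat log. Not a real secret.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy two-way transform: applying it twice with the same key gives the input back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class ReversibleStore:
    """What a 'here is your old password' e-mail implies about the backend."""

    def __init__(self):
        self._db = {}

    def set_password(self, user: str, password: str) -> None:
        self._db[user] = _xor(password.encode(), SERVER_KEY)

    def verify(self, user: str, password: str) -> bool:
        return self._db.get(user) == _xor(password.encode(), SERVER_KEY)

    def recover_password(self, user: str) -> str:
        # The capability the thread objects to: database + key = every password.
        return _xor(self._db[user], SERVER_KEY).decode()


class HashedStore:
    """One-way storage: random per-user salt plus a deliberately slow KDF."""

    ITERATIONS = 200_000  # slows offline guessing; tune for the hardware in use

    def __init__(self):
        self._db = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per user: equal passwords get different digests
        self._db[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._db.get(user)
        if record is None:
            return False
        salt, digest = record
        # constant-time comparison so verification timing does not leak digest bytes
        return hmac.compare_digest(self._digest(password, salt), digest)

    def recover_password(self, user: str) -> str:
        # A reset flow can only set a NEW password; the old one is not recoverable.
        raise LookupError("one-way hash: stored value cannot be turned back into the password")


def can_recover(store, user: str) -> bool:
    """Emulates the 'forgot password?' button: can the backend mail the old password?"""
    try:
        store.recover_password(user)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for cls in (ReversibleStore, HashedStore):
        store = cls()
        store.set_password("alice", "hunter2")
        print(cls.__name__, "verify ok:", store.verify("alice", "hunter2"),
              "can mail old password:", can_recover(store, "alice"))
```

Both stores answer "is this the right password?" identically; only the reversible one can answer "what is the password?", which is exactly the question a password-recovery e-mail should be unable to answer.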


#2 2012-01-21 4:07 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826

Re: Dreamhost compromised

That's interesting. I had been thinking about starting an account/service with them. Are they going to try to fix it?
Hmm, the sales rep was really nice, I was impressed, and I was kind of hoping to start using them later this month.
Hope you keep us informed on this,
from Garry


#3 2012-01-21 7:25 am

Zonic Mirage
Member
From: Under your bed
Registered: 2011-06-15
Posts: 12

Re: Dreamhost compromised

When I used Dream Host, they displayed the database password in the admin control panel, in plain text. This kind of thing doesn't surprise me.


... and that's why it looks so small.


#4 2012-01-22 3:53 pm

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799

Re: Dreamhost compromised

Not the worst I've ever seen.

I once had dealings with a webhosting company that authenticated sessions based on nothing other than the accessing user's IP address.

Discovered this when one day, I attempted to access their website and had a "Welcome back David!" on the top of the page. A bit of digging to confirm I wasn't misinterpreting things, but.. Yeah. I hastily sent them an email, containing something roughly along the lines of "Hai thar. I'm working for a client that uses your hosting service. I'm immediately advising them to move elsewhere. Your security sucks. Especially because of dynamic IPs. BTW, my name isn't David. Bai."

I won't mention who it was, seeing as they were good in swiftly fixing the problem and hiring better people that knew what they were doing, and to avoid their embarrassment.

But anyhow, that's unrelated. Thanks for the heads up. I don't use DreamHost, but I'll be sure to pass the message on to anyone I find that does.
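The failure mode in this post (a session that is nothing but the client's IP address, so whoever next holds a dynamic address inherits the login) can be reproduced in a few lines. This is an added example, not the unnamed host's code: a simulated IP-keyed session table next to a table keyed by a random, expiring token carried in a cookie, with a small scenario in which an address is reassigned to a later visitor. The addresses, the user names and the request dictionaries are constructed for the demo.

```python
import secrets
import time

# Constructed scenario: "David" logs in from an address the ISP later hands
# to an unrelated visitor who sends no cookie at all.
SHARED_ADDRESS = "203.0.113.7"  # documentation range, not a real host


class IpSessionAuth:
    """The scheme described in the post: the client IP *is* the session."""

    def __init__(self):
        self._by_ip = {}

    def login(self, user: str, client_ip: str):
        self._by_ip[client_ip] = user
        return None  # nothing is handed to the client; the address is the credential

    def whoami(self, request: dict):
        # Anyone arriving from a remembered address is "welcomed back" as that user.
        return self._by_ip.get(request.get("ip"))


class TokenSessionAuth:
    """Unguessable session id with expiry; the IP address is not an identity."""

    TTL_SECONDS = 3600

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be exercised deterministically

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not derivable from the IP
        self._sessions[token] = {"user": user, "expires": self._now() + self.TTL_SECONDS}
        return token  # to be set as an HttpOnly, Secure cookie

    def whoami(self, request: dict):
        token = request.get("cookie")
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["expires"] < self._now():
            self._sessions.pop(token, None)  # expired sessions are dropped on sight
            return None
        return session["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def simulate_address_reuse(auth_factory):
    """Returns whom the backend thinks a cookie-less visitor from David's old address is."""
    auth = auth_factory()
    auth.login("David", SHARED_ADDRESS)
    later_visitor = {"ip": SHARED_ADDRESS}  # no cookie: a different person on the same address
    return auth.whoami(later_visitor)


if __name__ == "__main__":
    print("IP-based  :", simulate_address_reuse(IpSessionAuth))      # David (wrong)
    print("Token-based:", simulate_address_reuse(TokenSessionAuth))  # None (correct)
```

The IP-keyed table greets the later visitor as David; the token-keyed table has nothing to match because the credential never left David's browser. Binding a session to the address on top of a token is a defensible extra check, but never a substitute for one.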


#5 2012-01-22 5:20 pm

lisati
Member
From: Porirua, New Zealand
Registered: 2011-04-14
Posts: 340

Re: Dreamhost compromised

Maikuolan wrote:

I once had dealings with a webhosting company that authenticated sessions based on nothing other than the accessing user's IP address.

One I visited used the city information discovered from a GeoIP lookup. The trouble is that it wasn't particularly accurate: the static IP my ISP assigned me tends to show a city 600km away when checked in this way!


#6 2012-01-22 6:12 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,422

Re: Dreamhost compromised

lisati wrote:

the static IP my ISP assigned me tends to show a city 600km away

It's a routing issue.

The GeoIP is probably based on the NoC, or some such. Your ISP may be routing you there from far away. I get a similar issue with the BBC website. It shows me London preferences, even though I am based in Nottingham.


#7 2012-01-23 2:21 am

zaphod
Jägermonster
From: USA
Registered: 2008-11-22
Posts: 2,985

Re: Dreamhost compromised

lisati wrote:

The trouble is that it wasn't particularly accurate: the static IP my ISP assigned me tends to show a city 600km away when checked in this way!

Meh, GeoIP, or some other database regularly assigns me to a ghost town... seriously, a town of once 1500, reduced to a few maintenance sheds kept for the Wyoming Highway Department.

Zap

P.S. Even funnier when I see all these beautiful datable babes living there on some ad from a dating site! It's hilarious lol


Get Protected, Stay Protected...
With ZB Block, GNU/GPL Freeware Anti-Spam/Anti-Hack protection for your php based website.

Little boxes in the server farm, little boxes running php...

