Security Breach Because of SL Blog?

Someone on Slashdot stated that the SL Blog runs on the same MySQL cluster where the main-account passwords and payment information resides. Was the zero-day exploit that led to the release of our information one that targeted the blog?

Oh, that would be so ironic. Entertainingly so.

Two issues. Both front page diggs.

But imagine if it turns out they were related.

Wow.

It would be surreal.

I've found that LL uses Wordpress for their blog. I'm searching around for recent exploits now. If anyone knows of a site that might list Wordpress exploits, post it here.

I would pee myself into oblivion. That would be fantastic.

I found information on a WordPress Paged Parameter SQL Injection Vulnerability which can be seen in detail here. It looks like it affects WordPress 2.0.2 through 2.0.5. Could this be it? I don't know enough about WordPress, SQL, or security to do anything more than speculate.

Comments from experts would be much appreciated.

Awww man you just screwed up your lovely and neat looking 1000 posts, ah well.

Well an sql injection attack in the post comment bit might have been a possible one. I dunno the details though but I found this and anyway probably best not to post hacking bits and bobs http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/
and open registration without verification could be plausable as 'guest' account. Don't quote me on that though.

No, that just refers to an account on Wordpress. Registration isn't open on the Lindenblog.

Unless they've really hacked about with WP - and I can't see any indication that they have, it looks like the standard stuff to me - I doubt this has anything to do with it at all.

Sshh!

Random searching: http://dev.mysql.com/tech-resources/interviews/ian-wilkes-linden-lab.html

im a computer idiot, i know just enuff to be dangerous...what does this part mean from Robin's post earlier?

We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.

"zero-day exploit"= A glitch (?) in their system that they used on the same day it was found, so it was very hard for them to catch it before it happened. (If I'm wrong, someone please correct me.)

I nominate this for Understatement of the Year.

zero-day exploit

- A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Ordinarily, after someone detects that a software program contains a potential exposure to exploitation by a hacker, that person or company can notify the software company and sometimes the world at large so that action can be taken to repair the exposure or defend against its exploitation. Given time, the software company can repair and distribute a fix to users. Even if potential hackers also learn of the vulnerability, it may take them some time to exploit it; meanwhile, the fix can hopefully become available first.
With experience, however, hackers are becoming faster at exploiting a vulnerability and sometimes a hacker may be the first to discover the vulnerability. In these situations, the vulnerability and the exploit may become apparent on the same day. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before it happens. Companies exposed to such exploits can, however, institute procedures for early detection of an exploit.

Simply put, LL uses/used X software. X software had an exploitable security vulnerability that became known. Before the makers of X software could write a patch to take care of said security vulnerability, a hacker figured out a way to take advantige of it.

I do know that vBulletin uses MD5/Salt encryption and SL forums use an old version of vB 3.05, when it is now up to 3.6 following security updates. The forums are definitely linked to the main SL info as the password is carried across, so maybe this is how the breach occurred.

Actually, it was the software used for the SL Wiki, so I was told. MediaWikia has a superb trackrecord, but wasn't used. They're now using Lore.

Let me get this right. Linden Labs used public domain unvetted software on one of their web servers which had direct access to the main personal information database. They are idiots and if this happened at my company, both the IT director and the CTO would be fired on the spot. Heads must roll for such a basic IT security mistake with such major ramifications.

Any organisation storing customer information, has to compartmentalise the security systems, so that the web sites using public domain software only has access to the information that it needs, usually via a separate, one way, data feed.

LL have probably broken the law in Britain by failing to compartmentalise their security of personal data correctly. There is something called the Data Protection Act here.

Copying and pasting between threads is awesome.

What gives with you? I moved my original post to a more appropriate thread and you jump on it. Got nothing better to do? Geez.

in most cases your better off with open source software
ie

you write a script for whatever application, bug is found for your application, only a few billion possibilitys left

vs a script to do an application, hard tested in the real world by litterly millions of ppl, 24 hours a day - 7 days a week

hmmm ill take option #2 with offical docs



shit happens, if you can write a 100% hackproof datafarm please apply to linden labs for some posh san fran housing and free pinballl n coffee, if not....

You missed the point. the data was all kept in the same place. Thats the problem...

I told you all, blogs suck.

This is shit happens? Tell that to all the tee-ed off SL residents calling their credit card companies, changing paypal passwords etc etc.

I think he just did.

by seperating data into individual resources you only delay the possibility, on my personal play domain i seperate info, but if some lamer wants to hack into my account its all over

and my website is alll over the place as far as servers and geographical locations


i dont personally think the level of security you expect == the level of flexibility the SL system provides

in my 20 someodd years of BBS's and websites its always boiled down to...

iron fisted pita systems noone wants to use, that are still open to some dork with way too much time on their hands and no love life

or

user avaible systems with the exact same issues


least LL was smart enugh to segerate the CC info (to what extent is to be known)