You may have read recently here on Bloody Elbow about Dana White's UG account being hacked. What you may not know is several other fighters also had their accounts hacked (Hendo and Bisping among them), or how the hacker got access. Zach Arnold at Fight Opinion posted about it recently, and I'll be going into even more detail here.
The UG, aka the MixedMartialArts.com forum, had several pretty damning failures in both security and policy causing this issue. First, and perhaps most importantly, passwords were stored using two-way encryption. This is the same type of encryption that UFC.TV/Fight Pass uses to store your passwords. It meant that anyone with an admin account could see your password in plain text. This was still the case until about 24 hours ago.
Two-way encryption is an extremely insecure way to store passwords for this reason; anyone with sufficient access to your server/site/database has access to every single user's password. The hacker of the UG, who goes by the handle MentaL, claimed that he only had access to encrypted information and used rainbow tables to get the users' passwords.
Rainbow tables are precomputed lists of passwords paired with the string that a cryptographic process produces from each one. For instance, if I put the word "password" into a specific cryptographic process, the same string would come out the other end every time. A rainbow table is a list of these strings and the associated passwords, usually billions of entries long. In this way, a hacker who has the stored string can look up the password that produced it.
Proper password storage involves hashing and salting. With two-way encryption, if you know the decryption key (and the server usually holds this key), you can use it to see anyone's password by decrypting the string. With one-way hashing, there is no global decryption key, so there is no easy way for someone to recover your password, except by using a rainbow table.
This is where salting comes in. A salt is a string of letters or numbers added to your password before hashing. The word "password" is going to be on a rainbow table somewhere. The word "password1323I34bcsh248obdcuf3" will probably not be, because the computation time required to put every combination of letters and numbers that length through a cryptographic process is too massive. Attempting traditional methods of brute-forcing passwords without knowing what salt was used is essentially impossible. Even when the salt is known, rainbow tables are still essentially useless, and the attacker will have to use brute force manually to try to get your password.
Brute forcing a password refers to having a computer guess the password over and over again until it guesses correctly. For a password not found in a standard hacking dictionary, at 8 characters long, there are 26 letters and 10 numbers possible for each position. That becomes 52 letters and 10 numbers if caps are treated as separate letters, and even more if symbols can be used. For simplicity, we will assume all cases are treated as equal. At 8 characters, there are 36*36*36*36*36*36*36*36 possible combinations. That's 2,821,109,907,456 combinations a hacker has to attempt, or almost 3 TRILLION. And that's assuming they have access to the salt used. If they don't, it becomes impossible for all intents and purposes.
When a password is properly hashed and salted, no one with access to the server can see your password, no matter what level of access they have. Neither the UG nor UFC.TV does this, meaning they store your password information in an inherently insecure way. You can tell if a site is storing your password in cleartext or via two-way encryption by telling it you forgot your password; if they send your password out to you, they store it in an insecure way. If they send you a new password, or a reset link, they probably hash your password, and may even salt it. There's no way to know for sure, unfortunately.
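To make the rainbow-table, salting and brute-force points above concrete, here is a small added Python example (not code from the UG, UFC.TV or the author of this article). It builds a constructed lookup table of unsalted MD5 hashes standing in for a rainbow table, shows that a stored unsalted hash gives the password away by a single lookup, and then stores the same password the proper way: a fresh random salt per user plus a deliberately slow key-derivation function (PBKDF2 from Python's standard library, chosen here as an assumption; bcrypt, scrypt or Argon2 would serve the same purpose). The `keyspace` helper is the 36^8 calculation from the brute-force paragraph. One caveat the article does not spell out: the salt is normally stored next to the hash, so it is not a secret; its job is to make every user's hash unique so no precomputed table applies, while the slow KDF is what makes guessing expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# --- The weak scheme a rainbow/lookup table attacks: one fast, unsalted hash ---

def unsalted_hash(password: str) -> str:
    """Fast, unsalted MD5: the same password always yields the same string."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password for a candidate list. This is a constructed
    stand-in for a rainbow table (real ones use hash chains to save storage)."""
    return {unsalted_hash(p): p for p in candidates}


def recover_from_table(table: Dict[str, str], stored: str) -> Optional[str]:
    """Reverse a stored unsalted hash by table lookup; None if it is not listed."""
    return table.get(stored)


# --- The proper scheme: per-user random salt plus a deliberately slow KDF ---

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; raise as hardware speeds up)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate strings a brute-force search must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed candidate list standing in for a billions-long rainbow table
    table = build_lookup_table(["123456", "password", "letmein", "qwerty"])

    # Unsalted: the stored string alone gives the password away
    print(recover_from_table(table, unsalted_hash("password")))  # -> password

    # Salted: two users with the same password get different records, and
    # neither record's digest appears in any precomputed table
    rec_a, rec_b = hash_password("password"), hash_password("password")
    print(rec_a != rec_b, verify_password("password", rec_a), verify_password("Password", rec_a))

    print(keyspace(8, 36))  # -> 2821109907456, the figure from the article
```

Run it as a script to see the lookup succeed against the unsalted hash and fail against the salted record; `verify_password` is the only code path a login handler needs, and the record format carries its own salt and work factor so the iteration count can be raised later without breaking existing accounts.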
Back to the UG. The hacker, MentaL, informed the ownership of security holes in both 2010 and 2012. In 2012 he included a screenshot proving he had access to the database of user information.
The correct course of action at this point is to take steps to secure the site, reset everyone's password, and inform people of the breach via the contact details on file. Most states require this disclosure by law. The owners of the UG neither informed people of the breach, nor reset their passwords. They also continued to store the passwords in a way that allowed them to see someone's password in plain text.
A standard action plan in the event a security breach is identified is as follows:
1. Shut down the HTTP service.
2. Run a full AV scan.
3. Run a full Anti-Rootkit scan.
4. Manually check web accessible directories for any DB dump files or other suspicious files that don't trigger #2 or #3.
5. Change/reset all account & user passwords.
6. Contact all users via the contact details on record, inform them of the data you know was accessed, the data that may have been accessed, and the data that definitely wasn't accessed.
7. Advise users on steps to take to protect themselves, e.g changing common passwords.
8. Re-examine security protocols and ensure industry best-practices are implemented as soon as possible if they are not already in place.
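Step 4 of that plan is the one most often done by eye, so here is an added Python example (not code from the UG or from any incident-response standard) of what "manually check web accessible directories" can look like when scripted. It walks a web root and flags files with archive or dump extensions, files whose leading bytes contain database-export markers, and files modified within a recent window, since a freshly dropped file deserves a look even when it scans clean. The sample web root, its file names and contents, the extension list and the marker strings are all constructed for this example and are assumptions, not findings from the actual site.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions that should not be sitting in a web-accessible directory (assumed list)
DUMP_EXTENSIONS = {".sql", ".dump", ".bak", ".zip", ".tar", ".gz", ".tgz", ".7z", ".csv"}
# Byte strings that typically appear near the top of a database export (assumed list)
DUMP_MARKERS = (b"-- MySQL dump", b"-- phpMyAdmin", b"CREATE TABLE", b"INSERT INTO", b"COPY public.")


def looks_like_dump(path: Path, sniff_bytes: int = 4096) -> bool:
    """True if the file's leading bytes contain a database-export marker."""
    try:
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(marker in head for marker in DUMP_MARKERS)


def scan_webroot(root: str, recent_hours: int = 72) -> Dict[str, List[str]]:
    """Walk the web root and return {relative path: [reasons]} for files that
    carry dump/archive extensions, look like database exports, or were modified
    within the last `recent_hours` hours."""
    base = Path(root)
    cutoff = time.time() - recent_hours * 3600
    findings: Dict[str, List[str]] = {}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        reasons: List[str] = []
        if {s.lower() for s in path.suffixes} & DUMP_EXTENSIONS:
            reasons.append("archive/dump extension")
        if looks_like_dump(path):
            reasons.append("database export content")
        if path.stat().st_mtime >= cutoff:
            reasons.append(f"modified in last {recent_hours}h")
        if reasons:
            findings[path.relative_to(base).as_posix()] = reasons
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir: benign month-old files plus
    three planted items of the kind step 4 is meant to catch. Returns the path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    month_ago = time.time() - 30 * 24 * 3600
    files: List[Tuple[str, bytes, bool]] = [  # (relative path, content, backdate?)
        ("index.php", b"<?php echo 'forum'; ?>", True),
        ("images/logo.png", b"\x89PNG\r\n\x1a\n", True),
        ("backup/users.sql", b"-- MySQL dump 10.13\nCREATE TABLE `users` (...);\n", True),
        ("tmp/export.txt", b"INSERT INTO users VALUES (1,'alice','...');\n", True),
        ("uploads/new_file.php", b"<?php /* constructed: file dropped today */ ?>", False),
    ]
    for rel, content, backdate in files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        if backdate:
            os.utime(p, (month_ago, month_ago))
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot()).items():
        print(f"{rel}: {', '.join(why)}")
```

Point `scan_webroot` at the real document root on a copy of the server (not the live box, which step 1 has already taken offline) and review every hit by hand; the extension and marker lists are deliberately broad, so expect some benign matches, and treat any file in the "modified recently" bucket that nobody on the team can account for as part of the incident timeline.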
The owners of the UG, at the very least, failed to perform steps 5 through 8. It is unknown whether they performed the first 4 steps in 2010, 2012 or after this recent incident. As of today, the UG is working on forcing users to change their passwords and is looking at ways to update their security. As far as I am aware, they have not yet contacted all users to inform them of the breaches. To my knowledge, my account email, which was registered before the time of the database intrusion in 2012, has yet to receive any warning about the issue.
Here is a list of failures on the part of Mixed Martial Arts LLC.
1. Mixed Martial Arts LLC. failed to store passwords in a secure manner. Passwords were stored using two-way encryption instead of one-way salting and hashing.
2. Mixed Martial Arts LLC. failed to inform users of security breaches on several occasions.
3. Mixed Martial Arts LLC. failed to reset user passwords after being informed a user had unauthorized access to the database.
4. Mixed Martial Arts LLC. failed to disclose that its admins were able to, and did, read user passwords in plain text.
5. Mixed Martial Arts LLC. failed to have sufficient measures in place to prevent someone attempting to brute force passwords.
The owner of the UG, Kirik, has started a thread in which he is answering questions about the hack, and detailing the security measures being put in place since the incident. You can read it here.
I reached out to the owner of the UG on January 22nd with a detailed list of 22 different questions, some with multiple parts. The questions ranged from questions about why the UG made the decision not to alert users, to what kind of protection was on user data at the time of the breach in 2012. You can read them at the bottom of the article. I received a reply on January 26th, saying:
As I think I mentioned, I forwarded your query to the appropriate individuals in the company.
In their opinion the questions were a blueprint for how to hack the site, and not appropriate.
So the answer is that we are aware of a security breach that has affected certain members' accounts, the vulnerability used has been secured, the accounts affected have been contacted, and the appropriate authorities alerted.
On the surface, this might sound reasonable; however, there are no security best practice guides I am aware of that encourage hiding the security policy & protocols of your site from users. On the contrary, sites that take user security seriously tend to detail exactly how user data is stored. You can see examples on Campaign Monitor and DropBox.
It's concerning when a site refuses to answer any questions about security protocols, even to a reporter trying to report on the incident. Generally if a site is confident that it is properly securing user data, it will happily explain how it goes about protecting the data. It should be noted that Mixed Martial Arts LLC chose to answer none of the questions I asked, even those not relevant to their current or previous security protocols. The list of questions can be read at the bottom of the article.
So what does this mean for you? Well, if you have an account at the UG, several people have been able to see the exact password you used. At the very least all of the admins could, by the admission of the owner. Anyone with access to the database, including people like MentaL, who hacked it, also had access to all of your personally identifiable information, such as your name and address, if you ever entered it. The owner of the UG has claimed that no credit card data is stored on site, and that all data is transmitted via SSL to a third party validator. If true, this suggests any credit card info will be safe.
Do yourself a favor, make sure you're not using the password you used on the UG anywhere else. If you are, change it immediately. Never re-use the same password on sites. If you absolutely have to do this, make sure your email password is completely different from all of your other passwords, and shares nothing in common with them. Someone with access to your email account has access to every account you signed up to with that email. Protect it.
What happened at the UG could happen to UFC.TV/Fight Pass, which is why I have been so adamant about the UFC increasing password security. UFC.TV was running with a Java error on the main page for several hours this weekend.
This shows that the programmers behind the site are far from infallible, and there are likely security vulnerabilities as a result. UFC.TV might be more difficult to hack than the UG, but the password data there is still stored using two-way encryption, and is vulnerable if a hack does take place for that reason. Sites need to start protecting passwords properly; with your email address and a password, a hacker can wreak havoc. While sites still indulge in such lax security practices, you need to do everything you can to protect yourself. Here are some basic precautions:
1. Never use the same password on more than one site.
2. Don't use passwords with relations to each other. Having your password on the UFC site be UFCPass1969, and your password on Bloody Elbow be BEPass1969 isn't as secure as you think it is.
3. Make sure your email password is ridiculously secure. Make it as long as possible and never write it down anywhere or save it on a computer anyone else could ever have access to. Your email password is the most important password you own. Treat it accordingly.
4. If you have trouble remembering passwords, just use phrases you will remember and add some related numbers. The password "youllneverguessthat21is7x3" is infinitely more secure than "hs73bfs7" and is much easier to remember, despite the lack of randomness. Deliberately misspelling words makes the password even more secure. Come up with a system that works for you, as long as it uses both letters and numbers and is as long as possible.
5. Consider using services like MaskMe to keep sites from getting your real email address and other information in the first place.
6. If you notice a site is using insecure password storage methods, complain. Email the administrator, tell sites like Plain Text Offenders and make it clear you're unhappy with the situation.
7. Assume that everything you put into any website will at some point be visible to someone with bad intentions. Limit the information you provide accordingly. Pre-paid credit/debit cards are very helpful in this regard as well.
8. Use two-factor authentication whenever the option is presented. If a site offers to send a code to your cell phone every time you log in, take it. I know it's annoying, but do it anyway. If it offers to send you an email any time you log in, take that too. Little things like this mean you'll notice that much quicker if someone is trying to hijack your identity.
If you follow those tips, even if a site like UFC.TV or the UG gets hacked, you'll be safe. Protect yourself, because you can't rely on website owners doing what they should to protect you.
Below are the exact questions I sent to Kirik that he declined to answer:
What was the nature of the security holes you were alerted to in both 2010 and 2012?
Did you have anyone perform a security audit in 2010, 2012 or after this most recent incident? What company did you use?
Did you have someone check the logs after you were alerted to the security issues in 2010 and 2012? Can you detail what the logs said in terms of what access MentaL had to the server and how he used it?
Did you have someone check the logs after last week and can you detail the findings?
What type of encryption was used on passwords in 2010, 2012, last week and what are you looking to do going forward?
Who made the decision to store passwords in cleartext and/or using two way encryption instead of the industry standard one way hashing & salting? What was the reasoning behind this decision?
Were the keys to decrypt the passwords in the database stored on the same server as the database in 2010, 2012 or during the most recent incident? Has this changed, if so, when?
Why did you decide not to reset user passwords in 2012 after being notified that someone had unauthorized access to the database? Who was involved in this decision?
MentaL has said he only had access to encrypted passwords, but also seemed to suggest that he had access to admin accounts. Do the discrepancies in his story make you question whether or not he has been entirely honest?
Is there any evidence that MentaL downloaded a dump of the database? He seemed to suggest that he did, but then backtracked. He also seemed to be able to provide the information of someone who was questioning him (sweetlilly), which would suggest that he still had access to every user's information as of this week, as the chances of him having the information of that user at random seem slim.
Is it true that names and addresses were stored unencrypted in the database? Are they still unencrypted? If not, when did this change?
Why did you choose not to inform users that someone had access to their personally identifiable information in 2012?
Are/were you aware that most states require you to inform potentially affected users of any security breach that gives unauthorized access to personally identifiable information?
Did you report any of the unauthorized access in 2010, 2012 or this year to any law enforcement agencies?
How many staff members in total over the years have been able to see user passwords?
Could staff members read PMs?
Are they still able to read PMs?
How often do your staff, or outside companies, perform security audits on the site?
Can you detail how the site processes credit card payments?
Are there any plans in future to re-code the UG, as the current code is based on a very outdated platform?
Can you detail what changes you have decided to make to improve site security since the incident occurred a few days ago?
Is there any statement you would like to make about the incident to the MMA community?