Rainbow tables, SQL injection, and why you want to use a different password for e-mail
by Pixeleen Mistral, National Affairs desk
The new Try All Your Chance blog details the frightening extent of the BanLink security problems that led to the Second Life ban list sharing site's apparent demise - and suggests that BanLink user passwords might as well have been stored in plain text given the lack of site security.
"Names, passwords, email addresses; 100% of the data the site had, anyone could view and even modify. Even without access to the members area of the site."
BanLink was a popular shared Second Life ban list service that was ultimately neglected by its creators and afflicted with fundamental serious security issues - a story the Herald broke in September after being tipped to the fact that certain URLs caused the BanLink site to share supposedly secret ban information with world+dog on teh interwebs.
The Try All Your Chance coverage is notable for a lucid discussion of the moral dilemma that is responsible disclosure of exploits - followed by a hands-on detective story that explains exactly how poorly protected BanLink user passwords were and how the BanLink web site was ultimately put in perma-maintenance mode.
When data is at risk and the administrators are missing, it can be hard to figure out a moral course of action. Ignoring it and doing nothing leaves all the users unknowingly at risk, but disclosing it publicly potentially exposes them to even more risk. Even when the administrators aren't missing, it can be hard to spur them into action without hard evidence of a serious problem. I knew that word was already spreading, and that the Herald was about to go public with the information, so I set out to see how much I could get the site to give me.
The philosophical discussion is followed by a step-by-step how-to guide illustrating worst practices in web site security. By crafting URLs with embedded database queries - a technique known as SQL injection - the author deduces the database structure, locates the table with user accounts, e-mail addresses, and passwords. With access to the password table, the weak encryption is almost immediately broken by use of pre-computed password hashes known as rainbow tables.
"BanLink stored unsalted MD5 hashes of passwords, which is about as good as storing them in plain text."
Wrapping up the cautionary tale with practical advice, Try All Your Chance points out that using the password for your e-mail account for any other service is a very bad idea - since most sites will reset passwords by sending a message to your e-mail.
With practical, lucid of coverage of interwebs and metaverse deep tech, Try All Your Chance is a must-read blog for 2010.
Great, great, just fine, but the real question is: how do we take down the "back end services that are still running"? Running now with corrupted data. Banlink is now a griefing device.
Posted by: unsalted | December 27, 2009 at 06:56 PM
Oh wow, a bunch of stupid furries who spend their day worrying about how to ban griefers can't code worth a shit, who'd have thunk it?
Posted by: The Wiggles | December 27, 2009 at 08:01 PM
Glad to see you're back to reporting meaningful stuff.
Posted by: Kate M. | December 27, 2009 at 10:54 PM
I propose trying to log in to everyone's SL accounts with the same passwords to see how many of them are dumb enough to use the same details.
Posted by: Alyx Stoklitsky | December 28, 2009 at 02:07 PM
When wasn't BanLink a greifing device, though? The very concept was a walking community-standards violation to start with, and I'm surprised it took that long for it to die.
Posted by: Baloo Uriza | January 16, 2010 at 08:14 PM