
How was Pprune hacked?

Old 30th March 2003 | 08:57
  #1 (permalink)  
25F
Thread Starter
25 Anniversary
 
Joined: Mar 2000
Posts: 357
Likes: 14
How was Pprune hacked?

Inquiring nerds want to know.
25F is offline  
Old 31st March 2003 | 20:13
  #2 (permalink)  
 
Joined: Sep 2001
Posts: 431
Likes: 0
From: by the river
Sorry Nerd

That's exactly why the HOW should NEVER be published; certainly not before the hole is plugged.
gofer is offline  
Old 31st March 2003 | 23:32
  #3 (permalink)  

Nice-but-dim
20 Anniversary
 
Joined: Sep 2001
Posts: 640
Likes: 0
From: Rural Yorkshire
I understand 25F's curiosity. I think that a detailed reply was not expected, just whether or not it was a DOS attack, or something more specific and malicious.

I'd be interested to know just why the site was targeted however.
timmcat is offline  
Old 1st April 2003 | 04:17
  #4 (permalink)  
 
Joined: Jan 2003
Posts: 68
Likes: 0
From: Manchester
You will probably find that the attack was directed not at PPrune as such but at the software the board was programmed in.

PPrune is - if I am correct - a vBulletin board written in php/sql.

SQL has had a hard time of late with a concerted attack by hackers to force errors in applications and allow an unauthorised user to gain access to the admin functions.

Some of the electronics forums that I subscribe to use phpBB, another php/sql board, and have been attacked in a similar manner. One had 6GB wiped off the drive.

Once the hacker finds a way to exploit what is generally an untested error then they just troll the web looking for boards to attack. After the first one has been done then someone is working on a fix but that can take a bit of time.

The short answer as to why is... pot luck.
Ronbmy is offline  
Old 2nd April 2003 | 22:16
  #5 (permalink)  
25F
Thread Starter
25 Anniversary
 
Joined: Mar 2000
Posts: 357
Likes: 14
Thanks Ronbmy, I take it it was basically an SQL injection attack then. Yes, vBulletin runs on PHP / MySQL. So do my websites. This is why I want, nay, need to know. Confirmation from the "chief pilot" that the hole was vBulletin specific would be comforting.

gofer, the "how" needs to be published. This is how we build secure systems. "Security through obscurity" has been thoroughly discredited. Yes, you give people a short time to patch their systems, but then you publish.

You (I don't mean you in particular, gofer) may find it counter-intuitive, but yes, by making your security mechanisms as public as possible, you end up with better security. This has been a hard-earned lesson in the world of computers, and I believe it holds true in the real world too. The difference with computers is that once you've learnt how to hack one system, it is trivial to do as many (similar systems) as you like. On the other hand if you've worked out a method of robbing a bank or hijacking a plane, the subsequent banks and planes are still going to take quite a lot of effort. This is probably why OBL's fanatics decided to go for four at once: they knew that their actions would change the security model.

There is a frequent cry of "stop giving things away" when (airline) security is discussed on Pprune. I think this is misguided. By exposing the model to public scrutiny there is a greater chance of a flaw being discovered by a "good guy" (and reported in good time to the right people) than by a "bad guy".

Meanwhile, it is extremely naive to think that Al'BadGuy cannot find out what the security mechanisms are, either willingly from somebody that works in the industry, or unwillingly from somebody, via coercion, or by social engineering, or some other method.

End rant.
25F is offline  
