Zit Seng's Blog

A Singaporean's technology and lifestyle blog

HWZ Forum Hack, Your Action Is Needed

SPH Magazines yesterday confirmed their popular community discussion platform HardwareZone Forum (HWZ Forum) suffered a security breach that resulted in the leakage of 685,000 registered user profiles. Here’s what you need to know and what you need to do.

The security breach apparently happened as far back as September 2017, before it was first noticed a few days ago on 18 February 2018. The breach was confirmed two days later on 20 February 2018.

While SPH Magazines’ official statement revealed only that user profile data, which includes name, email address, user ID, and a dozen over other data fields, were leaked, there are some suggestions that fundamentally the server database has been leaked.

The good news, according to the statement, is that there are no NRIC numbers, telephone numbers and addresses, as these data were purged in line with the Personal Data Protection Commission (PDPC) guidelines in July 2015.

It is not clear if passwords were stolen, but given the likelihood that the server database was breached, it is safe to assume that passwords in some form or other has been stolen. SPH Magazines’ statement advised all members to immediately change their forum account password. Apart from that statement, it does not appear that any specific attempt has been made to reach any of the forum members.

An important issue now is to understand how passwords are stored in the HWZ Forum system, and at what level the system was breached.

A casual search on the Internet reveals that vBulletin, the software used by HWZ Forum, stores passwords in a MD5 hash format. Weaknesses in MD5 were found as far back as 1996, and in 2005, MD5’s designer Ron Rivest himself wrote that MD5 (along with SHA1) is clearly broken. The best case scenario that the HWZ Forum’s unidentified attacker made away with MD5 password hashes from the vBulletin database is already bad enough.

The worst case scenario is that the attacker may have other system accesses that allows the collection of plaintext passwords. If you have an account on HWZ Forum, it is possible that your password is known.

If you use that password on any other systems, or a variation of that password on any other systems, your accounts in those other systems are at risk of compromise.

Although SPH Magazines only advises you to change your password on your forum account, I suggest that more importantly, you should change your password on every other system where you may have used the same password or a variant of that password. Your HWZ Forum account itself may not be extremely valuable, but it is possible that you may have a more valuable account somewhere else. For example, make sure that you don’t use the same, similar, or derivation of the password for your banking account, SingPass, or other high-value account.

The breach of HWZ Forum is of particular interest, because it was one of those hypothetical scenarios I had previously talked about. I write and speak about IT security from time to time, and many years ago, when the topic of watering hole attacks became a talking point, I used HWZ Forum as an example in Singapore. The idea is that if an attacker wanted to breach your organisation, he doesn’t necessarily need to directly attack your organisation’s IT systems. Instead, the attacker watches where people in your organisation “hang out” online outside of your own organisation’s IT systems, and attacks those websites instead.

In Singapore, HWZ Forum is an excellent watering hole. Many tech-savvy Singapore users would likely have an account in HWZ Forum. If an attacker had an interest to, say, infiltrate Mindef’s IT system, would it not be easier to breach HWZ Forum in the hope of finding an account that would also work in Mindef’s IT system? (I know Mindef and the Singapore government cut their internal networks from the Internet, which inconveniences the attacker, not necessarily prevents the attack.)

IT systems of HWZ Forum might not be considered high-value per se, and hence may not be very well protected. A potential attacker, of course, will see this very differently. A platform like HWZ Forum can be a trove of valuable account information.

This brings me to the topic of password uniqueness, and the importance thereof that you should really use different passwords on every website or online system. Some users expect sites like HWZ Forum to be better managed, not like a fly-by-night type of outfit. That’s really besides the point. Nowadays, we don’t talk about security breaches being an if, but a when. You should prepare that your accounts will be hacked, and your passwords will be leaked. Attackers are going to see your actual passwords.

Hence, password uniqueness goes far beyond just being different, but being truly unique. In the best case, your passwords are just random gibberish, every one different for every website. In practice, many users are going to devise some derivation algorithms to remember passwords to use on each website. If you do this, then you must make sure that your derivation algorithms are so obscure that a potential attacker, having known your password at one website, is not going to guess your password at a different website.

For example, if you simply append the website name to your password, then an attacker having learnt that your password at HWZ Forum is mysecretpassHWZ can reasonably guess that your DBS banking account password might be mysecretpassDBS.

I strongly recommend using password managers to help with remembering unique passwords for each and every website. Of course, this in part implies that your password manager becomes the single-point-of-failure. That’s true. But I’d argue that this is something you have more control over, than how all the numerous websites handle your passwords. You could still choose multiple password vaults, or use different password manager, or committing the highest-value account passwords to memory, so you don’t have all your eggs in one basket.

HWZ Forum’s breach of 685,000 accounts means something like over one in ten of us in Singapore are affected. It’s the largest breach to date in Singapore. If you haven’t thought much about your password security, you should start now.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.