Status
Not open for further replies.

Addressing the recent user account hack scare

Dear GBAtemp members and visitors,

It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised.

At this point, as several people have suggested already, we believe that the reason this intrusion happened is because another site (an illegal ROM/ISO download site) was recently hacked and the password database was exposed to the public. Since a portion of our members was also registered on that site, possibly using the same password, this could explain the recent scare.

Even though we have no reason to believe our site has been compromised, we have taken a series of measures to reinforce account security on GBAtemp. Firstly, we have reviewed security on the server and all components of our site to make sure everything is up to date and secure. Some components of the forum software have been updated and following this update, one or two add-ons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.

At this point, we recommend that all our members change their password and enable two-factor authentication. We are sending out e-mails to all our members to inform them of this situation and to recommend that they change their password. We strongly recommend using a unique and complex password, not just here but on every site you are registered to.

If you have any information that may help us get a better grasp on the situation, please get in touch with a member of the staff. Thank you for your understanding!

The staff
 

lolboy
Well-Known Member · Member · Joined Jul 16, 2009 · Messages 679 · Trophies 0 · XP 1,981 · Country Netherlands
I admit that hacking/exploiting games and consoles can be fun, but hacking GBAtemp accounts is sad.

This forum (many of its users) has provided many goods to the gaming community and has spent time helping others.

I changed my password the moment I saw this post and hope all others have done that as well.
 
Deleted User
Guest
Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.
 

Asia81
Yuri Lover ~ · Member · Joined Nov 15, 2014 · Messages 6,656 · Trophies 3 · Age 29 · XP 3,496 · Country France
> Didn't LastPass get hacked? I thought I read that somewhere, but I think it was a while ago.

Really? I didn't know it.

--------------------- MERGED ---------------------------

> Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.

Same for me, but only when I am in a thread. In the main forum it's normal.
 

The Catboy
GBAtemp Official Catboy™: Boywife · Member · Joined Sep 13, 2009 · Messages 27,948 · Trophies 4 · Location Making a non-binary fuss · XP 39,342 · Country Antarctica
> I got hacked too, but I have my account back.
> Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.

I am glad to see that you got your account back. I could tell it was hacked the second the person who hacked you posted.
 

Costello
Headmaster · OP · Administrator · Joined Oct 24, 2002 · Messages 14,202 · Trophies 4 · XP 19,719
> Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.

This bug was fixed, but you may need a cache refresh because it was a JavaScript change (browsers tend to cache JavaScript), so try Ctrl+F5 a few times and it should be OK. At least it's OK for me.
 

The Catboy
GBAtemp Official Catboy™: Boywife · Member · Joined Sep 13, 2009 · Messages 27,948 · Trophies 4 · Location Making a non-binary fuss · XP 39,342 · Country Antarctica
> This bug was fixed, but you may need a cache refresh because it was a JavaScript change (browsers tend to cache JavaScript), so try Ctrl+F5 a few times and it should be OK. At least it's OK for me.

Glitch seems fixed for me (latest Chrome on Ubuntu 16.10).
 

hobbledehoy899
Well-Known Member · Member · Joined Nov 13, 2015 · Messages 2,874 · Trophies 1 · XP 2,192 · Country Antarctica
> This bug was fixed, but you may need a cache refresh because it was a JavaScript change (browsers tend to cache JavaScript), so try Ctrl+F5 a few times and it should be OK. At least it's OK for me.

With Pale Moon 27.0.3 running on Linux Mint 18.1 the site seems to be running just fine and as usual!
 

mathieulh
Well-Known Member · Member · Joined Feb 28, 2008 · Messages 378 · Trophies 0 · Website keybase.io · XP 897 · Country France
> So, you think 2FA is a good idea for a padlock on, say, a storage box? Not at all overkill? Meanwhile, where is U2F actually used? And how much does it help if I (likely) leave it in my computer all the time for the "convenience issue"? The only way that someone should be able to get my passwords on my end is precisely through the same sort of attack that would render U2F mostly (if not entirely) ineffective. Finally, if centralizing passwords is a bad idea, what would you recommend? Not having passwords? Because intrinsically if I remember all my passwords, I'm centralizing them all.
>
> BTW, a quick check and it sounds like U2F would be vulnerable to side channel attacks. The only known way to mitigate that kind of attack consistently, even when you know of the channel of attack, is through consistent timing of events. I.e., a trade-off of security over performance. So, uh, what sort of system do you run?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Let's be realistic here: to perform a side channel attack on your U2F token (assuming the attacker puts in the time, money and effort) and capture its ECC private key, an attacker would have to physically possess your token for an extended period of time (at the very least a week, more realistically a month). There is no way, unless you are incapacitated, that you would not notice your U2F token missing; once you do, it can be revoked.

By centralizing passwords, I mean putting those in the same place where they could be accessed by an attacker (like an application). If you are remembering all of your passwords, unless your mind is compromised (which actually can happen through means such as chemical induction with substances like scopolamine), these passwords are safe from being stolen directly (instead an attacker would look into compromising your endpoint and use software such as keyloggers).

As to what I run, it depends on how much security I need for a given task. For instance, I do own a shielded air-gapped computer with speakers and microphone disabled, used for specific infrequent cryptographic operations.

In conjunction with this, I am using several SAMs (4 Yubikey NEO, 2 Yubikey 4) for various applications, a Yubikey HSM for specific AES operations, a Nitrokey HSM for my local CA and a few standalone PIV smartcards for Veracrypt. I don't trust any of my keys to be stored outside Secure Access Modules.
 

Costello
Headmaster · OP · Administrator · Joined Oct 24, 2002 · Messages 14,202 · Trophies 4 · XP 19,719
> This bug was fixed, but you may need a cache refresh because it was a JavaScript change (browsers tend to cache JavaScript), so try Ctrl+F5 a few times and it should be OK. At least it's OK for me.

Never mind, actually the bug is back... for some reason. I will have to investigate!
Edit: it's gone again, I think it's because I was using another browser on which I forgot to refresh.
 
Last edited by Costello,

Asia81
Yuri Lover ~ · Member · Joined Nov 15, 2014 · Messages 6,656 · Trophies 3 · Age 29 · XP 3,496 · Country France
> I am glad to see that you got your account back. I could tell it was hacked the second the person who hacked you posted.

Did the hacker post some message with my account?

--------------------- MERGED ---------------------------

> Never mind, actually the bug is back... for some reason. I will have to investigate!

Seems OK for me, latest version of Firefox on W10.
 

The Catboy
GBAtemp Official Catboy™: Boywife · Member · Joined Sep 13, 2009 · Messages 27,948 · Trophies 4 · Location Making a non-binary fuss · XP 39,342 · Country Antarctica
> Did the hacker post some message with my account?

--------------------- MERGED ---------------------------

> Seems OK for me, latest version of Firefox on W10.

I don't want to derail this thread, so I will PM you.
 
Deleted User
Guest
I had my account password reset 2 times. Was one time me being hacked or something? I changed my password and then you guys reset my password because my account has been "compromised"
 

kuwanger
Well-Known Member · Member · Joined Jul 26, 2006 · Messages 1,510 · Trophies 0 · XP 1,783 · Country United States
> Let's be realistic here: to perform a side channel attack on your U2F token (assuming the attacker puts in the time, money and effort) and capture its ECC private key, an attacker would have to physically possess your token for an extended period of time (at the very least a week, more realistically a month). There is no way, unless you are incapacitated, that you would not notice your U2F token missing; once you do, it can be revoked.
>
> By centralizing passwords, I mean putting those in the same place where they could be accessed by an attacker (like an application). If you are remembering all of your passwords, unless your mind is compromised (which actually can happen through means such as chemical induction with substances like scopolamine), these passwords are safe from being stolen directly (instead an attacker would look into compromising your endpoint and use software such as keyloggers).
>
> As to what I run, it depends on how much security I need for a given task. For instance, I do own a shielded air-gapped computer with speakers and microphone disabled, used for specific infrequent cryptographic operations.
>
> In conjunction with this, I am using several SAMs (4 Yubikey NEO, 2 Yubikey 4) for various applications, a Yubikey HSM for specific AES operations, a Nitrokey HSM for my local CA and a few standalone PIV smartcards for Veracrypt. I don't trust any of my keys to be stored outside Secure Access Modules.

Where are you getting your figures on how long it'd take to capture the ECC private key? In any case, I'd agree that it's unlikely there'd be an attack on your U2F token directly. As for centralized passwords, it sounds like you're saying less about "centralized" and more about "attacker accessible". I.e., something like a U2F token that stored your keys with a master password would be similar, which is what U2F seems to be functionally (you just don't know the master password)*--I assume that's what your "Secure Access Modules" are. It also comes with all the same headaches of revoking access.

As for the last part, I'm very dubious of the fact that there are so many variants of Yubikey. It's unclear to me what distinguishes the Yubikey 4 from the FIDO U2F Security Key, even though one is twice the price. There's also the issue that you have to trust Yubikey not to store keys (or you have to build your own). In any case, my point about the system you run is cache attacks and actually how powerful side channel attacks can be.

* I know it's technically different, but since you can make your own U2F key, the notion that a U2F key is "what you have" is dubious to some extent. You can just as well simulate a U2F key in software, which defeats the whole purpose but would create the illusion of more security. To me, most 2FA that uses email verification falls into the same category.
 

mathieulh
Well-Known Member · Member · Joined Feb 28, 2008 · Messages 378 · Trophies 0 · Website keybase.io · XP 897 · Country France
> Where are you getting your figures on how long it'd take to capture the ECC private key? In any case, I'd agree that it's unlikely there'd be an attack on your U2F token directly. As for centralized passwords, it sounds like you're saying less about "centralized" and more about "attacker accessible". I.e., something like a U2F token that stored your keys with a master password would be similar, which is what U2F seems to be functionally (you just don't know the master password)*--I assume that's what your "Secure Access Modules" are. It also comes with all the same headaches of revoking access.
>
> As for the last part, I'm very dubious of the fact that there are so many variants of Yubikey. It's unclear to me what distinguishes the Yubikey 4 from the FIDO U2F Security Key, even though one is twice the price. There's also the issue that you have to trust Yubikey not to store keys (or you have to build your own). In any case, my point about the system you run is cache attacks and actually how powerful side channel attacks can be.
>
> * I know it's technically different, but since you can make your own U2F key, the notion that a U2F key is "what you have" is dubious to some extent. You can just as well simulate a U2F key in software, which defeats the whole purpose but would create the illusion of more security. To me, most 2FA that uses email verification falls into the same category.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

For starters, the attack you are talking about refers not to U2F in particular but only to the YubiKey Standard and YubiKey Nano with firmware before version 2.4, so this vulnerability has been fixed since April 2014 and only concerns specific old Yubikey 2 hardware (which I myself do not possess). This was due to a lack of entropy (the unique ID being only 6 bytes long) and non-random execution order and timing of operations (which has been fixed since firmware 2.4 and at the hardware level in Yubikey 3 and onward, although it has never affected the Yubikey NEO); this rendered a side channel attack very cost efficient (in the thousands of dollars) and doable in a timely fashion (hours). Hardware, however, does not typically have this kind of vulnerability, especially tamper-proof SAMs that perform operations in-die and, short of decapsulating to access traces, disallow most types of precise power measurements required by side channel attacks. It is also important to note that this attack allowed an attacker to get the device's AES key used to generate Yubikey's own OTP hash; it however does not allow the attacker to extract/calculate the ECC private key used in U2F.
More on this vulnerability in the following link:
https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf

As to U2F, there is no such thing as a "master password", considering it uses asymmetric cryptography to authenticate you (ECC to be precise), meaning the private key never leaves the device. Basically you register a public key on a remote server with an AppID (to prevent phishing) and a key handle (to identify a registered pair); the server sends an encrypted challenge to your U2F dongle, the dongle decrypts it with the private key, signs it, and sends it back to the server; the server verifies the challenge's signature and authentication proceeds if it matches. This mitigates phishing (the hacker does not know your public key and cannot forge the AppID without bypassing the provider's SSL certificate) and replay attacks (the challenge is only valid once, for the very brief period it is issued).

More details on how key generation is performed are available here:
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html

About the Yubikey 4 vs the FIDO U2F security key: the Yubikey 4 emulates a full set of CCID (PIV/GPG/OATH) smartcards along with the U2F specification; to put it simply, it has more features (the U2F security key only handles U2F). The Yubikey 4 is more expensive because in-die storage capable of handling 4096-bit keys, along with the processing power required to perform RSA operations with that large a number of bits, does not come cheap.

And yes, you would have to trust Yubikey, Nitrokey or whoever else your vendor is not to save your per-device keys during the manufacturing process; at the end of the day, there's always some vendor you need to trust unless you build something from scratch.

Cache attacks only work if one of your endpoints is compromised, and only to a point. If your endpoint is compromised you have bigger issues than someone targeting your account.

As to U2F, just like any other modern cryptographic algorithm, it is always based on a software implementation (with the exception of electro-mechanical rotor cipher machines such as the Enigma machine or Turing's cryptologic bombe); as such it can obviously be reproduced in software (after all, it's a protocol based on the ECC algorithm, itself based on the mathematical notion of elliptic curves, but I digress...)

As such you can indeed emulate your U2F security dongle in software (for engineering purposes and whatnot); you would however have to be very dumb to actually register it on a service hosted on an online production server! The whole purpose of U2F is to keep the ECC secret key, or the elements used to generate the secret key, securely on a secure storage where it cannot be read nor retrieved by software running on your endpoints (computers or otherwise); it is obvious that running it in a space where the key can be retrieved/read renders the whole concept of using U2F useless. The same issue actually occurs with people using TOTP on smartphone applications such as Google Authenticator (as I mentioned earlier in this very thread).
As such, your statement just does not make any sense from a security standpoint (or otherwise).
 
Last edited by mathieulh. Reason: Typos (signature re-generated for the edit)
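The registration and challenge-response flow discussed in the post above, as an added example in Go that is not code from this thread or from Yubico. It follows the actual U2F shape, in which the token signs (rather than decrypts) the server's challenge together with the hash of the origin the browser saw and a monotonic counter, and the server verifies with the public key registered under its AppID; the device type, the one-key-pair simplification and the origins are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Registration is what the relying party stores after enrolment.
type Registration struct {
	AppID   string           // origin the key pair is bound to
	PubKey  *ecdsa.PublicKey // the private half never leaves the device
	Counter uint32           // last signature counter accepted
}
// Device models a U2F token holding one key pair (constructed simplification: real tokens serve many pairs, looked up by key handle).
type Device struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Register generates a fresh P-256 key pair for appID and hands only the public half to the server.
func (d *Device) Register(appID string) (Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	d.priv = priv
	return Registration{AppID: appID, PubKey: &priv.PublicKey}, nil
}

// signedData binds a signature to the origin the browser saw, the counter and the challenge.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	return append(append(app[:], ctr...), chal[:]...)
}
// Sign answers a server challenge; origin is the site the browser is actually talking to.
func (d *Device) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	if d.priv == nil {
		return 0, nil, errors.New("device not registered")
	}
	d.counter++
	digest := sha256.Sum256(signedData(origin, d.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	return d.counter, sig, err
}

// Verify is the server side: a signature for another origin (phishing) or another key fails, and a counter that did not advance signals a replay or a cloned token.
func Verify(reg *Registration, challenge []byte, counter uint32, sig []byte) error {
	digest := sha256.Sum256(signedData(reg.AppID, counter, challenge))
	if !ecdsa.VerifyASN1(reg.PubKey, digest[:], sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	if counter <= reg.Counter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	reg.Counter = counter
	return nil
}
```

A software "token" built from this code would pass the same checks, which is exactly the point made above: the server cannot tell where the private key lives, so the protection depends on the key staying in hardware.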
Deleted User
Guest
Thanks for warning us. I have secured my Facebook account password now!
 

Costello
Headmaster · OP · Administrator · Joined Oct 24, 2002 · Messages 14,202 · Trophies 4 · XP 19,719
We have received first-hand confirmation that there is no known vulnerability on our site, and that these accounts were hacked because their e-mail addresses/nicknames were listed in leaked databases. There are several sites out there that allow you to make such verifications; some of these sites even provide passwords in plain text.

We strongly recommend everyone again to make sure to use a unique password on GBAtemp and to enable two-step authentication.

There is no need to further discuss the issue at this point. I will lock this thread. If you have any further questions, feel free to PM me and I will reply when I can.
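One way a site can act on the advice above at password-change time, as an added example in Go that is not code from this thread or from GBAtemp: it models a Pwned-Passwords-style range query, in which the client hashes the candidate password with SHA-1 locally, sends only the first five hex characters, and matches the returned suffixes itself, so neither the password nor its full hash ever leaves the client. The leaked list and the type and function names are constructed for this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"strconv"
	"strings"
)

// hashHex returns the upper-case SHA-1 hex digest of a password, the form such range services index.
func hashHex(password string) string {
	sum := sha1.Sum([]byte(password))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BreachIndex models the server side: leaked-password hashes bucketed by their 5-character prefix.
type BreachIndex struct {
	buckets map[string]map[string]int // prefix -> suffix -> times seen in leaks
}

// NewBreachIndex builds the index from a list of leaked plaintext passwords.
func NewBreachIndex(leaked []string) *BreachIndex {
	idx := &BreachIndex{buckets: map[string]map[string]int{}}
	for _, p := range leaked {
		h := hashHex(p)
		if idx.buckets[h[:5]] == nil {
			idx.buckets[h[:5]] = map[string]int{}
		}
		idx.buckets[h[:5]][h[5:]]++
	}
	return idx
}

// Range is the only query the server answers: every "SUFFIX:COUNT" pair under a
// 5-character prefix, so it never learns which password (or full hash) is being checked.
func (b *BreachIndex) Range(prefix string) []string {
	var lines []string
	for suffix, n := range b.buckets[strings.ToUpper(prefix)] {
		lines = append(lines, suffix+":"+strconv.Itoa(n))
	}
	return lines
}

// CheckPassword is the client side: hash locally, send only the prefix, match the suffix
// locally. It returns how many times the password was seen in leaks (0 = not found).
func CheckPassword(idx *BreachIndex, password string) int {
	h := hashHex(password)
	for _, line := range idx.Range(h[:5]) {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == h[5:] {
			n, _ := strconv.Atoi(parts[1])
			return n
		}
	}
	return 0
}

// ConstructedLeak is a made-up stand-in for the exposed password database the announcement describes.
var ConstructedLeak = []string{"password123", "hunter2", "letmein", "hunter2", "qwerty"}

// RejectOnChange is the policy hook for a password-change form: refuse anything seen in a known leak.
func RejectOnChange(idx *BreachIndex, candidate string) bool {
	return CheckPassword(idx, candidate) > 0
}
```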
 