triplea-game / triplea

TripleA is a turn based strategy game and board game engine, similar to Axis & Allies or Risk.
https://triplea-game.org/
GNU General Public License v3.0

Urgent: the forum has been hacked #7920

Closed panther2 closed 3 years ago

panther2 commented 4 years ago

There is someone messing around with the account "Admin"

@prastle @RoiEXLab @ron-murhammer @DanVanAtta

beelee1 commented 4 years ago

Did a quick nodebb search and didn't see anything. Probably triplea specific then I'd guess. Idk

panther2 commented 4 years ago

I went online when "Admin" did all of this. This is why he addressed me personally in the "Admin-forum-section". His IP was from Saudi Arabia, another one from Vietnam.

RoiEXLab commented 4 years ago

I'm on it, thanks for the information

RoiEXLab commented 4 years ago

I reset the forum to a backup from 6am this morning and changed the password of the "admin" user. Let's hope this is enough action for now. (Especially because it seems the account has been compromised already at this point in time)

Cernelius commented 4 years ago

Is the matter just that the Admin password was brute-forced because of being too simple?

panther2 commented 4 years ago

@RoiEXLab Thank you.

I can tell that it was a strange feeling being online together with the hacker this morning. I was able to revoke his sessions and block the IPs he used. But I felt a bit lost, as I was not aware of further action that maybe could have been taken.

I am especially glad, that the IP blacklist he deleted is back now.

I can only recommend to all to use a strong password together with 2FA.

RoiEXLab commented 4 years ago

@panther2 Good thing you noticed it so quickly. @Cernelius My best guess is that it has been brute-forced; the admin account has only ever been used for initial setup, so I doubt that anyone has been using it recently. The password was rather short and simple, so brute-forcing seems possible (unlikely still, but possible), but I went with a strong auto-generated password for now that should be impossible to brute-force. If we get an incident like this again we might have a more severe breach somewhere else, but for now we should be good, I think. @DanVanAtta @ron-murhammer Have a look at the password store; I kept the old password around in case we need to restore an even older backup.

My current guess at the scale of this incident: I currently doubt that more than this account has been compromised; it looks like someone had fun messing around with the admin panel and branding the forum with their "hacker tag". Pretty silly imo. If they had real system access they could've installed crypto miners, or manipulated nginx altogether to host files for them or something like that, something that we probably won't ever really notice. I'll try to check if something has been altered on a system level later this evening, but as I said, I doubt it.

Regardless we should create a post explaining the situation to everyone. Passwords are safe in theory, because they are securely hashed, but we should recommend changing them nevertheless just to be sure (SSO logins are not affected by this btw). Emails, usernames, real names are compromised if visible from the admin panel.

Cernelius commented 4 years ago

> I can only recommend to all to use a strong password together with 2FA.

I don't want to have to input a complex password that I may eventually just forget. I use the same username and password that I use in lobby, and I'm sure this is the case for most other people.

panther2 commented 4 years ago

@Cernelius

> I don't want to have to input a complex password that I may eventually just forget. I use the same username and password that I use in lobby, and I'm sure this is the case for most other people.

Totally up to you and most other people. I just think that at least admin accounts deserve better protection, as proven by today.

DanVanAtta commented 4 years ago

Good work here.

@RoiEXLab I changed the 'admin' user name as well. 'admin', 'root' are common for password guess attempts.

I wonder if we should have known about repeated password attempts, seems like the IP of this user should have been locked out.
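As an added illustration of the lockout DanVanAtta is asking about (this is not TripleA or NodeBB code), here is a Python pass over constructed login events that flags a source IP after five failures in ten minutes, lists any login that still succeeded from an address that should already have been blocked, and reports accounts guessed at from several addresses. The event format, addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events (timestamp, source IP, target user, outcome);
# not real forum logs, and the addresses come from documentation ranges.
SAMPLE_EVENTS = [
    ("2020-10-19T05:40:00", "203.0.113.7", "admin", "fail"),
    ("2020-10-19T05:40:20", "203.0.113.7", "admin", "fail"),
    ("2020-10-19T05:40:41", "203.0.113.7", "admin", "fail"),
    ("2020-10-19T05:41:03", "203.0.113.7", "admin", "fail"),
    ("2020-10-19T05:41:25", "203.0.113.7", "admin", "fail"),
    ("2020-10-19T05:41:47", "203.0.113.7", "admin", "success"),
    ("2020-10-19T05:50:00", "198.51.100.9", "admin", "fail"),
    ("2020-10-19T06:02:11", "198.51.100.9", "admin", "fail"),
    ("2020-10-19T07:15:00", "192.0.2.44", "someuser", "fail"),
    ("2020-10-19T07:15:30", "192.0.2.44", "someuser", "success"),
]

THRESHOLD = 5                   # failures tolerated per source IP ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window

def find_lockouts(events, threshold=THRESHOLD, window=WINDOW):
    """Map each source IP to the moment it crossed the failure threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    locked = {}
    for ts, ip, _user, outcome in sorted(events):
        if outcome != "fail":
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[ip]
        queue.append(now)
        while now - queue[0] > window:  # drop failures that aged out of the window
            queue.popleft()
        if len(queue) >= threshold and ip not in locked:
            locked[ip] = now
    return locked

def successes_after_lockout(events, locked):
    """Logins that should have been refused: a success from an IP already locked."""
    return [(ts, ip, user) for ts, ip, user, outcome in sorted(events)
            if outcome == "success" and ip in locked
            and datetime.fromisoformat(ts) > locked[ip]]

def spread_guessing(events, min_sources=2):
    """Accounts that saw failures from several distinct IPs (distributed guessing)."""
    sources = defaultdict(set)
    for _ts, ip, user, outcome in events:
        if outcome == "fail":
            sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}
```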

DanVanAtta commented 4 years ago

User emails were leaked, we need to issue a breach disclosure, I'll post it to forums.

trevan commented 4 years ago

@DanVanAtta @RoiEXLab @prastle @ron-murhammer @panther2 the forum got hacked again.

DanVanAtta commented 4 years ago

I'm a bit surprised we did not get hacked a 3rd time...

Yesterday after the 2nd hacking, again restored from backup and then demoted the 'admin' user to not be an admin. If we can delete that account, we likely should. @RoiEXLab , can you speak to what that account is used for?

Meanwhile today there were a number of changes:

Admins will now need to install GAuthenticator and set up MFA to log in as an admin.

panther2 commented 4 years ago

@DanVanAtta

> I'm a bit surprised we did not get hacked a 3rd time...

I hope so, as the forum's homepage again looks different ... but not "as hacked as before".

(@RoiEXLab )

DanVanAtta commented 4 years ago

The previous UI 'theme' we had seemed to not have carried over to the updated version of the forum. : /

RoiEXLab commented 4 years ago

@DanVanAtta @panther2 Fixed the widgets

Cernelius commented 4 years ago

> Admins will now need to install GAuthenticator and set up MFA to log in as an admin.

I've no idea what that means or how I'm supposed to do anything in the moment I cannot log in any longer (because of my very short and simple password).

DanVanAtta commented 4 years ago

@Cernelius - MFA stands for multi-factor authentication. It is like a second password and is required when you access the admin functionality. Had we had that in place, this hacking incident would not have happened. When you get to that requirement, there are on-screen instructions advising you to install the 'GAuthenticator' app on your phone.

> how I'm supposed to do anything in the moment I cannot log in any longer (because of my very short and simple password).

Cernelius commented 4 years ago
  • Are you being prompted to change your password?

I don't think so.

  • Does the forgot password or reset password option allow you to reset your password?

I'm not using any "forgot password" function, as I assume that is merely going to send my password to my e-mail. I'm not seeing any option to reset my password.

  • Can you post a screenshot of being denied login?

(screenshot: 20201020_001)

  • Are there any options to change your password on that screen at all?

I'm not seeing any.


In my opinion, by restricting the acceptable passwords, you are just blocking out of the forum every existing user that doesn't meet the new minimum standards, making them unable to use their accounts.

panther2 commented 4 years ago

@Cernelius

> I'm not seeing any.

"Password dimenticata?" is the link behind the password reset. The password is NOT sent to your email address; instructions for a password reset procedure are sent instead.

> In my opinion, by restricting the acceptable passwords, you are just blocking out of the forum every existing user that doesn't meet the new minimum standards, making them unable to use their accounts.

No, they simply need to reset their passwords.

Cernelius commented 4 years ago

> @Cernelius
>
> > I'm not seeing any.
>
> "Password dimenticata?" is the link behind the password reset. The password is NOT sent to your email address; instructions for a password reset procedure are sent instead.
>
> > In my opinion, by restricting the acceptable passwords, you are just blocking out of the forum every existing user that doesn't meet the new minimum standards, making them unable to use their accounts.
>
> No, they simply need to reset their passwords.

Ok, that worked. However, it didn't even allow me to use my GitHub password, deeming it too simple. So now I have to have another password, and did it. However, I don't want to do this "Two-Factor Authentication" thing and I really almost never do anything with the admin abilities. So, can I please just be downgraded to Moderator instead of Admin (if that will not require the Two-Factor Authentication), please? On the rare occasion I might need to do something with the Admin panel, I'll just tell an Admin to do it.

I will look out for changing my lobby and GitHub passwords to this same password, so I don't have multiple passwords to remember...


I still maintain that, as long as the link says "Password dimenticata?", which means "Forgotten password?", someone who didn't forget their password cannot be expected to click on it, on the assumption that the link is generally for resetting the password, whether or not you forgot it (bad name).


My uninformed perception is that, after having had a much too lax security, now too much is being done in the opposite direction, maybe. As I said, I don't really know.

Cernelius commented 4 years ago

I would be fine doing something like this "Two-Factor Authentication" thing if it can be done without requiring additional hardware (like if it can be done with the computer, instead of having to use a phone). However, what I understand is that this is not possible, so nevermind.

tvleavitt commented 4 years ago

2FA using email should be possible, SMS and the use of a smartphone app or other third-party hardware is generally not required.

Here are instructions on how to replicate Google Authenticator on your PC, this was published in August, so it should still be current and accurate:

https://www.maketecheasier.com/google-authenticator-windows/


-- Thomas Leavitt
Internet enabled since 1990

Cernelius commented 4 years ago

> 2FA using email should be possible, SMS and the use of a smartphone app or other third-party hardware is generally not required. Here are instructions on how to replicate Google Authenticator on your PC, this was published in August, so it should still be current and accurate: https://www.maketecheasier.com/google-authenticator-windows/

Thanks for the suggestion, but I understand that I would still need a phone connected to my account (not to use it).

tvleavitt commented 4 years ago

As per the linked page, WinAuth doesn't require a phone, presuming you're using Windows. Neither does G-Auth Authenticator (and that should be cross-platform).


Cernelius commented 4 years ago

> As per the linked page, WinAuth doesn't require a phone, presuming you're using Windows. Neither does G-Auth Authenticator (and that should be cross-platform).

If this is true, then I suppose that means I'm not figuring it out (you are presuming correctly).

Cernelius commented 3 years ago

I still cannot figure out anything. Can I just be de-admined, so I can log in to the forum without a smartphone, please?