ATTENTION - Security Breach here.

General Announcements about Unreal Tournament and UT99.org

Postby Dr.Flay » Mon Apr 03, 2017 10:53 pm

CHANGE YOUR PASSWORDS
It seems we have had an unwanted visitor using an admin's password, so they could extract the user database.

I have temporarily disabled session logins, so you will have to keep giving your ID at login for the moment.
Cookies will now be using SSL once they are re-enabled, and I have upped the password requirement, so from now on you will need to include mixed case and numbers.

DO NOT REUSE PASSWORDS EVER
Dr.Flay
Site Staff
 
Posts: 2982
Joined: Thu Aug 04, 2011 9:26 pm
Location: Kernow, UK
Personal rank: Chaos Evangelist

Re: ATTENTION - Security Breach here.

Postby papercoffee » Mon Apr 03, 2017 10:55 pm

Is it now safe to change the PW?
papercoffee
Godlike
 
Posts: 7830
Joined: Wed Jul 15, 2009 11:36 am
Location: Cologne, the city with the big cathedral.
Personal rank: coffee addicted !!!

Re: ATTENTION - Security Breach here.

Postby Higor » Mon Apr 03, 2017 11:45 pm

I assume it's only the password hashes that were compromised, right?
Higor
Godlike
 
Posts: 1463
Joined: Sun Mar 04, 2012 6:47 pm

Re: ATTENTION - Security Breach here.

Postby Dr.Flay » Tue Apr 04, 2017 12:50 am

It is very unlikely that anything useful was taken, as the database is not directly accessible and the passwords are encrypted.

However, unlike companies that say "no! nothing wrong here" to keep people calm, I feel that until a full inspection is done we cannot know what has, or has not, been achieved.
Waiting and not saying anything until later would be irresponsible of me.

They were logged in as admin for many hours and made changes to what can be downloaded from this site.
However, the database is not accessible via the admin panel and the passwords are encrypted.

Any data lifted via browsing around will be minimal because Admin don't get to see your passwords.

Our visitor claims that the shell upload did not go as planned.
Again, until we know the reality we take no chances that it is not a bluff.

The outlook is good, but don't take chances.
I change my passwords every month or 2 (as you should all learn to do), so for example each and every time Yahoo was hacked, my password had already been regularly changed.

I am re-enabling cookie sessions so we can go back to just walking in like normal, but they will now be using SSL so if you have any problems let us know.
Dr.Flay
Site Staff
 
Posts: 2982
Joined: Thu Aug 04, 2011 9:26 pm
Location: Kernow, UK
Personal rank: Chaos Evangelist

Re: ATTENTION - Security Breach here.

Postby Barbie » Tue Apr 04, 2017 2:02 am

Dr.Flay wrote:the passwords are encrypted.
I hope that the passwords are hashed and not encrypted... ;o) Even better with a bit of salt.
Anyway, for me it would not be a big deal if my password gets known to a third party, because usually I use a PW manager and a different password for every service. So in the worst case an attacker could write "Barbie is silly" with my account here. :lol:

Dr.Flay wrote:They [...] made changes to what can be downloaded from this site
That's worse, at least for people who run everything they download, because the attacker could have infected the files. Maybe you should check the time stamp of the downloadable files or, even better, compare them to backup versions.

Dr.Flay wrote:Our visitor claims that the shell upload did not go as planned.
What is meant by this? :what:
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
Barbie
Godlike
 
Posts: 1171
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing
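
The comparison against backup versions suggested in the post above, as an added example that is not part of the original thread: it compares content hashes of a live download directory with a trusted backup copy. The function names and directory layout are assumptions made for illustration.

```python
import hashlib
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_backup(live_root: Path, backup_root: Path) -> dict[str, list[str]]:
    """Report files that differ between the live area and a trusted backup.

    Content hashes are compared rather than time stamps, because anyone who
    can replace a file can usually also reset its modification time.
    """
    live, backup = snapshot(live_root), snapshot(backup_root)
    return {
        "modified": sorted(n for n in live.keys() & backup.keys()
                           if live[n] != backup[n]),
        "added": sorted(live.keys() - backup.keys()),
        "missing": sorted(backup.keys() - live.keys()),
    }


if __name__ == "__main__":
    import sys
    # Usage (paths are supplied by the operator): script.py LIVE_DIR BACKUP_DIR
    report = compare_to_backup(Path(sys.argv[1]), Path(sys.argv[2]))
    for kind, names in report.items():
        for name in names:
            print(f"{kind}\t{name}")
```

The backup has to predate the intrusion and be stored where the compromised admin account could not reach it, otherwise a matching hash proves nothing.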

Re: ATTENTION - Security Breach here.

Postby Dr.Flay » Tue Apr 04, 2017 2:21 am

The claim is that the upload of a shell to make use of the changes did not finish.

Yes you are correct, I meant to say the database is encrypted and the passwords hashed. No idea if a pinch of salt is in the mix, SHADE can let us know tomorrow.
Right now he is in bed sleeping, but is aware of the situation.

Looking at the admin logs, not much happened, but admin logs can be deleted.
No uploads are obvious at this point, and the new file extensions are not in use as far as I can see. I did find 1 that should not be allowed and removed it: "js".
Dr.Flay
Site Staff
 
Posts: 2982
Joined: Thu Aug 04, 2011 9:26 pm
Location: Kernow, UK
Personal rank: Chaos Evangelist

Re: ATTENTION - Security Breach here.

Postby sektor2111 » Tue Apr 04, 2017 6:33 am

I'm not changing anything until the problem is secured, else the new password will not help...
Underground Location.
sektor2111
Godlike
 
Posts: 2610
Joined: Sun May 09, 2010 6:15 pm
Location: Into personal private location.
Personal rank: 0.11

Re: ATTENTION - Security Breach here.

Postby Carbon » Tue Apr 04, 2017 11:09 am

Use a password manager like Keepass and this breach means nothing. Already changed my password and can do so again without issue anytime. I strongly suggest that others use a manager as well with Keepass being the most secure as there is nothing stored online; your database is local, password generation ensures unique passwords every time and for every site.

Keep us posted admin and thanks for being prompt and forthright. :gj:
Carbon
Masterful
 
Posts: 731
Joined: Thu Jan 17, 2013 1:52 pm
Personal rank: Hoarder.

Re: ATTENTION - Security Breach here.

Postby Shade » Tue Apr 04, 2017 2:52 pm

Dr.Flay wrote:They were logged in as admin for many hours and made changes to what can be downloaded from this site.


To be more precise: As far as the logs tell us, he changed the allowed file extensions for attachments (he added asp, cgi, dhtm, dhtml, htm, html, jar, js, pl, sh, shtm, shtml). So for example he added *.html, which theoretically allowed him to upload html-files as attachments. It is not possible to open and run these files directly from the directory on the server, where all attachments are saved. Also, all uploaded files have encrypted file names on the server.

PS: Passwords on the database are hashed (MD5).
Shade
Site Admin
 
Posts: 1346
Joined: Sun Jan 27, 2008 12:03 pm
Location: Germany
Personal rank: Founder of UT99.org
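
An added example (not the forum software's own code) of auditing an attachment allow-list against a known-good baseline, using the twelve extensions listed in the post above. The baseline list, the risk notes, the upload policy and all function names are assumptions made for illustration.

```python
# Extensions the post above reports as added to the attachment allow-list.
REPORTED_ADDED = {"asp", "cgi", "dhtm", "dhtml", "htm", "html",
                  "jar", "js", "pl", "sh", "shtm", "shtml"}

# Constructed baseline: what a forum might allow for maps and screenshots.
BASELINE = ["zip", "rar", "7z", "png", "jpg", "txt"]

# Why each reported extension deserves review (general notes, not forum-specific).
RISKY = {
    **dict.fromkeys(("asp", "cgi", "pl", "sh"),
                    "server-side script if the web server maps it to a handler"),
    **dict.fromkeys(("shtm", "shtml"), "server-side includes"),
    **dict.fromkeys(("htm", "html", "dhtm", "dhtml", "js"),
                    "active content run by a visitor's browser"),
    "jar": "Java archive executed on the client",
}


def normalise(ext: str) -> str:
    """Accept 'html', '.html' or '*.HTML' and return 'html'."""
    return ext.strip().lower().lstrip("*.")


def audit_allowed_extensions(baseline, current):
    """Diff the current allow-list against the baseline and flag risky entries."""
    base = {normalise(e) for e in baseline}
    cur = {normalise(e) for e in current}
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "risky": {e: RISKY[e] for e in sorted(cur) if e in RISKY},
    }


def upload_permitted(filename: str, allowed) -> bool:
    """Assumed policy: the final extension must be allowed, and no dotted part
    of the name may be a risky extension (rejects names like 'map.html.zip')."""
    parts = [p.lower() for p in filename.split(".")[1:]]
    if not parts:
        return False
    allowed_set = {normalise(e) for e in allowed}
    return parts[-1] in allowed_set and not any(p in RISKY for p in parts)


if __name__ == "__main__":
    report = audit_allowed_extensions(BASELINE, BASELINE + sorted(REPORTED_ADDED))
    for ext, why in report["risky"].items():
        print(f"{ext}: {why}")
```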

Re: ATTENTION - Security Breach here.

Postby Gustavo6046 » Tue Apr 04, 2017 9:55 pm

Shade wrote:(MD5).


lmao, MD5. It has been decades! I suggest to change to something like Twofish and let the users store the encryption keys in either cookies or otherwise locally. I will ask the Valoran team for any correction I must do for this to work.
You spin me right round
Gustavo6046
Masterful
 
Posts: 624
Joined: Mon Jun 01, 2015 7:08 pm
Location: What if I say ""?
Personal rank: Unroyal?

Re: ATTENTION - Security Breach here.

Postby Chamberly » Tue Apr 04, 2017 10:47 pm

Gustavo6046 wrote:lmao, MD5. It has been decades! I suggest to change to something like Twofish and let the users store the encryption keys in either cookie or otherwise locally.


Meh, the cookies have been hacked as well, from others using it to compromise Yahoo! accounts for example.
irc.globalgamers.net #uscript
http://irc.lc/globalgamers/uscript
Chamberly
Godlike
 
Posts: 1509
Joined: Sat Sep 17, 2011 4:32 pm
Location: Tennessee, USA
Personal rank: Dame. Vandora

Re: ATTENTION - Security Breach here.

Postby EvilGrins » Wed Apr 05, 2017 9:14 am

Well, poop.
:pfff:
http://unreal-games.livejournal.com/
medor wrote:Replace Skaarj with EvilGrins :mrgreen:
EvilGrins
Godlike
 
Posts: 5498
Joined: Thu Jun 30, 2011 8:12 pm
Location: Palo Alto, CA
Personal rank: God of Fudge

Re: ATTENTION - Security Breach here.

Postby sektor2111 » Wed Apr 05, 2017 8:09 pm

If you are hosting any sort of keys they can be hooked - probably a "spyware" means nothing for a "programmer"...
Else, what did I say a few posts ago? Let me recall. When you have connected the Internet to your machine, security will be a cheap fake story which nobody with a sane mind will ever believe.

Note: two dudes here were chatting about newer database software from M$. Well... after 2015 - 2016 they are not only expensive but are just utter craps. One of them works there, no worries, he knows some "policies". So the chaos is closer with each day passing, these "teams" are about to lose track about what they do. Security will suffer here... :sleep:

Fact:
In some past year, whatever dude hacked my E-mail account (more time after a so called infection which did not exist before). Let me see damage taken at this point, not that much, but I have figured advantages coming later. Poor "Yoohoo" suddenly decided to take measures according to accounts and they have improved e-mail management. I was wondering why they did not take those measures before. Probably they could see people retiring away from them which was not a good thing about their "image" aka reputation. So... time will solve problems or will make them worse...
Underground Location.
sektor2111
Godlike
 
Posts: 2610
Joined: Sun May 09, 2010 6:15 pm
Location: Into personal private location.
Personal rank: 0.11

Re: ATTENTION - Security Breach here.

Postby Rixuel » Sat Apr 08, 2017 5:39 pm

Why would anyone try to hack a community that plays a 17-18 year old game? (don't get me wrong, ut99 is still awesome) They gain nothing :/
█████████ Loading Hax 99%
Rixuel
Novice
 
Posts: 6
Joined: Fri Mar 17, 2017 3:29 am

Re: ATTENTION - Security Breach here.

Postby Barbie » Sat Apr 08, 2017 6:23 pm

Rixuel wrote:They gain nothing :/
As I wrote above: if an attacker gets your user name and password, he can log in here and write silly things. But that's probably not the aim of an attacker: because a lot of people use the same username/password combination for several online services, an attacker can try if this combination also works for Paypal or Amazon or other services where money is involved. And of course that username/password combination is added to the hacker's password dictionary so that these tests can be done automatically and periodically (by the attacker's bot net, not by his own machine^^).

Gustavo6046 wrote:lmao, MD5. It has been decades!
Yes, it is proven that you can find a token that generates the same MD5 sum as the original password. But what does the attacker win? He can log in here and only at other services that also have this username/password combination stored as MD5 hash.
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
User avatar
Barbie
Godlike
 
Posts: 1171
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing
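
The thread's points about salting and about MD5 as the stored hash, as an added example that is not the forum's own code: it shows why unsalted MD5 records link users who share a password, and one way to move such records to a salted, slow hash at the next successful login. PBKDF2-HMAC-SHA256, the iteration count, the record format and the function names are choices made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000          # work factor chosen for this example
PREFIX = "pbkdf2_sha256$"     # marks records already stored in the new format


def legacy_md5(password: str) -> str:
    """Unsalted MD5: identical passwords always give identical records."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash; the salt is random per user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_md5(password), stored)


def login(users: dict, name: str, password: str) -> bool:
    """Verify, then replace a legacy MD5 record while the password is known."""
    stored = users.get(name)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith(PREFIX):
        users[name] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to share one password.
    users = {"alice": legacy_md5("Deck16-Flak!"), "bob": legacy_md5("Deck16-Flak!")}
    print("legacy records identical:", users["alice"] == users["bob"])
    login(users, "alice", "Deck16-Flak!")
    login(users, "bob", "Deck16-Flak!")
    print("upgraded records identical:", users["alice"] == users["bob"])
```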

