On Oct 17, 2020, around 07:00 GMT we became aware of a person who had gained access to an admin account. We are not certain of how they gained access. With the hijacked account that person changed the front page of the forum.
In response to this we restored the forum from a recent backup and changed the password of the compromised account. Several hours later the account was again compromised and this time the attacker began making malicious edits to category titles and malicious posts.
We again restored the forum from backup and again changed the password of the admin account and removed admin privileges from that account.
The admin account is a default account created with 'nodebb' (the software that runs this forum) and we had left it enabled with a relatively secure password.

Impact
While the attacker had access to the "admin" account they had access to, and could download, the list of all usernames and emails.
Passwords were not exposed and are stored encrypted.
It's a guess that the main goal of this attack was largely site defacement. The attacker seems to have a collection of defaced sites and was running up their score.

Analysis
We were on version 13 of nodebb, which had an open security advisory that could allow for account takeover. We do not know the exact method used for account takeover; exploiting that security advisory seems to have been the most likely attack vector used.

Corrective Action
We have upgraded the forum software to 14.3 picking up a number of security patches, notably picking up a patch for the security advisory mentioned above.
We now require all admin accounts to use MFA (multi-factor authentication). This new requirement means that if a password is compromised, an attacker would still not be able to log in to that account without the MFA device.
We have increased password complexity requirements from 6 characters to 8 and now require passwords to not be "easily guessable".
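As an added example (not NodeBB's code and not this forum's actual configuration), the following Python sketches the policy change just described: a checker run with the old six-character rule beside the new eight-character rule plus an "easily guessable" test. The deny-list, the guessability heuristics and the sample passwords are constructed for illustration only; NodeBB's own guessability check is not reproduced here.

```python
"""Password policy checker: old 6-character rule vs. new 8-character rule
with an "easily guessable" test.

Added illustration only. Not NodeBB's code; the deny-list and heuristics
below are constructed stand-ins for whatever the forum software actually uses.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample deny-list. A real deployment would use a large breach
# corpus (or a k-anonymity lookup against one) rather than a dozen entries.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein",
    "admin", "admin123", "nodebb", "welcome", "iloveyou",
})

# Rows used to spot keyboard-walk and alphabet/digit sequences.
KEYBOARD_ROWS = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz", "0123456789",
)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    reject_guessable: bool = True

    def check(self, password: str, username: str = "") -> list[str]:
        """Return the list of violations; an empty list means the password passes."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.reject_guessable:
            problems.extend(_guessable_reasons(password, username))
        return problems


def _guessable_reasons(password: str, username: str) -> list[str]:
    """Cheap heuristics standing in for a real strength estimator."""
    reasons: list[str] = []
    lowered = password.lower()
    # Strip trailing digits/punctuation so "admin1!" is still caught as "admin".
    core = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if lowered and len(set(lowered)) <= 2:
        reasons.append("uses only one or two distinct characters")
    if _is_sequence(lowered):
        reasons.append("is a keyboard or alphabet sequence")
    return reasons


def _is_sequence(s: str) -> bool:
    """True if the whole password is a contiguous run of a keyboard row, forwards or backwards."""
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


# The weak setting beside the corrected one (values as stated in the post).
OLD_POLICY = PasswordPolicy(min_length=6, reject_guessable=False)
NEW_POLICY = PasswordPolicy(min_length=8, reject_guessable=True)


def compare(password: str, username: str = "") -> dict[str, list[str]]:
    """Evaluate one candidate under both policies side by side."""
    return {
        "old": OLD_POLICY.check(password, username),
        "new": NEW_POLICY.check(password, username),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a default-style admin password, a keyboard
    # walk, and a passphrase-like value.
    for pw, user in (("admin1", "admin"), ("qwertyui", "admin"), ("Tr1pleA-Forum#2020", "admin")):
        print(pw, compare(pw, user))
```

The point of the side-by-side run is that a six-character policy with no guessability test accepts a password such as "admin1" for the default "admin" account, which is exactly the combination the incident above removed; the new policy rejects it on three separate grounds.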
We have deleted the unnecessary 'admin' account that had been compromised.

Lessons Learned and Future Investments
We will continue investing in the security of the forum to improve intrusion detection, security vulnerability notification, improve logging (so we can better investigate breaches), and facilitate deployments so that we can increase the deployment frequency and keep the forum software much closer to the latest version available.
There were a few reasons to bring in 1.8 compatibility:
we are getting about one error report a week for players launching 1.8 maps. The 1.8 maps keep coming up: https://github.com/triplea-game/triplea/issues/7132 https://forums.triplea-game.org/topic/2234/need-help-to-convert-an-old-game?_=1600642324318
we should never have assumed that we can upgrade all maps in bulk; we do not 'own' all maps, and not all maps are in the repositories
it's been a long-running design principle that maps should never be broken. The mechanisms to support this had some big problems and we dropped it in 1.9 as it was not scaling and really just was not cutting it.
As mentioned, 2.3 has a new map parsing architecture that makes supporting 1.8 maps much easier. Adding in that support resolves the above problems and gives us a proving ground for being able to support more XML variations going forward.
As a bonus, now that the map export is fixed and players can launch 1.8 maps, if they want to upgrade them they now only need to launch the map and can then re-export the XML.
@LaFayette I am totally aware of the history (for more than ten years). But what is the point of this topic then, if they all exist updated in Github? Aren't those legacy files (as they have been updated) as obsolete as TripleA 1.8 is nowadays?
@Panther the files in SourceForge were the source for the migration into GitHub. SourceForge is the old download location; it has been obsolete for some years now. Afaik they nearly all exist in GitHub, and the maps in GitHub are updated. The GitHub maps have histories; you can even check the commit list to see the updates.