Group Details Private

Global Moderators

Forum wide moderators

  • RE: Donation Drive For 2021

    @scousemart Thanks for the donation.

    posted in Donation Drive 2021
  • RE: Donation Drive For 2021

    @beelee Thanks for the donation!

    posted in Donation Drive 2021
  • Security Breach Oct-17-2020

    Incident

    On Oct 17, 2020, around 07:00 GMT we became aware of a person that gained access to an admin account. We are not certain of how they gained access. With the hijacked account that person changed the frontpage of the forum.

    In response to this we restored the forum from a recent backup and changed the password of the compromised account. Several hours later the account was again compromised and this time the attacker began making malicious edits to category titles and malicious posts.

    We again restored the forum from backup and again changed the password of the admin account and removed admin privileges from that account.

    The admin account is a default account created with the 'nodebb' (that runs this forum) and we had left it enabled with a relatively secure password.

    Impact

    While the attacker had access to the "admin" account they had access and could download the list of all usernames and emails.

    Passwords were not exposed and are stored encrypted.

    It's a guess that the main goal of this attack was largely site defacement. The attacker seems to have a collection of defaced sites and was running up their score.

    Analysis

    We were on version 13 of nodebb which had an open security advisory that could allow for account takeover. We do not know the exact method used for account takeover, exploiting that security advisory seems to have been the most likely attack vector used.

    Corrective Action

    • We have upgraded the forum software to 14.3 picking up a number of security patches, notably picking up a patch for the security advisory mentioned above.

    • We now require all admin accounts to use MFA (multi-factor-authentication). This new requirements means if a password is compromised, an attacker would still not be able to log in to that account without the MFA device.

    • We have increased password complexity requirements from 6 characters to 8 and now require passwords to not be "easily guessable".

    • We have deleted the unnecessary 'admin' account that had been compromised.

    Lessons Learned and Future Investments

    We will continue investing in the security of the forum to improve intrusion detection, security vulnerability notification, improve logging (so we can better investigate breaches), and facilitate deployments so that we can increase the deployment frequency and keep the forum software much closer to the latest version available.

    posted in Announcements
  • RE: ToC16 Prize Donations

    @bayder Anyone that donates to the toc prize please state in the comments section on PayPal that it is for the TOC and not a donation to TripleA. Thanks Pras

    posted in Revised Tournament Of Champions
  • RE: Donation Drive For 2021

    @Kindwind Thanks for the donation!

    posted in Donation Drive 2021
  • RE: Donation Drive For 2021

    @forthebirds Thanks for your donation!

    posted in Donation Drive 2021
  • RE: Donation Drive For 2021

    @seancb Thanks for your donation!

    posted in Donation Drive 2021