The Skulltag forum has been hacked!
Posted: Wed Jul 30, 2008 1:58 pm
EDIT: I forgot to include the source... Here it is: http://skulltag.com/blog/
Rivecoder wrote:
July 26, 2008 by Rivecoder
Um, well, yeah.
Today, a small group of hackers successfully took down most of Skulltag: they hacked the forums, DDossed the [FR] servers*, and dislocated our IRC channels.
I'm angry with myself, because this isn't the first time this has happened. Many months ago, the same people successfully invaded the forums. I made changes, but not the right ones – upgrading passwords, moving the admin dir, and closing the suspected “source” of the hack.
The problem is that this isn’t – wasn’t – enough. There will always be zero-day vulnerabilities for phpBB – all a hacker has to do is find them. The sad thing is that the hack this group used probably wasn’t even a zero-day attack; it just wasn’t fixed in phpBB 3.0.2. The result is the same, however; vanilla phpBB is not enough.
When we first got hacked, I contemplated changing the password hashing code. I stopped for two reasons – first, there was a pretty nasty line in the code warning me not to do that, and second, we had already re-opened the forums and I didn’t want to have everyone change their passwords again. I’ll just let it fade away, I thought.
Ah, such sweet naiveté.
Well, I no longer have that excuse. The password code is mine to redo. When the forums return, everybody will have to change their password – the old hashes will be completely incompatible. And, they won’t be saved using something insecure like MD5; I’m thinking Blowfish (via bcrypt) to start out with – something that doesn’t allow hashes to be created quickly. Salts will be unique by user, and lengthy. Rainbow tables won’t stand a chance.
We’ll also give the admin center its own password, which will be encrypted via SSL. Thus, even if attackers get admin rights, they won’t be able to do any serious damage before we splatter them with our banhammers. We’ll also watch the phpbb trunk carefully, as well as hack sites like milw0rm, for any breaking vulnerabilities. Just like the “reverse Skulltag” question on the register page, a quick variation off the main phpBB code will block 99% of the script kiddies and bots.
Meanwhile
I’m going to do a proper job here, so this could take several days. In the absence of the forums, feel free to chat with other Skulltaggers on IRC (which is under control now), and arrange games with Doom Connector (as the master is down).
In case you’re wondering who attacked us, it was a group led by Harrison; you can read more about them at their website. They want Metalhead gone, which is ridiculous; I’m not dumping any of my staff to bow down to some hackers. Metal has shown great loyalty during these dark and personal times; I’m very grateful for that. She's also a fair admin and a nice person (when you don't ban evade, that is).
They also offer leaked internal builds; feel free to try them, though you won’t be able to play on non-internal servers with them. You’ll also be at the mercy of Harrison and co as far as viruses go. (Edit: Harrison says they're OK.) I’m not sure how leaking builds fits in with the “we’re the good guys” campaign of these guys; same with DDossing some of Skulltag’s finest servers. A bit hypocritical, no?
Anyway, that’s what’s going on. Sorry for the disturbance, and see you on IRC (or DC)!
As there's no way for you to comment about this post, feel free to e-mail me, at rivecoder at skulltag dot com.
Thanks for your patience!
*Edit 2: Harrison says that his group didn't DDos the servers. However, we both agree that the timing was very coincidental. Since we have no proof for or against either claim, I'll have to leave it up to the reader to decide.
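Added example, not code from the post, phpBB or Skulltag: the password-storage change the post describes, with the rejected unsalted MD5 beside a slow hash carrying a long random per-user salt. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (which is not in the standard library), and the password, user names and record layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000      # work factor: raise it as hardware gets faster


def md5_unsalted(password: str) -> str:
    """Legacy scheme the post rejects: unsalted and fast, so every user with
    the same password gets the same hash and one precomputed table fits all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow, per-user salted hash. PBKDF2-HMAC-SHA256 stands in for bcrypt;
    the stored record carries algorithm, work factor, a 16-byte random salt
    and the digest, '$'-separated (constructed layout, not phpBB's)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_hash(stored: str) -> bool:
    """A bare 32-hex-digit value is an old MD5 record: such accounts are sent
    through a password reset instead of being verified against it."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def demo() -> dict:
    """Two users (constructed) pick the same password."""
    alice_old, bob_old = md5_unsalted("hunter2"), md5_unsalted("hunter2")
    alice_new, bob_new = hash_password("hunter2"), hash_password("hunter2")
    return {
        "md5_collides": alice_old == bob_old,        # True: one table cracks both
        "salted_differs": alice_new != bob_new,      # True: salt is per user
        "verify_ok": verify_password("hunter2", alice_new),
        "verify_wrong": verify_password("hunter3", alice_new),
        "legacy_forced_reset": is_legacy_hash(alice_old),
    }


if __name__ == "__main__":
    print(demo())
```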