Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 4:19 am
by iamgoofball
Deactivate administrative permissions on accounts that are logging in under suspicious circumstances, pending a response to a security question. We can automate this, but doing it manually would suffice for now.

Mandatory criteria for suspicious circumstances:
1. Hasn't logged in for a time period, ideally a week, but a month at most.
2. Has logged in on a new IP address. No exceptions, even if the CID matches, because modern ban evasion tools can spoof a specific CID and due to other SS13 servers suffering worse security breaches to their database in the past, we can't verify that nobody knows an admin's CID.
3. Has logged in on a new CID.
4. Is manually marked as "suspicious" by another admin.

This does not protect against RAT attacks, but will protect against social engineering attacks and "big company fucked up and now your password is leaked" attacks.

Require admins to verify their identity in #adminbus on discord via a security question of their choosing stored with headmins or MSO to regain their permissions. We can also script this into the discord bots and TGS3/4, so that admins could verify from in-game as well.

We have approximately 120 people on the admins.txt as per Statbus's listings at https://atlantaned.space/infobus/adminwho/ and every time a password breach occurs, we roll the dice for every one of these accounts that someone who isn't the account owner logs in and fucks with things during lowpop hours with no admins logged in, even in stealthmin mode, which happens frequently during dead hours.

This is no longer hypothetical. It has happened, as evidenced by the ban log.

All it takes is one person with a functional banning panel to fuck up an insane amount of bans, delete a bunch of notes, and cause a lot of havoc in the span of five minutes.

We are very, very lucky that these two dumbasses unbanned themselves instead of choosing to use javascript to automatically unban a very large chunk of the ban table before being caught.

A real attacker with sufficient time and preparation could have used the absolute trust we give administrator accounts to unban a significant amount of people via automation before being caught if they timed it right.

How soon can we expect /tg/ administration to take action? If you guys refuse, you're announcing to every bad actor we have in this community that it's open season on breaching administrator accounts every time some admin's Ashley Madison account gets compromised and sold in a password dump because the statistics prove a vast majority of users do not change their passwords, and that a majority of users share passwords.
Here's the results from a survey the CSID did!
https://www.csid.com/wp-content/uploads ... _FINAL.pdf
Here's some handy graphs from that survey!

That's 73 of 120 admins who use their BYOND password on Ashley Madison or Adobe or some other fuckin website that did a dumb and had plaintext passwords leaked as listed on haveibeenpwned.

"What if admins just have good passwords?"
Good passwords get cracked when they're shared with other sites.
Can you verify that all 120+ people on the admins.txt have a unique password for BYOND only?

No, you can't, not without asking for their password and that's unacceptable. Hence why we should use security questions as a method of 2FA.
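The four criteria and the "deactivate permissions pending verification" rule from this post, as an added Python example that is not part of the thread or of the /tg/ codebase; the names (AdminRecord, on_admin_login, on_verified), the seven-day inactivity limit and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=7)   # "ideally a week, but a month at most"


@dataclass
class AdminRecord:
    """Constructed in-memory stand-in for one admins.txt entry plus the
    IPs and CIDs seen on that admin's previous connections."""
    ckey: str
    known_ips: set = field(default_factory=set)
    known_cids: set = field(default_factory=set)
    last_login: Optional[datetime] = None
    flagged_by_admin: bool = False     # criterion 4: marked "suspicious" by another admin


def suspicious_reasons(rec, ip, cid, now):
    """Return the criteria from the post that this connection trips (empty = clean)."""
    reasons = []
    if rec.last_login is None or now - rec.last_login > INACTIVITY_LIMIT:
        reasons.append("inactive")     # criterion 1
    if ip not in rec.known_ips:
        reasons.append("new_ip")       # criterion 2: no exception for a matching CID
    if cid not in rec.known_cids:
        reasons.append("new_cid")      # criterion 3
    if rec.flagged_by_admin:
        reasons.append("flagged")      # criterion 4
    return reasons


def on_admin_login(rec, ip, cid, now):
    """Grant admin permissions only when no criterion fires; otherwise hold
    them pending the out-of-band security question. Returns (granted, reasons)."""
    reasons = suspicious_reasons(rec, ip, cid, now)
    if reasons:
        return False, reasons          # permissions stay deactivated
    rec.last_login = now
    return True, []


def on_verified(rec, ip, cid, now):
    """Called once the admin has answered their security question (assumed to
    happen in #adminbus, as the post proposes): trust this IP/CID pair, clear
    the manual flag and re-run the login decision to restore permissions."""
    rec.known_ips.add(ip)
    rec.known_cids.add(cid)
    rec.flagged_by_admin = False
    rec.last_login = now
    return on_admin_login(rec, ip, cid, now)
```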

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 8:50 am
by PKPenguin321
wyci

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 9:12 am
by Mothblocks
oranges has suggested CID whitelists, and having admins (I forget which ones, exactly) manually whitelist other admins' CIDs if they change. I thought that was quite good. CID spoofing is possible but you need to actually get their CID in the first place, which would probably be something they'd try to get from social engineering you into a rogue BYOND instance.

It's all code, though.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 9:16 am
by Not-Dorsidarf
If this was actually the first manifestation of admin account hijacking from password scraping I'd be inclined to brush you off.

The real problem is that this is not the first one of these incidents, meaning that the security measures admins are supposed to be adhering to and teaching new admins to adhere to are, to an unknown degree, not actually being followed/taught. Maybe goofball is onto something for a change.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 9:25 am
by iamgoofball
I spoke with ninja and they recommended a verification system via the discord where admins can do like, "@verify terry" to verify on terry. The likelihood of a combo BYOND and Discord breach is incredibly low.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 11:05 am
by technokek
I don't think byond supports 2fa and banning new IP addresses is dumb because dynamic IPs are the standard.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 12:38 pm
by BeeSting12
A discord based 2FA system would probably work. Maybe have it remember the admin for the day if they log in unless it's on a different CID though? I reconnect sometimes due to poor internet and I'd hate to have to reverify every time.

The only sensitive information admins can get their hands on ingame is IP addresses, so I don't think this is a big privacy concern. If someone is willing to code it, I don't see why we shouldn't have a verification bot for admins aside from the 15 seconds of inconvenience it would cause said admin. It could save us a lot of grief the next time something like this happens.

It happened to lzimann a long time ago, it just happened again, and as the admin team grows, I don't see why it wouldn't happen again unless we enact some measures against it beyond telling admins to have gud passwords.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 2:01 pm
by Cobby
I really don’t want a convoluted process of logging into multiple areas because there are some people who haven’t changed their passwords. Perhaps a simple pin system when admins log through a new cid would be sufficient, and we ban dumb ones like 1234 and 0000 so admins HAVE to be a bit creative.

If we think these people aren’t very keen on picking up good password practices who is to say their discord pass and byond pass are different? Can we determine if someone has 2fa on? I’m not entirely sure discord is the way to go here since most of these hackings seem like opportunity arises from doodoo practices instead of actually forcing the pw else they’d go for headmin accounts or at the very least people with better access than an admin.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 4:15 pm
by Not-Dorsidarf
Cobby wrote:I really don’t want a convoluted process of logging into multiple areas because there are some people who haven’t changed their passwords. Perhaps a simple pin system when admins log through a new cid would be sufficient, and we ban dumb ones like 1234 and 0000 so admins HAVE to be a bit creative.

If we think these people aren’t very keen on picking up good password practices who is to say their discord pass and byond pass are different? Can we determine if someone has 2fa on? I’m not entirely sure discord is the way to go here since most of these hackings seem like opportunity arises from doodoo practices instead of actually forcing the pw else they’d go for headmin accounts or at the very least people with better access than an admin.
If we think these people aren’t very keen on picking up good password practices who is to say their discord pass and byond pass are different?
Yeah that's kinda the whole reason this happens, if their byond pw is the same as some crappy service they signed up to 8 years ago their discord pass is likely to be the same

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 4:32 pm
by bobbahbrown
Cobby wrote:I really don’t want a convoluted process of logging into multiple areas because there are some people who haven’t changed their passwords. Perhaps a simple pin system when admins log through a new cid would be sufficient, and we ban dumb ones like 1234 and 0000 so admins HAVE to be a bit creative.

If we think these people aren’t very keen on picking up good password practices who is to say their discord pass and byond pass are different? Can we determine if someone has 2fa on? I’m not entirely sure discord is the way to go here since most of these hackings seem like opportunity arises from doodoo practices instead of actually forcing the pw else they’d go for headmin accounts or at the very least people with better access than an admin.
im looking at implementing the cid idea

best wishes,
bobbah 'bee' brown

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 6:29 pm
by Vekter
This wasn't a hypothetical, it's happened before.

I should know.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 7:25 pm
by FloranOtten
1. Hasn't logged in for a time period, ideally a week, but a month at most.
2. Has logged in on a new IP address. No exceptions, even if the CID matches, because modern ban evasion tools can spoof a specific CID and due to other SS13 servers suffering worse security breaches to their database in the past, we can't verify that nobody doesn't know an admin's CID.
3. Has logged in on a new CID.
4. Is manually marked as "suspicious" by another admin.
answer a manual security question
Firstly, we have admins that play on VPNs. Secondly, we have admins that have dynamic IP addresses. If you did number 2, they would never get to admin.

To address point 1, a week? God damn. People go on week absences all the damn time. Get our permissions reactivated every time we're busy? Headmins would never do anything else.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Wed May 26, 2021 11:33 pm
by iamgoofball
If you can't type in discord "@verify terry" once a week or month you're being a whiny baby.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Thu May 27, 2021 7:26 am
by NikNakFlak
Most goof threads are a bunch of nonsense. This is not one of those threads.

If people are gonna be dumb with their passwords, then we should have something in place to help mitigate that.
Discord bot 2FA, some sort of whitelisting. Something. I am onboard with this and it should be a thing. There have already been too many instances of breaches occurring from bad actors.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Thu May 27, 2021 2:31 pm
by FloranOtten
iamgoofball wrote:If you can't type in discord "@verify terry" once a week or month you're being a whiny baby.
That ain't answering a manual security question, is it?

I support 2fa, just don't make it a massive bother.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Thu May 27, 2021 11:30 pm
by Cobby
iamgoofball wrote:If you can't type in discord "@verify terry" once a week or month you're being a whiny baby.
you're not in the mindset of someone with poor password habits. If I have my byond pass as omegalol123 and a gmail account i made years ago with the pass of omegalol123, it's likely im

1) not using discord 2fa
2) dumb and have my discord password as omegalol123 too

to me it should be a code only that person knows and it's built specifically so it's impossible to recreate your omegalol123 password.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Sat May 29, 2021 8:12 pm
by bobbahbrown
given that the previous event's success has given this subject more attention than usual, it's unsurprising that another admin's account has fallen to the same (assumed) poor practice of re-using passwords a few minutes ago.

the headmins should be encouraging the use of randomized passwords on admin accounts, a quality password manager like Keepass makes this process rather simple and is something that i personally have been doing for a long time without issue.

through the proactive (very easy) use of something like Keepass you can have a randomized string of characters as a password for all your accounts and not have any problems like this, assuming you don't let the manager get compromised. i recommend keepass for the fact that it is not something stored online unless you elect to upload the database file to somewhere for backup or storage. i personally combine the use of keepass with a Yubikey to make it virtually impossible to access the database without my physical key being present.

with best intentions,
bobbah 'bee' brown

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Sun May 30, 2021 12:25 am
by Denton
Aside from Keepass, I can also recommend Bitwarden. It's open source as well, but accessing your data across multiple devices is a bit easier.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Sun May 30, 2021 12:56 am
by Jonathan Gupta
Denton wrote:Aside from Keepass, I can also recommend Bitwarden. It's open-source as well, but accessing your data across multiple devices is a bit easier.
here is a memory trick, Imagine yourself in a space you're familiar with. In said space imagine a few things you have to remember, put them on a surface in that space. Now when you have to remember it it is easier and no one else knows it except you (and it's free) also it can work with things besides passwords.

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Sun May 30, 2021 8:58 am
by MrStonedOne
Discord does not require secure passwords.

Discord does not have a perfect track record with account security, or the security of the 2fa system.

Discord does not check passwords against the hibp leaked password list.

Discord does not provide us a way of knowing or requiring 2fa be enabled to do some bot function/command. (we can however limit moderator actions).

I do not get why everybody always falls back to discord backed re-authorization as the ideal automated way of doing this.

Me and moth blocks will be setting a system to require admins validate ownership of a forum account that is in our in game admin group to admin up from connection any time their cid or ip changes.

I'll look at 2fa for the forums, but I'm not too worried because the forums reject leaked passwords for logging in, even if they are the correct password, and don't accept common or simple p@$$w0rds
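The leaked-password rejection MrStonedOne describes for the forums, as an added Python example that is not the forum's code: it follows the hibp k-anonymity range scheme (only the first five hex characters of the SHA-1 leave the server), the sample range body is constructed, and the 12-character floor and function names are assumptions.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the hibp "range" endpoint returns for a
# 5-character SHA-1 prefix: one "SUFFIX:COUNT" line per leaked hash. Real
# responses run to hundreds of lines; suffixes and counts here are made up,
# except that the middle line is the real suffix of SHA-1("password").
SAMPLE_RANGE = {
    "5BAA6": "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\r\n",
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5 chars sent to the service
    and the 35 chars that stay on our side (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn a range response body into {suffix: breach_count}."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real lookup against api.pwnedpasswords.com; not used by the offline checks."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def leaked_count(password, lookup=lambda prefix: SAMPLE_RANGE.get(prefix, "")):
    """Number of breaches the password appeared in (0 = not in the list).
    Pass lookup=fetch_range_live to query the real service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def password_problems(password, min_len=12):
    """Reasons a login password would be refused; empty list = acceptable.
    The length floor is an assumption; the leak check is the rule the post describes."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    hits = leaked_count(password)
    if hits:
        problems.append("leaked:%d" % hits)
    return problems
```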

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Sun May 30, 2021 10:10 am
by oranges
out of date phpbb forum with heavily modified php considered more secure than discord in 2021

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Mon May 31, 2021 9:38 pm
by XivilaiAnaxes
MrStonedOne wrote:Me and moth blocks will be setting a system to require admins validate ownership of a forum account that is in our in game admin group to admin up from connection any time their ip changes.
Oh dear

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Mon May 31, 2021 10:01 pm
by PKPenguin321
XivilaiAnaxes wrote:
MrStonedOne wrote:Me and moth blocks will be setting a system to require admins validate ownership of a forum account that is in our in game admin group to admin up from connection any time their ip changes.
Oh dear
and just like that, all the keys have fallen into my domain ?

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Mon May 31, 2021 11:52 pm
by Mothblocks
but you're not moth blocks...

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Tue Jun 01, 2021 1:17 am
by Jonathan Gupta
Jaredfogle wrote:but youre not moth blocks...
and who are you supposed to be big guy? I'll have you know I eat girls like you for breakfast when I cook them in my human meat soup so let me tell you non binary WHO ARE YOU? MOTH BLOCKS OR SOMETHING??

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Tue Jun 29, 2021 7:49 am
by technokek

Re: Congratulations, that hypothetical admin account hijack happened. Put some 2FA in already.

Posted: Mon Sep 06, 2021 11:35 am
by Coconutwarrior97
Thanks to mothblocks' work we have a form of 2FA for admins now, thanks mothblocks.

Headmin Votes:
Coconutwarrior97: Yes.
Jimmius: Yes.
Naloac: Abstain, on vacation.

Headmin Elect Vote:
NamelessFairy: Yes.