Security problem and possible solution


Hi, my name is Nicola. I am an engineering student and programmer.

Before writing this post I contacted 0 A.D. via the "Contact Us" form, and a community member kindly suggested posting a thread here.

I have been playing 0ad for several years and I think that in the future it will become one of the best RTS games! However, in my opinion play0ad.com has a security problem.

It does not have adequate protection against password theft by brute-force attacks. Using WordPress as CMS, the login page is vulnerable. For instance, a malicious user could easily discover the admin username and then try to steal its password.

This forum as well has a security problem. If I enter the wrong password while logging in, my account gets locked for 15 minutes. This security measure can be annoying for real users, but doesn't even provide a real security control. In fact, if someone creates a script to enter random usernames and passwords, in a short time he could block every account on the forum.

I'm writing here to propose the service I developed as a solution.

It is called Colobe and protects your site against brute-force attacks. It has a dynamic list of malicious users, which is updated in real time to guarantee the highest level of protection for your site. Rather than only protecting from brute-force attacks, Colobe prevents them. It uses its dynamic list to identify malicious users during the login process and block the login attempt before it is even carried out. I have also created a plugin for WordPress to make things easier.

I can offer it to the WildFire Games community for free. In return I only ask to put the logo of the service on the login page, with something like "protected by Colobe" written beside it. Just to let users know what Colobe is and that it works.

If you are interested, you can find more information on the website or in the attached presentation.

The project page: Colobe.net

The WordPress plugin: wordpress.org/plugins/colobe-security/

Thank you for your attention :)


There are two threats here. One is the denial of service attack (locking accounts by trying to break in), the other is successfully breaking in and taking over one account.

It's not clear how identifying a "malicious user" (i.e., an account owned by an innocent person, which is the target of a break-in attempt), and preventing login, is more useful (or even different) than locking the account.

It's also not clear how you could increase the difficulty of a brute-force attack leading to a successful break-in, other than by the obvious means of requiring strong passwords (non-dictionary words, special characters, minimum length, yadda yadda yadda).


There's no money to be made by hacking the Web site, so why would anyone bother? Donations are handled elsewhere, so there's no financial information to be stolen - it's simply not an attractive target for malicious hackers, and doesn't need a high level of security. You're correct that it's not very secure, but it doesn't need to be.


I tried using a wrong password; it says the account is blocked for 14 minutes, and indeed it is on that machine (tried with 2 different browsers), but from a different machine it logs in properly (supposedly it checks the client IP). So I see no security DoS here.

It has a dynamic list of malicious users, which is updated in real time

About that, why don't you propose mainlining it in the upstream project? I am a bit sceptical about using plugins that, being used by few and not well code reviewed, may themselves introduce security problems. It has happened already in the past. Sometimes they were themselves backdoors :).


I tried using a wrong password; it says the account is blocked for 14 minutes, and indeed it is on that machine (tried with 2 different browsers), but from a different machine it logs in properly (supposedly it checks the client IP). So I see no security DoS here.

Thanks for the correction.

About that, why don't you propose mainlining it in the upstream project? I am a bit sceptical about using plugins that, being used by few and not well code reviewed, may themselves introduce security problems. It has happened already in the past. Sometimes they were themselves backdoors :).

I don't think that my plugin contains backdoors, because the code of the plugin is very simple; anyway, if you want to see it, check it out here: http://wordpress.org...olobe-security/ :)

Edited by pesapower

Sorry, play0ad.com doesn't lock anything, and I think (imho) that stopping a malicious user (client) is more intelligent than blocking an account, because if you block an account the malicious client can attack other accounts during those famous 15 minutes. Blocking an account is one way, but stopping a client is another, better way, imho.


By "stop a client" I assume you mean, refuse connections from a particular IP address that has been seen to try multiple wrong passwords. I wouldn't have a problem with that, if it were time-limited. Wouldn't stop a determined attacker from using Tor to attack from multiple IP addresses, but it would inconvenience the bad guy at least a little.


Pesapower, perhaps not quite explained simply enough at the start, but is this an accurate description of your Colobe service:

"block at the application layer requests to WordPress from IP addresses known to have previously made multiple incorrect login attempts, i.e. characteristics which could be consistent with a brute-force attempt"

Edited by Echelon9

An undesirable side effect of assigning an IP address to a malicious user is that innocent people using the same IP (for example, a Tor exit node) will be unable to use it to connect to the WordPress server. Obviously that's less of a problem if the block time is shorter. Probably any block time, even minutes, is sufficient to make the attacker move on to another target that can be attacked efficiently.

An alternative approach is in place on many UNIX-like systems: if the username/password combination is incorrect, just wait 5 seconds or so before giving the bad news. A brute force attack under those conditions wouldn't be able to try more than a dozen username/password combinations in an hour (assuming no other defenses, like disconnecting the attacker after three attempts). I don't have the data, but I would guess that would make it difficult to break in---the job of hours or days.

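The trade-off this sub-thread argues over (locking the targeted account, which lets a script with random usernames lock everyone out, versus stopping the client's address for a limited time, which a shared exit node turns into collateral damage) as an added example, not code from the forum, from 0 A.D. or from Colobe: one sliding-window throttle whose key function chooses what gets locked, run over a constructed scenario. The account names, addresses and the 3-failure / 15-minute thresholds are illustrative assumptions.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counter with a time-limited block. key_fn picks what is
    locked: the account (the forum's behaviour) or the client IP ("stop a client").
    The 3-failure / 15-minute figures are illustrative, not taken from Colobe."""
    def __init__(self, key_fn, max_failures=3, window=900, block_for=900, clock=time.monotonic):
        self.key_fn, self.max_failures = key_fn, max_failures
        self.window, self.block_for, self.clock = window, block_for, clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> time at which the block expires
    def is_blocked(self, username, ip):
        key, now = self.key_fn(username, ip), self.clock()
        if now < self.blocked_until.get(key, float("-inf")):
            return True
        if self.blocked_until.pop(key, None) is not None:  # expired: the block is time-limited
            self.failures.pop(key, None)
        return False

    def record_failure(self, username, ip):
        key, now = self.key_fn(username, ip), self.clock()
        q = self.failures[key]
        q.append(now)
        while now - q[0] > self.window:     # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[key] = now + self.block_for

    def record_success(self, username, ip):
        self.failures.pop(self.key_fn(username, ip), None)

def run(throttle, credentials, attempts):
    """Feed (username, password, ip) triples; return one outcome per attempt."""
    out = []
    for user, pw, ip in attempts:
        if throttle.is_blocked(user, ip):
            out.append("blocked")
        elif credentials.get(user) == pw:   # toy plaintext check; a real store holds hashes
            throttle.record_success(user, ip); out.append("ok")
        else:
            throttle.record_failure(user, ip); out.append("denied")
    return out
# Constructed scenario: three wrong guesses at "alice" from one address, then the real
# owner logging in from another address, then the guesser turning to "bob".
CREDS = {"alice": "correct horse", "bob": "battery staple"}
ATTEMPTS = [("alice", "123456", "203.0.113.5"), ("alice", "password", "203.0.113.5"),
            ("alice", "qwerty", "203.0.113.5"), ("alice", "correct horse", "198.51.100.7"),
            ("bob", "123456", "203.0.113.5")]
per_account = run(LoginThrottle(lambda user, ip: user), CREDS, ATTEMPTS)  # owner locked out, guesser moves to "bob"
per_ip = run(LoginThrottle(lambda user, ip: ip), CREDS, ATTEMPTS)         # owner logs in, guesser's address stopped
```

Passing a fake `clock` shows the other half of the argument: once `block_for` seconds have elapsed the address is released, so a shared exit node is only inconvenienced for the block time rather than permanently.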

An undesirable side effect of assigning an IP address to a malicious user is that innocent people using the same IP (for example, a Tor exit node) will be unable to use it to connect to the WordPress server. Obviously that's less of a problem if the block time is shorter. Probably any block time, even minutes, is sufficient to make the attacker move on to another target that can be attacked efficiently.

That's correct; anyway, who uses Tor to log into an account on play0ad.com or wildfiregames.com/forum?! :)

And using the IPs has the advantage that if a bot server attacks a site, it won't be able to attack any other sites that use Colobe to protect the login page.


Even for me it was hard to sign in to the forum today, and I cannot change my password. I don't know why.

Could you please explain what you mean? You apparently have changed your password, otherwise you would not have been able to log in, as we removed all the old ones as a safety measure. Are you saying you can't change your password after that process? If so, you need to enter the password that was sent to you during the password reset process in the "Current password" field, not the password you had previously.


pesapower, I've looked over your website and cannot find anything regarding how your service works. How does it detect malicious users before they try to brute force? What exactly is the service you're offering? Is it just an IP blacklist? These are things you should be open about.

Looking further, I don't see any API documentation. I see documentation about a library, which I cannot download until I register for your service. But nothing about the working of the API. Also, since you're in the business of security, I find this little part of your documentation very interesting:

"Warning! In the library there is also the Secret Key associated with the site! This Key must remain secret!"

One thing that I also wonder about: how do you warrant privacy for 3rd parties (the customers of your customers)? Your privacy statement talks about a person's personal privacy; what about their users? Since I cannot access your library and do not have any API documentation, I can't know exactly -what- is sent to your service, but there is user data sent along with every API request I'm sure. What happens with this data? What is stored, where is it stored, how securely is it stored and what is it used for?

While I think everyone here appreciates you offering your services, I honestly don't see it happening with the current tidbits of information you have provided. Especially not in exchange for advertising space.

I thank you for your advice about the WordPress problem though. I have remedied the issue.


I thank you for your advice about the WordPress problem though. I have remedied the issue.

You're welcome.

Thank you for your feedback about Colobe's documentation.

In order:

- "How does it detect malicious users before they try to brute force?"

Colobe does NOT detect malicious clients before they try to brute force; it is not magical. BUT if a client tries to brute force a site (for example pippo.com) he gets detected, and then if the same client tries to attack any other site that uses Colobe, he will be detected before attacking.

Every client added to Colobe's list has a "warning level" that indicates whether he is more or less reliable.

- "I see documentation about a library, which I cannot download until I register for your service. But nothing about the working of the API."

The algorithms used by Colobe are not public for safety reasons. Sorry that you can't download a sample copy of the library! Here you can download a copy of the library: colobe-lib.php.

- "Warning! In the library there is also the Secret Key associated with the site! This Key must remain secret!"

Yes, there is a secret key and an ID in the library that a user can download after adding a site to Colobe.

- "One thing that I also wonder about: how do you warrant privacy for 3rd parties (the customers of your customers)? Your privacy statement talks about a person's personal privacy; what about their users? Since I cannot access your library and do not have any API documentation, I can't know exactly -what- is sent to your service, but there is user data sent along with every API request I'm sure. What happens with this data? What is stored, where is it stored, how securely is it stored and what is it used for?"

The only information that the library (or the WordPress plugin) sends to Colobe is an IP address and a boolean value (0 or 1). No username, password or email is sent to Colobe, for 2 reasons: privacy and security for the sites that use this service. The information is stored in Colobe's databases and is used only to identify the malicious clients and to improve the service. "How securely is it stored?" I don't tell that to others.

- "While I think everyone here appreciates you offering your services, I honestly don't see it happening with the current tidbits of information you have provided. Especially not in exchange for advertising space."

Your question is right. Colobe is an economic cost for me, but I have decided not to sell advertising space because I think that a secure service without advertising is more professional, and also because I want to guarantee the privacy and the security of my users. To recover the costs, Colobe uses a system of plans where users that have a commercial (or non-personal) site pay to use the service in proportion to the size of the site. For personal sites that don't earn money (beyond their cost) and for small to medium-sized open source project sites that don't earn money, the service is free.

I hope I have answered your questions in a comprehensive manner :)


I categorically reject security technology whose design is hidden. You should too.

Hi, I have a question for you: have you never used antivirus software on your personal computer? I use Avast antivirus; it is closed source, but I never thought that it is NOT secure because its algorithms are hidden!
