The following is a preliminary review of my GitHub account compromise (not GitHub’s fault) and related Gamocosm security. Gamocosm is a project of transparency; I may not be professional, but I intend to be genuine. I will continue documenting the security status and practices of Gamocosm over the next while. As bad as this incident was, I would like to reiterate that Gamocosm servers and data were not compromised.

Around 12:00 noon eastern time on 2018 January 7, a hacker gained access to my GitHub account and deleted the Gamocosm organization along with all the repositories. He/she then attempted to log on to my personal Digital Ocean account, presumably to try to delete the Gamocosm servers. Digital Ocean detected suspicious activity, automatically blocked the logon, and emailed me.

Fortunately, I just happened to be checking my email and quickly changed all my passwords. Unfortunately, before I could save it, he/she also deleted my personal Gamocosm account. There was a small window in which he/she could have done more damage on GitHub, but it seems deleting Gamocosm was all.

This security breach was no fault of GitHub’s; it was enabled purely by my own negligence in not protecting my logins and not enabling two-factor authentication. I have updated all my passwords, enabled 2FA, and from this experience recommend that all of you do too (I will look into adding 2FA to Gamocosm).

Fortunately, GitHub support was very helpful and able to restore the organization with all the old data such as the wiki and submitted issues. If they had not been able to, I would have been able to restore Gamocosm itself (I have a copy of the source code), but we would have lost some updated wiki pages and other data such as issues and the discussions on them.

After thorough investigation (within my power), Gamocosm servers and data were not compromised. The servers and services used by Gamocosm were under better security than my personal accounts, though I’ve taken the time to tighten them up too. If Gamocosm’s database was breached, the following user data could be leaked:

  • emails
  • passwords salted and hashed with bcrypt (practically uncrackable; Gamocosm is following best practices)
  • Digital Ocean API keys (ability to destroy your servers and snapshots, or spawn many servers/use many resources)
  • any live server IPs, and the Minecraft Server Wrapper key (ability to start/stop/run commands on Minecraft server)

If Gamocosm’s server was completely breached, the following data would additionally be breached:

  • Gamocosm’s SSH key, able to log in as root on users’ servers to execute commands (run setup and update)

So the hacker(s) would have root access to your servers. This may be a huge oversight/something I should have made clear before, but there is no good way around it, and I considered Gamocosm to be very secure (possibly justified).

As for my GitHub account hack, it had no relation to the security of Gamocosm’s servers.

If the hacker chose to upload malicious code in the gamocosm-minecraft-flavours repository, he/she would be able to run said code as an unprivileged user on a new server. This step is performed before user SSH keys are uploaded (and root SSH keys are protected by OS filesystem permissions), so the only sensitive data that could be leaked is the MCSW key. This could later be used to start/stop/run commands on the Minecraft server. The hacker could install his/her own SSH keys and other user-level programs to continue snooping on a newly created server.

If the hacker tried to write malicious code in the primary Gamocosm repository (for the Gamocosm server), the Gamocosm server would only pull the code if someone with access to the server did so. This is a possibility if I am careless and do not review all git commits.
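
One way to make the manual pull described above depend on review rather than on whatever the repository tip happens to be is to advance the deployed checkout only to a commit hash that was read and approved beforehand. The following is an added example, not Gamocosm's own code; the function name `update_to_reviewed`, the remote name `origin` and the branch `master` are assumptions.

```bash
#!/usr/bin/env bash
# Added example: advance a deployed checkout only to a commit that was reviewed.
# Assumptions (not from the Gamocosm project): remote "origin", branch "master".

# update_to_reviewed <repo_dir> <reviewed_commit> [branch]
# Returns 0 if the checkout now sits at <reviewed_commit>, non-zero otherwise.
update_to_reviewed() {
    local repo="$1" reviewed="$2" branch="${3:-master}" target head

    git -C "$repo" fetch --quiet origin || return 2

    # The reviewed hash must name a commit that exists after the fetch.
    target=$(git -C "$repo" rev-parse --verify --quiet "${reviewed}^{commit}") || {
        echo "refusing: $reviewed is not a known commit" >&2; return 3; }
    head=$(git -C "$repo" rev-parse HEAD)

    # It must be on the published branch ...
    git -C "$repo" merge-base --is-ancestor "$target" "origin/$branch" || {
        echo "refusing: $target is not on origin/$branch" >&2; return 4; }
    # ... and must extend what is already deployed (no rewritten history).
    git -C "$repo" merge-base --is-ancestor "$head" "$target" || {
        echo "refusing: $target does not descend from deployed $head" >&2; return 5; }

    # Show exactly what is deployed and what is deliberately left behind.
    echo "deploying:"
    git -C "$repo" log --oneline "$head..$target"
    echo "not deployed (unreviewed):"
    git -C "$repo" log --oneline "$target..origin/$branch"

    # Fast-forward to the reviewed commit only, never to the remote tip.
    git -C "$repo" merge --quiet --ff-only "$target"
}
```

Commits pushed after the review stay undeployed, and a force-push that rewrites history is refused because the deployed commit is no longer an ancestor of the new tip.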

Further security documentation will be posted soon. Thank you again for your patience and support.