Curse

Phibes · Jan 02, 2010, 12:09 PM // 12:09

Quote:

Originally Posted by Riot Narita

Require old password, before allowing you to set a new GW password.
This is VERY welcome. It was an obvious feature that should have been there from the start, it was conspicuous by its absence. But at least we finally have it.

People randomly accessing master accounts no longer get the keys to the (GW) kingdom.

I feel much safer now, but I hope that there is more to come.

I feel safer about the game account.

However, you still do not need to enter a current password to change the NCMA password. Which means if someone manages to randomly land in your account via logging in through their own they can still see all your personal profile information.

It only asks for a current password if you have forgotten it, and do a password reset (I got my husband to check this, as he had forgotten his) - then you have to enter the temporary reset password (which expires immediately) to change it to a new one.

So I will be filling my profile with dummy info until NCSoft sort out whatever the heck is going on with these seemingly random erroneous logins.

DragonRogue · Jan 02, 2010, 12:30 PM // 12:30

Quote:

Originally Posted by Turbo Ginsu

Unfortunately, due to the way liability laws work, a public apology is an admission of guilt, and something you'll almost never get from a Corp. Transparency, honesty and down to earth decency is generally something u only get with private operators...

Sadly this is true. However, sadder still is that if something isnt acknowledged and rectified to everyones satisfaction, no one will waste their money or time on their products again. Few will have their faith restored in the security of their games.

Improvavel · Jan 02, 2010, 12:37 PM // 12:37

Quote:

Originally Posted by fenix

2) Every single thread ended up with trolling and flaming about internet security - which now clearly has no affect on whether you get hacked or not.

So are you saying and everyone in this thread saying that all of the accounts hacked were so because NCsoft master account?

I've a few NCsoft master accounts and I'vent been hacked.

And there are people that have been hacked without having a NCsoft account.

It is much easier to just get the information off some poorly protected PC or some careless user than hacking an average secure website.

That extra layer of security implemented, by requesting current password is nice, but sincerely I felt secure before and still feel secure.

Turbo Ginsu · Jan 02, 2010, 12:43 PM // 12:43

Quote:

Originally Posted by Improvavel

So are you saying and everyone in this thread saying that all of the accounts hacked were so because NCsoft master account?

I've a few NCsoft master accounts and I'vent been hacked.

And there are people that have been hacked without having a NCsoft account.

It is much easier to just get the information off some poorly protected PC or some careless user than hacking an average secure website.

That extra layer of security implemented, by requesting current password is nice, but sincerely I felt secure before and still feel secure.

Thing is, no-one is saying that so much as pointing out the glaringly obvious. i.e. If there wasn't a problem, then today's action on the part of aNet and ncsoft would have been unneeded, and therefore would not have happened.

Actions speak louder than words, and in this case, their action says it all.

Nereyda Shoaal · Jan 02, 2010, 01:12 PM // 13:12

Quote:

Originally Posted by Regina Buenaobra

(...) If you try to change your password on the NCsoft web site now, you will notice one of these changes: you will be required to input the old password to change it to a new one

A basic (BASIC) security option added to the website after how many years?
I generally believe ANet care about what they do (whether community agrees or not it's a different story) but NCSoft is an absolute joke
The bigger company the smaller axe falls on people responsible for the mess. Or... not trying to prevent the mess I should say

I'm not pissed about the money I spent purchasing GW because it's not a fortune
I'm pissed about the time I invested in the game. And apparently... time IS money. My investment has been compromised because someone is not doing his/hers job properly. You were employed to be web developer so be a web developer
Unless NCSoft were trying to be smart and employed someone who has no experience but they gave him the job because he/she wanted much less money than an experienced one. In the last few years that person has been sitting with Java/PHP/SQL books on his/her laps whilst writing code for the website
Based on this and real life situations I'm coming to a conclusion 1kg of a competent person is worth more than 1kg of gold

Anyway,
ANet - thumbs up
NCSoft - thumbs down

Riot Narita · Jan 02, 2010, 01:52 PM // 13:52

Quote:

Originally Posted by Improvavel

So are you saying and everyone in this thread saying that all of the accounts hacked were so because NCsoft master account?

It's not a case of "all hacks have a single cause". There will always be idiots who give away their account info, RMT, or get keyloggers etc. That's their fault.

But as pointed out in thread, there are OTHER ways to lose your account that AREN'T your own fault... and until recently there was nothing you could do about it.

Quote:

Originally Posted by Improvavel

I've a few NCsoft master accounts and I'vent been hacked.

And if I've been smoking for the last 30 years without dying of cancer, does that mean smoking poses no health risk?

No, it just means we were both lucky

Quote:

Originally Posted by Improvavel

And there are people that have been hacked without having a NCsoft account.

Like I said there is more than one way to lose your account.

Quote:

Originally Posted by Improvavel

It is much easier to just get the information off some poorly protected PC or some careless user than hacking an average secure website.

Actually, no it isn't. Because NCsoft is not an "average secure website". It is well below average, "secure" should not appear in any description of it.

What could be easier, than getting an NCsoft master account of your own, and then have a bot that just keeps logging into it? Until it glitches you into somebody else's account?

Quote:

Originally Posted by Improvavel

sincerely I felt secure before

That is without question, a very dumb thing to say after all that's been posted in this thread. I don't mean that as a personal insult, I mean it's literally a crazy attitude.

Did you actually read what the NCsoft vulnerabilities are? Did you not understand them? Furthermore, most of the vulnerabilities are still there as far as we know - but now with a band-aid stuck on it. You said you have master accounts... I suggest you take out any personal information, credit card details etc from them ASAP. Because that information is not secure.

dr love · Jan 02, 2010, 02:00 PM // 14:00

thanks erys, regina and gaile. i'm glad action was taken swiftly. i feel safe playing again

Erys Vasburg · Jan 02, 2010, 02:02 PM // 14:02

It seems there was a small amount of drama in the past few hours?

Quote:

Originally Posted by Lonesamurai

I now want to know what information the Guru mods want from Regina and others that they don't already have

I'm sorry, but if you'd please take some time to read the thread, you'd know what is wanted.

shump · Jan 02, 2010, 02:03 PM // 14:03

It's nice to see anet say they are investigating.

It pisses me off that aion players and the game developers knew about it and surely told ncsoft and nothing happen like wth it took 2 ncsoft games having the problem for them to pay any attention to it.

Quote:

Originally Posted by DOCB22

We should all get a $25 GW store credit..

I would prefer 2.5 million gold to cover the lost of all the stuff I lost when I got hacked.

Lucci_Slevin · Jan 02, 2010, 02:05 PM // 14:05

I think this one is a false alarm. I decided to do some sleuthing after a concerned friend brought this up in vent.

I read that 8 page thread over on the the Aion boards.

The whole thing.

The only person that said they had that issue with the "NCSoft Master account" was the OP (AKA: Allah). Every single other person was having a different issue related to the Aion website. The info on this site can not be used to steal an account as others mentioned.

When several people asked him to clarify, he did not respond.

That was posted on 12/17/09, it is now 1/2/10. Allah has not gone missing. He has posted 143 times since then, none of those posts had anything to do with the incident(I checked

). He is a extremely active poster, yet he did not respond to any of the people asking him to elaborate in that thread.

I think he just misspoke and is too embarrassed to correct it now that this thing has blown up so big.

----------------------------------------------------------------

Quote:

Originally Posted by zwei2stein

A forum.

username AND email to try to log against? check
password to try? check
character name? you bet!

I am with you. I still think this is the main culprit. I checked securityfocus.com for vbulletin hacks and there were 5 discovered in the passed few months. Including one discovered on 12/31/009 which has not been patched yet. The second one on the list. Link. I hope there is someone here well versed in IT who can look that over to tell us if it is a possible culprit.

I remember a few months ago both major fan sites got flagged by google as attack sites not too far apart(Can not remember the exact dates). I wonder how that got resolved and if there was a correlation with these hacks. Even if that attempt was not successful, it showed that someone was targeting the forums.
--------------------------------------------------------------

I have been following this story since early November. A couple of my guildies were among the first victims(one of them quit

).

Here is a compendium of my posts on the issue.1,2,3,4

I know it is going to be a while before we figure out exactly what happened. But in the meantime, humor me folks and use a unique password for GW.

Enko · Jan 02, 2010, 02:09 PM // 14:09

Quote:

Originally Posted by Lucci_Slevin

I think this one is a false alarm. I decided to do some sleuthing after a concerned friend brought this up in vent.

I read that 8 page thread over on the the Aion boards.

The whole thing.

The only person that said they had that issue with the "NCSoft Master account" was the OP (AKA: Allah). Every single other person was having a different issue related to the Aion website. The info on this site can not be used to steal an account as others mentioned.

When several people asked him to clarify, he did not respond.

That was posted on 12/17/09, it is now 1/2/10. Allah has not gone missing. He has posted 143 times since then, none of those posts had anything to do with the incident(I checked

). He is a extremely active poster, yet he did not respond to any of the people asking him to elaborate in that thread.

I think he just misspoke and is to embarrassed to correct it now that this thing has blown up so big.

There were a few people in this thread that said they were able to get into other people's master accounts. Not sure how reliable they are but even without that, the ncsoft master accounts still had some glaring security holes in it, one which now has a band aid on it.

Turbo Ginsu · Jan 02, 2010, 02:16 PM // 14:16

Quote:

Originally Posted by Lucci_Slevin

I think this one is a false alarm. I decided to do some sleuthing after a concerned friend brought this up in vent.

IMHO, a false alarm does not trigger instant action from both companies concerned, unless there is a real danger. Obviously, given the flurry of action at aNet alone, there is more than just a false alarm here, and you would have to be wearing blinkers and hiding under a rock encased in concrete in a cave on Mars to not see that.

As I said before, actions speak louder than words.

JR · Jan 02, 2010, 02:19 PM // 14:19

Quote:

Originally Posted by Lucci_Slevin

I am with you. I still think this is the main culprit. I checked securityfocus.com for vbulletin hacks and there were 5 discovered in the passed few months. Including one discovered on 12/31/009 which has not been patched yet. The second one on the list. Link. I hope there is someone here well versed in IT who can look that over to tell us if it is a possible culprit.

I remember a few months ago both major fan sites got flagged by google as attack sites not too far apart(Can not remember the exact dates). I wonder how that got resolved and if there was a correlation with these hacks. Even if that attempt was not successful, it showed that someone was targeting the forums.

I can't speak for other fansites, but I can say with certainty that Guru has never been compromised in any way that would put account information at risk. We have comprehensive security measures in place, and would know if anyone had tried or managed to penetrate any of them.

Meridon · Jan 02, 2010, 02:28 PM // 14:28

Right, I'm going to pop in here, even though it's page 19.

First of all, @ Erys Vasburg: Thanks for going public with this. Also, thanks to any of the forum moderators you quoted. You took a big risk by going public with this, as now all the information on NCSoft's security is out on the street. However, you are now forcing Anet/NCsoft to respond, which Anet has done so far, and hopefully NCSoft will do too. The real danger here, however, is that NCSoft's response is pulling the plug on GW1 and Anet's Live team.

@ Inde: Thanks for the reassuring words. I have been reading through the thread (well, only the posts from the people that matter), and your words are far more comforting than Regina's so far.

@ the Moderation Team: While I understand some of you may be frustrated that fansites and their security (in other words, Guru, in other words, you guys) received the initial blame, please don't turn hostile towards Anet. Yes, they have screwed up multiple times. However, as some posters already mentioned, the best way to get something done about situation, is probably for Guru to work with Anet and all the other NCSoft game communities out there, to show the corporate executives there that we are all together in this.

Finally, some questions on behalf of my own concern.

1. With the NCMA no longer being secure, is it a wise idea to log in now, in order to delete any possible Support tickets it may still hold? This of course for them to not show my character name.

2. How can we, the Guru community, and the GW community as a whole, now work with Anet in the best possible way to make sure something is done about this by NCSoft? This is a question that also goes out to Anet's employees reading this. What's the next step for us to take Anet?

Improvavel · Jan 02, 2010, 03:02 PM // 15:02

Quote:

Originally Posted by Turbo Ginsu

IMHO, a false alarm does not trigger instant action from both companies concerned, unless there is a real danger. Obviously, given the flurry of action at aNet alone, there is more than just a false alarm here, and you would have to be wearing blinkers and hiding under a rock encased in concrete in a cave on Mars to not see that.

As I said before, actions speak louder than words.

Wrong.

It is a question of cost/benefit - this thread is bad publicity.

A small fix like asking the current password only prevents random joe user of being able to hack the account. Grabbing the account email information allows hacker then to try to brute force passwords/character names.

It is a lot easier when you have half the information or even 1/3 of the information.

This question, real or unreal is bad publicity. Doing something, specially something so simple and so inexpensive, tells the world they are doing something, giving them good publicity.

If situation described on this thread is real, a not too complex script that would automatically log in and a few PCs could get hundred of thousands of accounts details in a matter of hours.

I don't have the data, but I doubt that there has been hundreds of thousand hacked NCsoft accounts.

gone · Jan 02, 2010, 03:03 PM // 15:03

Quote:

Originally Posted by JR

I can't speak for other fansites, but I can say with certainty that Guru has never been compromised in any way that would put account information at risk. We have comprehensive security measures in place, and would know if anyone had tried or managed to penetrate any of them.

THIS IS JUST AN EXAMPLE IN NO WAY AM I SAYING THEIR SITE WAS HACKED OR TARGETED
I can't begin to tell you how much info was/is probably harvested right from the guild recruitment section(s). yes, this site(GURU) may have good security, why go after, and try to compromise it? There are plenty of other sites(with info), easy sites, to target. it's just a matter of finding them. Look at this site(GURU) as a one stop shop for tons of data, leading to OTHER, smaller, less secure sites. So yes the GURU has it's rear-end covered but why work hard, when you can hardly work. I don't even have to log in to view those sections that give info(all of guru)....So, right there is one of GURU's largest security flaws..every tom, dick and harry can view tons of data, without even being a member...

over time, I've found links to sites, from this site, that google can't find...if you can believe that.

I can't remember which thread I posted in (the guild recruitment section) and I think I even asked for the post to be deleted after read by moderation, but I do remember posting "this is a hacker's delight"
/Edit
http://www.guildwarsguru.com/forum/d...t10418991.html

Quote:

If you are interested in joining [DL], please go to our forum and open up a new thread in the New Recruits Application section. Start your thread with the title of "Your In Game Name Application". Copy and paste the questionnaire below. Screenshots are helpful to your application and very much appreciated. Please answer all the questions with as much detail as possible. Your effort into making your application would reflect the outcome of our decision.

IGN:

1.How much time have you spent playing GW? How old is your account /age and which Campaigns do you own?(Screen Shot of your /age in game is a bonus and will help with your application)

----Answer--->

2.How often do you play and during what time/days? What is your timezone?

----Answer--->

3.Which professions do you have and which campaigns have they completed?
Please include rank of titles like Lightbringer, Sunspear, EoTN Titles, and Luxon/Kurzick rank.

----Answer--->

4.How did you hear about DL? Through a friend/forum?

----Answer--->

5.Why do you want to join DL? What do you want to get out of DL and what can you bring to DL?

----Answer--->

6.Have you done any of the elite PvE Areas(DoA/UW/FoW/HM Dungeons/Urgoz/Deep)? If yes please state what role you played as in those areas.

----Answer--->

7.What other guilds have you been in? For how long and your reason for leaving.

----Answer--->

8.What maxed titles do you have and which ones make you proud the most?(You are not required to have any maxed titles or Screen Shots of your maxed titles but having them is a bonus and will help your application)

----Answer--->

9. Tell us something about yourself.

----Answer--->

Please use this guideline to complete the application. Any additional information is appreciated. DL Officers and members will be reviewing your application. During the voting process DL officers and members will be leaving comments on your application stating why they do or don't like the application. Any negative comment is not to be taken as an insult or to put your appliaction down but as an honest opinion of an officer or a member of DL and maybe as an advice on how to improve yourself as a GW player and at the same time your application. If you are here for speed clears a trial run will be requested. If you are new to speed clears please be honest with your appliaction. Here in DL we understand that we all had to start from somewhere and will gladly help you learn if you are willing to put in the work.

That is a pretty good Blueprint....
THIS IS JUST AN EXAMPLE IN NO WAY AM I SAYING THEIR SITE WAS HACKED OR TARGETED

Goddess Of Defense · Jan 02, 2010, 03:15 PM // 15:15

Quote:

Originally Posted by flubber

THIS IS JUST AN EXAMPLE IN NO WAY AM I SAYING THEIR SITE WAS HACKED OR TARGETED
I can't begin to tell you how much info was/is probably harvested right from the guild recruitment section(s). yes, this site(GURU) may have good security, why go after, and try to compromise it? There are plenty of other sites(with info), easy sites, to target. it's just a matter of finding them. Look at this site(GURU) as a one stop shop for tons of data, leading to OTHER, smaller, less secure sites. So yes the GURU has it's rear-end covered but why work hard, when you can hardly work. I don't even have to log in to view those sections that give info(all of guru)....So, right there is one of GURU's largest security flaws..every tom, dick and harry can view tons of data, without even being a member...

over time, I've found links to sites, from this site, that google can't find...if you can believe that.

I can't remember which thread I posted in (the guild recruitment section) and I think I even asked for the post to be deleted after read by moderation, but I do remember posting "this is a hacker's delight"
/Edit
http://www.guildwarsguru.com/forum/d...t10418991.html

That is a pretty good Blueprint....
THIS IS JUST AN EXAMPLE IN NO WAY AM I SAYING THEIR SITE WAS HACKED OR TARGETED

I agree, recon and social engineering are more likely the cause of people losing their accounts. I mean seriously there are easily manipulated people out there that put out a lot of information that make them large targets. Some sections would be better off blocked from guests, although that doesn't get rid of the problem 100% it still puts another roadblock in the lurkers path.

Improvavel · Jan 02, 2010, 03:18 PM // 15:18

Quote:

Originally Posted by Riot Narita

It's not a case of "all hacks have a single cause". There will always be idiots who give away their account info, RMT, or get keyloggers etc. That's their fault.

But as pointed out in thread, there are OTHER ways to lose your account that AREN'T your own fault... and until recently there was nothing you could do about it.

Until someone can provide hard numbers on how many accounts have been hacked this is mere speculation.

If someone can hack into NCsoft database, THEY WILL HAVE ALL OF THOSE ACCOUNTS, not just some.

Quote:

And if I've been smoking for the last 30 years without dying of cancer, does that mean smoking poses no health risk?
No, it just means we were both lucky

Genetics - every human being is different. Some can smoke 30 cigarettes per day and will never have cancer. Same way milk is considered a very good nutritional source and a decent percentage of the human beings have problems digesting it, or how some people are immune to certain diseases.

Quote:

Like I said there is more than one way to lose your account.

This thread gives the impression that the only way or the biggest way of getting hacked is due to the ncsoft site.

Quote:

Actually, no it isn't. Because NCsoft is not an "average secure website". It is well below average, "secure" should not appear in any description of it.

What could be easier, than getting an NCsoft master account of your own, and then have a bot that just keeps logging into it? Until it glitches you into somebody else's account?

So why don't we see mass reports of people with NCsoft accounts getting hacked?

Why do half the accounts being hacked aren't linked to a NCsoft master account? What is the proportion of accounts linked to NCMA to those not linked.

Quote:

That is without question, a very dumb thing to say after all that's been posted in this thread. I don't mean that as a personal insult, I mean it's literally a crazy attitude.

Did you actually read what the NCsoft vulnerabilities are? Did you not understand them? Furthermore, most of the vulnerabilities are still there as far as we know - but now with a band-aid stuck on it. You said you have master accounts... I suggest you take out any personal information, credit card details etc from them ASAP. Because that information is not secure.

Are you able to reproduce that bug? Did you create a script that tried to log in thousands of times in a NCMA and got into someone else account?

Do you have data on how many accounts were hacked? How many of those accounts had suffered password changes?

We had like the op and 1 other person claiming in this thread to have got inside someone else NCsoft account.

We have hundreds/thousands of users in these forums. Many logged into their NCsoft accounts afterwards to check their info. If 1 user just got into 1 after 60 logs, even if ppl only logged once or twice, shouldn't we have this thread flooded by people claiming to get into someone else account by now?

Or simply people claiming to have been hacked in the few last hours?

As you say, a simple script to load in the account, change password and print screen, run by a dozen or so PCs, could get hundreds of thousands accounts data.

If that is true we are all RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOed, so where are the all RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOed people? Where are all the new posters to this forum asking for help? Or around the internet?

Not saying there aren't any vulnerabilities but people just love mass hysteria and stories about the end of the world.

Lonesamurai · Jan 02, 2010, 03:24 PM // 15:24

Right, lets back up a little here as multiple issues seem to be confusing things... the point of this thread is to discuss the NCSoft Master Account issue ONLY...

Yes there are standard security issues and even vague stupidity, but unfortunately, that is not limited to games accounts, it happens with banks and even in governments... It happens...

However I agree with EVERYONE here that NCSoft needs to step up and let us know whats happening here, but as that hasn't happened in nearly a month of this being known about, I very much doubt this will change just because the Guild wars community has gotten involved... not unless we, as a whole work with ANet to push the issue with NCSoft!

Conjecture, speculation and other factors also play a part in this and we need to stay on track about what we as a community want to hear from NCSoft, not ANet, not the community, but NCSoft, who's website has a security flaw and needs fixing!

We also have to remember that this issue is NOT limited to Guild Wars and first came to light with Aion and in the Aion community, however it is still NOT the Aion communities fault, or the fault of any community, it is a security flaw, nothing more and one that needs to be fixed, but only NCSoft can do that, not ANet!

gone · Jan 02, 2010, 03:29 PM // 15:29

Quote:

Originally Posted by Lonesamurai

Right, lets back up a little here as multiple issues seem to be confusing things... the point of this thread is to discuss the NCSoft Master Account issue ONLY...

says you. People need to be made aware NOW. not just slam Anet/NCsoft.

I can get more info from GURU than I can from NCsoft.