Guild Wars Forums - GW Guru
Old Jan 02, 2010, 10:43 PM // 22:43   #401
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Riot Narita View Post
No it is fact, we don't need the numbers to know that. Either you don't understand what "speculation" means, or you really haven't read this thread.


This proves that indeed, you haven't read this thread. Either that, or you didn't understand what's been posted here.
I did read and understand.

People log and log and log and suddenly they are in a different account that doesn't belong to them.

Then they can change the password and log in game.

So it is a bug that happens on occasion.

Thereby, the more times someone logs in, the higher the chance to log into someone else's account.

Now you are someone interested in stealing accounts. You make a script to log in and out multiple times. Additionally the script can identify the email and log into a file for the hacker. At the same time, the script changes the password of any accounts it logs in - most of the time the script just changes the password of the hacker account.

Now have a few PCs doing that.

In not too long you will have accessed all the accounts in there and changed the passwords of those emails.

True, the request for the character name makes this more difficult and now requiring the old password even more.

So, if this method was being used we would have heard of massive account hacking and not only that but those people would be complaining that their password had been changed and they couldn't log in.

Until it is proven otherwise, I will take Regina's word that the large majority of hacks didn't include a password change, and password change is the way to hack using this method.
Improvavel is offline  
Old Jan 02, 2010, 11:35 PM // 23:35   #402
I despise facebook
 
Turbo Ginsu's Avatar
 
Join Date: Feb 2008
Location: Australia
Guild: Meeting of the Lost Minds
Profession: Me/
Default

Quote:
Originally Posted by Riot Narita View Post
Irrelevant. The problem is real, no matter what the numbers are. It needed to be fixed. It was serious enough that ANet took near immediate action to fix it, after this thread was started.

Do you think A-Net would have made the recent changes - over the holiday period - if there wasn't a critical security issue?
This is my point exactly. No problem=no action. Explain then, naysayers, if you can, why action was taken so promptly, and so aggressively.

I think one of the points a lot of people are missing is that we paid for this game, some of us paid a lot of money, r/l money that we have to work for. I myself have spent (As I've said before) over $600aud on mine and my wife's account. That's without the 3 extra storage panes each and 3 extra character slots each.

IMHO, I prefer that they get bad publicity, simply for not attacking the problem the very instant it arose. This is our r/l hard-earned money, and our r/l invested hours, in a game that a lot of us are passionate about. If you don't share that passion, then good for you. Don't try to speak for the rest of us, as no-one here has asked you to. It is obvious who has dropped the ball, and it isn't aNet.

The way that the Aion community has been neglected, who pay even more out than we do, makes it bloody obvious who is at fault here. We wouldn't need a witchhunt if there wasn't a bloody big witch around pilfering as many accounts as they can get their grubby hands on, would we?

Who else here thinks that these same nay-sayers would be the ones to screech the loudest if it were them getting screwed over?

Yeah.. Truth is truth.
Turbo Ginsu is offline  
Old Jan 02, 2010, 11:38 PM // 23:38   #403
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Improvavel View Post
I did read and understand.
Evidently. Well, good.

Quote:
Originally Posted by Improvavel View Post
Until it is proven otherwise, I will take Regina's word that the large majority of hacks didn't include a password change, and password change is the way to hack using this method.
That is entirely possible. I think there are more accounts lost this way than you, but that's just my opinion - based on the many postings we've seen here (in spite of the hostile community, and mods closing "hacked" threads on sight), and other sites, including Aion forums. No point debating that though, and we'll probably never know the true extent. I accept that plenty of people lose their accounts due to their own stupidity, and they may be the majority. But no matter how big or small the remaining minority is, I believe they deserve protection from the master account vulnerability. Even a fraction of 1% is a LOT of real people.

What A-Net has done - doesn't that make you happy?

You accept that there was a chance that any of us with NCsoft master accounts could have had our GW accounts randomly robbed or characters deleted, right? Through no fault of our own. Even if that chance is tiny (my opinion, it's not so tiny)... it's unacceptable. There should be no chance at all! I don't want to be in that minority that lost their account this way. Aren't you glad they added more protection to your account too?

I could accept losing my account because I was stupid... but not because NCsoft or Anet were negligent. I take a lot of precautions against account theft, where I am able to. And I am glad A-Net is finally doing something about the things I am NOT able to do anything about.

I hope NCsoft follows Anet's lead and fixes the master account security properly. I note that Aion players are still wide-open to this master account abuse. Look at what A-Net achieved in such short amount of time - when their backs were against the wall, and they cared enough to fix it. NCsoft needs a rocket up the ass to put THEM against the wall and give them the will to fix their mess. This thread and others like it, are that rocket.

You seem to regard that as hysteria, and you don't like it. But my view is that it is justified anger - I don't think it's unreasonable to pressure A-Net and NCsoft when our accounts and characters are at stake... and they could so easily fix it, if only they had the will to do it.

Last edited by Riot Narita; Jan 03, 2010 at 12:09 AM // 00:09..
Riot Narita is offline  
Old Jan 02, 2010, 11:40 PM // 23:40   #404
Lion's Arch Merchant
 
Inner Salbat's Avatar
 
Join Date: Oct 2005
Guild: Leader - ANZAC
Profession: E/
Default

Quote:
Originally Posted by Improvavel View Post
So, if this method was being used we would have heard of massive account hacking and not only that but those people would be complaining that their password had been changed and they couldn't log in.

Until it is proven otherwise, I will take Regina's word that the large majority of hacks didn't include a password change, and password change is the way to hack using this method.
That is exactly the point you're missing, there have been massive amounts of accounts being hacked, up until recently there would be a new person coming onto the forum(s) reporting that they'd been hacked DAILY! In fact sometimes 2-5 a day, and remember those people that posted on the forums are not the only ones, I was one of them.

Account 1 : Hacked, is linked to NCMA.
I did not share my details for either my game or NCMA with any other site on the Internet, I use extremely complex passwords. In fact I wrote my own software to auto generate the password out of randomness at 8-13 character length, additionally my password recovery questions are responded to by equally random textual strings that are even longer because the box allows more characters.

Curious I ran a mathematical equation over the password string I was using, but first before we do that because some random passwords are weak; for example.

"AAweiu32!"
Its weaknesses are thus;
Double usage of same case characters "AA"
Consecutive usage of upper case characters "AA"
Consecutive usage of lower case characters "weiu"
Consecutive usage of numbers "32"
It's too short.
Its only redeeming feature is it uses an "!", which NCSoft or Guild Wars do not allow.

A decent password
Az1%x8Kf+q|3zE^qW

Now the password I was using when they originally hacked my account was along the lines of the decent password yet it was hacked.

Account 2: Was not hacked, wasn't to my knowledge linked to a NCMA at all, and because my wife has trouble with passwords it was an extremely simple password, long but simple.

The end result of account 1's password to brute force it, would have taken 2.9 million years.

What's the difference there ?

Last edited by Inner Salbat; Jan 02, 2010 at 11:44 PM // 23:44..
Inner Salbat is offline  
Old Jan 03, 2010, 12:05 AM // 00:05   #405
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Riot Narita View Post
Evidently. Well, good.


That is entirely possible. I think there are more accounts lost this way than you, but that's just my opinion - we'll probably never know the true extent. I accept that plenty of people lose their accounts due to their own stupidity, and they may be the majority.

But what A-Net has done - doesn't that make you happy?

You accept that there was a chance that any of us with NCsoft master accounts could have had our GW accounts randomly robbed or characters deleted, right? Through no fault of our own. Even if that chance is tiny (my opinion, it's not so tiny)... it's unacceptable. There should be no chance at all!

I could accept losing my account because I was stupid... but not because NCsoft or Anet were negligent. I take a lot of precautions against account theft, where I am able to. And I am glad A-Net is finally doing something about the things I am NOT able to do anything about.
I'm not saying it is impossible and every bit of security is helpful.

Still, the simple addition of a current password field, which is quite simple makes no significant difference.

Something this serious would be answered with the website being taken offline and recoded. That expense easily outweighs potential losses due to a website security issue.

If anyone thinks the addition of a "current password" field means that this problem is acknowledged or fixed, they are wrong. A quick band aid would be to take the site offline.
Improvavel is offline  
Old Jan 03, 2010, 12:08 AM // 00:08   #406
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Inner Salbat View Post
That is exactly the point you're missing, there have been massive amounts of accounts being hacked, up until recently there would be a new person coming onto the forum(s) reporting that they'd been hacked DAILY! In fact sometimes 2-5 a day, and remember those people that posted on the forums are not the only ones, I was one of them.

Account 1 : Hacked, is linked to NCMA.
I did not share my details for either my game or NCMA with any other site on the Internet, I use extremely complex passwords. In fact I wrote my own software to auto generate the password out of randomness at 8-13 character length, additionally my password recovery questions are responded to by equally random textual strings that are even longer because the box allows more characters.

Curious I ran a mathematical equation over the password string I was using, but first before we do that because some random passwords are weak; for example.

"AAweiu32!"
Its weaknesses are thus;
Double usage of same case characters "AA"
Consecutive usage of upper case characters "AA"
Consecutive usage of lower case characters "weiu"
Consecutive usage of numbers "32"
It's too short.
Its only redeeming feature is it uses an "!", which NCSoft or Guild Wars do not allow.

A decent password
Az1%x8Kf+q|3zE^qW

Now the password I was using when they originally hacked my account was along the lines of the decent password yet it was hacked.

Account 2: Was not hacked, wasn't to my knowledge linked to a NCMA at all, and because my wife has trouble with passwords it was an extremely simple password, long but simple.

The end result of account 1's password to brute force it, would have taken 2.9 million years.

What's the difference there ?
And was the password changed? Or were the characters just stripped? Because with this exploit a hacker doesn't need to brute force passwords, just change it to a password of his choice.
Improvavel is offline  
Old Jan 03, 2010, 12:18 AM // 00:18   #407
Guest01
 
Join Date: Jul 2006
Default

Most importantly, the Master Acct as I see it is only the symptom of a much larger problem: How do we get NcSoft unlinked from ArenaNet?

This money grubbing, non-creative, in fact destructive game publisher is just a giant bloodsucking tick on ArenaNet's back! They've destroyed the Lineage franchise by taking it over and wringing it dry. How long do we let them do this to GW? They're the opposite of King Midas, everything they touch turns to sh*t!

Secondly, ArenaNet, I know it may be hard to do, but stop making excuses and own up to this. It's like someone selling an unshielded microwave and saying "well, less than half the house fires can be directly linked to us so..."! Like that lame excuse does anything for the people who HAVE suffered because of this security breach.

If even ONE account has been breached because of such simple security precautions as - 1. making sure one acct doesn't "randomly" access another, and 2. you have to input your old password to change it - then that's ONE acct too many! And to try to offhandedly blame the OP for "creating" the problem by exposing the security flaw has been one of the biggest problems in IT security for decades! The open-source community has known for decades what you keep failing to learn: Only by exposing these security flaws can we hope to build a more secure product! Hiding these flaws encourages laziness, why fix a security flaw that no one knows about, until it's too late!

I'm much more disgusted with NcSoft, because they obviously only care about the cash, and not the community or the game. But ArenaNet, be careful. If you keep blindly following NcSoft's lead, you will assist in your own destruction.
mrvrod is offline  
Old Jan 03, 2010, 12:35 AM // 00:35   #408
Lion's Arch Merchant
 
Inner Salbat's Avatar
 
Join Date: Oct 2005
Guild: Leader - ANZAC
Profession: E/
Default

Quote:
Originally Posted by Improvavel View Post
And was the password changed? Or were the characters just stripped? Because with this exploit a hacker doesn't need to brute force passwords, just change it to a password of his choice.
Oops, thanks for pointing that out. Yes, I was emailed that my password had changed. Since I was unable at the time to even play Guild Wars because my PC had blown up 2 weeks beforehand, I was curious as to how my password was changed when I wasn't even playing the game, or accessing anything to do with NCSoft or Guild Wars.
Inner Salbat is offline  
Old Jan 03, 2010, 01:07 AM // 01:07   #409
Forge Runner
 
Join Date: Jun 2006
Location: VA
Profession: Mo/
Default

Quote:
Originally Posted by Improvavel View Post
I'm not saying it is impossible and every bit of security is helpful.

Still, the simple addition of a current password field, which is quite simple makes no significant difference.

Something this serious would be answered with the website being taken offline and recoded. That expense easily outweighs potential losses due to a website security issue.

If anyone thinks the addition of a "current password" field means that this problem is acknowledged or fixed, they are wrong. A quick band aid would be to take the site offline.
the simple change makes a huge difference for the log in/log out master account method. whoever gets on someone else's account can no longer just simply change their password. how you see this as making no significant difference is beyond me since now they actually have to spend the time to either brute the old password or actually break open the database. at the very least, this will slow them down immensely.

this is a quick band aid that still keeps the website up and will most likely stop the majority of the gw accounts being stolen. sadly, it doesn't help the aion guys. if they were truly serious about fixing it, they would take it down and keep it down until all of the problems are fixed.
Enko is offline  
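
Added example (not part of the thread, and not NCsoft or ArenaNet code): a minimal Python sketch of the change discussed in the posts above, comparing a password change that trusts only the session with one that also demands the current password. The `AccountStore` class, its method names, the account id and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # PBKDF2 work factor; an assumed value for this sketch


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


class AccountStore:
    """Hypothetical account back end; nothing here is NCsoft's real design."""

    def __init__(self):
        self._accounts = {}  # account id -> (salt, derived key)
        self._sessions = {}  # session token -> account id

    def register(self, account_id, password):
        salt = secrets.token_bytes(16)
        self._accounts[account_id] = (salt, derive(password, salt))

    def verify(self, account_id, password):
        record = self._accounts.get(account_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, derive(password, salt))

    def open_session(self, account_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account_id
        return token

    def session_valid(self, token):
        return token in self._sessions

    def _set_password(self, account_id, new_password):
        self.register(account_id, new_password)
        # A password change ends every existing session on the account.
        self._sessions = {
            t: a for t, a in self._sessions.items() if a != account_id
        }

    def change_password_session_only(self, token, new_password):
        """Behaviour before the fix: a live session is all that is checked."""
        account_id = self._sessions.get(token)
        if account_id is None:
            return False
        self._set_password(account_id, new_password)
        return True

    def change_password(self, token, current_password, new_password):
        """Behaviour after the fix: session plus the current password."""
        account_id = self._sessions.get(token)
        if account_id is None or not self.verify(account_id, current_password):
            return False
        self._set_password(account_id, new_password)
        return True


def run_scenario(require_current_password):
    """A session is bound to the wrong account; report what its holder can do."""
    store = AccountStore()
    store.register("owner@example.test", "owner-original-pw")  # constructed data
    # Simulates the session mix-up: a visitor who never knew the owner's
    # password ends up holding a session for the owner's account.
    stray_token = store.open_session("owner@example.test")
    if require_current_password:
        changed = store.change_password(stray_token, "a-guess", "visitor-pw")
    else:
        changed = store.change_password_session_only(stray_token, "visitor-pw")
    return {
        "password_changed": changed,
        "owner_can_still_log_in": store.verify(
            "owner@example.test", "owner-original-pw"
        ),
    }


if __name__ == "__main__":
    print("session only:    ", run_scenario(False))
    print("current required:", run_scenario(True))
```

The re-authentication step does not repair the session mix-up itself; it only stops a stray session from being converted into permanent control of the account.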
Old Jan 03, 2010, 01:20 AM // 01:20   #410
Grotto Attendant
 
Join Date: Apr 2007
Default

1. While I certainly welcome the addition of needing the old GW password to change the GW password on the NCSoft site, we're not out of the woods yet. If Mung is correct, the NCSoft site is still vulnerable to SQL injection and file mirroring -- either of which alone is sufficient to extract that bit of info from the NCSoft site.

Also, and a-net should pay attention here, either of those vectors could leave the attacker with a list of GW usernames and passwords without needing to do a password reset. Sound familiar?

2. I want to reverse my position from several pages back. It appears that a-net is making some headway in getting NCSoft to at least take some action on this issue. So long as you believe you can get them to come around and adequately secure their site, I can understand the decision not to fix this from the GW side and face the consequences for insubordination.

3. Re: About 50% of the hacked accounts weren't linked to NCSoft.

We've been over this a dozen times. The flaw in the logic here has been pointed out repeatedly. It may be true, but it does not support the proposition that the NCMA is secure. And yet both Gaile and Regina keep repeating this. What's more, they've each posted something indicating that they understand how the logic is flawed. And they still keep repeating it. Why?

My guess is that NCSoft told them this statistic is the official cover story that they must repeat to defend the company. That's the best way I can explain two rather intelligent people, who appear to understand what's wrong with the argument, nonetheless repeating it over and over.


4. I can answer a couple of your questions, DragonRogue.

Quote:
Originally Posted by DragonRogue View Post
But i am curious about something. What are you doing to the actual hackers?
Nothing. The hackers generally don't own the accounts they use. Those accounts get a temp ban, which is lifted when the true owner contacts support. I'm sure if a-net was able to find accounts owned by hackers, those would be perma banned before you could say "bye bye." I'm sure they'd also love to involve law enforcement, but the hackers tend to operate from China and other southeast Asian countries that don't much care to cooperate on matters like this.

Quote:
Also, you say the hackers have a LIST OF PWs? From where have these been obtained?
A-net says that a fansite was compromised. I have no reason to doubt them. Also, a couple of forum members here whom I trust have hinted they know which site it was. Anyone who was foolish enough to reuse the same username or password on that forum as on GW is in trouble.

Also, if the NCMA has the SQL injection and file mirroring vulnerabilities it's claimed to have, a list of login credentials could come from there as well.

5.
Quote:
Originally Posted by Inde View Post
I'll pop in here. My words don't mean any more than the next poster, but you all must understand that ArenaNet is listening and taking action... I can clearly see that ArenaNet is pushing. They are fighting... ArenaNet, while they might be fighting the bureaucracy of the big corporate giant, is certainly making progress.
Yes, I believe they are. And I applaud them for it. I truly hope they succeed, both for our sake and theirs.

Quote:
On the same note, I do have to give thanks to not only this community but the Aionsource.com community who both seem to be fighting so hard to see that their accounts are protected. Is it because of us these security updates have happened? I think we can say with some degree of certainty that yes, yes it has.
I agree. And I applaud them too.

Quote:
Originally Posted by Lucci_Slevin View Post
I think this one is a false alarm.
OK, your comments have reached the point where I have to ask: idiot or troll? Seriously, there were several posts on the Aion forums confirming the bug; there were posts in this thread confirming the bug (and then even more after you posted); and you could have tested it yourself if you really felt like doubting all those people's honesty. So, what's your deal? Too dumb to read before you post or just trolling us all? Given that I can't recall reading a single post from you before this issue cropped up, I'm suspecting troll.
Chthon is offline  
Old Jan 03, 2010, 01:22 AM // 01:22   #411
Krytan Explorer
 
Sora267's Avatar
 
Join Date: Dec 2006
Default

Quote:
Originally Posted by Chthon View Post
List of Known Vulnerabilities with the NCSoft Site:
2. Advanced Vulnerabilities Reported by Mung on Aion Forums
  • "SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" [Mung] received an SQL ack!"
  • "The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host)." Chthon's note: HOLY SHIT! That's very bad....
  • "[T]he majority of the process functions for each page under the "secure.ncsoft.com" domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a users intention."
3. Brute Force Vulnerabilities
  • Login failure gives different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site's username field.
  • Failed attempt at answering security questions that includes one correctly guessed question returns error message that tells user which question is correct. This vastly reduces search time for a brute force attack.
  • IP's attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
  • The GW username is displayed from the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
4. GW character are present in old support tickets. This renders the new character name security question useless.
Would those specific vulnerabilities, the weaker ones working in tandem with each other, aid in either the extraction of (such as the file mirroring) or the building of (the latter of which would require a LOT of effort, but it seems like a lot of the vulnerabilities would make it quicker) the supposed leaked password database that Regina blamed for a significant portion of the hacks?

Also, the fact that an extracted password database (if it was indeed extracted from a server) alone would allow hackers access to the account shows to me negligence on the part of whoever is in charge of the password lists. For a game with over 6 million accounts sold, I'd expect both the login name and the password to have one-way encryption. If the password database actually did anything then it was either a) a disgruntled ex-employee who either knew the encryption algorithm or had the necessary knowledge to derive the algorithm; b) the result of a weak algorithm; or, worst of all, c) they were stored in plain-text.

I'm going to go ahead and assume NCSoft controls the database since we must deal with their support (not ANet's) and it's changeable from the NCMA. If this is the case, then it's your move, NCSoft.

Edit: Is it possible that a hacker could have just used SQL injection on the password change page to be able to access the database? I recall that RockYou!'s plaintext database was retrieved through SQL injection...

Last edited by Sora267; Jan 03, 2010 at 01:29 AM // 01:29..
Sora267 is offline  
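
Added example (not from the thread, and not NCsoft's code): a Python sketch of defences against the brute-force items in the quoted list, namely one error message for known and unknown usernames, throttling of repeated failures per IP and per username, an all-or-nothing check of security answers, and salted one-way password storage. `LoginGate`, `recovery_answers_match`, the thresholds and the sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

GENERIC_FAILURE = "Invalid username or password."
THROTTLED = "Too many attempts. Try again later."


def derive(password, salt):
    """Salted one-way hash, so a copied table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Hypothetical login front end with uniform errors and throttling."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self._users = {}     # username -> (salt, derived key)
        self._failures = {}  # ("ip" | "user", value) -> failure timestamps
        self._max = max_failures
        self._window = window_seconds
        self._clock = clock
        # Dummy record: unknown usernames cost the same hashing work as real
        # ones, so response time does not reveal which usernames exist.
        self._dummy = (secrets.token_bytes(16), secrets.token_bytes(32))

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username.lower()] = (salt, derive(password, salt))

    def _recent(self, key, now):
        kept = [t for t in self._failures.get(key, []) if now - t < self._window]
        self._failures[key] = kept
        return kept

    def login(self, username, password, client_ip):
        now = self._clock()
        name = username.lower()
        keys = [("ip", client_ip), ("user", name)]
        # Failures are counted for any username, real or not, so the throttle
        # response cannot be used to enumerate accounts either.
        if any(len(self._recent(k, now)) >= self._max for k in keys):
            return False, THROTTLED
        salt, stored = self._users.get(name, self._dummy)
        ok = hmac.compare_digest(stored, derive(password, salt))
        ok = ok and name in self._users
        if ok:
            self._failures.pop(("user", name), None)
            return True, "Welcome."
        for k in keys:
            self._failures.setdefault(k, []).append(now)
        # Same text whether the username or the password was wrong.
        return False, GENERIC_FAILURE


def recovery_answers_match(stored_answers, supplied_answers):
    """All-or-nothing check: never reveals which individual answer was right."""
    if len(stored_answers) != len(supplied_answers):
        return False
    all_match = True
    for stored, supplied in zip(stored_answers, supplied_answers):
        # No early exit, so timing does not point at the first wrong answer.
        all_match &= hmac.compare_digest(stored.encode(), supplied.encode())
    return all_match


if __name__ == "__main__":
    gate = LoginGate(max_failures=3)
    gate.add_user("alice", "correct horse")  # constructed sample account
    print(gate.login("alice", "wrong", "203.0.113.5"))
    print(gate.login("no-such-user", "wrong", "203.0.113.5"))
    print(gate.login("alice", "correct horse", "203.0.113.9"))
    print(recovery_answers_match(["rex", "oslo"], ["rex", "paris"]))
```

Per-username throttling lets an outsider temporarily lock a known account, so real deployments usually pair it with delays or a challenge rather than a hard block.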
Old Jan 03, 2010, 01:53 AM // 01:53   #412
Frost Gate Guardian
 
Join Date: Oct 2005
Profession: R/D
Default

Quote:
Originally Posted by Sora267 View Post
Is it possible that a hacker could have just used SQL injection on the password change page to be able to access the database?
SQL injection is generally used to bypass security, e.g. logging into a site without a password and/or username. Anyone with basic knowledge or anyone with time + a search engine could do it depending on what was vulnerable.

Someone with more advanced knowledge and luck at guessing how the database was designed could potentially use SQL injection to change or reset info in a database.

Using SQL injection to get a list of info (like logins) from the database is a lot harder (not skill-wise, but opportunity-wise) and I would put the chance of that at very very VERY slim.
ricocheting is offline  
Old Jan 03, 2010, 01:56 AM // 01:56   #413
Grotto Attendant
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Sora267 View Post
Would those specific vulnerabilities, the weaker ones working in tandem with each other, aid in either the extraction of (such as the file mirroring) or the building of (the latter of which would require a LOT of effort, but it seems like a lot of the vulnerabilities would make it quicker) the supposed leaked password database that Regina blamed for a significant portion of the hacks?
In principle, either SQL injection or file mirroring alone would be sufficient to learn anything a given website knows. Because it would be illegal to actually start making unauthorized SQL queries or copying their files, Mung did not go that far. So there is a slim possibility that some unexpected measure protects the GW passwords, despite the lack of obvious industry-standard measures.
Chthon is offline  
Old Jan 03, 2010, 02:13 AM // 02:13   #414
Krytan Explorer
 
Sora267's Avatar
 
Join Date: Dec 2006
Default

Quote:
Originally Posted by ricocheting View Post
SQL injection is generally used to bypass security, e.g. logging into a site without a password and/or username. Anyone with basic knowledge or anyone with time + a search engine could do it depending on what was vulnerable.

Someone with more advanced knowledge and luck at guessing how the database was designed could potentially use SQL injection to change or reset info in a database.

Using SQL injection to get a list of info (like logins) from the database is a lot harder (not skill-wise, but opportunity-wise) and I would put the chance of that at very very VERY slim.
Quote:
Originally Posted by Chthon View Post
In principle, either SQL injection or file mirroring alone would be sufficient to learn anything a given website knows. Because it would be illegal to actually start making unauthorized SQL queries or copying their files, Mung did not go that far. So there is a slim possibility that some unexpected measure protects the GW passwords, despite the lack of obvious industry-standard measures.
Thanks for the clarification.
Sora267 is offline  
Old Jan 03, 2010, 02:57 AM // 02:57   #415
Desert Nomad
 
glacialphoenix's Avatar
 
Join Date: Jul 2008
Location: Singapore
Guild: Royal Order of Flying Lemmings [ROFL]
Profession: Mo/
Default

Quote:
I accept that plenty of people lose their accounts due to their own stupidity, and they may be the majority. But no matter how big or small the remaining minority is, I believe they deserve protection from the master account vulnerability. Even a fraction of 1% is a LOT of real people.
Also, if you consider the sheer number of people who reported being hacked (not to mention those who could've got hacked, but either a) aren't really playing GW anymore; b) didn't bother to say anything given the generally negative response from the community)... that's a lot of people. There are always going to be people who lose their accounts through keyloggers, giving away their passwords to people who then turn around and steal their stuff, buying gold etc. - sure, you can say that that's their own fault, but what about those who lost theirs through no discernible fault of their own?

I saw something on an earlier page about witch-hunts, and well. I don't really think it's a witch-hunt (generally speaking, people appear to be rational enough to point out that Anet, at least, responded.); but you can't blame people for being angry and wanting NCSoft to own up. We should never have had to make this much noise for them to add something as simple as keying in your old password to change it to a new one, and that was achieved only through the efforts of Anet - no other NCSoft game has had anything like that despite them complaining for as long if not longer.

Quote:
Originally Posted by Improvavel
Something this serious would be answered with the website being taken offline and recoded. That expense easily outweighs potential losses due to a website security issue.
Seriously, I think the only reason why we even got that additional password field is because Anet pushed for it. If the other NCSoft games aren't even getting that password field, I highly doubt NCSoft is going to get the website taken down. (I personally trust that the Anet team is doing their best, but there's only so much they can do if NCSoft won't listen.)

Last edited by glacialphoenix; Jan 03, 2010 at 03:00 AM // 03:00..
glacialphoenix is offline  
Old Jan 03, 2010, 03:24 AM // 03:24   #416
Krytan Explorer
 
obastable's Avatar
 
Join Date: Nov 2005
Profession: Mo/
Default

Quote:
Originally Posted by Chthon View Post
I'm sure they'd also love to involve law enforcement, but the hackers tend to operate from China and other southeast Asian countries that don't much care to cooperate on matters like this.
That's not entirely true ... the Asian community, by and large, is at the forefront of developing, implementing, and enforcing virtual property laws that thoroughly protect gamers from precisely these sorts of actions. Thailand in particular (if memory serves) would be a good place to live if your account was hacked.
obastable is offline  
Old Jan 03, 2010, 03:42 AM // 03:42   #417
ArenaNet
 
Regina Buenaobra's Avatar
 
Join Date: Apr 2008
Profession: Me/
Default

Hey, everyone. There's been a lot of discussion going on within NCsoft and ArenaNet based upon the feedback in this thread. The Aion team is also involved in these discussions, and I'm actively working with their community managers on this issue. I would like to let you know that actions are being taken by the NCsoft security team to address the security concerns outlined. This includes the random login issue (reportedly being able to randomly login to another player's NCsoft Master Account), which the Security team is actively researching and investigating. They are also looking at the other points as outlined, such as brute force vulnerabilities, web site vulnerabilities. I will keep you updated with information on the steps being taken on our end to the extent that I'm able. If you have information that could potentially help our team with their investigation (in particular, the random account switching bug), but which is too sensitive to display on a public forum, you're welcome to contact me or customer support directly. Thank you very much, and we appreciate the feedback you've been giving us so far.
__________________
Regina Buenaobra
Community Manager
ArenaNet, Inc.

Last edited by Regina Buenaobra; Jan 03, 2010 at 03:53 AM // 03:53..
Regina Buenaobra is offline  
Old Jan 03, 2010, 03:53 AM // 03:53   #418
I despise facebook
 
Turbo Ginsu's Avatar
 
Join Date: Feb 2008
Location: Australia
Guild: Meeting of the Lost Minds
Profession: Me/
Default

Speaking entirely for myself (others have their own voices), I'd just like to say thank you very much for being so actively involved and prompt in this matter, Regina. This goes a very long way towards reassuring my wife and me that as far as aNet are concerned, we do matter, and that our concerns aren't falling on deaf ears.

Keep up the good work, and please do keep us all informed.

GG!
Turbo Ginsu is offline  
Old Jan 03, 2010, 04:03 AM // 04:03   #419
Forge Runner
 
Join Date: Jun 2006
Location: VA
Profession: Mo/
Default

Thanks, Regina.

The last 48 hours have restored much of my faith in the Arena.net team. Looks like a lot of the crap you guys take really should have been directed at the NCSoft guys.
Enko is offline  
Old Jan 03, 2010, 04:11 AM // 04:11   #420
Frost Gate Guardian
 
Join Date: Oct 2009
Default

Anet should seriously provide a way for players to make purchases WITHOUT forcing the customer to link to an NCSoft master account.

There are a lot of purchases I would like to make but I refuse to link any of my accounts and hence cannot purchase anything from the NCSoft store.
Kador is offline  
All times are GMT.