Guild Wars Forums - GW Guru
 
 

Old Dec 03, 2009, 10:00 PM // 22:00   #61
Pre-Searing Cadet
 
Join Date: Jan 2008
Location: Oklahoma
Guild: Passionate Kiss of Life
Profession: E/Mo
Wink

Quote:
Originally Posted by Martin Alvito View Post
This apparently changed and I was just as surprised to hear it as you are.



If there is unauthorized access, either your system was compromised or the accessed system was compromised. If we can rule one out, the other must be true.



Which gets back to my points about air and smoke -> fire. I'm not willing to use such a restrictive proof standard. The community suspected duping before the method was proven, but discounted the possibility because ANet assured us backwards and forwards that duping was impossible.
god im never gonna start this paper

yes we can rule out "supposedly" one system but as i said before
unless someone steps up and says i brute forced the system and got a password then we can not automatically say that their system is at fault.

my main problem is that people are saying with 100 percent sure"ability"
that their system is not at fault.

and as a person with IT experience i would have to say
no system is 100 percent secure.

id prolly shut up if you said we "think" the problem lays with arenanet
instead of the problem lays with arenanet.

bah i get caught up on the little things
masharra is offline   Reply With Quote
Old Dec 03, 2009, 10:19 PM // 22:19   #62
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by masharra View Post
id prolly shut up if you said we "think" the problem lays with arenanet
instead of the problem lays with arenanet.
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).

You can't disprove the thesis that the experienced people made an error in their security. But if they weren't complaining before, and they are now, it's reasonable to infer that something changed and that it wasn't that they all suddenly started failing at security precautions.

It's also strange that the automated hack is changing passwords at NCSoft if it uses a keylogger to get credentials. Why the extra step? It's not like the hacker is keeping the accounts. Why would the hacker write code to change passwords, when access could be had directly?

The simplest explanation is that there is a problem with the NCSoft site. Prior threads have suggested some of the possible security flaws.

I agree with you that we do not have a "beyond a reasonable doubt" case here. But I'd argue that we have a "preponderance of the evidence" case, and that's good enough for me.
Martin Alvito is offline   Reply With Quote
Old Dec 03, 2009, 11:40 PM // 23:40   #63
Guest
 
Join Date: Jan 2007
Default

Quote:
Originally Posted by Karate Jesus View Post
I'm on the Test Krewe?
naw, after doing a little digging, it is another brah whose name starts with a -K-
gone is offline   Reply With Quote
Old Dec 03, 2009, 11:55 PM // 23:55   #64
Pre-Searing Cadet
 
Join Date: Jan 2008
Location: Oklahoma
Guild: Passionate Kiss of Life
Profession: E/Mo
Default

Quote:
Originally Posted by Martin Alvito View Post
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).

You can't disprove the thesis that the experienced people made an error in their security. But if they weren't complaining before, and they are now, it's reasonable to infer that something changed and that it wasn't that they all suddenly started failing at security precautions.

It's also strange that the automated hack is changing passwords at NCSoft if it uses a keylogger to get credentials. Why the extra step? It's not like the hacker is keeping the accounts. Why would the hacker write code to change passwords, when access could be had directly?

The simplest explanation is that there is a problem with the NCSoft site. Prior threads have suggested some of the possible security flaws.

I agree with you that we do not have a "beyond a reasonable doubt" case here. But I'd argue that we have a "preponderance of the evidence" case, and that's good enough for me.
thats acceptable to me

uh as for why change the password

so that when the bot is cleaning out the account the user doesn't log on and interrupt the cleaning out operation. especially useful if the user notices what's going on and changes password immediately


also isn't the ncsoft website password different from the logon password for gw?

either way you make a great point with the why take the extra step
masharra is offline   Reply With Quote
Old Dec 04, 2009, 12:20 AM // 00:20   #65
Lion's Arch Merchant
 
]HM[ Sabre Wolf's Avatar
 
Join Date: Oct 2006
Location: USA
Guild: Servants of Fortuna
Profession: W/
Default

Quote:
Originally Posted by Karate Jesus View Post
Source?
Do you honestly believe that the live team personnel that do GW1 have not in any way, shape or form helped with GW2?

Quote:
Originally Posted by Karate Jesus View Post
The facts, huh? Well, if your facts are wrong....then....you're just ramming bullshit down people's throats.
My facts are coming directly from the Dev's notes that THEY (ANET) post themselves! AND the average occurrence of the updates which generally match what/when they say they release them. How can words from the horse's mouth and history be wrong?!?!?!?

source | source | source

(Not random bug fixes)
Update - Thursday, April 23 (Fourth Anniversary)
Update - Thursday, May 14 (Skill Update)
Update - Thursday, June 18 (Skill Update)
Update - Thursday, July 2 (Dragon Festival 2009/4th of July)
Update - Thursday, August 6 (Skill Update)
Update - Thursday, September 17 (Skill Update)
Update - Thursday, October 22, 2009 (Halloween 2009/Codex)
Update - Thursday, October 29, 2009 (PvP Henchie)

There I sourced you...
]HM[ Sabre Wolf is offline   Reply With Quote
Old Dec 04, 2009, 12:43 AM // 00:43   #66
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by masharra View Post
so that when the bot is cleaning out the account the user doesn't log on and interrupt the cleaning out operation. especially useful if the user notices what's going on and changes password immediately
Yes, this does make some sense. But you would only have those logon credentials if the user had accessed the PlayNC account since they differ from the GW credentials, and we have observations where people hadn't done that in ages. So either you've got a hacker that's waited patiently for a very long time to gotcha people with a keylogger, or the PlayNC site has been compromised in some way. The latter would seem more likely.

If you reset the game password, the temp password goes to the associated e-mail address. So either you'd need full access to the e-mail account or you'd have to compromise the PlayNC site to make use of the temp password.

Changing the password seems even sillier than I thought. Unless you had a broadly distributed keylogger and an awful lot of patience. But that just doesn't fit some of the observations where the GW password was changed via PlayNC.

Quote:
Originally Posted by masharra View Post
also isn't the ncsoft website password different from the logon password for gw?
I would hope so. I know mine is. I doubt this is the case for everyone. But we have hacked observations where they differ, so you'd need the PlayNC information to alter the password.
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 12:56 AM // 00:56   #67
Grotto Attendant
 
Join Date: Apr 2007
Default

Hmmm... I didn't mean to start a firestorm here. I was merely pointing out that this sure sounded like an oblique way of saying "we fixed the spoofability of the password reset urls," and was looking for a clarification whether it was a functionality fix or a security fix.

Quote:
Originally Posted by Bristlebane View Post
I did click that Password retrieval URL after my account had been hijacked, and ALL it did was take you to NCSOFT. So I'm 100% sure that it couldn't have been used for stealing accounts, it just didn't take you to any specific page for retrieving your password.
This would imply it was a functionality fix.

Quote:
Originally Posted by masharra View Post
who says a new undetectable key logger hasnt been released?
This is more Fril's area than mine, but I'm reasonably certain that, not only doesn't such a thing exist, it's fundamentally impossible for it to exist. At worst, you could have a new rootkit that's good at hiding a keylogger from the average user and the cruddy antivirus he relies on as his sole security tool. Also, I don't want to be mean, but your understanding of computer security in general seems pretty far off base. As a result, you're making a lot of very dubious assumptions.

Quote:
Originally Posted by Martin Alvito View Post
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack.
This.

I don't get why it's so hard for people to grasp that accounts can be stolen in more than one way. Yes, there's certainly a baseline of account theft due to user stupidity. Always has been, always will be. But there seems to be more going on. And as the evidence mounts up, it sure does look like there's a way to steal accounts using a vulnerability on the NCSoft/a-net side of things.

That's what has me unnerved. I know what I'm doing. My security is going to be a relatively tough nut to crack, and, frankly, if someone does get in, they almost deserve my account for their efforts. But there's not a damned thing I can do to protect against NCSoft/a-net giving out/resetting my account credentials for any thief who comes along.

(Also, btw, the fact that accounts can be stolen in multiple ways is why I place zero faith in Gaile's assurance that the problem is not with the NCSoft account based on the existence of ONE stolen unlinked account. For all we know or she knows, that particular account could have been stolen through user stupidity while other accounts are stolen through a weakness in the NCSoft account.)
Chthon is offline   Reply With Quote
Old Dec 04, 2009, 01:11 AM // 01:11   #68
Frost Gate Guardian
 
 
Join Date: Jan 2006
Location: California
Guild: TTP
Profession: R/E
Default

Quote:
Originally Posted by Martin Alvito View Post
Yes, this does make some sense. But you would only have those logon credentials if the user had accessed the PlayNC account since they differ from the GW credentials, and we have observations where people hadn't done that in ages. So either you've got a hacker that's waited patiently for a very long time to gotcha people with a keylogger, or the PlayNC site has been compromised in some way. The latter would seem more likely.

If you reset the game password, the temp password goes to the associated e-mail address. So either you'd need full access to the e-mail account or you'd have to compromise the PlayNC site to make use of the temp password.

Changing the password seems even sillier than I thought. Unless you had a broadly distributed keylogger and an awful lot of patience. But that just doesn't fit some of the observations where the GW password was changed via PlayNC.



I would hope so. I know mine is. I doubt this is the case for everyone. But we have hacked observations where they differ, so you'd need the PlayNC information to alter the password.
I used the PlayNC site to go to my Aion account to pick up the rewards for time played. I hadn't played GW that much lately as I was playing Aion. Aion has also had accounts hacked. And it wasn't too long after I started reading about Aion hacks that my GW account was hit. Logged in Saturday to my Aion account - logged into GW to play a bit. Sometime between Saturday night and Sunday GW was looted. I cancelled Aion and never went back to see if anything happened to it.

Last edited by Aleta; Dec 04, 2009 at 01:14 AM // 01:14..
Aleta is offline   Reply With Quote
Old Dec 04, 2009, 01:32 AM // 01:32   #69
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Chthon View Post
Hmmm... I didn't mean to start a firestorm here.
You didn't. Members have been making the argument about the PlayNC site for months.

Quote:
Originally Posted by Chthon View Post
(Also, btw, the fact that accounts can be stolen in multiple ways is why I place zero faith in Gaile's assurance that the problem is not with the NCSoft account based on the existence of ONE stolen unlinked account. For all we know or she knows, that particular account could have been stolen through user stupidity while other accounts are stolen through a weakness in the NCSoft account.)
I'm glad that I'm not the only person that saw how hard the logic of that argument failed. The thing that really bothers me about it is that Gaile probably wasn't just shooting from the hip there. Which implies that either someone in Support doesn't understand the problem or (God forbid) is pulling an inside job and wishes to distract attention from the real problem.

As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.

Last edited by Martin Alvito; Dec 04, 2009 at 01:34 AM // 01:34..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 01:36 AM // 01:36   #70
Frost Gate Guardian
 
 
Join Date: Jan 2006
Location: California
Guild: TTP
Profession: R/E
Default

Quote:
Originally Posted by Martin Alvito View Post
You didn't. Members have been making the argument about the PlayNC site for months.



I'm glad that I'm not the only person that saw how hard the logic of that argument failed. The thing that really bothers me about it is that Gaile probably wasn't just shooting from the hip there. Which implies that either someone in Support doesn't understand the problem or (God forbid) is pulling an inside job and wishes to distract attention from the real problem.

As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.
Good point. Didn't think about that. Still I believe there's a weak spot someplace in GW security.
Aleta is offline   Reply With Quote
Old Dec 04, 2009, 02:11 AM // 02:11   #71
Wilds Pathfinder
 
Join Date: Nov 2007
Guild: Still looking
Profession: Rt/
Default

I'd love for Anet to be a bit more specific as far as fixing a bug...it could help if another problem occurs
The Drunkard is offline   Reply With Quote
Old Dec 04, 2009, 02:12 AM // 02:12   #72
Grotto Attendant
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Martin Alvito View Post
As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.
My suspicion (and mind you it's just a suspicion) is that we're seeing a variant on the same vulnerability we saw with the huge rash of D2 account thefts all those years ago -- in converting from account name to reset URL, some portions of the URL are the results of something hashed weakly or not at all; and someone has figured out how to spoof reset URLs by requesting a reset for an account name that's similar in the right ways, then substituting the guessable unhashed or weakly hashed parts for the account they want to steal.
Chthon is offline   Reply With Quote
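
The class of weakness suspected in the post above, seen from the defender's side. This is an added example, not part of the thread and not NCSoft or ArenaNet code: `weak_reset_token`, `ResetTokenStore`, `is_deterministic` and the 15-minute lifetime are all assumptions made for illustration. It contrasts a reset token derived from the account name with one that is random, stored only as a hash, bound to one account, time-limited and single-use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, chosen for the example


def weak_reset_token(account_name: str) -> str:
    """Anti-pattern: the token is a pure function of a public value.

    Anyone who knows the account name can recompute it, so the reset URL
    proves nothing about who requested the reset. (Constructed scheme.)
    """
    return hashlib.md5(account_name.encode()).hexdigest()


class ResetTokenStore:
    """Hardened issuer: random, hashed at rest, account-bound, expiring, one-shot."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account_name, expiry_timestamp)

    def issue(self, account_name: str) -> str:
        # 32 bytes from the OS CSPRNG; nothing in the token depends on the account.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account_name, self._clock() + TOKEN_TTL_SECONDS)
        return token  # sent to the account's e-mail address, never stored in clear

    def redeem(self, account_name: str, token: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use: any redemption attempt consumes it.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return False
        bound_account, expiry = entry
        if self._clock() > expiry:
            return False
        # The token only works for the account it was issued for.
        return hmac.compare_digest(bound_account.encode(), account_name.encode())


def is_deterministic(issue, account_name: str, samples: int = 3) -> bool:
    """Audit check: True if repeated requests for one account yield one token."""
    return len({issue(account_name) for _ in range(samples)}) == 1


if __name__ == "__main__":
    store = ResetTokenStore()
    print("weak issuer deterministic:", is_deterministic(weak_reset_token, "alice"))
    print("hardened issuer deterministic:", is_deterministic(store.issue, "alice"))
    token = store.issue("alice")
    print("token for alice accepted for bob:", store.redeem("bob", token))
```
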
Old Dec 04, 2009, 02:32 AM // 02:32   #73
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

That's the strongest theory I've heard so far. I don't really believe the inside job thesis for a variety of reasons. The automation suggests that someone has come up with a clever way to bypass authentication, but that it takes some tedious work.

There's no reason to reinvent the wheel if avoidable, so recycling a known approach makes sense.
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 03:25 AM // 03:25   #74
Pre-Searing Cadet
 
Join Date: Jan 2007
Guild: Ravn
Profession: W/N
Default

I clicked on that change password link when I couldn't log into my account and I got Chinese writing on the page it sent me to. That's when I knew all my stuff was gone.
sirsterm is offline   Reply With Quote
Old Dec 04, 2009, 04:11 AM // 04:11   #75
Desert Nomad
 
shoyon456's Avatar
 
Join Date: Jul 2006
Profession: D/
Default

So it's a good thing I haven't changed my password in years? Holy hell, the irony...
shoyon456 is offline   Reply With Quote
Old Dec 04, 2009, 08:16 AM // 08:16   #76
Academy Page
 
Join Date: Nov 2007
Profession: N/Me
Default

Quote:
Originally Posted by Chthon View Post
Second one is interesting. Either it wasn't functioning properly (which I think we would have heard about in the Bugs forum) or it had a security vulnerability. If it's the latter, I guess the rash of account thefts is over now. However, it would sadden me that a vulnerability that every game programmer should remember from the days of D2 somehow made it into GW. WTB official clarification: can we breathe easier about account theft?
Actually, I think they just fixed the URL on this one. I've clicked on the "Reset Password" link on the login page a couple times, and all it was was a broken NCSoft link that took me to a "Page not found" in Korean.

I'm assuming that all they did was put in the correct URL, so no, I don't think it has anything to do with account security.
kokuou is offline   Reply With Quote
Old Dec 04, 2009, 09:02 AM // 09:02   #77
Furnace Stoker
 
pumpkin pie's Avatar
 
Join Date: Jul 2006
Location: behind you
Guild: bumble bee
Profession: E/
Default

HMMMMMM. does this whole thing have anything to do with linking all your accounts to NCSoft master accounts?
pumpkin pie is offline   Reply With Quote
Old Dec 04, 2009, 11:36 AM // 11:36   #78
Jungle Guide
 
Shasgaliel's Avatar
 
Join Date: Apr 2008
Guild: [bomb]
Default

You guys forget the third option - ISP.

In some countries a hacker just needs your telephone number to get everything. Some ISPs make telephone numbers the ID/login numbers for the network - the hacker just needs to brute force the password and he will see everything you send (passwords, logins); he just needs to play with SYN packets a bit (in some cases he needs IPs) etc. - nothing on your PC will help, no firewall, no anti-malware software. My friend, after connecting his PC to a local network in one of the campuses, managed to get all the logins/passwords in 24 hours. Those people were not at fault, and neither were the websites/games they were connecting to; it was all due to bad network protection by the ISP. I am not a hacker and I do not know much about the security details, but I happened to see a lot. Anyway, people with more technical knowledge will be able to write more useful details on this.

Writing scripts to obtain passwords from badly protected URLs takes minutes. Running them may take a while but then you use several IPs or even rented botnets. I saw botnets in action. If you operate one you can run through URLs very very fast.

I am quite sure that goldsellers operate with botnets. Which means that often it is some infected computer which is getting blocked by ANET not the hacker himself.
Shasgaliel is offline   Reply With Quote
Old Dec 04, 2009, 01:17 PM // 13:17   #79
Wilds Pathfinder
 
Hengis's Avatar
 
Join Date: Apr 2006
Location: London
Guild: Better Than Life (BTL)
Profession: R/
Default

Quote:
Originally Posted by Martin Alvito View Post
We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).
This is an interesting idea Martin, but I think my particular experience falls between both. My account was not hacked through a password reset, but what was taken and what was left on my characters exactly fits your "clean out bot" scenario.

All my gold was taken (1.7 million spread over storage and 10 chars)
All obviously valuable items in storage e.g. ectos, but full stacks of common and even some full stacks of rare crafting materials were left.
FOW armour salvaged
DEDICATED Kuunavang taken (This pissed me off more than anything)
ALL Elite tomes taken from storage (I had around 100 Elite tomes for some reason LOL)
ALL alcohol and sweet and party items were taken, of which I had quite a lot as I was saving for a double hit on Party and Sweet tooth max titles.

However, all my heroes were left fully runed up with superior vigor runes etc and they were all armed with UNDEDICATED Destroyer Weapons which were not touched.

What I am saying is that although they hit me very hard (My initial estimation was that I lost around 3 million, but I have since upped this in my own mind to around 5 million) they missed a fair amount of stuff that could have easily been just sold to the merchant to convert into quick cash.

I still don't know with any degree of certainty how my account was hacked or why my account was targeted. I don't have a GWAMM (my max is 28 titles), I have never bought or sold really high end items. I've sold a few things on guru auctions, but nothing worth more than a couple of hundred K at the most and nothing at all recently. I am in a guild of one and for the last year or so have only ever played solo title farming. The only fansite I am active on is this one and of course I have never used any third party programs with the exception of GWML (Guild Wars Multi Launch). This in itself would seem to rule out a keylogger as the secondary accounts I used were not touched.

I would dearly love to put this whole thing to bed in my own mind, just to know how and why my account was targeted.
Hengis is offline   Reply With Quote
Old Dec 04, 2009, 05:09 PM // 17:09   #80
Krytan Explorer
 
Join Date: May 2005
Location: eotn
Profession: W/
Default

Quote:
Originally Posted by kokuou View Post
Actually, I think they just fixed the URL on this one. I've clicked on the "Reset Password" link on the login page a couple times, and all it was was a broken NCSoft link that took me to a "Page not found" in Korean.

I'm assuming that all they did was put in the correct URL, so no, I don't think it has anything to do with account security.
I don't think you read much of the thread. It seems to be something more than just some kind of innocent mistake.

Quote:
Originally Posted by sirsterm View Post
I clicked on that change password link when I couldn't log into my account and I got Chinese writing on the page it sent me to. That's when I knew all my stuff was gone.
nitetime is offline   Reply With Quote