Curse

studentochaos · Apr 07, 2006, 05:18 AM // 05:18

Rough week for SCV. They missed out on championship by two points then get hacked. I really hope they come back into ladder play. Great team and fun to watch. I fear this may break their spirit to want to play, but lets hope they come right back!

Draygo Korvan · Apr 07, 2006, 05:35 AM // 05:35

Quote:

Originally Posted by calamitykell

Shit. I'm using phpBB, how much does vB cost?

*has like, no money* x.x

Phpbb is safe enough. While it only hashes with MD5, as was said earlier, even if they could see the database they wont be able to guess at the passwords.
MD5+SHA1+Salt action is key, but that wont save you from HTML injection.

art_ · Apr 07, 2006, 06:03 AM // 06:03

Quote:

Originally Posted by Nevin

What happened to the good ol' highschool ilove___ passwords?

Awesome avatar

<3 Gir

Manic Smile · Apr 07, 2006, 08:28 AM // 08:28

Quote:

Originally Posted by Killmur

I know Inde, I know. I read the first post. However sometimes I don't like reading about this stuff at all. I use simple passwords since my memory is crappy with numbers. Kinda has me worried that I may have to start using numbers in my passwords but I just am not willing to.

If that is your problem use words that are fimiliar to you but add odd spelling with non characters like leet spelling or $ for S for example. add numbers in the begining middle or end...that way everything is familiar to you but there would be no way anyone not close to you would be able to just guess it

Lady Lozza · Apr 07, 2006, 08:32 AM // 08:32

I think this is the 10th hacking thread that I've read in the last day, across various GW forums. Is Computer Security 101 not taught at school anymore? I was at school when the majority of PCs were still sporting black and white graphics, I would have thought that it would have been more important today that it was then. So here is a little information for all of you who have missed the leason Computer Common Sense and Security because you were all too busy playing Guild Wars.

Computer game hackers are generally NOT experts. They won't "hack" your home system, the GW servers, or even forum boards for your username and password, instead they use keyloggers (among other things) to get your information.
A common myth I've seen floating around is that anti-virus programs, anti-spy ware, firewalls etc will protect your computer. This is NOT TRUE. Mal-ware can and does get into your system even if you are running the all the right software. This is not suppose to frighten you, it is the simple truth. These programs prevent against known threats, and against files that look similar to known threats. Even then this might not be enough if you have had a rootkit put on your computer.
Rootkits are not necessrily mal-ware in themselves but they can be used to hid mal-ware. Rootkits are difficult to find, and difficult to remove - in fact at bit over 6 months ago Sony had to remove a DRM rootkit because it was being used to hide torjans and keyloggers, furthermore when it was discovered even the experts had trouble removing it without crashing the system. The general solution was a complete hard drive wipe and reload.
Despite all the nastiness floating around on the web, you can take steps to help ensure that you don't fall prey to these "u13er 1337 h4x0rz".

1) Do not download anything with DRM. Rootkits are nice for DRM because they are difficult to remove, so it is very unlikely that Sony was the ONLY company using them.
2) Do not download cheats/skill calculators/bots etc. Doing so, when the login page states that you should not, is just stupid.
3) Do not download anything that you don't trust, or don't know if you should trust. "Free" music and movies might be all the rage but if you really want to indulge in this (and you should know that it is generally illegal) then do it from a computer which you don't game on.
4) Don't use a free email address to game. I know that most of you probably don't have anything but a hotmail account, but using your parents' address is better.
5) Don't register the address you game on with internet forums. That is what hotmail is for.
6) Don't use the same password for forums/email as you do for gaming.
7) Do not write your password down, do not store it on your computer. You should be able to remember SEVERAL 16 character passwords. If you find this difficult here is a nicer solution. Forums and even hotmail do not need complex difficult to crack passwords, afterall it doesn't (or perhaps shouldn't) matter if they get hacked. Use simple passwords for them and keep the complex ones for accounts (eg gaming) that REALLY matter.
8) Passwords should included numbers, different cases, and - if allowed - symbols. Do not use birthdays, other email addresses, or brother/sister/boyfriend etc names.
9) Learn to listen to your computer. If your computer seems to be playing up, chances are it is. Scan, defragged, etc and if you are still having problems save all your data to disk. After that either see a computer tech or wipe the MBR and HD and reload.
10) Understand your personal limitations. I know it is 1337 to pretend you know everything there is to know about computers but even those in the industry don't know EVERYTHING. Be honest with yourself. If you don't know what is going on, don't pretend you do, you will probably just make a mess of things.

It may seem like a lot to remember but the majority of it is common sense. Not ALL hackers will be stopped by this, but it will make sure that you aren't the victum of the general "gaming hacker".
My apologies if some of this has already been mentioned.
Googling "computer security" might show you some interesting stuff, and if in doubt pay a visit to a Linux forum or two and read what they have to say about security. It may be a different OS but the general rules and principles remain the same and they don't only talk about Linux either.

lg5000 · Apr 07, 2006, 10:09 AM // 10:09

Computer Security 101? They get my kids in yr1 and yr3 to read and sign a form that they WONT harm the schools computer (in the software part) in any way.... Oh, and they get told NOT to give out their name, to anyone

Dunno about later in school, but at the moment, computer security is taught at home in my household.

btw, nice advise on how to protect agains having your account stolen. Most likely, if you follow the above advise, you'll be fine. Accounts get stolen due to stupidity of the user.. in most cases, and any work involved in getting the account is trade off for those where the user more or less passes his account info out.. anyone seen those fake bank emails asking for your password and account number? Sorta like that, except, I'm hoping we're all smart enough to ignore that style of email.

Whops, I really didn't mean to write that much, considering, I fall in the reasonably computer illiterate class...

MisterB · Apr 07, 2006, 10:10 AM // 10:10

Quote:

Originally Posted by doskir

i have been using this method for safe passwords a long time now and heres how it works:
get a piece of paper and write every letter and the numbers 0-9 on it then randomly assign each letter and nummer a different number or letter. now create a password for each site/game by using it. ie: guildwars = df5onm68z. you can put this anywhere you want because NOBODY will know what this thing does copy it a few times and store it somewhere you wont loose it perfect password aslong you dont tell anybody that has access to it what it does

Good idea. Many people, spies included, have used this; it's called a cipher. One somewhat famous cipher was the Enigma cryptographic machine used by German U-boats in WWII. Worked a treat until it was cracked.

From Dictionary.com:

ci-pher also cy-pher
n.

1. The mathematical symbol (0) denoting absence of quantity; zero.
2. An Arabic numeral or figure; a number.
3. One having no influence or value; a nonentity.
4. a. A cryptographic system in which units of plain text of regular length, usually letters, are arbitrarily transposed or substituted according to a predetermined code.
b. The key to such a system.
c. A message written or transmitted in such a system.
5. A design combining or interweaving letters or initials; a monogram.

Source: The American Heritage® Dictionary of the English Language, Fourth Edition
Copyright © 2000 by Houghton Mifflin Company.
Published by Houghton Mifflin Company. All rights reserved.

Why did you have to post? Now everyone knows what my cheat sheet is for!

Just kidding.

edit: On topic, really tough luck for this guild, perhaps the member with the hacked account should have used a cipher password!

Asplode · Apr 07, 2006, 10:22 AM // 10:22

Yeah he got on IRC and made a long monologue about how he hopes Cefx is happy, as if it's his fault he decided to go stealing accounts, and that he's giving the stuff away to friends and giving accounts back to their owners, as well as his own account, and quitting GW entirely.

It seems ironic that someone would go steal peoples' accounts, wreck a competitive guild's roster, and then go and try to drop some kind of guilt trip on the community.

The Lesson? Use your common sense, and don't use the same password for different things, I suppose.

Haggard · Apr 07, 2006, 12:01 PM // 12:01

Quote:

Originally Posted by Ctb

The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).

Thats the benefit of giant PC moniters, you can simply sellotape your password to the side

Ctb · Apr 07, 2006, 12:25 PM // 12:25

OMG, these people who are writing down their passwords and not securing the slips are going to give me a coniption

lol

To those of you who say "who's going to come into my house and steal my Guild Wars password paper?", what about a malicious "friend", jilted lover, unscrupulous family member? What if the delivery guy for UPS drops off your new uber-gfx card and sees it, and in his off hours he's one of these *ahem* "crackers"?

It's the ice cream lock scenario: it doesn't have to be perfect, but you still need to take a reasonable level of precaution, and leaving your passwords on a piece of paper out in the open (unless you're a recluse) is not reasonable. At least put it on top of the fridge or something where people in your place can't see it by just walking around.

stickyballs · Apr 07, 2006, 01:06 PM // 13:06

Yeah, I *heard* that some sites need you to register, but they got like pics of new Factions weps and stuff, so people get all excited. Then you register w/ your email and pass and then they hope that the SN you used on their site is the same as your email. They don't need your GW account pass, because they can just recover it if they have access to your email.

On a side note, this happened a few months ago to a Rank 30 guild, Elysian Fields. I joined and thought something was wrong when there were like 50 guys and 10 of them hadn't even gotten out of Ascalon yet, lol. I always wonder why these hackers don't SELL the guild for a lot because it is high ranking instead of filling it w/ newbs...

Charqus · Apr 07, 2006, 01:16 PM // 13:16

hmm the officers were probably at fault to... prob downloaded a hack and got a key logger.... v bad tho

lg5000 · Apr 07, 2006, 02:44 PM // 14:44

Quote:

Originally Posted by Ctb

To those of you who say "who's going to come into my house and steal my Guild Wars password paper?", what about a malicious "friend", jilted lover, unscrupulous family member? What if the delivery guy for UPS drops off your new uber-gfx card and sees it, and in his off hours he's one of these *ahem* "crackers"?

LOL, they'd need to be able to read my handwriting, which becomes hitroceous(sp?) when it comes to writing personal notes for my memory.

Sir Mad · Apr 07, 2006, 05:20 PM // 17:20

Quote:

Most forums are now encrypted. For example, there is no way in vBulletin for me to obtain or hack anyone's passwords. The encryption is that good. I know that older versions of Invision you could. This would also be the reason that I have different passwords for everything. For my GW Account, forum account, emails, admin access, etc.

phpBB, which is one of the most common version of BB on the net (it's free) doesn't. That's what I use on my own site (I dont want to invest in BBs like vBulletin for I'm proud to keep my site free of any advert and get no income from it - I'd rather use eavilly modded (by me) versions of phpBB than spending more money again for the site) and yes, there is a way for me to retrieve the passwords of my users. Of course, that's something I'll never do, but who knows if the admin of the GW related you've just registered with the same PW used for forums, mail addies, GW accounts, etc... will have the same ethics? You can trust people on guru, gameamp, or gwonline.net for ex from this point of view. But what about this guild forum spammed in-game where you need to be registered to read most of the topics?

asdar · Apr 07, 2006, 06:11 PM // 18:11

cypher won't help against a keylogger if you're typing in your own password.

What I do for this is keep a word file with an unusual name. I open that file and type a bunch of garbage.

llXXlKKKDDD"pas"kkKKl;;;"wo"klsdlkfasd"rd"

I use numbers and letters but I use something I know so I won't forget it.

Then when I log in I open that file, which won't trigger any keystroke logger and I highlight the sections I want and paste them in. I have a big huge file of this garbage so they can't easily get my password even if they do get that file. I never type in my password so they can't keystroke capture.

It's really easy to use, I just click file open, highlight, copy, paste, enter and i'm in without any fuss and without ever typing my pass.

I agree with the rest too, don't download anything or use forum pass.

Ctb · Apr 07, 2006, 06:37 PM // 18:37

Quote:

I have a big huge file of this garbage so they can't easily get my password even if they do get that file.

As a professional programmer, I can assure you that anybody with that file and some minimal C or Perl skills could trivially run that file against a list of services you use and discern which password goes to what.

Even assuming you have 5000 passwords, it would take maybe a week to figure them all out, assuming you do them one at a time, and assuming that it takes two minutes per resource to test (which are some pretty long assumptions).

More realistically, someone competent enough to thread the attack script could probably unravel the whole file in about 8-10 hours with a few proxies.

Loviatar · Apr 07, 2006, 06:45 PM // 18:45

ATTN. PEOPLE.

https://www.grc.com/x/ne.dll?bh0bkyd2

THE SHIELDS UP SITE HAS A RANDOM PASSWORD GENERATOR THAT BEATS WHATEVER YOU HAVE NOW.

TRUSTED SITE FOR SECURITY FOR YEARS YOU MIGHT LIKE TO HAVE THEM GIVE YOUR PC A PORT SCAN (AND OTHERS) JUST TO SEE HOW LEAKY YOUR SETUP IS.

MINE IS AS TIGHT AS A WINDOZE BOX GETS.

Sir Skullcrasher · Apr 07, 2006, 07:15 PM // 19:15

Quote:

Originally Posted by Loviatar

ATTN. PEOPLE.

https://www.grc.com/x/ne.dll?bh0bkyd2

THE SHIELDS UP SITE HAS A RANDOM PASSWORD GENERATOR THAT BEATS WHATEVER YOU HAVE NOW.

TRUSTED SITE FOR SECURITY FOR YEARS YOU MIGHT LIKE TO HAVE THEM GIVE YOUR PC A PORT SCAN (AND OTHERS) JUST TO SEE HOW LEAKY YOUR SETUP IS.

MINE IS AS TIGHT AS A WINDOZE BOX GETS.

Sorry, i don't open random links!

Y.T. · Apr 07, 2006, 07:23 PM // 19:23

Quote:

Originally Posted by Maxiemonster

Yep, it's Kava. The hacker said he got into the forum of the guild or something, and it contained the accounts and passwords.

I hope the guild leader speaks English, so I can explain what happened. I really hope this guild can still get their members back and get into the tournament, since with a bunch of randomly invited people, they won't get far.

but why they had their passwords on the guild forums? thats really weird...

i feel really sorry for this guild and especially for the officer whos account was hacked.... i hope anet'll find the hacker and ban him for good.

eternal pho · Apr 07, 2006, 07:25 PM // 19:25

As Anet warned everyone, you are NOT suppose to download add-ons or any other gw programs because it's risks your account of being hacked into.