Guild Wars Forums - GW Guru
Old May 31, 2010, 06:16 PM // 18:16   #61
Jungle Guide
 
JoeKnowMo's Avatar
 
Join Date: Oct 2005
Location: Wessst Siiide, USA
Profession: Mo/

Might be time for password change.

Quote:
Originally Posted by Theocrat View Post
People would rather spam "QQ MOAR BOTTURZ LOL DHUUMSDAY" than discuss something important in an intelligent manner, Chthon.
Or maybe they'd rather spam, "Waah! I wuz banned becuz I cheated but I'm still going to cry that it's unfair."
JoeKnowMo is offline   Reply With Quote
Old May 31, 2010, 06:43 PM // 18:43   #62
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Gill Halendt View Post
So, credentials were stolen in some other way (keylogging, phishing, scam).
The very obvious implication is that the NCSoft site did indeed have several huge vulnerabilities, and that the operators of this botnet exploited one or more of those vulnerabilities to extract 2 million sets of login credentials. Consider the following:

1. 10x more NCSoft account credentials were stolen than WoW account credentials. What's the most likely explanation for that? There are 10x as many NCSoft accounts in existence as there are WoW accounts, so being stolen at the same rate resulted in 10x as many NCSoft accounts being stolen? No, that premise is precisely the opposite of reality. There are more WoW accounts. NCSoft accounts have more monetary value, so they were targeted more by the thieves? Again, the premise is contrary to reality. WoW accounts are worth more cash. NCSoft customers are 10x dumber on average than WoW customers and 10x more likely to fall for phishing? Perhaps, but it seems unlikely. The most logical explanation is that a NCSoft account is 10x easier to steal because they have serious security flaws.

2. How often do you log into your NCSoft account? Probably not very often. You could have a keylogger on your system for months and it would never pick up your NCSoft password because you never type in your NCSoft password. Ergo, it's unlikely that they keylogged 2 million NCSoft passwords.

3. While there were phishing attempts for the NCSoft password reported on Guru, none that had the sort of volume you'd expect from something that would net 2 million suckers. Unless the phishing was targeted in a way that largely avoided people who post on Guru, we should have seen a lot more reports of attempted phishing than we did. Ergo, it's unlikely that they phished 2 million NCSoft passwords.
Chthon is offline   Reply With Quote
Old May 31, 2010, 07:11 PM // 19:11   #63
Krytan Explorer
 
Ka Tet's Avatar
 
Join Date: Nov 2006
Guild: Pita Bread And Scud Missiles Ai[iiii]

Quote:
Originally Posted by Amy Awien View Post
I don't think they know, the database contained account info for a variety of games, this info was probably gathered using methods specific to each game - or game-publisher.



The virus (a trojan actually) was used to test the passwords.
thank you
Did you know that thank you is not nine chars? I mention this only because I couldn't just post a thank you. Had to add additional characters. All done.
Ka Tet is offline   Reply With Quote
Old May 31, 2010, 08:56 PM // 20:56   #64
Desert Nomad
 
Gill Halendt's Avatar
 
Join Date: Mar 2008

Quote:
Originally Posted by Chthon View Post
[snip]
I know!

All I wanted to say is that the newly discovered trojan isn't the actual danger: the actual danger is probably found elsewhere (hello NCSoft, how's your website?)

So there's really nothing new to report.
Gill Halendt is offline   Reply With Quote
Old May 31, 2010, 09:02 PM // 21:02   #65
Furnace Stoker
 
MisterB's Avatar
 
Join Date: Oct 2005
Location: Planet Earth, Sol system, Milky Way galaxy
Guild: [ban]
Profession: W/

Quote:
Originally Posted by Gill Halendt View Post
So there's really nothing new to report.
Well, there is the fact that we have independent confirmation of stolen NCSoft accounts and a figure attached to it. 2 million accounts is a rather significant figure.
MisterB is offline   Reply With Quote
Old May 31, 2010, 09:47 PM // 21:47   #66
The Fallen One
 
Lord Sojar's Avatar
 
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me

Now, this is worth concern. 3,700 banned players QQing is irrelevant. This is a big deal. NCSoft has routinely failed at security, and that doesn't seem to be changing.

I for one believe that this should be the point of public outcry. Legitimate players stand to lose their accounts daily because of this, and in far greater numbers than 3,700. This is a major issue, and major steps need to be taken immediately to fix this situation. I would highly recommend the route Blizzard has taken with the authenticator program, as that has been wildly successful.
Lord Sojar is offline   Reply With Quote
Old Jun 01, 2010, 02:16 AM // 02:16   #67
Furnace Stoker
 
twicky_kid's Avatar
 
Join Date: Jun 2005
Guild: Quite Vulgar [FUN]

2 million infected computers is a very small slice of the overall worldwide population of online gamers.

About a year ago I knew something was up when you see more and more accounts being hacked over different games. I think the hackers are ahead of the curve on security. Security can only be reactive. I like authenticators. At least it's a physical device with less chance of being corrupted.

Though I'm sure it's only a matter of time before someone figures out a way to hack those as well.
twicky_kid is offline   Reply With Quote
Old Jun 01, 2010, 02:20 AM // 02:20   #68
The Fallen One
 
Lord Sojar's Avatar
 
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me

Quote:
Originally Posted by twicky_kid View Post
2 million infected computers is a very small slice of the overall worldwide population of online gamers.

About a year ago I knew something was up when you see more and more accounts being hacked over different games. I think the hackers are ahead of the curve on security. Security can only be reactive. I like authenticators. At least it's a physical device with less chance of being corrupted.

Though I'm sure it's only a matter of time before someone figures out a way to hack those as well.
You really can't hack something that has no connection to the outside world. You can intercept the data being sent by the user as a middle man and attempt to decrypt it, but those are very complex and more trouble to pull off than they are worth. Those types of hacks can also result in prison time.

Authenticators, on the whole, are the most secure method of account security on the planet, period.
Lord Sojar is offline   Reply With Quote
Old Jun 01, 2010, 02:48 AM // 02:48   #69
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]

The reason that players aren't deeming this "newsworthy" is that we already knew that NCSoft had security issues. As of right now, the existence of this database is less of a concern than you might think.

Symantec is claiming that:
- somebody is running a botnet
- said botnet tests prospective credentials in online games
- the botnet's dictionary is from another source, probably bulletin boards

This is basically the scenario I proposed in December, except that I posited the use of brute force using the password reset function (a botnet could have snagged many accounts per day this way).

The obvious explanation for the observation that NCSoft accounts were disproportionately compromised is that the botnet was applying brute force to the NCSoft website. The entry mechanism could have been the login bug that some players claimed to have discovered on January 1 (but ANet vehemently denied), or it could have been the reset mechanism. Since those problems were almost certainly unique to NCSoft, it would explain why Blizzard's accounts were less likely to be compromised.

Either way, those issues have been fixed. I've verified that the password reset loopholes have been closed using some less valuable accounts, and the cessation of the rash of hacks conclusively suggests that any means of directly accessing another user's NCSoft account has been removed. Further, the attack mechanism strongly implies this. The thieves are targeting NCSoft accounts in the same way that they would target Blizzard or anyone else. The moral of the story is: don't use your GW access credentials for anything else, and for the time being you should be fine.

Authenticators would be great, and I sincerely hope that they implement them for GW2. I approve of anything that increases the costs of hacking accounts by six orders of magnitude.
Martin Alvito is offline   Reply With Quote
Old Jun 01, 2010, 02:58 AM // 02:58   #70
Ascalonian Squire
 
Join Date: Apr 2010
Profession: W/D

Not trying to start any flaming here.. just a simple question as I have no idea what this is all about or what it is doing... but is it at all possible that any of this issue could have caused some false positives for any of the 3,700 account bans?
I Rogue Syndicate I is offline   Reply With Quote
Old Jun 01, 2010, 03:50 AM // 03:50   #71
Academy Page
 
Pritst Of Death's Avatar
 
Join Date: Nov 2009
Location: Texas
Guild: CGU
Profession: P/

That's kind of a scary thought, that lots of the people banned could argue that it was stolen by someone else o.o
Pritst Of Death is offline   Reply With Quote
Old Jun 01, 2010, 04:11 AM // 04:11   #72
Jungle Guide
 
Nerel's Avatar
 
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

Quote:
Originally Posted by I Rogue Syndicate I View Post
Not trying to start any flaming here.. just a simple question as I have no idea what this is all about or what it is doing... but is it at all possible that any of this issue could have caused some false positives for any of the 3,700 account bans?
No, not really. If your account was compromised and used to bot by a third party (say an RMT network steals your account and puts it to work botting gold), then Anet/NCsoft support would have a very hard time not noticing the IP difference between where you normally log in and play and where the compromised account is botting from.
Nerel is offline   Reply With Quote
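Two detection signals come up in the posts above: Symantec's description of a botnet testing harvested credentials against the login service, and Nerel's point that a stolen account shows up from an IP range its owner never used. The following is an added example, not code from the thread or from NCSoft: it runs both heuristics over a few constructed login-audit lines (timestamps, RFC 5737 documentation addresses, account names and results are all made up), and then joins them to name the accounts that most need a lock and reset, namely those that logged in successfully from a source that was walking through many accounts.

```python
"""Added example, not code from the thread: login-log heuristics for credential
testing by a botnet and for logins from unfamiliar networks.  SAMPLE_LOG and the
thresholds are constructed for the demo."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed audit lines: "<timestamp> <source ip> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2010-05-31T18:01:02Z 203.0.113.7 alice FAIL
2010-05-31T18:01:03Z 203.0.113.7 bob FAIL
2010-05-31T18:01:03Z 203.0.113.7 carol FAIL
2010-05-31T18:01:04Z 203.0.113.7 dave OK
2010-05-31T18:01:05Z 203.0.113.7 erin FAIL
2010-05-31T18:01:06Z 203.0.113.7 frank FAIL
2010-05-31T18:05:00Z 198.51.100.20 alice OK
2010-05-31T18:06:00Z 198.51.100.20 alice FAIL
2010-05-31T18:07:00Z 198.51.100.20 alice OK
2010-05-31T19:30:00Z 192.0.2.99 dave OK
"""


def parse_log(text: str) -> list:
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, account, result = parts
        records.append({"ts": ts, "ip": ip, "account": account, "ok": result == "OK"})
    return records


def find_credential_testing(records: list, min_accounts: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Flag source IPs that try many *distinct* accounts with mostly failures.
    A user mistyping a password hits one account repeatedly; a harvested list
    being replayed walks through many accounts, most of which do not match."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for r in records:
        stats = per_ip[r["ip"]]
        stats["accounts"].add(r["account"])
        stats["attempts"] += 1
        stats["failures"] += 0 if r["ok"] else 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["accounts"]), "attempts": s["attempts"], "failures": s["failures"]}
    return flagged


def find_unfamiliar_logins(records: list, known_networks: dict) -> list:
    """Successful logins from outside the networks an account has used before.
    known_networks maps account -> list of CIDR strings (its login history)."""
    hits = []
    for r in records:
        nets = known_networks.get(r["account"])
        if not r["ok"] or nets is None:
            continue              # failures are not logins; no history means no baseline
        addr = ip_address(r["ip"])
        if not any(addr in ip_network(n) for n in nets):
            hits.append((r["account"], r["ip"]))
    return hits


def likely_compromised(records: list, **thresholds) -> list:
    """Accounts that logged in successfully from a source flagged as testing credentials."""
    testing_ips = find_credential_testing(records, **thresholds)
    return sorted({r["account"] for r in records if r["ok"] and r["ip"] in testing_ips})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(find_credential_testing(recs))
    print(find_unfamiliar_logins(recs, {"alice": ["198.51.100.0/24"], "dave": ["198.51.100.0/24"]}))
    print(likely_compromised(recs))   # ['dave']
```

The distinct-account count is the part that matters: a failure-rate threshold alone would also fire on one forgetful user, while the botnet pattern Symantec describes is one source touching many accounts once each. The unfamiliar-network check is the automated form of the IP comparison Nerel says support would make by hand.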
Old Jun 01, 2010, 06:28 AM // 06:28   #73
Core Guru
 
Brett Kuntz's Avatar
 
Join Date: Feb 2005

This is the original article:

http://www.symantec.com/connect/blog...ials-uncovered

NCSoft's website wasn't compromised, these 2 million accounts are from other means, such as hacking fansite forum databases, phishing, and keylogging. NCSoft likely has more total subs than Blizzard, which may be why there are more accounts. Also, a PlayNC account can have more than one game linked to it. Lineage 1, Lineage 2, Aion, Guild Wars, and City of Heroes are all very popular MMOs right now, and have been for a while.

NCSoft's account security is more than fine, really all people need is a username and password, and their account security will be as good as it gets. Even a random password of length 5 can't be guessed in anyone's lifetime.

There are companies out there that do nothing but steal accounts all day long, month after month. When Oct 2009 - Dec 2009 came around and there was an increase in NCSoft (Aion and Guild Wars mostly) accounts being hacked, I did some research. Here is what I came up with over Christmas Break 2009, in a single weekend, in my spare time:

I acquired a total of 200,000+++ database accounts from various Aion and Guild Wars fansites. After writing some text parsers and other various tools to sort and consolidate them into one giant ass file, I had 185,000 e-mails with matching MD5 hashes and Salts in a format hashcat liked.

I then set out and downloaded some simple dictionaries, the two best ones were milw0rm's and Argon's List ver2. I made another text script to consolidate and remove duplicate words from the dictionaries, and once again, form a giant ass dictionary. I can't remember how many words there were, but it was something like 40 million.

So here we go, I have a Quad Core at 4.4GHz, 1680MHz memory at CAS 6, and a 4GHz QPI bus, and it took almost exactly 5 hours to dictionary attack all 185,000 accounts.

Now before I give you the stats, I want to explain to you my theory that I wrote down before I set out to do all this. My theory was that 1% of fansite users are dumb enough to use the same email and password as their game accounts.

Boy was I wrong.

- 185,000 forum/gamesite accounts (email and hash+salt)
- 54,366 used easily guessed passwords (md5 cracked) (29.4%)
- Of those 54k, 10,873 were the same email/passwords as used on NCSoft accounts (20%)

In several hours over the course of a weekend, in my spare time, I gained access into 10,900 NCSoft accounts purely based on the stupidity of people using the same email/passwords on various fansites as their NCSoft account.

Most of these same fansite databases were hacked in Oct 2009 by the companies I explained above (the ones who steal accounts 24/7 as a full time business), resulting in an increase of NCSoft accounts being hacked in Nov 2009.

Essentially, the rumors that NCSoft was compromised were a direct result of that French (?) fansite and its 200,000 users being compromised.



Some of you might question how I had the time to log into all those accounts! Well I didn't! I emailed those 54,366 to an NCSoft database guy who ran a script to match my potential accounts against actual accounts, to see how many matched. That's where the 10,900 number comes from. So I didn't actually log into anyone's account. But if I were a mean person, and I wasn't just doing all this out of sheer curiosity, then I would have sold that list of 54,366 to that company I mentioned above for... probably $1 per account.

So let this be a lesson to you all, don't be one of the 20% of morons out there that use the same password on public fansites and your game account. You will get hacked eventually, and all the A/V firewall spybuster software in the world won't protect you from being a dummy.

In my original post I made a summary of the data. I actually did two different tests using just milw0rm's dictionary of 84k words (Test #1) and then a second test using a larger dictionary (40m words). The 10,900 was never confirmed, but it can be assumed it would be fairly accurate. The 6,400 from 32k accounts was confirmed.

1st Test:
32,000 recovers
6,400 (20%) were confirmed NCSoft accounts

2nd Test using 40 million word dic:
54,366 recovers
20% of that would be 10,873 (unconfirmed) NCSoft

Note: Some of you might wonder why NCSoft would cooperate with me (Brett) on the accounts. I have proven to be a pretty trustworthy guy in the community, and I am also under legal obligation, so the data was always safe. This experiment was all done in the name of science! Now we have a pretty solid statistic on how many dummies out there use the same weak passwords on public sites as well as their important private accounts.
Brett Kuntz is offline   Reply With Quote
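Brett's 20% figure came from a script on NCSoft's side that matched recovered fansite credentials against real accounts without anyone logging in. The following is an added example, not Brett's script or NCSoft's: it shows how a service operator would run that audit on a third-party leak that has come to their attention, against their own salted hashes (PBKDF2-SHA256 is assumed here; the thread does not say what NCSoft stores), ending with the list of accounts to force through a password reset and the overlap count needed for the reuse rate. The five accounts and the four-entry "leak" are constructed.

```python
"""Added example, not the thread's or NCSoft's code: server-side audit of a
third-party credential leak against the service's own salted password hashes.
USERS and LEAK are constructed; ITERATIONS is an assumed work factor."""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor; assumption, tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account_store(users: dict) -> dict:
    """Constructed stand-in for the user table: email -> (salt, hash).
    Each account gets its own random salt, so identical passwords hash differently
    and the leak has to be checked one account at a time."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def audit_reuse(store: dict, leaked: list) -> tuple:
    """Match (email, recovered password) pairs from a leak against our hashes.
    Returns (accounts whose service password equals the leaked one, number of
    our users present in the leak).  The first list is what gets a forced reset;
    the ratio of the two is the reuse rate Brett quotes."""
    reused = set()
    overlap = set()
    for email, password in leaked:
        email = email.lower()
        record = store.get(email)
        if record is None:
            continue                  # not our user; nothing to check
        overlap.add(email)
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt), digest):
            reused.add(email)
    return sorted(reused), len(overlap)


# Constructed accounts on "our" service (plaintexts exist only to build the demo store).
USERS = {
    "alice@example.com": "summer2009",
    "bob@example.com": "Tr0ub4dor&3",
    "carol@example.com": "guildwars",
    "dave@example.com": "x9!Lq#2pV",
    "erin@example.com": "password1",
}

# Constructed leak from a fansite, as (email, password recovered from its hash).
LEAK = [
    ("alice@example.com", "summer2009"),    # same password on both sites: reuse
    ("Bob@example.com", "letmein"),         # different password: nothing to do
    ("carol@example.com", "guildwars"),     # reuse
    ("zed@otherforum.net", "summer2009"),   # not our user
]


def run_audit() -> tuple:
    return audit_reuse(make_account_store(USERS), LEAK)


if __name__ == "__main__":
    reused, overlap = run_audit()
    print(reused, overlap, f"reuse rate {len(reused) / overlap:.0%}")
```

Because the comparison is done against the service's own salted hashes, the audit never needs the leak's passwords to be tried at the login endpoint, and the leaked plaintexts can be discarded once the reset list exists; the same routine is what lets an operator act on a leak the day it surfaces rather than after the accounts are emptied.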
Old Jun 01, 2010, 08:26 AM // 08:26   #74
Auctions Mod
 
tasha's Avatar
 
Join Date: Jan 2006
Location: UK
Guild: Mystic Spiral [MYST]

Quote:
Originally Posted by Martin Alvito View Post
...
Either way, those issues have been fixed. I've verified that the password reset loopholes have been closed using some less valuable accounts, and the cessation of the rash of hacks conclusively suggests that any means of directly accessing another user's NCSoft account has been removed. Further, the attack mechanism strongly implies this. The thieves are targeting NCSoft accounts in the same way that they would target Blizzard or anyone else. The moral of the story is: don't use your GW access credentials for anything else, and for the time being you should be fine....
Related to this paragraph somewhat - could this be why we've been seeing more "payment fraud" bans on NCSoft accounts with the Guild Wars accounts being untouched?
tasha is offline   Reply With Quote
Old Jun 01, 2010, 08:49 AM // 08:49   #75
Desert Nomad
 
Join Date: Apr 2007

Quote:
Originally Posted by Brett Kuntz View Post
[snip]
Wow. That's an epic illustration of how important it is to use unique logins and (strong) passwords for everything that matters to you... and also the shocking percentage of idiots who aren't doing that.
Riot Narita is offline   Reply With Quote
Old Jun 01, 2010, 11:22 AM // 11:22   #76
Ascalonian Squire
 
Join Date: Feb 2006
Profession: R/E

Quote:
Originally Posted by Brett Kuntz View Post
I acquired a total of 200,000+++ database accounts from various Aion and Guild Wars fansites.
Wait - how exactly did you acquire NCSoft accounts? Are you an owner/employee of these sites whose normal work involves access to these accounts? I find it hard to believe that a company would just pass off its userbase details to someone - even salted MD5 hashes are weak given a long enough attack, as you demonstrated.
oxylus is offline   Reply With Quote
Old Jun 01, 2010, 11:37 AM // 11:37   #77
Krytan Explorer
 
Stuart444's Avatar
 
Join Date: Aug 2007
Location: Alexandria, Scotland
Guild: The Charter Vanguard [CV]
Profession: W/

Quote:
Originally Posted by Brett Kuntz View Post
important stuff
Wow, nice research there (seriously, no sarcasm intended)
Stuart444 is offline   Reply With Quote
Old Jun 01, 2010, 06:36 PM // 18:36   #78
Core Guru
 
Brett Kuntz's Avatar
 
Join Date: Feb 2005

Quote:
Originally Posted by oxylus View Post
Wait - how exactly did you acquire NCSoft accounts? Are you an owner/employee of these sites whose normal work involves access to these accounts? I find it hard to believe that a company would just pass off its userbase details to someone - even salted MD5 hashes are weak given a long enough attack, as you demonstrated.
The same way children without money acquire candy from a store.
Brett Kuntz is offline   Reply With Quote
Old Jun 01, 2010, 06:52 PM // 18:52   #79
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]

Brett,

The dispute has always been over volume. I believe what you're saying. However, I believe that your hypothesized vector of attack has always been assumed to be present among the more sophisticated.

Claiming that your method is causal basically requires believing that the attackers were dumb before (July? October?) but suddenly got smart. By contrast, believing in NCSoft vulnerabilities requires believing that the hackers were smart to begin with but got smarter after reviewing the condition of the site, and altered the vector of attack as a result.

The math associated with brute forcing birthday password resets using botnets is just too attractive to a professional hacker. Especially given that we now know that botnets are being used.

In short, I accept the contention that what you describe is part of the explanation, but reject ANet's contention that it constitutes the full explanation. Too many educated people aware of good security practices got hacked for me to believe that this was a simple case of BBS hacking and social engineering. The explanation just doesn't fit the data.
Martin Alvito is offline   Reply With Quote
Old Jun 01, 2010, 07:39 PM // 19:39   #80
Krytan Explorer
 
Ka Tet's Avatar
 
Join Date: Nov 2006
Guild: Pita Bread And Scud Missiles Ai[iiii]

Quote:
Originally Posted by Brett Kuntz View Post
I emailed those 54,366 to an NCSoft database guy who ran a script to match my potential accounts against actual accounts, to see how many matched. That's where the 10,900 number comes from. So I didn't actually log into anyone's account. But if I were a mean person, and I wasn't just doing all this out of shear curiosity, then I would have sold that list of 54,366 to that company I mentioned above for... probably $1 per account.
Just to be sure, does this mean you emailed a list of 50k sets of login info that you thought might work to a NCSoft employee. And then, he e-mailed you back and told you 10k were valid?
Ka Tet is offline   Reply With Quote