Jan 02, 2010, 03:12 AM // 03:12
|
#281
|
Krytan Explorer
Join Date: Mar 2008
Location: England
Profession: Me/
|
Quote:
Originally Posted by J I L T
the only NCSoft reply I've seen was the one from Tamat compared to all the posts from players who really don't know full scope of the situation
|
The OP of that thread talked about logging in to someone else's NCsoft master account by accident and being able to change their game passwords and see their personal information. Tamat replied about the known issue of logging in to NCsoft's own Aion forum and winding up on someone else's forum account and seeing their character info. The two are completely different and Tamat is an idiot for misreading the OP and dismissing the issue and leading other NCsoft employees to believe that nothing important was being said.
Quote:
Plus I can't help but think that the hacking wouldn't be anywhere near as severe if players hadn't made forum topics exposing the flaws to the public.
|
Errr, people were being hacked left, right and centre long before any forum threads were made exposing the possible ways of being hacked. If anything, there are fewer people posting about being hacked since the details were released than there were before - probably because all the exposure got people changing what information they could in an attempt to safeguard their accounts from the non-NCsoft-master-account-hack route(s) that account for the half of the hacks that Regina and Gaile keep talking about.
|
|
|
Jan 02, 2010, 03:12 AM // 03:12
|
#282
|
Forge Runner
|
Quote:
Originally Posted by flubber
If I were to compromise security, I would harvest information for use at a later date. Sure, -most- of the info might be useless (at a later date), most being the key word here. That, or compile it and sell it to the people who are dumb enough to actually use it..
|
Yup, most... but not ALL. I think a lot of the hacks before weren't right away; I'm sure the hackers probably waited a little while or spread them out from an earlier security breach so as not to bring attention to themselves hacking masses of hundreds of accounts at a time.
|
|
|
Jan 02, 2010, 03:12 AM // 03:12
|
#283
|
Elite Guru
Join Date: Sep 2005
Location: Texas USA
Guild: Sanitas In Absentia [SiA]
Profession: R/
|
Quote:
Originally Posted by Rhododendron
You guys really sound hysteric. Its the beginning of the new year. So what if they will mess up your accounts and the xunlai booty? Take a break. The more time you invested in the game and stayed in front of the pc screen, the more you could need it.
|
Hysterical (learn English please).....I don't think so. The worry, concern, frustration, and anger that is being expressed in this thread is perfectly reasonable, given the implications for the compromising of personal information security, and account security. Maybe you don't care how your information is handled, but a lot of us do. As for me, I want to know that a company that I've decided to entrust my information to is taking reasonable and prudent care of it. As of now, I have serious concerns that NCSoft is not doing that.
And, just by the way, I noticed that Regina used a similar word in her post. I respect ANet staff personally, and I think they are trying to do the right thing within the constraints of being an NCSoft subsidiary. But I would say the same thing to you, Regina. I don't think this is hysteria. Unless you can definitively show us that our information housed on NCSoft servers is safe, you're wrong to label the reactions by posters in this thread as hysteria.
Last edited by AnClar; Jan 02, 2010 at 03:24 AM // 03:24..
|
|
|
Jan 02, 2010, 03:13 AM // 03:13
|
#284
|
I despise facebook
Join Date: Feb 2008
Location: Australia
Guild: Meeting of the Lost Minds
Profession: Me/
|
Quote:
Originally Posted by Rhododendron
You guys really sound hysteric. Its the beginning of the new year. So what if there is not even the slightest hint of decent security for your accounts? Take a break. The more time you invested in the game and stayed in front of the pc screen, the more you could need it. And taking a long break will also give the account stealers the time they need to clean you out properly without having to worry about being interrupted while they're working.
|
There u go. I fixed it for you. If you're going to troll, please do it somewhere where people don't have a legitimate concern about the security of their Real money/time investment.
GG.
|
|
|
Jan 02, 2010, 03:16 AM // 03:16
|
#285
|
Elite Guru
Join Date: Sep 2005
Location: Texas USA
Guild: Sanitas In Absentia [SiA]
Profession: R/
|
Quote:
Originally Posted by Turbo Ginsu
There u go. I fixed it for you. If you're going to troll, please do it somewhere where people don't have a legitimate concern about the security of their Real money/time investment.
GG.
|
LOL Thanks....I forget to not feed the trolls sometimes.
|
|
|
Jan 02, 2010, 03:16 AM // 03:16
|
#286
|
Banned
|
Quote:
Originally Posted by Cacheelma
You're basically telling us all that both Anet and NCSoft are just a bunch of rookies who have to rely on their own CUSTOMERS to investigate AND point out all sorts of flaws in things, from marketing "don'ts", community management, BUGS, Security issues, and everything?
How reassuring. Can't believe I was foolish enough to shell out my money so many times in the past for such company.
|
It's not exactly that Anet/NCSoft don't know what's going on, it's more that they won't admit it. There is constant denial in any business out there.
When was the last time you heard a fast food joint say "yeah, we didn't cook the burgers long enough - it's our fault people got sick"?
It's not that they don't know what's going on and need us to tell 'em - it's that they don't want us to know, and we need to tell 'em we do.
I was one of the first to respond to the "character name" update, and I believe my comment was to the effect of it was like putting a "band aid on a severed artery".
|
|
|
Jan 02, 2010, 03:20 AM // 03:20
|
#287
|
Ascalonian Squire
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E
|
Quote:
Originally Posted by Regina Buenaobra
First of all, we have escalated this up to the NCsoft Security team, and they will investigate the issue.
There have been ongoing investigations on the hacking incidents for some time, and according to the data gathered, none of them appear to be directly or exclusively related to NCsoft Master Accounts. Some hacking victims have NCsoft Master Accounts, some don't. Data was recently reviewed, and about half are not NCsoft Master Account holders. Therefore the hysteria surrounding the idea that all hacks are coming through the NCsoft Master Account doesn't seem to be valid. However, this doesn't necessarily rule out that some hacks are coming through NCsoft Master Accounts. The information about this particular exploit is new to us, and we don't know what will happen as more people, due to this thread, learn about it and even try it. We're not brushing things under the rug, nor denying that there might be a problem. The Support team has not previously notified us of this issue as detailed in the OP. The first we have heard of this information, as detailed in this thread's original post, was brought to our (ArenaNet's) attention just recently (yesterday, according to Gaile), so it's incorrect to suggest that we've been covering it up for months. Please be assured that we are taking the concerns in this thread seriously, following up with NCsoft Security, and actively raising the issue with the Security team.
Thank you.
|
This is just deja vu of what we have continually seen from ArenaNet over the past few months. If you have all this data, let us know. Surely you can't convince us that knowing how many accounts have been affected is going to hurt anything other than your PR. Are you stating that this is what is most important then? Screw the players, screw the years of work that have been lost. ArenaNet just doesn't want to let us know what's going on. Which makes us all the more suspicious.
So tell us then. How many accounts have been affected? How was Linsey's account, one of the Live Team devs that you guys have neither confirmed nor denied, accessed and hacked into? Surely that's a data point that is going to be pretty solid evidence as to what happened with some of the other accounts, and you've researched that thoroughly. Tell us how many people have been banned for this. Tell us how Aion and Guild Wars seem to both be mysteriously hit by the same type of NCSoft master account password resets at the same time. What connection is there between Aion and Guild Wars but the NCSoft master account? Instead of sitting there high and mighty in your lofty chairs, tell the players what you've found out. Simply stating that you haven't found a connection is no longer good enough. Simply stating the same thing over and over again about 1/2 the accounts not having an NCSoft master account is known. Simply telling us to change our passwords is known. Tell us what you have found with all this data you have.
Last edited by Miscreant_Moon; Jan 02, 2010 at 03:22 AM // 03:22..
|
|
|
Jan 02, 2010, 03:20 AM // 03:20
|
#288
|
Lion's Arch Merchant
Join Date: Feb 2007
Location: Netherlands
Profession: E/
|
This was just posted on Gaile's Support Issues Page
Quote:
Update: January 1, 2010 (7:15 PM Pacific)
ArenaNet and NCsoft staff members have been discussing the issues pointed out by players in various forum threads. We absolutely do take these concerns seriously, and measures are being and will continue to be taken to address the concerns on several levels. A change in one of the NCMA processes is being made even as I write, and I think you will all agree that this change will help tremendously in enforcing a high level of account security. I just want to say I'm very grateful to the people who have been involved. They are working on a holiday, some of them away from home, and they've just been splendid in getting into this, to listening, to looking at what they can do to help -- to taking on board the whole matter and making definite improvements in very short order.
Research continues and additional changes may be put in place. But if you try to change your password in on the NCsoft site, you will notice a change, I'm sure, that will enhance account security now and in the future. -- Gaile 03:15, 2 January 2010 (UTC)
|
|
|
|
Jan 02, 2010, 03:20 AM // 03:20
|
#289
|
Pre-Searing Cadet
Join Date: Sep 2009
Location: Boston
Guild: [PAX]
Profession: Mo/
|
The thing that bothers me the most is that these hacker reports started coming in at the beginning of Novemberish, and it amazes me that in two months' time it took a member of the community to figure out at least partially what is going on. Bloody brilliant?
|
|
|
Jan 02, 2010, 03:23 AM // 03:23
|
#290
|
Lion's Arch Merchant
Join Date: Sep 2006
Location: Travelling around Tyria, Cantha, and Elona
Profession: P/W
|
The thing is, though, that from our end only Gaile has been actively involved with fixing this problem. Since she can't do anything about the security loopholes on NCSoft's end, all we can do is sit back and watch the drama unfold. Very nerve wracking I agree, but Rhododendron is right. Still I agree with what many are saying. If/When my account does get hacked, I'll be sure to go back to WoW (and I don't even like WoW) and tell all my friends to not bother with another NCSoft product ever again. How sad.
|
|
|
Jan 02, 2010, 03:25 AM // 03:25
|
#291
|
Forge Runner
Join Date: Jun 2006
Location: VA
Profession: Mo/
|
Quote:
Originally Posted by Trx
|
really? I haven't seen any changes at all beyond the requirement for us to put a character name in when we log in now. There have been plenty of security holes that have been pointed out that any web programmer should be able to fix. Hopefully whatever change they're discussing comes out soon.
As numerous people have said, even requiring the old password to change the password would stop the majority of this for now until NCSoft can fix the real issue.
|
|
|
Jan 02, 2010, 03:27 AM // 03:27
|
#292
|
Lion's Arch Merchant
Join Date: Feb 2007
Location: Netherlands
Profession: E/
|
Quote:
Originally Posted by Enko
really? I haven't seen any changes at all beyond the requirement for us to put a character name in when we log in now. There have been plenty of security holes that have been pointed out that any web programmer should be able to fix. Hopefully whatever change they're discussing comes out soon.
As numerous people have said, even requiring the old password to change the password would stop the majority of this for now until NCSoft can fix the real issue.
|
Just checked on NCSoft, you now have to put in the current password first. About time, no idea why this wasn't there in the first place.
Edit :
Quote:
The thing is, though, that from our end only Gaile has been actively involved with fixing this problem.
|
Somebody was hating on her earlier in the thread but she's probably the main reason they've done anything at all, I'm glad she's still around lol.
Last edited by Trx; Jan 02, 2010 at 03:35 AM // 03:35..
|
|
|
Jan 02, 2010, 03:28 AM // 03:28
|
#293
|
Academy Page
Join Date: Nov 2007
Profession: N/Me
|
Your current password is now required to change your GW password when trying to change it via the NCSoft Game Account site.
|
|
|
Jan 02, 2010, 03:30 AM // 03:30
|
#294
|
Ascalonian Squire
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E
|
Quote:
Originally Posted by kokuou
Your current password is now required to change your GW password when trying to change it via the NCSoft Game Account site.
|
Almost there and yet not quite. Current password is still not needed to change the NCSoft Master Account.
|
|
|
Jan 02, 2010, 03:31 AM // 03:31
|
#295
|
Ascalonian Squire
Join Date: Nov 2009
Guild: FTS
Profession: A/E
|
New Year's resolution: be more judgmental of the companies I share personal info with.
Last edited by The Last Battle; Jan 02, 2010 at 03:32 AM // 03:32..
Reason: Mistake.
|
|
|
Jan 02, 2010, 03:32 AM // 03:32
|
#296
|
Lion's Arch Merchant
Join Date: Sep 2006
Location: Travelling around Tyria, Cantha, and Elona
Profession: P/W
|
The old PW to new PW should have been a no-brainer. Any self-respecting IT should have implemented it in the first place. It really makes you wonder what kind of monkeys they have working there at NCSoft...
|
|
|
Jan 02, 2010, 03:34 AM // 03:34
|
#297
|
Forge Runner
Join Date: Jun 2006
Location: VA
Profession: Mo/
|
Quote:
Originally Posted by Trx
Just checked on NCSoft, you now have to put in the current password first. About time, no idea why this wasn't there in the first place.
|
Must have just added this in the past few hours then. Wasn't like that when I checked earlier.
Good to know that it only took the method getting posted to a major forum for them to finally do something.
From what I know of programming, adding in the requirement to input the old password when changing the new password doesn't take that long to add . ..
Quote:
Originally Posted by Miscreant_Moon
Almost there and yet not quite. Current password is still not needed to change the NCSoft Master Account.
|
Working for me. Just tried it out.
Last edited by Enko; Jan 02, 2010 at 03:37 AM // 03:37..
|
|
|
Jan 02, 2010, 03:39 AM // 03:39
|
#298
|
Ascalonian Squire
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E
|
Your Guild Wars account, yes, Enko. For your NCSoft master account password you still don't need to type in your current password.
|
|
|
Jan 02, 2010, 03:41 AM // 03:41
|
#299
|
Grotto Attendant
|
1. At this point the only responsible thing NCSoft can do is SHUT OFF THEIR WEBSITE ASAP and keep it down until it is completely fixed.
2.
Quote:
Originally Posted by Regina Buenaobra
First of all, we have escalated this up to the NCsoft Security team, and they will investigate the issue.
|
I have no confidence in them. This is the same security team that has continued to insist there's nothing wrong in the face of direct evidence to the contrary.
Quote:
Therefore the hysteria surrounding the idea that all hacks are coming through the NCsoft Master Account doesn't seem to be valid.
|
There is no hysteria that "all hacks are coming through the NCsoft Master Account." There is and always will be a certain baseline of morons who get their accounts stolen through phishing, social engineering, keylogging, etc. There is a concern, and a (justified) anger, that all the hacks of accounts belonging to people who have practiced good security on their part and done nothing wrong are coming through the NCSoft master account.
Quote:
The first we have heard of this information, as detailed in this thread's original post, was brought to our (ArenaNet's) attention just recently (yesterday, according to Gaile), so it's incorrect to suggest that we've been covering it up for months.
|
You haven't. NCSoft has. The Aion community says they've been reporting this issue since Oct. We've been reporting the vulnerabilities that make brute forcing trivially easy for at least a month and nothing's been done about them either. NCSoft has buried their heads in the sand here -- no two ways about it.
Since it appears that somehow information on the vulnerabilities on the NCSoft site is not filtering up the way it should be, I'm going to take the time to condense them all into 1 post.

List of Known Vulnerabilities with the NCSoft Site:

1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else's account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.

2. Advanced Vulnerabilities Reported by Mung on Aion Forums
   - "SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of "page not found" or "incorrect login" [Mung] received an SQL ack!"
   - "The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host)." Chthon's note: HOLY SHIT! That's very bad....
   - "[T]he majority of the process functions for each page under the "secure.ncsoft.com" domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a user's intention."

3. Brute Force Vulnerabilities
   - Login failure gives a different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site's username field.
   - Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question (which is the default!) is particularly easy. So is the car color question.
   - A failed attempt at answering the security questions that includes one correctly guessed question returns an error message that tells the user which question is correct. This vastly reduces search time for a brute force attack.
   - Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.
   - IPs attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
   - An attacker can specify a new NCSoft password immediately upon correctly guessing the password reset questions. The system should create a random password and send it in a confirmation e-mail to the account's associated address.
   - The GW username is displayed on the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
   - An attacker can specify a new GW password immediately upon accessing the NCSoft site. The user should be required to enter the old password and/or respond to a confirmation e-mail sent to the account's associated address. [Edit: Apparently this was fixed a few hours ago. Old password is now required.]
   - No countermeasures at all against brute forcing the NCSoft password. (Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)

4. GW character names are present in old support tickets. This renders the new character name security question useless.
[edit: fixed a couple typos, mistakes]
Last edited by Chthon; Jan 03, 2010 at 02:02 AM // 02:02..
|
|
|
Jan 02, 2010, 03:41 AM // 03:41
|
#300
|
Jungle Guide
Join Date: Mar 2006
Location: Trying to stay out of Ryuk's Death Note
Profession: N/R
|
Quote:
Originally Posted by Enko
Must have just added this in the past few hours then. Wasn't like that when I checked earlier.
Good to know that it only took the method getting posted to a major forum for them to finally do something.
From what I know of programming, adding in the requirement to input the old password when changing the new password doesn't take that long to add . ..
Working for me. Just tried it out.
|
You called that one.
Went in and changed all my personal info to boot.
|
|
|