Guild Wars Forums - GW Guru
 
 

Old Dec 23, 2009, 02:45 AM // 02:45   #181
Grotto Attendant
 
Join Date: Apr 2007

Reposting my response from the other thread:

Quote:
Originally Posted by Chthon View Post
1. Let me start by saying that I am very, very pleased with this security update.

2. Let's take a look at how effective it's going to be. Right now, there's 4 known types of account theft going on:
  • GW account is stolen via vulnerabilities in website for the NCSoft Master Account.
    Chinese RMT companies run automated attacks against the NCSoft website, gaining access to random accounts in bulk. This is the type of account theft that until now worried me the most because, unlike other theft methods, there's nothing the player can do to prevent the NCSoft Master Account from getting stolen. Worse yet, NCSoft seems dead set on pretending there's no problem, no matter how many accounts are stolen and how much evidence mounts.
    A-net's little fix puts a complete stop to this sort of theft. Stealing your NCSoft account gives the thief your GW username and password, but he has no way of obtaining your character names from the NCSoft account alone.
  • GW accounts that had their username & password grabbed some time ago in the fansite breach, but the thieves are just now getting around to looting them
    If the stolen database had an IGN field (like Guru's used to), then this fix does very little. At most, it requires the hackers to reconfigure their account looting bots. On the other hand, if that data wasn't part of the fansite's database (or the hackers didn't bother collecting it), these guys are stopped.
  • Various forms of user idiocy
    • User trusts a "friend" he shouldn't have with username & password
      No help. Anyone dumb enough to give out his username and password is also dumb enough to give out a character name.
    • Phishing and other social engineering
      Some help. The thieves now need to ask for username, password, and a character's name. That should sound a notch even more suspicious than asking for username and password. Unfortunately, many folks dumb enough to give username and password will fork over a character name too.
    • Spoofing and Cross-site scripting
      Some help. Every attack page needs to be rewritten, so (hopefully) some attackers may not bother. And the authors have to somehow justify asking for a character name on a webpage. Such sites should appear more suspicious now.
    • Keylogger + Insufficient Antivirus/Firewall
      Very little help. Attacker can just steal the character name too.
      What about putting it in the command line/checking the box to remember it? No use; if the attacker has obtained high enough privileges to execute his keylogger, he's also got high enough privileges to execute a program to scan your shortcut and your GW folder and grab any stored password or character name. At best, this knocks out low-level scum who lack programming ability and use a keylogger written by someone else.
  • Targeted attacks against wealthy individuals.
    Since these attacks are done in varying, and possibly unknown (to me), ways, I can't really judge how effective the character name requirement will be.

3. As you can probably see, a-net plugged the biggest, worst security hole they had -- unfettered GW access once the NCSoft Master Account is compromised. (And it's pretty obvious to the cynics among us (me included) that fixing this particular problem was the goal of this patch.) There's still other holes to be plugged, and a lot more security features that need to be implemented before we have a "secure" game, but this is a very, very good start.

4. The instinct to protect one's IGN (as evidenced by the deluge of name-change requests to Inde) is correct. Since the GW username and password can be obtained from the NCSoft account, and the NCSoft account is utterly insecure, IGN is the only thing standing between you and account theft. At this point, the most important thing you can do to secure your account is to (1) keep your IGN's as private as possible, and (2) minimize connections between your IGN's, GW username, NCSoft username, and forum username. (Assuming, that is, you aren't engaging in plain old user idiocy. Ceasing idiocy would be more important.)

5. That said, IGN's on the forum are not as big an issue as people are making it out to be. First of all, matching an IGN to a NCSoft username or GW username is a potentially nigh-impossible task, and one that cannot easily be automated. Sure, if your NCsoft username is BobDole, and your forum username is BobDole, and your GW username is [email protected], and your IGN is Bob Dole, then you could be in trouble. If you've got a bit more variation, it's unlikely a bot could make the necessary associative leaps. (How, for example, could a bot connect a forum user named MsNyx with a posted IGN of Stevie Nix to either GW username [email protected] or NCSoft username fleetwood?) A human could do a better job. But human employees are expensive. And English-literate human employees are particularly expensive in China. No doubt there will be some lone wolves trawling the forums for info on high-value targets, but I think the odds of RMT companies turning to the forums to gather info for bulk account thefts are pretty low.

6.
Quote:
Originally Posted by MartinAlvito
Yes, this is a very tight workaround to the parent company's apparent obstinacy.
Yes, it was. A-net scores some points in my book for going against NCSoft's manifest desire that they continue stonewalling. Perhaps a little late, but they ultimately chose to do right by their customers.

7. You know who else scores some points in my book? The community who finally pressured them into action. Particular thanks go to Shan for standing up and making herself heard, Martin Alvito for piecing together how NCSoft accounts could be so easily stolen, and Inde for more behind-the-scenes activism than we may ever know.

8. Why was the update done with no announcement? I lost my snowball tourney/VQ/Mission/girlfriend/etc. because of it!

Assume for a minute that a-net was correct when they said in the past that at least some of the accounts currently being stolen had their username & password grabbed some time ago, but the thieves are just now getting around to looting them, and it should be pretty obvious to you. If I were a thief given a few hours forewarning, I'd promptly write a bot to log into as many accounts as possible and grab a character name off them. If I had a half hour forewarning, I'd have my employees do the same manually.

9. Several folks have pointed out, once a thief has gotten into an account, he has an incentive to delete all the characters and create a new one with a different name in order to keep you out while he loots stuff. After some thought, I don't think this makes much sense. The thief needs to strip each character before he deletes it. By the time he's finished stripping the last character -- the time when he could finally lock you out -- he's finished and no longer cares if you get the account back or not.

In any event, insofar as that's a problem, the oft-requested character locks are the solution.

10. As for the folks complaining that they don't know the character names on their mule accounts, go contact support. Seriously, having to contact support to reclaim your intact account beats the hell out of having to contact support to reclaim your stripped account.

Ultimately, this is the bottom line:
Quote:
Originally Posted by Arkanos
What ANet did just saved hundreds if not thousands of accounts being stolen. That's a huge step in the right direction.
Also,

Quote:
Originally Posted by Lucci_Slevin View Post
<numerous Gaile quotes>
1. If you took the time to read this thread (and several others), you'd see that (a) the reasoning in some of those statements by Gaile is dead wrong and roundly refuted several times, and (b) the NCSoft site has huge and obvious flaws.

2. The manifest purpose of this fix is to change the "breaking the NCSoft account also breaks the GW account" situation. It completely and utterly defeats that method of account theft. It does little-to-nothing against other common methods of account theft. If the NCSoft account wasn't the problem, why implement a fix so directly targeted at it? Hmmmmm?
Chthon is offline
Old Dec 23, 2009, 03:47 AM // 03:47   #182
Older Than God (1)
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]

Quote:
Originally Posted by tom32304 View Post
I am not so sure this will result in more revenue for ANET.
Well, the flip side of the coin would have been that eventually almost every player gets hacked and robbed, and no existing players buy GW2 because they don't trust the integrity of their accounts. ANet probably wanted to avoid that scenario.
Martin Alvito is offline
Old Dec 23, 2009, 05:39 AM // 05:39   #183
Hall Hero
 
Join Date: Aug 2005
Profession: E/

Quote:
Originally Posted by tom32304 View Post
And all of this thread so far still does not address my points.

GW sales are falling, the game is not stocked in many big stores, prices at the online store are sky high, NIB stuff is super cheap on ebay.
Of course it is. It's a 4, close to 5, year old game. How many people still go around buying Halo 2?

Good god man, A.net is a brand new game company whose first product was a multimillion dollar hit. This game is WELL beyond its expected shelf-life. A.net is very happy with the sales figures they have. They obviously want more revenue, who doesn't? Thus the new stuff from the in game store. And they will get more with GW2.

But if anybody is honestly saying "OMG A.net is in trouble because their 5 year old product isn't selling that much anymore"... what reality are you living in where you'd expect that to happen?
HawkofStorms is offline
Old Dec 23, 2009, 06:00 AM // 06:00   #184
Pre-Searing Cadet
 
Join Date: Dec 2009

Quote:
Originally Posted by HawkofStorms View Post
Of course it is. It's a 4, close to 5, year old game. How many people still go around buying Halo 2?

Good god man, A.net is a brand new game company whose first product was a multimillion dollar hit. This game is WELL beyond its expected shelf-life. A.net is very happy with the sales figures they have. They obviously want more revenue, who doesn't? Thus the new stuff from the in game store. And they will get more with GW2.

But if anybody is honestly saying "OMG A.net is in trouble because their 5 year old product isn't selling that much anymore"... what reality are you living in where you'd expect that to happen?
The reality where you have to pay an electric bill for the air chillers for your servers and if you don't have a revenue stream from somewhere you wind up with massive lags because there are not enough servers to deal with the number of peeps logged on.

I quit playing D2 and switched to GW because I was sick of waiting for D3 to come out. It's been so long I can't remember when I saw the first D3 trailer. So talk of GW2 and a kool trailer for it does not really convince me to hold my breath till GW2 is released, or that GW2 will produce any revenue stream.
tom32304 is offline
Old Dec 23, 2009, 10:22 AM // 10:22   #185
Desert Nomad
 
Join Date: Aug 2005
Location: in my GH
Guild: Limburgse Jagers [LJ]
Profession: W/

Quote:
Originally Posted by Hyperventilate View Post
A: I can't recall names of my storage characters on other accounts.
B: I have multiple Prophecies CD keys -- I can't tell who's who.
C: I'm not sure if I know where all said keys are, so I cannot prove that I own them.
point a: as long as you can log in with 1 character, all you have to do is check your guild roster for your mule's names. If they aren't in the same guild, try contacting someone from the guild your mules are in.
If your mules aren't in any guilds, check your recent trade window (N).
If all of the above fails, well, I guess you'll have to try and remember their names or contact support anyway.
Sjeng is offline
Old Dec 23, 2009, 10:54 PM // 22:54   #186
Frost Gate Guardian
 
Join Date: Nov 2008
Guild: Liars Cheats and Thieves

Quote:
Originally Posted by Chthon View Post
the NCSoft site has huge and obvious flaws.
Quote:
Originally Posted by Martin Alvito View Post
Even if you crack an NCSoft Master Account and change the GW password, you can't gain unauthorized access to the account.
The main problem I have with the NCsoft website hack theory is that having an NCSMA was not a common thread in the hacks.

Referring to the December 15th quote in my earlier post (I know, wall of text, sorry), only half of all hack victims even had a NCsoft account. At the very least the other half could not have been hacked through NCsoft. Of course, this does not rule out that the half that did have a NCSMA got hacked that way.

However I still doubt that those people got hacked that way because there is one common thread between everyone who has been hacked and has gone to Gaile.

One more Gaile quote (bolded the important part)
Quote:
As much as I admire a good Conspiracy Theory, no, I do not think it's possible that an employee is hacking accounts. I believe that is not the case for a variety of reasons, including the fact that, as far as I recall, passwords are not exposed to view in the database and cannot be read, or copied, or cut-and-pasted, by anyone. I certainly am willing to verify that by checking with one of the key programmers, but I can't help but recall that every single victim with whom I've had contact via a phone call or email -- including you -- has used common user names and passwords in multiple places. I believe that is the source of the problem -- an external site has been successfully hacked and their database of credentials is being used by RMT hackers to access Guild Wars accounts. And when I see the tries, the failures, and the retries that the hackers are making -- and we are able to pull that data, as you know -- the theory of an external breach seems well supported.

I've always said that I hope that if we do find that there's an internal weakness or an employee-rendered breach we will fix it and make the details known. We pride ourselves on trying for a high level of transparency, and I'm proud of that and believe we'll continue with that in the future. I've also said since the start of these incidents that I will not say "It's not us" out of some knee-jerk protective mechanism or what players called "PR" type efforts to cover up our responsibility. At this point, I can say, with truth, "It does not appear to be us" because I've seen, and been involved in, a lot of the hack investigation and I truly believe that the source is external. -- Gaile 04:18, 17 December 2009 (UTC)
Which is why I think the fan website hack theory is the most likely cause.

Last edited by Lucci_Slevin; Dec 23, 2009 at 11:09 PM // 23:09..
Lucci_Slevin is offline
Old Dec 23, 2009, 11:41 PM // 23:41   #187
Desert Nomad
 
Join Date: Apr 2007

Quote:
Originally Posted by Lucci_Slevin View Post
Which is why I think the fan website hack theory is the most likely cause.
It's a mistake to imagine there is only one cause, or only one method of attack that has been working.

I personally believe that yes, fan website hack is one source... but also that NCsoft master accounts are another, and of course user stupidity is a third. There may be more.
Riot Narita is offline
Old Dec 23, 2009, 11:48 PM // 23:48   #188
Wilds Pathfinder
 
Join Date: Aug 2005
Location: Sorrow's Furnace Hot Tub
Guild: RoS
Profession: Mo/Me

Quote:
Originally Posted by Riot Narita View Post
It's a mistake to imagine there is only one cause, or only one method of attack that has been working.

I personally believe that yes, fan website hack is one source... but also that NCsoft master accounts are another, and of course user stupidity is a third. There may be more.
If I had to rank them, I'd say:

1) Stupidity
2) Stupidity (Stupid is as stupid does)
3) Fan Site Hack
4) NCsoft accounts

If this follows general trends, stupidity will account for about 80%, Fansite 15%, and the remainder would be NCSoft. Although the majority of those might fall into the stupidity category.
w00t! is offline
Old Dec 24, 2009, 12:08 AM // 00:08   #189
Hall Hero
 
Join Date: Aug 2005
Profession: E/

To break down that stupidity into separate subcategories of stupidity

1) Going to a "hack" or other shady GW site and getting a keylogger.
2) Using the same user/password on another website (like a guild or fan website)
3) Giving the password to a friend, gold seller (so he can deposit items), or leaving the passwords written down somewhere and such nonsense

But yeah, multiple ways people can get hacked. The NCSoft master account thing is just the newest in a stream of conspiracy theories. People used to think Texmod was responsible for hacks. Although the Master Account IS vulnerable, and likely is the cause of some hacks, people were getting hacked LONG before that came about. There have always been people getting hacked in GW. There is no silver bullet to stop all vulnerability. Since... it's usually user stupidity in the first place.

Last edited by HawkofStorms; Dec 24, 2009 at 12:10 AM // 00:10..
HawkofStorms is offline
Old Dec 24, 2009, 12:14 AM // 00:14   #190
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Lucci_Slevin View Post
The main problem I have with the NCsoft website hack theory is that having an NCSMA was not a common thread in the hacks.
Do you just not read? Seriously? We've been over this same flawed idea when Gaile said it, and then again when Regina said it, and now here you are spouting the same flawed argument. If you had read the other thread, you would have seen it thoroughly refuted twice. You would have even seen it dealt with if you had read the entirety of my post from which you quoted. You also would have seen it if you had read the entirety of Gaile's talk page from which you quoted. Please, learn to read before you post.

Since you somehow managed to miss it, there is no common thread because accounts are stolen in multiple ways by multiple groups of thieves working independently. There's 4 ways that we know about:
  • User stupidity (gives password to "friend," falls for phishing, downloads keylogger, etc.)
  • GW login credentials same as hacked fansite
  • NCSoft Master Account brute forced because of weak security
  • Targeted attacks on wealthy individuals
There may be other ways we don't know about.

Quote:
Which is why I think the fan website hack theory is the most likely cause.
There is no "most likely cause." There are multiple causes and they are all 100% likely, because they have all been happening.

Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
Chthon is offline
Old Dec 24, 2009, 01:00 AM // 01:00   #191
Wilds Pathfinder
 
Join Date: Aug 2005
Location: Sorrow's Furnace Hot Tub
Guild: RoS
Profession: Mo/Me

Quote:
Originally Posted by Chthon View Post
There is no "most likely cause." There are multiple causes and they are all 100% likely, because they have all been happening.
Well, the only way there is no "most likely cause" is if all of the causes have the exact same probability. :P

Quote:
Originally Posted by Chthon View Post
Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
And to further expose myself to flames, it appears that the one Anet fixed completely is "gw login credentials same as hacked website".

I don't know about you, but my NCSoft Master Account has a different password, and has no information about any characters on my account, so even if they brute forced NCSoft (horribly inefficient), they still couldn't access my GW account with the new security in place. So I guess in a sense they also plug a potential flaw here, even though the probability of Brute Force attacks is much smaller.

Last edited by w00t!; Dec 24, 2009 at 01:06 AM // 01:06..
w00t! is offline
Old Dec 24, 2009, 01:30 AM // 01:30   #192
Ascalonian Squire
 
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E

Quote:
Originally Posted by Lucci_Slevin View Post
Which is why I think the fan website hack theory is the most likely cause.
Lucci, you seem to have one single source for all your information. A huge and quite obvious flaw if you are looking for the 'truth'. Need I also point out this person isn't a security expert? They used to do marketing for Anet. Now they do support and still have that same marketing spin. Their objective is to protect their company's pocketbook and their own paycheck. Hardly credible.

I'm going to refer you to this thread: http://www.guildwarsguru.com/forum/a...0407405p2.html Where you can see quite clearly that a "fansite" hacking is quite literally false and borders on the ridiculous. Wow, you mean a single hacker has managed to infiltrate and acquire the passwords, emails and usernames of every single GW fansite, across multiple softwares, in multiple languages? Amazing.
Miscreant_Moon is offline
Old Dec 24, 2009, 01:51 AM // 01:51   #193
Frost Gate Guardian
 
Join Date: Nov 2008
Guild: Liars Cheats and Thieves

Quote:
Originally Posted by Riot Narita View Post
It's a mistake to imagine there is only one cause, or only one method of attack that has been working.
That is a good point. However, there seems to have been an uptick in the number of thefts over the past couple of months (they got two of my guildies too). To me that indicates a major event that enabled someone/group to get into a lot of accounts.

Quote:
Originally Posted by Chthon View Post
If you had read the other thread, you would have seen it thoroughly refuted twice.
Actually, I have been keeping abreast of your posts in the other threads(and other people). And you made some good criticisms. Actually Gaile said she would relay some of the ideas to the live team so maybe they will get implemented too. There is no reason to be upset.

It is a complex issue and it is hard to respond in a concise way. But I have not seen a situation in which (criticism X=NCsoft site is hackable)

Not that I know 100% that the site is not hackable. I just think that it would be hard/unlikely for that to have been done, even considering the stuff that was mentioned on this forum and on the wiki.

Quote:
Originally Posted by Chthon View Post
NCSoft Master Account brute forced because of weak security
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post (I know, wall of text, sorry).
Quote:
Update: I have been exchanging emails with a number of team members in two different states. One concern I took to the team was about not having "time outs" or other means of preventing brute forcing of passwords on the NCsoft site. Here is part of the answer that I received: "The account management secure site does indeed have velocity checks in place to prevent the brute forcing of master accounts. If too many attempts are made within a given period of time, the user will be temporarily blocked from making any further efforts to login. In addition, there are velocity checks on the action of attempting to change the passwords themselves." -- Gaile 20:10, 4 November 2009 (UTC)

Quote:
Originally Posted by Chthon View Post
Now, as for which type of attack caused the sudden jump in account thefts? Well, ask yourself "which one did a-net's update fix completely?" and you should be able to reason your way backward to it. If you can't, just go read the entirety of my post that you quoted and I spell it out for you.
I did, you mentioned that the fix is targeting a NCsoft breach. Regina said this was not the case and I do not think it is reasonable to assume she is not being truthful. I know you should not take everything at face value, but having the opposite outlook is not good either in my philosophy. From my earlier post.
Quote:
TahiriVeila: Please read the text in red located on the right side of the login screen. That message says that hackers are trying to login to Guild Wars accounts using passwords stolen from other games and web sites. In other words, in this case, the hackers do not have character information. They have existing lists of passwords and emails that they are just trying in Guild Wars to see if they work. They aren't only using this in GW, but also other games. No account theft prevention measure is perfect, however this update will make accounts more secure in instances like this, where hackers have emails and passwords that they've harvested en masse, that they're trying to use in a lot of games, including Guild Wars. --Regina Buenaobra 20:06, 22 December 2009 (UTC)
I think it was targeting the fan site breach and here is my reasoning:

If hackers managed to pull a user database from a fan site, they would have emails and passwords that they would be able to punch in to the GW client. If they did not get the character names in their previous pass they are going to have a much harder time now. They now have to hunt through user's posts to see if they gave away their ign and that will slow them down big time, stop them in some cases.

The last thing I want to say is not directed at anyone in particular. People should use unique passwords for GW despite these changes and here is why.

A google search of 'vbulletin hack' returns 3.4 million results. There is a whole community based around the hacking of this software. It is like a hobby for those people.

It is not because it is a bad software, it is good and it is popular for that reason. But because it is so popular it has the attention of many hackers. Not just hackers who know about GW. And once one of them learns how to defeat a security measure, the whole community finds out and then they all have that ability.

The reason I am talking about this is because I think future breaches can still happen. So always use different passwords.

That is about all I have to say about the subject because that is basically the extent of what I know, so do not be offended if I do not respond right away. If the wiki discussions turn up anything interesting in the future I will post them here.

Since there are multiple lines of discussion going on in the thread here is a compendium of my posts. 1,2,3

Happy holidays, and stay E-safe
Lucci_Slevin is offline
Old Dec 24, 2009, 01:58 AM // 01:58   #194
Ascalonian Squire
 
Join Date: Jul 2009
Location: Somewhere in Ascalon
Profession: Me/E

In case you didn't follow that link I posted Lucci, not all those forums use VBulletin. I'd also like to point to the numerous gaming development companies who use VBulletin for their own official forum software who don't seem to be having problems.

http://forums.lotro.com/index.php
http://forums.ddo.com/

Let's not even mention that the Test Krewe uses VBulletin too. Ironic decision if it's as unsafe as you say.

I'd also like to point out the numerous cases just like this posted today on the wiki:

http://wiki.guildwars.com/wiki/Feedb..._091215-002191

Someone whose husband has never visited a forum. Who is not American. Who has mysteriously been hacked. I'm guessing your simple response to them is that they're lying. Despite the fact that I could do my own searching and pull up story after story of these incidents. I'd also love to see you explain the cases of those who reset their passwords and were hacked within minutes to hours of changing their password through the NCSoft site. Nah, guess they were all lying too. If you'd care to jump over to AionSource.com I'd like to see you explain their hackings too, of password resets, IP's from China, and the same stories you see here. Nah, that's just coincidence. Your theory starts to fall apart if you would stop looking to ArenaNet's PR department for your answers.

Last edited by Miscreant_Moon; Dec 24, 2009 at 02:02 AM // 02:02..
Miscreant_Moon is offline
Old Dec 24, 2009, 02:07 AM // 02:07   #195
Wilds Pathfinder
 
Join Date: Aug 2005
Location: Sorrow's Furnace Hot Tub
Guild: RoS
Profession: Mo/Me

Quote:
Originally Posted by Lucci_Slevin View Post
(snip)
The last thing I want to say is not directed at anyone in particular. People should use unique passwords for GW despite these changes and here is why.

Happy holidays, and stay E-safe
Thanks much for the posts Lucci, very informative. Much more information than I've been able to acquire.

One last thing of note for the general populace. There are several freeware password managers out there that will generate unique and very safe passwords. Then you can simply cut/paste the ID/pwd into the login screen. I use one so that I'm not tempted to reuse passwords. Sourceforge.net is a good place to look, and you can trust them to not contain Trojans.

Of course this won't protect from keyloggers or social engineering, but not much will.
w00t! is offline
Old Dec 24, 2009, 02:51 AM // 02:51   #196
Older Than God (1)
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]

Quote:
Originally Posted by Lucci_Slevin View Post
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post(I know, wall of text, sorry)
A limiter of 5 attempts every twelve hours works if and only if the feasible set of responses is sufficiently large. Unfortunately, this isn't the case for the older birthday password reset mechanism, and it isn't the case for a fair number of security question combinations given that the system tells you when you got either question right. Two security questions combined with freeze-outs is relatively secure when you don't advise on whether either input is correct, but is not secure when you do tell the user if you got one right.

EDIT: To see this, suppose that you have two security questions. One has 10000 possible responses and one has 5000 possible responses. If you do not advise on when a security question has been inputted correctly, it takes 5000*10000 = 50,000,000 attempts to be certain of success. Given 5 attempts every 12 hours, you're looking at 3650 attempts per year. Not good odds.

However, if you tell the user when you get a response to a security question correct, then the maximum number of attempts needed is just 10,000 to brute force an account. That means that you can brute force any account in three years for certain...which means that over the course of months you're going to brute force a lot of accounts due to luck.

Quote:
Originally Posted by Lucci_Slevin View Post
I did, you mentioned that the fix is targeting a NCsoft breach. Regina said this was not the case and I do not think it is reasonable to assume she is not being truthful.
This isn't an assumption. It's a deduction. At the time the fansite breach occurred, Guru still had IGNs available for player accounts. A little social engineering would have yielded IGNs for much of the stolen data. This security update therefore cannot reasonably be targeted at the fansite breach. It follows that Regina is not being truthful (but not necessarily that she is lying; she could be misled by other employees).

Last edited by Martin Alvito; Dec 24, 2009 at 04:19 AM // 04:19..
Martin Alvito is offline
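An added worked model of the argument in the post above (not code from the thread): both questions are submitted together on each attempt, and the verifier either returns one pass/fail bit for the pair or confirms each answer separately. The answer-space sizes and the 5-tries-per-12-hours rate are the post's figures; the toy verifier and the secret values are constructed for illustration.

```python
"""Worst-case exhaustive-search cost of a two-question recovery check,
with and without per-question correctness feedback."""
from itertools import product

ATTEMPTS_PER_YEAR = 5 * 2 * 365  # 5 tries per 12-hour window -> 3650 per year


def worst_case_attempts(space_sizes, per_question_feedback):
    """Attempts needed to be certain of success against an exhaustive guesser."""
    if per_question_feedback:
        # Each answer is confirmed independently, so one attempt advances the
        # search on every unsolved question: bounded by the largest space.
        return max(space_sizes)
    total = 1
    for n in space_sizes:
        total *= n  # all-or-nothing: the pair must be enumerated jointly
    return total


def years_to_exhaust(attempts, rate_per_year=ATTEMPTS_PER_YEAR):
    """Calendar years an attacker needs under the 5-per-12-hours lockout."""
    return attempts / rate_per_year


def simulate_guesser(secret, space_sizes, per_question_feedback):
    """Count attempts an exhaustive guesser needs against a toy verifier.

    `secret` is a constructed tuple of correct answer indices, one per question.
    """
    def verify(guess):
        hits = [g == s for g, s in zip(guess, secret)]
        return hits if per_question_feedback else [all(hits)] * len(hits)

    attempts = 0
    if per_question_feedback:
        known = [None] * len(secret)  # answers confirmed so far
        for i in range(max(space_sizes)):
            # Reuse confirmed answers, try the next candidate for the rest.
            guess = [k if k is not None else min(i, n - 1)
                     for k, n in zip(known, space_sizes)]
            attempts += 1
            known = [g if hit else k
                     for g, hit, k in zip(guess, verify(guess), known)]
            if None not in known:
                return attempts
        return attempts
    for guess in product(*(range(n) for n in space_sizes)):
        attempts += 1
        if all(verify(guess)):
            return attempts
    return attempts
```

The all-or-nothing design forces 50,000,000 attempts for the post's sizes (about 13,700 years at the stated rate), while per-question feedback collapses it to 10,000 (under three years), which is the gap the post describes.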
Old Dec 24, 2009, 03:23 AM // 03:23   #197
Grotto Attendant
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by w00t! View Post
And to further expose myself to flames, it appears that the one Anet fixed completely is "gw login credentials same as hacked website".
Like I said before, that depends on a bit of data we don't know. Pretend that instead of getting whatever site they actually got that they got Guru circa 1 month ago instead. A month ago a majority of users here had their IGN in their profile. So did many other GW-related sites. If the hacked site had IGN as a field in their database, this fix only helps the people who didn't populate that field and who never posted "my IGN = X" in a thread somewhere. On the other hand, if the hacked site did not have that data, the fix helps everyone who's never posted "my IGN = X" in a thread somewhere. Unfortunately, since it's been described as a trade site, "my IGN = X" is probably all over the place.

Quote:
Originally Posted by Lucci_Slevin View Post
Not that I know 100% that the site is not hackable. I just think that it would be hard/unlikely for that to have been done, even considering the stuff that was mentioned on this forum and on the wiki.
It is 100% hackable. If you've been following along, you'll know that Martin Alvito has posted vulnerabilities that can be exploited to accomplish every step needed to steal a NCSoft account save one. Someone else posted the final step. (Which was more of an "actually there's nothing to bypass here" than a way around a security feature... People (me included) were assuming a security feature existed which doesn't.) I'm not about to put 2 and 2 together in the same post, but anyone who's been reading should know exactly how to steal NCSoft accounts. Every step of the way is publicly posted.

Quote:
In case it was missed, I want to point out again that the NCsoft site has velocity checks against brute forcing. It was in the Nov. 4th quote of my earlier post (I know, wall of text, sorry)
I trust Martin Alvito more than I trust Gaile. His observations are that: NCSoft login has no discernible anti-brute-forcing. NCSoft password reset has a generous 5 tries per 12 hours. If Gaile says differently, then either (a) she's not being truthful, or (b) she was given false information by NCSoft, or (c) there was an honest miscommunication between NCSoft and Gaile (perhaps "there's a 12 hour lockout after 5 failed password reset attempts" somehow got mistakenly turned into "both login and password reset have velocity checks"), or (d) there is a velocity check on NCSoft logins, but it is either non-functional or way too generous, so it went unnoticed.
Chthon is offline
Old Dec 24, 2009, 05:01 AM // 05:01   #198
Ascalonian Squire
 
Join Date: Mar 2006
Default

And here you go. As much admission as NCSoft will probably give you. There's a new Aion account login screen as of today:

NCsoft Password and Account Security Notice
Due to an increase in account theft in Aion and other online games, it is critical that you take these important steps.

http://na.aiononline.com/board/notic...leID=184&page=
Alesa is offline
Old Dec 24, 2009, 05:05 AM // 05:05   #199
La-Li-Lu-Le-Lo
 
Faer's Avatar
 
Join Date: Feb 2006
Default

Quote:
Originally Posted by Lucci_Slevin View Post
A google search of 'vbulletin hack' returns 3.4 million results. There is a whole community based around the hacking of this software. It is like a hobby for those people.
A Google search of "wiki hack" returns 6,920,000 results. I suppose that means the official wiki is at great risk! Everybody leave the wiki pronto!

Unfortunately for you, "vBulletin Hack" is another term for "vBulletin Module", a beneficial software addition to the core forum software. Things that further protect account information? vBulletin Hacks. Things that make the site prettier? vBulletin Hacks. Things that keep the real names of 180 Test Krewe members secure? Well, that's not a vBulletin Hack, that's just knowing how to set up incredibly basic forum permissions, but I think you get the idea.

Yeah, making vBulletin Hacks is a hobby for a lot of us. That doesn't mean it's malicious. Learn what something actually means before you try and use it to defend somebody. Yes, people should use unique passwords for everything, but your logic is flawed in that you have no idea what you are talking about.
__________________
Stay Breezy
Faer is offline
Old Dec 24, 2009, 05:15 AM // 05:15   #200
Site Contributor
 
Join Date: Dec 2004
Default


Screenshot for those who are interested.
Inde is offline