Guild Wars Forums - GW Guru
 
 

Old Dec 04, 2009, 05:33 PM // 17:33   #81
Furnace Stoker
 
Tramp's Avatar
 
Join Date: Jan 2008
Profession: Mo/
Default

OK... after reading this thread, Martin, Chthon, and others have me scared. I still have an unused copy of NF lying around somewhere. Going to install it, put all my junk on it that is worth anything, and NOT register it with PlayNC. What is the PR spin on all this, Regina? Regina, can you get someone with technical knowledge to give a response to the concerns here?
Tramp is offline   Reply With Quote
Old Dec 04, 2009, 05:52 PM // 17:52   #82
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Hengis Stone View Post
This is an interesting idea, Martin, but I think my particular experience falls between both. My account was not hacked through a password reset, but what was taken and what was left on my characters exactly fits your "clean out bot" scenario.
How recent was this? Were your characters left in Great Temple of Balthazar?

The first automated hack with the bot that I heard about was going around in February and March, and left characters in GToB. It didn't change passwords at NCSoft, and we chalked it up to a keylogger at the end of the day. It bagged hundreds of people that spoke out, so you have to figure it probably scored at least in the low thousands. But if I remember right, if that one got you it got all accounts almost without exception. And that smelled of keylogger.

That's not consistent with only the one account of yours getting hit, but it does sound like the older mechanism to me. From what I understand, the new bot doesn't leave characters in GToB and it leaves calling cards.

Quote:
Originally Posted by Tramp View Post
I still have an unused copy of NF lying around somewhere. Going to install it, put all my junk on it that is worth anything, and NOT register it with PlayNC.
Why the hell didn't I think of that? Brilliant.

Oh, and I remembered the brute force approach. The password reset mechanism has a maximum number of allotted attempts, but it only punishes you with a time delay. That'd be fine if the number of authentication combinations were sufficiently large, but it's not.

Suppose your security question is your birthday. If we assume that almost every player is aged 11-40 (and I'd say that's 95% true), that's only 10,958 possible combinations. But I can do better than that naive estimate. I can safely assume that most of the people I want to rob are aged 16-25. That's only 3653 possible combinations. At five entries a day, I can get every single one of you in that age range that I can get a username for in two years. I am currently in the process of testing how quickly I can get a new set of attempts, but my guess would be daily.

Better yet, if something's not a username, the stupid thing TELLS me. I get an error message if I found a legit username and fail to crack it, and I get a clean refresh if the username is bogus. So I can have one bot generating legit usernames and another bot testing legit usernames...

Best of all, if I can back out your age from other sources (e.g. if my age were posted here and if my NCSoft login were MartinAlvito), I can get you in two and a half months tops. Instantly if I can match a date of birth to your login. So it looks like unsecured data is the problem because people that are dumb about unsecured data are disproportionately hit initially, when in reality I can hack anyone given time or luck and a bot!

Gaile can claim it'll take a bot 278 years to hack a strong password at one entry per second, but she's dead wrong. The strength of your password does not matter. It is not the point of vulnerability. If I can match your login e-mail to your NCSoft username, you're done.

You should be very afraid.

EDIT: Easily implementable solution concept:

Quote:
Originally Posted by jray14 View Post
Yeah, it wouldn't take 7 months to add a safeguard to the NCSOFT game password change mechanism to make the user enter the previous password first. That would have been the obvious first step if they were sincerely working on security.
That would make the NCSoft website useless as a means of getting entry, given the restrictions on changing the associated e-mail.

EDIT2: As for why - since it appears that the update didn't fix this issue, I'm not sure what the update functionally did.

Last edited by Martin Alvito; Dec 04, 2009 at 09:11 PM // 21:11..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 08:21 PM // 20:21   #83
Krytan Explorer
 
Sir Cusfreak's Avatar
 
Join Date: Nov 2007
Location: In your backline
Guild: No Tags [NONE]
Default

On one hand, I feel like the lack of official response speaks volumes in and of itself.

On the other hand, I have some different fingers.

No, no, what I MEANT to say was - on the other hand, if they did find a URL security breach, and fix it, and intend to remain quiet about it, then why list it at all? Why say 'We fixed a crash bug and we fixed the URL' instead of 'we fixed a crash bug'?

That makes no sense.
Sir Cusfreak is offline   Reply With Quote
Old Dec 04, 2009, 08:57 PM // 20:57   #84
Krytan Explorer
 
jray14's Avatar
 
Join Date: May 2005
Location: NC, USA
Guild: Ohm Mahnee Pedmay [Hoom]
Default

(Copied over from the XTH thread, which I realized I was sorta hijacking):

Quote:
Originally Posted by Martin Alvito View Post
I was under the impression that the system sends an e-mail with the temp password? That's what the FAQ claims. Or is that only for a reset?
That must be only for a reset. I was talking about how you can *change* a game password right on the NCSOFT site. You just click on the game account you want to change, and it gives you 2 boxes, "New Password:" and "Confirm Password:". Then as soon as you hit Submit, the game password is changed. At no point does it ever ask you for your old/current password, and you don't even have to know the game logins because it lists them all right there for you.
jray14 is offline   Reply With Quote
Old Dec 04, 2009, 09:00 PM // 21:00   #85
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Does it ever display the account's associated e-mail address? Can that be forced via automated correspondence, or is it visible in the account settings?

If so, you could get everything you need via a realistic brute force solution. Hunting social networks and fansites would speed up the rate at which you can crack accounts, but you could get anybody irrespective of personal security eventually.
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 09:10 PM // 21:10   #86
Krytan Explorer
 
jray14's Avatar
 
Join Date: May 2005
Location: NC, USA
Guild: Ohm Mahnee Pedmay [Hoom]
Default

Quote:
Originally Posted by Martin Alvito View Post
Does it ever display the account's associated e-mail address?
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.

So there would have to be a vulnerability with the NCSOFT logins and passwords for this to be a problem. Maybe I'm reading something wrong in this thread, but I don't remember there being any particular vulnerability pointed out with these. I thought the password reset mechanism being discussed was just for a game account password.
jray14 is offline   Reply With Quote
Old Dec 04, 2009, 09:12 PM // 21:12   #87
Desert Nomad
 
Bristlebane's Avatar
 
Join Date: Jan 2008
Profession: Mo/
Default

Quote:
Originally Posted by Martin Alvito View Post
... I can safely assume that most of the people I want to rob are aged 16-25. That's only 3653 possible combinations. At five entries a day, ...
For even better results, fish at popular websites for age/name/details. For example, if you figure out someone's Facebook account (i.e. searching by email), you can usually find out their age as well.

If you create a bogus site or a big forum, you can start fishing details as well (i.e. maybe builds, contests, or just a mere guild/alliance forum). Then just collect the data for 6-12 months so nobody makes the connection between hacked accounts and your website. Even better, make sure at registration the website asks security questions in case you lost your password with identical questions asked by NCSOFT.

- - -
I DO hope Anet/NCSOFT reads this and realizes that their security system is indeed flawed and should be updated.
Bristlebane is offline   Reply With Quote
Old Dec 04, 2009, 09:28 PM // 21:28   #88
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by jray14 View Post
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.
Then this is how it's being done.

Here's the problem - it would be a very easy piece of programming to get a bot to generate valid NCSoft usernames. Once someone has that piece of the puzzle, the point of vulnerability is the NCSoft security question for resetting that password. Birthdays are easy.

Once past that authentication, the hacker has the keys to the kingdom. The hacker has your in-game login and can make your in-game password whatever is desired. So the hacker never needs either of those pieces of information. The hacker can back out valid NCSoft usernames and then bots crack them via the weak password reset system.

The following needs to change yesterday:

- The security question is unacceptable. Birthdays are tremendously insecure and vulnerable to brute force even when properly secured. The number of valid combinations is too small. A birthday is about half as good as a 40 digit combination lock. And you won't see 40 digit combination locks guarding important data.
- E-mail addresses used as logons need to be concealed, and you need to enter the present e-mail to change them.
- The passwords need to be protected with the existing password for changes, and resets MUST generate an e-mail to the undisclosed game login address with the new password.

Doing those things will result in fewer unauthorized access problems and no value for gaining unauthorized access. Do those three things, and the present rash of hacks via the NCSoft site should die down.

A fourth thing would be nice:

- Take some ownership! If I'm right, this is your fault. You (ANet) may not have designed it, but you forced us to use this wholly insecure system. I'm no data security expert. I study human conflict. Yet even my rudimentary computer design capabilities can beat the system you're using to guard the security of your players' accounts in a feasible time frame.

Quote:
Originally Posted by Bristlebane View Post
For even better results, fish at popular websites for age/name/details. For example, if you figure out someone's Facebook account (i.e. searching by email), you can usually find out their age as well.
Yup, and this is why the issue appears at first blush to be an issue with unsecured personal data. But the problem is that brute force can get all of us in the end. I suppose you might want to leave some customers if you're reselling the ill-gotten gains for cash.

Last edited by Martin Alvito; Dec 04, 2009 at 10:37 PM // 22:37..
Martin Alvito is offline   Reply With Quote
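Added example, not part of any post in this thread and not NCsoft's code: a Python model of the changes listed in the post above (reset delivered only to the registered e-mail, current password required for a change, e-mail never displayed) together with a uniform response to the username check described in post #82 and a hard attempt cap in place of a daily allowance. The `AccountService` class, its in-memory store and the `outbox` list standing in for mail delivery are assumptions; it mails a single-use token rather than the new password itself, which is a substitution made here.

```python
import hashlib
import hmac
import secrets
import time

GENERIC = "If that account exists, a reset link has been sent to its registered e-mail."
MAX_FAILED = 5        # hard cap per account; waiting a day earns no new guesses
TOKEN_TTL = 15 * 60   # token lifetime in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    def __init__(self):
        self.accounts = {}  # username -> record
        self.outbox = []    # (email, token) pairs; stands in for real mail delivery

    def register(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "email": email, "salt": salt, "pw": _hash_pw(password, salt),
            "token_hash": None, "token_exp": 0.0, "failed": 0, "locked": False,
        }

    def check_password(self, username, password):
        acct = self.accounts.get(username)
        return bool(acct) and hmac.compare_digest(
            acct["pw"], _hash_pw(password, acct["salt"]))

    def request_reset(self, username, now=None):
        """Identical reply for valid and bogus usernames: no enumeration signal."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct and not acct["locked"]:
            token = secrets.token_urlsafe(32)  # 256 random bits, not a date of birth
            acct["token_hash"] = hashlib.sha256(token.encode()).digest()
            acct["token_exp"] = now + TOKEN_TTL
            self.outbox.append((acct["email"], token))  # address is never shown
        return GENERIC

    def complete_reset(self, username, token, new_password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if not acct or acct["locked"] or acct["token_hash"] is None:
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        ok = (hmac.compare_digest(supplied, acct["token_hash"])
              and now <= acct["token_exp"])
        if not ok:
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED:
                acct["locked"] = True      # stays locked until support steps in
                acct["token_hash"] = None
            return False
        self._set_password(acct, new_password)
        acct["token_hash"], acct["failed"] = None, 0  # token is single use
        return True

    def change_password(self, username, current_password, new_password):
        """A logged-in session alone is not enough: the old password is required."""
        if not self.check_password(username, current_password):
            return False
        self._set_password(self.accounts[username], new_password)
        return True

    def _set_password(self, acct, new_password):
        acct["salt"] = secrets.token_bytes(16)
        acct["pw"] = _hash_pw(new_password, acct["salt"])
```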
Old Dec 04, 2009, 09:40 PM // 21:40   #89
Forge Runner
 
Join Date: Jan 2007
Default

Quote:
Originally Posted by jray14 View Post
Yes, that's what I meant when I said "game logins." As soon as you login to an NCSOFT account, all your linked game accounts' associated e-mail addresses are listed right there on the main page.
And of course the ability to change them requires no knowledge of the current GW password. So all a hacker needs to do at this point is concentrate on your NC account password. Once he finally gets into your NC account, basically... "all your GW account are belong to him".

He sees them, resets their password to something he knows, copies+pastes the email name of the account into GW account name box and types in password and there you go.
Bob Slydell is offline   Reply With Quote
Old Dec 04, 2009, 09:54 PM // 21:54   #90
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Chrisworld View Post
And of course the ability to change them requires no knowledge of the current GW password. So all a hacker needs to do at this point is concentrate on your NC account password. Once he finally gets into your NC account, basically... "all your GW account are belong to him".

He sees them, resets their password to something he knows, copies+pastes the email name of the account into GW account name box and types in password and there you go.
If he's automating the thefts themselves, it stands to reason that he's automating the process of breaking security as well.

All you need is three computers sharing data and some fairly simple programs:

- One to generate valid account names
- One to test birthdates and steal information
- One to clean accounts

Then you just add computers wherever the production bottleneck is (probably testing birthdates) as your budget allows. Simple.

Of course, a fourth computer to search the Internet for personal data once you identify a valid username would improve efficiency. Or you might attack the problem the other way around and start with a dictionary of probable username/birthdate combinations derived from fansites, then move on to brute force.

Last edited by Martin Alvito; Dec 04, 2009 at 09:58 PM // 21:58..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 09:59 PM // 21:59   #91
Forge Runner
 
Join Date: Jan 2007
Default

Quote:
Originally Posted by Martin Alvito View Post
If he's automating the thefts themselves, it stands to reason that he's automating the process of breaking security as well.

All you need is three computers sharing data and some fairly simple programs:

- One to generate valid account names
- One to test birthdates and steal information
- One to clean accounts

Then you just add computers wherever the production bottleneck is (probably testing birthdates) as your budget allows. Simple.

Of course, a fourth computer to search the Internet for personal data once you identify a valid username would improve efficiency. Or you might attack the problem the other way around and start with a dictionary of probable username/birthdate combinations derived from fansites, then move on to brute force.
And in the end the prison sentence really isn't worth it for a q9 Voltaic Spear.
Bob Slydell is offline   Reply With Quote
Old Dec 04, 2009, 10:00 PM // 22:00   #92
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Chrisworld View Post
And in the end the prison sentence really isn't worth it for a q9 Voltaic Spear.
But if he's in a foreign country without extradition, who's going to prosecute?

However, there's a reason that we're discussing it rather than doing it, now isn't there?

Last edited by Martin Alvito; Dec 04, 2009 at 10:02 PM // 22:02..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 10:05 PM // 22:05   #93
Krytan Explorer
 
The forth fly's Avatar
 
Join Date: May 2008
Location: england
Profession: Mo/
Default

Last time I changed my NCsoft password, 2 seconds later I got an email from NCsoft saying someone at IP so-and-so changed your password; if it wasn't you, please click this link and report it to us immediately.
The forth fly is offline   Reply With Quote
Old Dec 04, 2009, 10:06 PM // 22:06   #94
Forge Runner
 
Join Date: Jan 2007
Default

Quote:
Originally Posted by The forth fly View Post
Last time I changed my NCsoft password, 2 seconds later I got an email from NCsoft saying someone at IP so-and-so changed your password; if it wasn't you, please click this link and report it to us immediately.
It says it when you change your own password too. Go to Google, type in "whats my ip" and go to the first or second site, it'll tell you what YOUR IP is, then go to the email; if it matches you are fine, it's you. If it doesn't, then there is a problem, but 2 seconds later is almost 100% your own IP changing your own password.
Bob Slydell is offline   Reply With Quote
Old Dec 04, 2009, 10:08 PM // 22:08   #95
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

A lot of the recent hacks have resulted in that e-mail.

The IP isn't as helpful at tracing the perpetrator as you might think. If the hacker's any good, the hacker is using various tricks to hide the IP.

And once the hacker has changed that password, it's too late. The hacker is faster than Support.
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 10:09 PM // 22:09   #96
Krytan Explorer
 
jray14's Avatar
 
Join Date: May 2005
Location: NC, USA
Guild: Ohm Mahnee Pedmay [Hoom]
Default

Quote:
Originally Posted by Martin Alvito View Post
Once someone has that piece of the puzzle, the point of vulnerability is the NCSoft security question for resetting that password. Birthdays are easy.
Where is the mechanism where you can reset your password by merely entering a birthday? I've never happened upon that, and I think maybe we're talking about two different things here.

When I login to my NCSOFT account and click on the link to change my NCSOFT password, here's what I see:

"You will need to choose two hint questions which will be asked should you need to reset a forgotten password. You will need to provide the exact hint answers which you enter below in order to reset your password."

Then there's a picklist of 10 hint questions of which you select 2 and provide answers. Some of them are actually decent ones such as "What was your childhood nickname?" instead of the typical "mother's maiden name" bs.

I assume that you would need to specify those 2 answers after you click on NCSOFT's "Forgot your password?" link, but I'm too scared to try that right now to verify.
jray14 is offline   Reply With Quote
Old Dec 04, 2009, 10:13 PM // 22:13   #97
Wilds Pathfinder
 
Hengis's Avatar
 
Join Date: Apr 2006
Location: London
Guild: Better Than Life (BTL)
Profession: R/
Default

I posted an idea a while ago on one of the previous hacking threads that got locked and assigned to the ether.

Beefing up account security would be one way of helping to prevent the current outbreak of hacking, but I was trying to think of a resolution to the underlying problem.

The underlying problem in my opinion is Real Money Traders. These are the people responsible for the vast majority of hacks. They hack accounts to steal the in game gold and items and then sell the gold for real money.

If they were prevented from selling their gold in game then their reason for existing would cease to exist.

I believe that Anet already has some kind of system in place that monitors transactions looking for unbalanced trades. If this system could be enhanced, it could be possible to stop these RMTs from selling their gold.

Gold buyers and sellers usually deal in multiples of 100K.

The idea would be that all high value transactions are analysed for balance on both sides of the trade.

A gold seller trying to pass over 100K for nothing of similar value in return would trigger the system and the trade could be blocked.

A gold seller handing over a stack of ectos for nothing in return of similar value could be blocked.

A series of lower value trades totalling a high value within a short time frame to or from one account could be blocked.

This would need some kind of rough value table being coded into the system to give base values for high end items, or stacks of items that are regularly traded for a high value but the number of these items is limited, so this should be possible. For example the game already knows a rough (merchant buy/sell) value for all crafting materials, so they should be easy to work out.

A set of exemptions could be made for example, trades between chars on the same account, or chars from accounts on the same NCSoft Master Account would be allowed no matter what the value.

Trades between people in the same guild could be allowed no matter what the value after both parties have been in the guild for a week (for example).

There could also be a popup message for example saying that the trade has been blocked because it is unbalanced perhaps with a “click here to have the transaction verified”. This could fire off a support ticket and the trade could then be suspended pending investigation or allowed to proceed after a week perhaps.

If enough doubt could be introduced into the mind of the gold buyer that they will not get the gold that they have paid real cash for, then they will stop buying.

If the gold sellers can be for the most part prevented from handing over the gold they have been paid for, then they will not be able to continue to trade.

A bonus from this would be that if an account was hacked, the gold seller would be unable to transfer the stolen gold and items to their mules/bots/harvesters as the trades would be unbalanced and so be blocked.

This is only a rough and ready idea, and probably has a load of flaws, but if somehow Anet/NCSoft could hit the RMTs with a double blow of increased account security and make it much more difficult, time consuming and risky for them to go about their illegal business, then just perhaps they can be driven from the game.

Wow.. just previewed this.. sorry for the "Wall'o'Text"! I didn't realise how much I had written!
Hengis is offline   Reply With Quote
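Added example, not part of Hengis's post and not ANet's system: the trade-balance check described above, written as Python detection logic with the exemptions and the rolling total of smaller trades. The value table, the 50% balance ratio, the one-hour window and the account record fields are constructed assumptions; the 100K threshold and the one-week guild rule come from the post.

```python
from collections import defaultdict, deque

# Constructed base values in gold; the post suggests deriving them from merchant prices.
BASE_VALUE = {"gold": 1, "ecto": 5_000, "shard": 3_000, "iron": 10}
HIGH_VALUE = 100_000      # from the post: gold sellers deal in multiples of 100K
MIN_RATIO = 0.5           # assumed: weaker side must be worth at least half the stronger
WINDOW = 3600             # assumed length of the "short time frame", in seconds
GUILD_TENURE = 7 * 86400  # from the post: both parties in the guild for a week

def value(items):
    # Items missing from the table count as 0, so an unlisted rare item makes
    # its side look empty; a real table would need to cover high-end items.
    return sum(BASE_VALUE.get(name, 0) * qty for name, qty in items.items())

class TradeMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)  # account id -> (timestamp, net value moved)

    def _recent_flow(self, account_id, now):
        q = self.recent[account_id]
        while q and now - q[0][0] > WINDOW:  # drop entries older than the window
            q.popleft()
        return sum(net for _, net in q)

    def exempt(self, a, b, now):
        if a["master"] == b["master"]:       # same NCSoft master account
            return True
        same_guild = a["guild"] is not None and a["guild"] == b["guild"]
        return same_guild and all(
            now - p["guild_since"] >= GUILD_TENURE for p in (a, b))

    def evaluate(self, a, a_gives, b, b_gives, now):
        if self.exempt(a, b, now):
            return "allow"
        va, vb = value(a_gives), value(b_gives)
        hi, lo = max(va, vb), min(va, vb)
        net = hi - lo                        # value that changes hands uncompensated
        flowed = net + max(self._recent_flow(a["id"], now),
                           self._recent_flow(b["id"], now))
        if (hi >= HIGH_VALUE and lo < MIN_RATIO * hi) or flowed >= HIGH_VALUE:
            return "block"   # the client would offer the "have it verified" ticket here
        for p in (a, b):
            self.recent[p["id"]].append((now, net))
        return "allow"
```

Blocked trades are not added to the rolling total, so a rejected attempt does not by itself push later legitimate trades over the threshold.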
Old Dec 04, 2009, 10:20 PM // 22:20   #98
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by jray14 View Post
Where is the mechanism where you can reset your password by merely entering a birthday? I've never happened upon that, and I think maybe we're talking about two different things here.

The only security question I've seen is the birthday on the "Forgot your password?" link.

I didn't luck into anyone's birthday when figuring out how to identify a valid username, so I haven't managed to verify the existence of additional security questions. (I haven't exactly tried very hard.) Like you, I'm unwilling to test any of my own accounts since there are other suspected vulnerabilities on the site.

If I'm mistaken, that changes things quite a bit. That would rule out brute force and make Chthon's explanation the more likely one. It doesn't change the fact that there's a glaring security vulnerability should someone gain unauthorized access to your PlayNC account that permits immediate forced entry to your game accounts.

Last edited by Martin Alvito; Dec 04, 2009 at 10:29 PM // 22:29..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 10:25 PM // 22:25   #99
Older Than God (1)
 
Martin Alvito's Avatar
 
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
Default

Quote:
Originally Posted by Hengis Stone View Post
The underlying problem in my opinion is Real Money Traders. These are the people responsible for the vast majority of hacks. They hack accounts to steal the in game gold and items and then sell the gold for real money.
If people want to engage in the transaction, all making the transaction illegal does is increase the transaction cost. That'll reduce the problem. It will never eliminate it. Unless ANet has infinite monitoring resources or comes up with an innovative and clever solution to that problem, we're stuck with what we have.

I forget which of Posner's books makes that argument, but it was the best expression of the concept I've seen.

Quote:
Originally Posted by Hengis Stone View Post
I believe that Anet already has some kind of system in place that monitors transactions looking for unbalanced trades. If this system could be enhanced, it could be possible to stop these RMTs from selling their gold.
But there are legitimate reasons to move this stuff around. I don't like having all of my eggs in one basket due to security concerns. This means that I periodically need to move stuff around to complete a trade. I like being able to do that without getting banned.

Separating out legit transactions from illegitimate ones is harder than you think.

Last edited by Martin Alvito; Dec 04, 2009 at 10:31 PM // 22:31..
Martin Alvito is offline   Reply With Quote
Old Dec 04, 2009, 10:34 PM // 22:34   #100
Furnace Stoker
 
MisterB's Avatar
 
Join Date: Oct 2005
Location: Planet Earth, Sol system, Milky Way galaxy
Guild: [ban]
Profession: W/
Default

Quote:
Originally Posted by Martin Alvito View Post
The only security question I've seen is the birthday on the "Change password" link.

I didn't luck into anyone's birthday when figuring out how to identify a valid username, so I haven't managed to verify the existence of additional security questions. (I haven't exactly tried very hard.) Like you, I'm unwilling to test any of my own accounts since there are other suspected vulnerabilities on the site.

If I'm mistaken, that changes things quite a bit. That would rule out brute force and make Chthon's explanation the more likely one. It doesn't change the fact that there's a glaring security vulnerability should someone gain unauthorized access to your PlayNC account that permits immediate forced entry to your game accounts.
When NCSoft added the free Xunlai promotion, I had to use my NCSoft account again, but their website and certain log in mechanics had changed. They changed my password without notice, but that's not relevant. I do recall setting up 2 security questions for password retrieval, and neither one was birth date. I don't know if that was one of the options. My answers to the security questions have nothing whatsoever to do with the questions. I have not tested the password reset feature with the questions.
MisterB is offline   Reply With Quote