Guild Wars Forums - GW Guru
 
 

Old May 13, 2008, 08:02 AM // 08:02   #61
Furnace Stoker
 
Luminarus's Avatar
 
Join Date: Aug 2007
Location: Sydney, Australia
Guild: Haze of Light [pure]
Profession: R/
Default

Gratz on catching him before he nicked ur stuff
Luminarus is offline   Reply With Quote
Old May 13, 2008, 08:07 AM // 08:07   #62
Desert Nomad
 
Shanaeri Rynale's Avatar
 
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N
Default

Quote:
The users security should be tighter and that's about it. There is no hacking involved at all.
Only partially correct. Security is a two folded responsibility. The User and the provider.

I doubt it's the server that has got hacked, more likely it's the client which since it resides on a PC where it can be reverse engineered is by far the most vulnerable target (after the user's PC).

There have been hacks to the client in the past, which allowed people to mess with others(such as crash their clients) so it's my suspicion that the recent spate of hacks we have been seeing is related to that.

Not everyone who has had their account broken into has no firewall, AV or spyware protection. Some are very well protected to the point where it being them is very unlikely.

Going back to the first point, Anet and NCsoft can't just point to the users and go it's your fault! They have a duty of care to ensure the security of their game, some of the security(or lack of it) in for plaync(for example) is shocking and has been an outstanding issue for well over 18 months.

Last edited by Shanaeri Rynale; May 13, 2008 at 08:10 AM // 08:10..
Shanaeri Rynale is offline   Reply With Quote
Old May 13, 2008, 08:14 AM // 08:14   #63
Lion's Arch Merchant
 
ReiNaruto's Avatar
 
Join Date: Jun 2007
Location: Valencia, Spain
Guild: Green Arse Team
Default

Also, I made a discovery at official wiki: wiki.guildwars.com

I just downloaded TexMod from there (Main mirror and first secondary mirror), and my AV went nuts, not in the usual way. Usually, it tells me that the file has some unidentified trojan, but now it is telling me that the file has a virus called: Lineage2.Keylogger. I'm putting those downloads from the wiki in quarantine.
ReiNaruto is offline   Reply With Quote
Old May 13, 2008, 08:30 AM // 08:30   #64
Forge Runner
 
cataphract's Avatar
 
Join Date: Aug 2005
Location: Ashford Abbey
Guild: Hey Mallyx [icU]
Profession: Mo/Me
Default

Quote:
Originally Posted by Mystica
The users security should be tighter and that's about it.
I'm not saying it shouldn't, but the point is - so should PlayNC's. Even more so because they are providing a service for their customers (us) to use.

Quote:
Originally Posted by Shanaeri Rynale
Going back to the first point, Anet and NCsoft can't just point to the users and go it's your fault! They have a duty of care to ensure the security of their game, some of the security(or lack of it) in for plaync(for example) is shocking and has been an outstanding issue for well over 18 months.
QFT
cataphract is offline   Reply With Quote
Old May 13, 2008, 08:58 AM // 08:58   #65
Wilds Pathfinder
 
Takeko Nakano's Avatar
 
Join Date: Aug 2005
Location: Great Britain
Profession: W/P
Default

Quote:
Originally Posted by Shanaeri Rynale
Only partially correct. Security is a two folded responsibility. The User and the provider......

Not everyone who has had their account broken into has no firewall, AV or spyware protection. Some are very well protected to the point where it being them is very unlikely.

Going back to the first point, Anet and NCsoft can't just point to the users and go it's your fault! They have a duty of care to ensure the security of their game, some of the security(or lack of it) in for plaync(for example) is shocking and has been an outstanding issue for well over 18 months.
I agree. ANet and NCsoft do have a duty of care, so they need to find out what is happening and stop it pronto. Also it is completely wrong to just blame the person with the game - a lot of people have good security. Even changing your password regularly doesn't help if someone is able to hack their way in.
Takeko Nakano is offline   Reply With Quote
Old May 13, 2008, 09:17 AM // 09:17   #66
Forge Runner
 
Etta's Avatar
 
Join Date: Jun 2006
Location: Mancland, British Empire
Default

So in the meantime, AB is a no go zone?
Etta is offline   Reply With Quote
Old May 13, 2008, 09:24 AM // 09:24   #67
Ascalonian Squire
 
Join Date: Oct 2007
Default

Quote:
Originally Posted by Mystica
- Next problem is finding the database. IF a real hacker managed to get access he has to find the database. Now you can be pretty sure that the database is hosted on a separate network requiring him to find this server and gain access.
- Accessing the database. For the very unlikely case that someone really managed to access 2 super protected server networks fast enough to bypass all logs and security measures he still needs access to the database. You can be sure that Anet or any other online game does not use MySQL or text files to store your data so there is a big chance our hacker faces a system he doesn't know or where he doesn't know any exploits for. Now he has to gain access fast enough not to get caught.
You are right. They don't use MySQL. They use MSSQL on W2k3. Google it.


Quote:
Originally Posted by Mystica
- Cracking the passwords. Even the GW ingame packets are encrypted with a key nobody managed to find yet. Now the passwords won't be plain-text so even if our hacker gets the hashes he still needs to crack them or have enough access to the database to find his own hash and replace all others with it to have the password.
- Getting out without traces. Now if he succeeded to perform the whole chain he still needs to find the logs that had his traces stored to delete them. A lot of companies store log files on a separate server...you know what that means + most professional networks are mirrored so he needs access to the mirror containing the logs too.

Is all of that possible? Yes. Very unlikely but possible since nothing is impossible to hack. Would anyone go through all that for some ZKeys and Ecto? Never. It's just not worth it since anybody that could perform all this should have a million better ideas to gain profit and even if someone had access. Why should he take your items when he has the power to create stacks over stacks of items with full access?
Don't talk about stuff you have no clue about. If someone would have direct access to Anet's DB there would be no need to "hack" player-accounts.

And of course it is very hard to gain access there, so you probably take some sidesteps. How much do you think this DB here is worth? 160k users... 5000$? 10k? 20k? ...

Ofc, they will use salts, but it won't matter, because there are enough users with passwords like 'gwen10' or 'gw12345'.

Quote:
Originally Posted by Mystica
Something nobody considers is Social Engineering. Read it up. People are smart enough to ask the right questions to get the answers they need without you knowing it.
Exactly. That's how it's done in 80% of all cases if you really want a *certain* account. If you just want to make money with eBay though, you have to catch as many stupid people as possible.

Quote:
Originally Posted by Shanaeri Rynale
I doubt it's the server that has got hacked, more likely it's the client which since it resides on a PC where it can be reverse engineered is by far the most vulnerable target (after the user's PC).

There have been hacks to the client in the past, which allowed people to mess with others(such as crash their clients) so it's my suspicion that the recent spate of hacks we have been seeing is related to that.
That's not possible and you have to trust me on that one. Without going into deep details, I can assure you that you will never get direct connections to any player in GW. The server supervises all that. To dumb it down: Look at this forum - I won't get your IP address or anything if I am not allowed to know, because the forum software on this server manages it. Only people who have permissions to know that stuff (like admins, mods, etc.) can see it. Of course there can be exploits, but as said - if you're on that level you would not need to hack "clients" - you would just abuse the server itself.

Quote:
Originally Posted by Shanaeri Rynale
Not everyone who has had their account broken into has no firewall, AV or spyware protection. Some are very well protected to the point where it being them is very unlikely.
I won't drive THIS debate, but stuff like "personal firewalls" etc. are totally useless.

Quote:
Originally Posted by Shanaeri Rynale
Going back to the first point, Anet and NCsoft can't just point to the users and go it's your fault! They have a duty of care to ensure the security of their game, some of the security(or lack of it) in for plaync(for example) is shocking and has been an outstanding issue for well over 18 months.
I never got "hacked" nor did anyone of whom i know that has some basic clue. I know how that sounds, but that's how things are.

Last edited by Haskell; May 13, 2008 at 09:31 AM // 09:31..
Haskell is offline   Reply With Quote
Old May 13, 2008, 09:32 AM // 09:32   #68
Wilds Pathfinder
 
shru's Avatar
 
Join Date: Apr 2006
Default

The only connection I've seen between all hackies (by all their stories) is that they're GWGuru members.
I don't browse other fansites, but are there people on other sites getting hacked as well? Additionally, any info on alt GW sites regularly visited could be quite helpful.
shru is offline   Reply With Quote
Old May 13, 2008, 10:05 AM // 10:05   #69
Grotto Attendant
 
Arduin's Avatar
 
Join Date: May 2005
Location: The Netherlands
Guild: Limburgse Jagers [LJ]
Profession: R/
Default

Quote:
Originally Posted by cataphract
Also, PlayNC password policy sucks badly. It forces you to start your password with a letter. That's just horribly wrong and lowers the number of possible password combinations. An account which enables you to administer all your games MUST have way tighter security. SSL is a MUST. There's lots of money involved here, not to mention sentimental value of our game accounts.
Amen to that. You can't even use stuff like !@$% or _- for your password, it's only numbers, a's, and A's.
Arduin is offline   Reply With Quote
Old May 13, 2008, 10:06 AM // 10:06   #70
Wilds Pathfinder
 
TideSwayer's Avatar
 
Join Date: Jul 2005
Guild: We Farm Your [트두므s]
Default

Quote:
Originally Posted by ReiNaruto
Also, I made a discovery at official wiki: wiki.guildwars.com

I just downloaded TexMod from there (Main mirror and first secondary mirror), and my AV went nuts, not in the usual way. Usually, it tells me that the file has some unidentified trojan, but now it is telling me that the file has a virus called: Lineage2.Keylogger. I'm putting those downloads from the wiki in quarantine.
Where are you getting the download link from? I say this because the link I used originally:

http://wiki.guildwars.com/wiki/Guide...-game_graphics

...links to Texmod hosted on a FileFront server that doesn't even have mirrors for it. Just one link. FWIW, I just downloaded Texmod from that FileFront link, did a virus scan on it (and the Texmod.exe file inside) with Avast and a-squared free malware scanner, and compared the MD5 values with the original Texmod.zip I downloaded late last year, which is still on my hard drive. Same exact MD5, so Texmod, at least from this location, hasn't been sabotaged in any way.

Is this a different link than the one you used to get Texmod from? I ask because I have a friend in-game who was hacked this week (and lost a fortune). He thinks Texmod was the reason why it happened. I tried to tell him it couldn't have been, but if there are sabotaged Texmods going around with keyloggers inserted (not unlikely if you've ever tried to download other .exe or installers in the past from shady locations), then this is a serious issue. FWIW, Texmod is a standalone .exe file. You just open the folder and double-click the .exe to run it. There isn't an installer for it. If you download a version of Texmod that asks you for installation, DECLINE/REFUSE/CANCEL immediately.


Here's the MD5 of my "ok" Texmod.zip:

TexMod.zip
MD5: 2291F3095F14EFB847D366E2FBE4BE51

Last edited by TideSwayer; May 13, 2008 at 10:19 AM // 10:19..
TideSwayer is offline   Reply With Quote
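The comparison described in the post above, as an added example (not code from the thread): it hashes a downloaded archive, compares the MD5 with the value the poster published, and lists executables in the zip other than the `Texmod.exe` the post says should be inside. The function names, the suffix list and the sample archive are assumptions made for this example.

```python
import hashlib
import os
import tempfile
import zipfile

# MD5 posted above for the TexMod.zip the poster considers clean.
POSTED_MD5 = "2291F3095F14EFB847D366E2FBE4BE51"

# Assumption for this example: file types worth a second look inside the archive.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".dll", ".vbs")


def file_digests(path, chunk_size=65536):
    """Stream the file once and return (md5_hex, sha256_hex), both lowercase."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def extra_executables(path, expected="texmod.exe"):
    """Executable-type members whose file name is not the expected standalone exe."""
    with zipfile.ZipFile(path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    return sorted(
        n for n in names
        if n.lower().endswith(EXECUTABLE_SUFFIXES)
        and n.rsplit("/", 1)[-1].lower() != expected
    )


def check_download(path, expected_md5=POSTED_MD5):
    """Compare the archive with a published MD5 and inspect its contents.

    A match only shows the file equals the copy the hash was taken from; it
    says nothing about whether that copy was clean. MD5 collisions are
    practical, so the SHA-256 is returned as the value to record from now on.
    """
    md5_hex, sha256_hex = file_digests(path)
    is_zip = zipfile.is_zipfile(path)
    return {
        "md5": md5_hex,
        "sha256": sha256_hex,
        "md5_matches": md5_hex == expected_md5.strip().lower(),
        "extra_executables": extra_executables(path) if is_zip else None,
    }


def make_sample_zip(members):
    """Write a constructed archive ({name: bytes}) to a temp dir; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "TexMod.zip")
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return path


if __name__ == "__main__":
    # Constructed sample: an archive that carries an installer next to the exe.
    sample = make_sample_zip({"Texmod.exe": b"MZ constructed",
                              "setup.exe": b"MZ constructed"})
    print(check_download(sample))
```
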
Old May 13, 2008, 10:09 AM // 10:09   #71
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Azazel The Assassin
I have yet to be hacked and personally, wouldn't care too much about it as the most important things are my titles and stuff in HoM
So what would you think about someone gaining access to your account, and deleting your characters? Titles... HoM... *poof*

Quote:
Originally Posted by Adja1005
Anyone else kind of pissed off at the lack of acknowledgement about this recent surge in threads concerning hacked accounts? I've not seen anyone from Anet, Regina specifically, comment about what they intend to do or what they are doing to combat these hackers.
Yes. I would like at least some reassurance that something is being done. Not just "one guy in Germany was caught and banned". Is the method he used now prevented from working? Otherwise, new account and IP and he's back in business, or maybe he passed the method to others.

But most of all I want A-net to take our account security SERIOUSLY

Why no lockout/delay after x failed attempts?

Why does a player get kicked out when a second person gains access? I'd like to see an ingame message telling me that someone else just tried to log on, their IP address, and the option to /report instantly.

Why can't we set a character to "undeletable" or delayed deletion, so that even if we lose cash/items we don't also potentially lose our characters/titles?

Why does PlayNC password changer only allow numbers and letters, and not the extra characters from a regular keyboard?
Riot Narita is offline   Reply With Quote
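One way a "delay after x failed attempts" could work, as an added example (not code from the thread or from ArenaNet/NCsoft): a per-account delay that doubles with each failure beyond a free allowance and is capped, so guessing slows to a crawl while the account owner is never locked out for longer than the cap. The class, parameter names and default values are assumptions made for this example.

```python
import time


class LoginThrottle:
    """Per-account delay that doubles after each failure past a free allowance."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        # The cap bounds how long someone else's failed guesses can keep the
        # real owner waiting; a permanent lockout would have no such bound.
        self.max_delay = max_delay
        self._clock = clock
        self._state = {}  # account -> (consecutive_failures, not_before)

    def seconds_until_allowed(self, account):
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures > self.free_attempts:
            exponent = failures - self.free_attempts - 1
            delay = min(self.max_delay, self.base_delay * 2 ** exponent)
        self._state[account] = (failures, self._clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, account, password_ok):
    """Return (status, seconds): 'throttled', 'ok' or 'denied'.

    While a delay is running the password is not evaluated at all, so a
    correct guess made during the delay is refused like any other attempt.
    """
    wait = throttle.seconds_until_allowed(account)
    if wait > 0:
        return ("throttled", wait)
    if password_ok:
        throttle.record_success(account)
        return ("ok", 0.0)
    return ("denied", throttle.record_failure(account))


if __name__ == "__main__":
    # Constructed run with a fake clock so the delays are visible at once.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(6):
        status, seconds = attempt_login(throttle, "player@example.invalid", False)
        print(status, seconds)
        now[0] += seconds
```
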
Old May 13, 2008, 10:33 AM // 10:33   #72
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

FYI: anyone can get your IP (and IPs of tons of Guild Wars playing people) by just posting a link that those people will follow to forums or wikis.

An image is a link that all browsers autofollow. All you need to put in a post is a transparent 1 pixel size image.

If you want the IP address of someone specific, you just send him a PM on the forum with that image and check your server logs some time later.

One funny idea is that if (hypothetical, Anet don't bother looking for it) a remote attack on the GW client exists, people can get nailed down by browsing forums or especially wikis as they usually do it with the client open and the game running.

(Baseless fiction) Imagine if someone didn't need to break your password, only steal your session. They get you 007, they use reconnect and bingo, breached acc without them even needing to know your password/email.



IP is known, OS is known, browser is known (and more). And you know that that person has GWs installed, and is serious enough to post to forums, which means that he has stuff worth stealing.

Remember, attacking your machine directly is quite easy unless you are behind nat or firewall.
zwei2stein is offline   Reply With Quote
Old May 13, 2008, 11:03 AM // 11:03   #73
Forge Runner
 
Longasc's Avatar
 
Join Date: May 2005
Default

This is alarming.
Your quick reaction to reset the PW probably saved you, Jetdoc.

Should this not be stickied, thread title changed, people given a warning?
I did not really read about the account hacks of the last two weeks, I usually assume social engineering, carelessness or general stupidity.


But getting hacked while just playing in an Alliance Battle is really creepy.

This is much more serious than the usual "hacks" and really demands some official statements.
Longasc is offline   Reply With Quote
Old May 13, 2008, 11:20 AM // 11:20   #74
Frost Gate Guardian
 
Join Date: Jun 2005
Location: Germany
Guild: [金金金金]
Profession: Me/W
Default

Quote:
Originally Posted by Haskell
You are right. They don't use MySQL. They use MSSQL on W2k3. Google it.


Don't talk about stuff you have no clue about. If someone would have direct access to Anet's DB there would be no need to "hack" player-accounts.

And of course it is very hard to gain access there, so you probably take some sidesteps. How much do you think this DB here is worth? 160k users... 5000$? 10k? 20k? ...

Ofc, they will use salts, but it won't matter, because there are enough users with passwords like 'gwen10' or 'gw12345'.
MSSQL? Ok didn't know that but it is worth a lol.

And I never said that someone had access or would go for it to gain access. I just commented on how hard it is to get in and some things involved with that. I even said that with access nobody would go for other players' accounts but mod their own.

And 160k...well 5 million sold copies is 5 million unique and validated email addresses so it is worth a lot only for that. But still, there are other databases with unique accounts over 1 mil that are easier to acquire.

It's not important though, since it was just one of my examples to show that no "hacking" is involved at all especially seeing that only some ectos and gold were stolen.

I am still sure that ALL reported account thefts are results of either Social Engineering, keylogging or public email + easily guessable pass.

A lot of people use their name or forum name as plaync account name. So basically all you need to ask is the birthday. That alone would lead you to the form for the security questions and there are still a lot of people stupid enough to give correct answers there. All questions are perfectly designed for integration into a convo and that's what I meant with "user's security".

And again, I am sure that nobody would confess that he gave his info away, downloaded something suspicious or bought gold with direct transaction onto his account.

As for the modified client...already said



Not going to happen. Excuse my badass painting skills please.
Mystica is offline   Reply With Quote
Old May 13, 2008, 11:26 AM // 11:26   #75
Forge Runner
 
Longasc's Avatar
 
Join Date: May 2005
Default

Quote:
Originally Posted by Mystica
I am still sure that ALL reported account thefts are results of either Social Engineering, keylogging or public email + easily guessable pass.

After some thought I think you are right.

That this happened while Jetdoc was in AB was just coincidence. He must have fallen to the "usual" methods.

The idea that someone can hack random people that are online at will and hijack their accounts is more a nightmare than something that can really be possible without major effort.
Longasc is offline   Reply With Quote
Old May 13, 2008, 11:32 AM // 11:32   #76
Forge Runner
 
BlackSephir's Avatar
 
Join Date: Nov 2006
Profession: A/N
Default

You've escaped me for the last time, Jetdoc. You won't be so lucky next time.
BlackSephir is offline   Reply With Quote
Old May 13, 2008, 12:05 PM // 12:05   #77
Gli
Forge Runner
 
Join Date: Nov 2005
Default

Quote:
Originally Posted by TideSwayer
Where are you getting the download link from? I say this because the link I used originally:

http://wiki.guildwars.com/wiki/Guide...-game_graphics
I don't know a whole lot of the whole wiki page editing thing, but what's to stop anyone from changing links to valid, clean mods into links to mods with a trojan or keylogger payload?

Wiki doesn't sound like a place one should be clicking download links from.
Gli is offline   Reply With Quote
Old May 13, 2008, 12:28 PM // 12:28   #78
Desert Nomad
 
Join Date: Apr 2007
Default

Quote:
Originally Posted by Mystica
I am still sure that ALL reported account thefts are results of either Social Engineering, keylogging or public email + easily guessable pass.
Those are certainly the most likely causes. However, I don't take your "it's always the user's fault" head-in-the-sand attitude.

I use "strong" passwords, I don't ever tell people those passwords, or write them down, or store them in shortcuts etc. I use different passwords, email addresses, and login names for different things. I am aware of social engineering tricks, and I avoid giving out personal information of any kind in my everyday life. I have a lot of different security software running on my PC.

But despite all reasonable precautions, I still don't feel like my account is safe. I do not underestimate the resourcefulness of people determined to steal, or their ability to eventually find some way to get into other people's accounts. I am also not so arrogant as to believe I can *never* fall for a scam or my account can *never* be stolen. After all, I do use similar user names in various places, simply because it is convenient for friends to recognise me across all those places. I take that risk, and rely on different passwords for protection.

If I ever get my account stolen, people like you will tell me it's my own fault for using similar user names - or even that I *deserved* to lose my account. Perhaps you'd be right. But I truly think it's unreasonable that ordinary people have to use different names everywhere they go, be constantly security-conscious, be careful of what they say and who they say it to... to make up for poor security in the things they access online. Especially when those things are just for games and leisure. Choosing a good password at each place and keeping it to yourself, *should* be all that's needed.

Most people are just gamers. They don't want to be computer/network security wizards, ever vigilant and defeating an unseen enemy. They just want to have fun. I think it's important to remember that - and A-Net should do everything they can to protect our accounts. Right now, they AREN'T doing that.

They can't stop people being stupid, using the same weak password for every login, telling it to somebody etc... but they CAN make it harder for other types of attack, and give us the ability to protect our characters from being deleted.

Last edited by Riot Narita; May 13, 2008 at 12:35 PM // 12:35..
Riot Narita is offline   Reply With Quote
Old May 13, 2008, 12:39 PM // 12:39   #79
Forge Runner
 
Join Date: Jan 2006
Location: By the Luxon Scavenger
Guild: The Mentalists [THPK]
Profession: N/
Default

You should all form a big security company, you seem well aware of all techniques used.

Unfortunately since your main argument is "never been hacked therefore me>u", it's going to fail pretty bad when you'll discover that you know approximately nothing about what's going on.

I'll quote myself:
http://www.guildwarsguru.com/forum/s...6&postcount=49
Quote:
I'll throw a bone, you're free to discuss.

I was "hacked". Or as this word seems to be misused lets just say someone entered my account. Money gone, some valuable weapons gone, inventory messed up. That was not me not remembering that I did, I did not.

My ex password contained signs SUCH AS +. It contains both upper case and lower case characters, not only at the beginning. It was unique, meaning that I only used it for Guild Wars. It was not a word. It is rated very high security on most websites with the feature that tests your password (note: I only tested AFTER "someone entered my account").

No one knows it. I never told anyone, and you can still try remembering it, it took me 2 weeks.

Now that you know that you can't guess it:

After "someone entered my account", I checked for viruses and keyloggers and such. Both McAfee and Ad-Aware did not detect anything, and they are up to date, non-cracked versions. They were running all the time. Oh and I changed my computer in January.
When I told that on GWG, people went into an antivirus comparison flamefest. So I checked with other free and cracked antiviruses. Nothing was found.

So what stays:

- Unknown trojan/keylogger whatever that can be removed at will without any protection noticing.
- Vista failure somewhere.
- Mystery.

Discuss.
What's weird is that it didn't receive any answer. I wonder why.
Turbobusa is offline   Reply With Quote
Old May 13, 2008, 01:01 PM // 13:01   #80
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

Quote:
Originally Posted by Turbobusa
What's weird is that it didn't receive any answer. I wonder why.
I think it is obvious. Unknown keylogger/trojan.

There is no reason why antivirus software should be aware of this kind of software if it is very rare (say, someone wrote one in order to get someone's specific account, or it was deployed in very small quantity - 10s of infections.)

AV software's only chance of getting this is heuristic scans, which are very unreliable and generally only work if the author does something stupid that broadcasts "I am a keylogger"
zwei2stein is offline   Reply With Quote
All times are GMT.