The Glade 4.0


All times are UTC - 6 hours [ DST ]

PostPosted: Wed Aug 11, 2010 5:14 pm 
Lean, Mean, Googling Machine

Kaffis Mark V wrote:
Not reliably so. If one password is compromised, any other "known" factor should be assumed to be compromised, or compromiseable, too. How does a "known" security measure get compromised? Coercion, interception, or social engineering. I've forced, spied, or tricked you into revealing your password to me. And you think I didn't get the second password/secret question/whatever out of you, too?

To expand on this a little more, one of the problems with single-factor, "something you know" authentication is that in one form or another, the things you know are all typically stored in the same database. For passwords, generally only hashes are stored, but I'm skeptical that the answers to "security questions" are hashed rather than being stored raw in the database. Either way, hashes are usually a non-issue for a competent cracker unless your passwords/answers are sufficiently complex. For many ... no, most users, this is not the case.

What's my point? If an attacker can compromise the database, they can dump the answers to your security questions just as easily as they can dump your password (hash). This is a big weakness for single-factor authentication, and one that should be of particular concern to e-commerce sites and the like, which are particularly susceptible to injection-style attacks.

I won't name names, but a couple years ago, I found an SQL injection in a sizable e-commerce site. It wasn't a huge one like, say, Amazon or eBay, but big enough that most of you have at least heard of it. I was able to dump passwords, email addresses, CC numbers, the whole nine yards. Given that many of these people were likely to use the same password on the e-commerce site that they use for their email, I could have followed up by accessing thousands of email accounts, which in turn would have given me access to all kinds of things from the inside -- password resets on other sites, etc., etc. And, I should point out, I'm not even a cracker -- just a bored geek who spent 30 minutes or so reading up on SQL injection.

The moral of this story is two-fold:
  1. Two+ factor authentication would have shut down all of these attacks. Keeping all of your eggs in one basket is never as secure as splitting them up.
  2. You shouldn't overestimate the security of 3rd-party databases, even if they have a "big name" behind them.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.
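
Stathol's point above is that a second "something you know" kept in the same database as the password adds nothing once that database is dumped, and that a password reused from one dump opens accounts elsewhere. The authenticators discussed in this thread work differently: the code comes from a seed shared only between the device and the one service it was enrolled with. As an added example, not from any poster and not Blizzard's proprietary authenticator but the standard RFC 6238 TOTP algorithm most authenticator apps use, with constructed seeds and account names:

```python
import hmac
import struct
import time
from hashlib import sha1

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); this is the number the device shows."""
    return hotp(seed, now // step, digits)

def verify_totp(seed: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` neighbours to absorb clock skew,
    comparing in constant time so response timing does not leak how many digits matched."""
    return any(hmac.compare_digest(totp(seed, now + k * step, step), code)
               for k in range(-window, window + 1))

class Authenticator:
    """One device, many accounts (Midgen's question further down): every account has its own
    seed, shared only with the service it was enrolled with, so nothing in another site's
    database yields it."""
    def __init__(self):
        self.seeds = {}
    def enroll(self, account: str, seed: bytes) -> None:
        self.seeds[account] = seed
    def code_for(self, account: str, now: int) -> str:
        return totp(self.seeds[account], now)

if __name__ == "__main__":
    # Constructed seeds for the demo; the first is the RFC 6238 test-vector secret.
    device = Authenticator()
    device.enroll("account-a", b"12345678901234567890")
    device.enroll("account-b", b"constructed-seed-for-account-b")
    now = int(time.time())
    for account in device.seeds:
        code = device.code_for(account, now)
        print(account, code, verify_totp(device.seeds[account], code, now))
```

The caveat from Stathol's first point still applies: the service must store the seed too, so a dump of that service's own database exposes it. What the seed does not appear in is the databases of other sites where the same password was reused, and a code seen once is useless after the window closes.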


PostPosted: Wed Aug 11, 2010 5:24 pm
Cheesehead

bash.org wrote:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.


http://bash.org/?244321

Humans are the weakness in any good security system.

_________________
Once, I was a ranger
Then, I was a warlock
And a mage
And a paladin
Now, I seek to be myself


PostPosted: Wed Aug 11, 2010 8:00 pm

Personally, I find the dongle a million times less annoying than having my account hacked.

_________________
Les Zombis et les Loups-Garous!


PostPosted: Wed Aug 11, 2010 10:03 pm
Commence Primary Ignition

Kaffis Mark V wrote:
Not reliably so. If one password is compromised, any other "known" factor should be assumed to be compromised, or compromiseable, too. How does a "known" security measure get compromised? Coercion, interception, or social engineering. I've forced, spied, or tricked you into revealing your password to me. And you think I didn't get the second password/secret question/whatever out of you, too?


I wasn't making any claim as to reliability. In the case of WoW, the second of those is almost certainly the way it was stolen. Therefore, if it isn't entered in the same way, it should, at the very least, slow down hackers and phishers, if only by making them expend more effort to get both passwords.

Stathol wrote:
What's my point? If an attacker can compromise the database, they can dump the answers to your security questions just as easily as they can dump your password (hash).


That would mean Blizzard's database was compromised and the whole game was in jeopardy. When I was talking about this, I was envisioning the security questions being stored on their end.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


PostPosted: Fri Aug 13, 2010 2:33 am
Cheesehead

Count me among the compromised.

Not sure what did it.

Using my e-mail and password for WoW (not the e-mail) on WoW sites like WoWHead, WarcraftPets?

Really don't think keylogger as I never log into WoW on Windows. I do WoW Beta on OS X and SC II on OS X only also.

What is odd is I got the e-mails and it said my account was locked almost instantly.

Then I tried to login and I could... so I was like 'What the hell... valid headers, but my password is mine and I am not locked?'

Decided to focus on other tasks... a few hours later, another password change e-mail... and then I reset and what do you know, bam...

Trinkets, emblems, and more gone. Not sure why some gear escaped the purge when others did not but c'est la vie.

We'll see what, if anything, Blizzard will do.

Of course, both wife and I now use authenticators on iOS. Stupid of me not to, except sometimes I need to log her in for X and we don't work the same shift anymore.

PostPosted: Fri Aug 13, 2010 2:43 am
Bull Moose

Condolences,

People do suck, not all of them, but enough to make it hard to trust anyone.

_________________
The U. S. Constitution doesn't guarantee happiness, only the pursuit of it. You have to catch up with it yourself. B. Franklin

"A mind needs books like a sword needs a whetstone." -- Tyrion Lannister, A Game of Thrones


PostPosted: Fri Aug 13, 2010 6:12 am

Katas wrote:
Using my e-mail and password for WoW (not the e-mail) on WoW sites like WoWHead, WarcraftPets?

You used the same password for an internet site as your WoW account? Yeah, that could have something to do with it...

Did your password have mixed case, alpha and numeric characters, and use more than 8 characters? Was it a dictionary word?

_________________
In time, this too shall pass.


PostPosted: Fri Aug 13, 2010 11:05 am

Katas,

I believe you can use the same authenticator on multiple accounts? Would that help your situation?


PostPosted: Fri Aug 13, 2010 1:32 pm
Cheesehead

Task,

7 characters, no upper.

Midgen: It would except during times when we are actually playing. She hasn't logged in in months.

Essentially, her account held my alt who became my main.

My account held her alt who became her main.

My old main and my mage are still with her main.

My new main and my alt with tons of heirloom is the one affected.

I am relatively numb about the whole thing.

Since we don't WoW much, I have been lax in my security stuff.

Ah well... a password changing I am going.

PostPosted: Fri Aug 13, 2010 2:00 pm
The Dancing Cat

Weird, I just got an email that someone changed my battle.net account email address. I didn't even know I had a battle.net account since I haven't bought a Blizzard game since Warcraft III.

_________________
Quote:
In comic strips the person on the left always speaks first. - George Carlin


PostPosted: Fri Aug 13, 2010 2:25 pm

If you ever played WC3 multiplayer, you had a battle.net account.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


PostPosted: Fri Aug 13, 2010 2:38 pm
The Dancing Cat

Kaffis Mark V wrote:
If you ever played WC3 multiplayer, you had a battle.net account.

Nope, never got into MP RTS.

PostPosted: Fri Aug 13, 2010 2:55 pm

Maybe if you registered it, then? Depending on how you patched, that might have done it, too.

Oh, or Diablo 1/2?

PostPosted: Fri Aug 13, 2010 4:00 pm
The Dancing Cat

Kaffis Mark V wrote:
Maybe if you registered it, then? Depending on how you patched, that might have done it, too.

Oh, or Diablo 1/2?

It would have to be registering WCIII. I never played D1 or D2. Oh noz... someone haxxored my 10 year old account? I don't even have any of the same credit cards or bank accounts from that long ago.

PostPosted: Sun Aug 22, 2010 7:33 am
Eatin yur toes.

Could be phishing. Oh no your email changed, log in using this handy link to check and correct ...


PostPosted: Tue Aug 24, 2010 8:46 am

Yeah, check the headers of the email and see if it's actually from blizzard or battle.net.

My old email address is still bombarded by emails from "blizzard" and "battle.net" saying that I am in the Cataclysm beta, that my account has changed, that someone stole my account, and a ton of other things. 1. The headers always show the truth of the matter. 2. Blizzard doesn't use that email anymore. At this point, I find those emails quaint and humorous.

PostPosted: Tue Aug 24, 2010 10:24 pm
Kitchen Temptress

Numbuk wrote:
Yeah, check the headers of the email and see if it's actually from blizzard or battle.net.

My old email address is still bombarded by emails from "blizzard" and "battle.net" saying that I am in the Cataclysm beta, that my account has changed, that someone stole my account, and a ton of other things. 1. The headers always show the truth of the matter. 2. Blizzard doesn't use that email anymore. At this point, I find those emails quaint and humorous.



Shel got these phishing emails today, I haven't yet. We both have authenticators and I'm very happy with them. $6.50? Trivial compared to the time and hassle it would be for me if my account got hacked. And I got an ingame pet, too.


PostPosted: Thu Aug 26, 2010 4:14 pm
Sensitive Ponytail Guy

Given how slick and polished the phishing messages I received were, I think it's safe to say it's best not to click on links you find in any email that appears to come from Blizzard. I got a "your battle.net account information has been updated" message and moused over the link it contained. The display text was a legit Blizzard address, but the link itself was not. Apart from that, the only other obvious clue that this was a scam was a single grammatical error that could easily be overlooked.

_________________
Go back to zero, take a pill, and get well ~ Lemmy Kilmister
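
Numbuk's advice to read the headers and Kaffis's observation that the link text showed a legitimate Blizzard address while the link itself did not are both mechanical checks. As an added example (not code from anyone in the thread), this Python script applies both to a constructed message in the style of the emails described: it compares the Return-Path and Reply-To domains against From, and flags any anchor whose visible text names one host while its href points to another. The `.test` attacker hostnames and the Blizzard/Battle.net addresses in the sample are constructed for the demo; a grammatical slip like the one Kaffis noticed is left in the body because no parser catches that one.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like an address: optional scheme, dotted host, optional path.
URLISH = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#].*)?$", re.I | re.S)
def addr_domain(msg, header):  # domain of the mailbox in `header`, None if absent
    _, addr = parseaddr(str(msg.get(header, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None
class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def check_email(raw):  # findings for a raw RFC 5322 message; an empty list means clean
    msg = message_from_string(raw, policy=policy.default)
    findings, from_dom = [], addr_domain(msg, "From")
    for hdr in ("Return-Path", "Reply-To"):  # bounce/reply mailbox should match From
        dom = addr_domain(msg, hdr)
        if from_dom and dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    for href, text in links.links:  # text names one host while href goes to another
        shown, real = URLISH.match(text), urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real.lower():
            findings.append(f"link text shows {shown.group(1)} but points to {real}")
    return findings

# Constructed sample modelled on the messages described in the thread; not a real email.
PHISH = """\
Return-Path: <bounce@mail.example-phish.test>
From: "Battle.net" <noreply@blizzard.com>
Content-Type: text/html; charset="utf-8"

<p>Please verify you're account at <a href="http://battle.net.account-verify.example-phish.test/login">https://us.battle.net/account/management/</a></p>
"""
```

Running `check_email(PHISH)` reports both the Return-Path mismatch and the link whose text shows us.battle.net while its target is the .test host; a message whose bounce address and link targets all sit in the sender's own domain returns an empty list.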

