Post by Morreion on Jan 8, 2010 10:02:47 GMT -5
Video gamers face malware deluge (BBC)
Blizzard giving serious consideration to mandatory authenticators (WoW.com)
Potential smoking gun found for Guild Wars security issues (Massively)
Your NCsoft Master Account: A Ticking Time Bomb? (Massively Multiplayer Fallout)
It looks like NCsoft has inexcusably lax security procedures.
It would be a good idea to have unique login information for games instead of using the same ones across all games. Avoid using an identifiable login name, such as the name you use on forum sites.
These issues highlight how important it is to keep your computer safe, although there still would be a risk from inept security procedures by game companies. In addition to having a 2-way firewall and updated antivirus software installed, I'd recommend using a more secure browser such as Firefox with the NoScript add-on, antimalware software such as SpywareBlaster and Spybot Search & Destroy, cleaning software such as CCleaner, and consider running your browser sandboxed.
Video gamers face malware deluge (BBC)
Players of online games are increasingly becoming the target of virus writers, reveals research.
More and more malicious programs are being written to steal the login credentials of popular online games.
The Microsoft research revealed a family of malicious programs aimed at titles such as Lineage, World of Warcraft, Maple Story and many others.
Hijacked accounts are plundered for in-game booty or sold on through the net's underground market places.
Blizzard giving serious consideration to mandatory authenticators (WoW.com)
WoW.com has learned through trusted sources close to the situation that Blizzard is giving serious consideration to making authenticators mandatory on all accounts. According to our sources, while this policy has not been implemented yet and the details are not finalized, it is a virtually foregone conclusion that it will happen.
This response is a direct effort to stop the massive number of compromised accounts by gold sellers and keyloggers. The seriousness of the situation with compromised accounts has reached such a level that wait times for item and character restoration are entirely unacceptable, even to Blizzard executives. Blizzard has taken other internal measures to deal with long wait times of people in account restoration queues, and we'll be covering those measures tomorrow.
However, with the inclusion of mandatory authenticators, this should solve a major problem for Blizzard's support and account administration teams.
Potential smoking gun found for Guild Wars security issues (Massively)
It started as a surprise. Guild Wars players reported suddenly finding themselves hacked, their accounts cleaned out, no indication of what could have caused the problem. NCsoft and ArenaNet offered suggestions, security safeguards, new measures being taken, hints that the problem lay in a popular third-party website with an undisclosed name. But with the recent rash of problems that Aion players have been having regarding security, new facts have begun coming to light, and they paint a picture that isn't pretty.
Specifically, some players seem to be finding that it doesn't take any skill to wind up hacking someone's account accidentally. And all it takes is a few log-in attempts to find yourself with access to someone's account name, password, and billing information for all of a player's NCsoft games.
Your NCsoft Master Account: A Ticking Time Bomb? (Massively Multiplayer Fallout)
List of Known Vulnerabilities with the NCSoft Site:
1. Wrong Account Bug. Sometimes simply logging into the NCSoft site takes you to someone else’s account instead, with FULL CONTROL over that account. An attacker need only use a bot to log into their own account over and over until the bug occurs, then steal the account the bug gives them.
2. Advanced Vulnerabilities Reported by Mung on Aion Forums
  * “SQL injection is apparently NOT prevented very well. [Mung] was able to send a basic acknowledge request and instead of ‘page not found’ or ‘incorrect login’ [Mung] received an SQL ack!”
  * “The ENTIRE web domain is unprotected from file mirroring (process of copying all files housed at the web host).”
  * “[T]he majority of the process functions for each page under the ‘secure.ncsoft.com’ domain are scripted in PERL but referencing Javascript multiple times for all sorts of verifying processes. This can easily be manipulated to a user’s intention.”
3. Brute Force Vulnerabilities
  * Login failure gives a different error message for real usernames and non-usernames. An attacker can generate a list of valid usernames by systematically running all character strings against the NCSoft site’s username field.
  * Security questions for password reset have dangerously small search spaces that can be guessed quickly. The birthday question (which is the default!) is particularly easy. So is the car color question.
  * A failed attempt at answering security questions that includes one correctly guessed question returns an error message that tells the user which question is correct. This vastly reduces search time for a brute force attack.
  * Password reset attempts are allowed too frequently. 5 attempts every 12 hours is too many given the small search spaces.
  * IPs attempting multiple failed logins or password reset attempts are not blocked, blacklisted, or greylisted.
  * An attacker can specify a new NCSoft password immediately upon correctly guessing the password reset questions. The system should create a random password and send it in a confirmation e-mail to the account’s associated address.
  * The GW username is displayed on the NCSoft site. It should not be. This gives an attacker 1/3 of the GW login credentials.
  * An attacker can specify a new GW password immediately upon accessing the NCSoft site. The user should be required to enter the old password and/or respond to a confirmation e-mail to the account’s associated address. [Edit: Apparently this was fixed a few hours ago. The old password is now required.]
  * No countermeasures at all against brute forcing the NCSoft password. (Gaile states that she has been told there are, but forum members making repeated failed login attempts did not encounter lockout, blacklisting, or increasing delay. Suspect Gaile has been misinformed by NCSoft staff.)
4. GW usernames are present in old support tickets. This renders the new character name security question useless.
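As an added example, not code from the original post, from NCsoft, or from any of the quoted sources, here is a small Python account service that implements the countermeasures the vulnerability list above asks for: one error message whether or not the username exists, per-IP greylisting with an increasing delay after repeated failures, all-or-nothing checking of security-question answers so the response never says which one was right, a random reset token sent to the address on file instead of letting the requester choose a password, and a password change that requires the old password. Every account, address, answer and IP in it is constructed for the demo; the fixed salt and in-memory dictionaries are simplifications, not production choices.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac

# Demo-only constant salt; real systems use a random per-account salt.
SALT = b"demo-salt"


def _hash(secret: str) -> bytes:
    """Slow hash for passwords and security answers (PBKDF2-HMAC-SHA256)."""
    return pbkdf2_hmac("sha256", secret.encode(), SALT, 10_000)


@dataclass
class Account:
    email: str
    pw_hash: bytes
    # Security-question answers are stored hashed, normalised to lower case.
    answer_hashes: dict = field(default_factory=dict)


class AccountService:
    MAX_FAILURES = 5  # failures per IP before greylisting starts

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for deterministic tests
        self.accounts = {}            # username -> Account
        self.outbox = []              # stand-in for the mail server: (email, token)
        self.failures = {}            # ip -> (count, blocked_until)
        self.reset_tokens = {}        # token -> (username, expiry)

    # --- greylisting: every failure counts, delay doubles once the limit is hit ---
    def _blocked(self, ip: str) -> bool:
        _, until = self.failures.get(ip, (0, 0.0))
        return self.clock() < until

    def _record_failure(self, ip: str) -> None:
        count, _ = self.failures.get(ip, (0, 0.0))
        count += 1
        delay = 0.0
        if count >= self.MAX_FAILURES:
            delay = 30 * 2 ** (count - self.MAX_FAILURES)  # 30s, 60s, 120s, ...
        self.failures[ip] = (count, self.clock() + delay)

    def login(self, username: str, password: str, ip: str) -> str:
        if self._blocked(ip):
            return "blocked"
        acct = self.accounts.get(username)
        # Hash against a dummy value for unknown users so the work done and the
        # message returned are the same; the caller cannot tell whether the name exists.
        candidate = acct.pw_hash if acct else _hash("dummy")
        ok = hmac.compare_digest(_hash(password), candidate) and acct is not None
        if not ok:
            self._record_failure(ip)
            return "Invalid username or password"
        self.failures.pop(ip, None)
        return "ok"

    def request_reset(self, username: str, answers: dict, ip: str) -> str:
        """All questions must be right; the reply never reveals which one failed."""
        if self._blocked(ip):
            return "blocked"
        acct = self.accounts.get(username)
        all_ok = acct is not None and len(answers) == len(acct.answer_hashes)
        for question, stored in (acct.answer_hashes.items() if acct else []):
            given = _hash(answers.get(question, "").strip().lower())
            all_ok &= hmac.compare_digest(given, stored)  # no early exit per question
        if not all_ok:
            self._record_failure(ip)
            return "Reset request could not be verified"
        # The requester never sets a password here: a random single-use token
        # goes to the e-mail address already on file.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, self.clock() + 900)  # 15 minutes
        self.outbox.append((acct.email, token))
        return "ok"

    def reset_with_token(self, token: str, new_password: str) -> str:
        entry = self.reset_tokens.pop(token, None)  # pop makes the token single-use
        if entry is None or self.clock() > entry[1]:
            return "Invalid or expired token"
        self.accounts[entry[0]].pw_hash = _hash(new_password)
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> str:
        """Changing a password always requires proving knowledge of the old one."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(old), acct.pw_hash):
            return "Invalid username or password"
        acct.pw_hash = _hash(new)
        return "ok"


def demo_service(clock=time.time) -> AccountService:
    """Builds a service with one constructed account (fake credentials and answers)."""
    svc = AccountService(clock=clock)
    svc.accounts["player1"] = Account(
        email="player1@example.invalid",
        pw_hash=_hash("correct horse"),
        answer_hashes={"birthday": _hash("1984-06-14"), "car_color": _hash("red")},
    )
    return svc


if __name__ == "__main__":
    svc = demo_service()
    print(svc.login("player1", "wrong", "198.51.100.7"))   # same text as for an unknown user
    print(svc.login("nobody", "wrong", "198.51.100.7"))
```

The two responses printed at the bottom are identical, which is the point of the username-enumeration fix; the greylisting and token flow are exercised by calling the methods with an injected clock, as the demo function's `clock` parameter allows.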