Thread: WoW Account Security - How not to get hacked.

  1. #41
    Join Date
    Apr 2009
    Posts
    19
    I'm in no way a network security expert but I'm fairly certain that even if the number on the token changes every 10 seconds, the actual window when the number is valid is somewhat longer. And it doesn't take very long to send the information to the other side of the world and have some automated system log in. Disabling your connection to WoW servers permanently is no problem whatsoever if you have your own software running on the victim's machine with admin privileges.

    About only doing a few accounts a day, I'd guess they're doing it manually now as well. It'd be quite a complicated system to automatically take account details, then login and vendor, disenchant, etc all the valuables on all the characters.

    The people cleaning the accounts aren't necessarily the same people writing the malicious software. I doubt many of the people cleaning accounts could write the current key loggers (which btw, as far as I know don't actually really log keys but read the password from memory), yet these key loggers that specifically target WoW exist.

    Don't read too much in the term "man in the middle". Malicious software running on the victim's machine can just as well be the "man in the middle". And they don't need to decrypt anything or poison DNS servers. The details are in plain text on the machine before they get sent to Blizzard. They can be captured just like current key loggers do now. All that needs to be done is send the account details some other way and block the connection to the real server. The victim gets a "Unable to connect" and simply thinks they have a network problem. They might even try to login again giving another one time password for the hackers in case they missed the window first time.

    Really, the only problem is using the password before it expires. The authenticator may be the best available method to secure your account, I don't deny that. But it in no way is unbreakable and a lot of people seem to think that.
    Last edited by Olog; 04-30-2009 at 09:18 AM.

  2. #42
    Join Date
    Nov 2007
    Posts
    187
    Quote Originally Posted by Olog View Post
    I'm in no way a network security expert but I'm fairly certain that even if the number on the token changes every 10 seconds, the actual window when the number is valid is somewhat longer.
    It's pretty obvious that you are not a network security expert, because you are wrong. I'm not trying to insult you, only putting this uninformed "debate" to rest. This exact technology is used for remote access into highly secure bank and government systems for a reason. I have one just like it on my keychain now for secure access into a major bank's systems through which hundreds of millions of dollars flow every second. A knowledgeable hacker with my RSA token and my passwords could do literally billions of dollars worth of damage in very short order. You can bet your tail that the bank takes this possibility far more seriously than Blizzard does.

    It is sound technology, and for securing a WoW account it is gross overkill.

    The difference between bank/government implementations, and the way in which the WoW Authenticators have been bypassed to this point is that Blizzard's call-in centers have been far too willing in the past to untie the authenticators from accounts, and provide password reset services for people who do not own the accounts. Hacker calls in, pretends to be you, says their authenticator broke, please disable it. Helpful Blizzard call staff do so and reset password for hacker, hacker cleans you out.

    That's not a flaw with the technology, that's a social engineering hack. Blizz has clamped down dramatically on this recently from some things I've read, but it should be your only real concern once you have one of these tied into your account.

  3. #43
    Something along the same side as World of Warcraft Account security, I had this happen to me recently and had to call Blizzard to get my account back, the email looked exactly like this and they keep sending me them... Still to this day I get them, I'm actually not 100% sure if they're real or not but I usually know that I don't share my account. I do know that it doesn't state my account name (don't post your account name in a public forum) or even an account name in the email; that's about the only way I know it's usually fake.
    Last edited by Satrina; 04-30-2009 at 12:14 PM.

  4. #44
    Join Date
    Apr 2008
    Posts
    1,399
    If it was real you would be able to go to World of Warcraft Community Site, sign in and do it, otherwise it's a phisher... and you probably have a keylogger

  5. #45
    Join Date
    Apr 2009
    Posts
    19
    In response to Heladys.

    Well, a quick Google search yielded the following:

    Some opinions about the vulnerability of these tokens:
    Are one-time password tokens susceptible to man-in-the-middle attacks?
    Schneier on Security: Man-in-the-Middle Attacks
    http://www.tamebay.com/2007/01/5-pay...alse-hope.html

    Some banks using 2-factor authentication cracked:
    Security Fix - Citibank Phish Spoofs 2-Factor Authentication
    Phishing attack evades bank's two-factor authentication • The Register

    Like I said I'm no security expert but I still have a general knowledge of how this stuff works, well at least I think I do. If you're an expert maybe you can tell me how the authenticator defeats the type of attack I, or these articles, describe. Just saying that it must be good because banks use it is hardly an argument. It might very well be the best thing we got, which is why banks use it, but still be very vulnerable.

  6. #46
    Join Date
    Feb 2008
    Location
    Calgary, AB
    Posts
    1,641
    I am not 100% sure how the WoW client behaves, however the "I'll redirect your traffic elsewhere while I steal your stuff" attack is not a new thought process. This is why most clients which use two-factor authentication also establish a trusted channel of communication with the authentication server before even requesting the token's key, let alone transmitting it. Redirecting this trusted channel alone would be a monumental challenge, and with the client using a public key encrypted with current strong hash/ciphers, virtually impossible.

    It is obvious that the WoW client has to communicate with the authentication servers before it prompts you for your token id. This is evidenced by the fact that all users run the same client, and yet some of us have tokens and others do not. We have different login procedures using the same software, how is this possible? Obviously upon login with your basic credentials a connection with the auth server is generated and the server says "hold up, we need more info" to those with authenticators.

    Assuming Blizzard programmers are worth anything more than their salt, the probability of a man-in-the-middle attack when using an authenticator is virtually nil.

    Quote Originally Posted by Turelliax View Post
    people don't know how to keep it in their pants for a little bit before exploding all over my face.

  7. #47
    Join Date
    Apr 2008
    Posts
    1,399
    That's not hacking, that's a phishing scheme; if you're stupid enough to put your info in, there's no hope for you with anything with security. The token will not stop a phisher; it will stop a hacker. Please understand how those two things are different. The way, for every one of your links, that the accounts were compromised was not due to the token but due to the user inputting their information on a fake website. For something like WoW they would have to install on your system a fake exe file and replace your current one for it to work. Theoretically possible but far from probable.

    With your argument we should take air bags out of cars because people still have car wrecks with airbags installed in cars...

    The token will not and cannot prevent you from being a complete and total idiot. It can prevent a hacker using a keylogger from stealing your account info.

  8. #48
    Join Date
    Aug 2008
    Location
    Hawaii
    Posts
    941
    Authenticator. That's how you don't get hacked.

    True Knowledge exists in knowing that you know nothing.
    Agg's tanking guide

  9. #49
    Join Date
    Nov 2007
    Posts
    187
    Quote Originally Posted by Olog View Post
    Just saying that it must be good because banks use it is hardly an argument. It might very well be the best thing we got, which is why banks use it, but still be very vulnerable.
    That's not what I'm trying to say.

    What I'm trying to say is that people with a lot more technical knowledge than you have deemed it the best available mechanism for systems far more sensitive than WoW, and your back of a napkin concerns don't hold water. Every one of the things is built off an internal clock which is synchronized with hardware inside the gates. They don't have clock drift like your PC, and they don't keep the generated codes active inside the environment longer than your authenticator does. They quite intentionally sever attempted authentications which are cutting it close, and you're told as a user receiving one of them not to expect a successful authentication if you try a code during the first or last bar of its life, rather to wait for a code to be around the middle of its age - exactly because the gateways cut them off soon and they don't accept them early.

    An authenticator doesn't render you immune to any theoretical attack from now unto eternity any more than a great security system renders your home immune to burglary. Nobody's ever said otherwise.

    What it does is render you immune to the types of attacks which WoW hackers can afford to be launching. These are not Chinese cyber warfare geniuses trying to crack the NSA from known points of entry, nor are they even the types of hackers we send to jail on a daily basis attempting to compromise our systems. They're mom & pop gold shops with a "write your own trojan and try to get people to download it!" kit from SpumCo, aimed at cherry picking the lowest hanging fruit.

    That fruit isn't you, not if you're using an Authenticator. You've moved from a relatively simple password-capture hack to a full-on live man-in-middle hack scenario, and that's simply not reasonable nor cost-effective.

  10. #50
    Join Date
    Apr 2009
    Posts
    19
    Quote Originally Posted by Lizana View Post
    The way, for every one of your links, that the accounts were compromised was not due to the token but due to the user inputting their information on a fake website. For something like WoW they would have to install on your system a fake exe file and replace your current one for it to work. Theoretically possible but far from probable.
    In the case of WoW it's not a fake website, it's the normal login screen with malicious software (the so-called key logger) running in the background. The two working together are effectively a fake login screen, which just looks exactly the same as the real thing. The key logger catches your login details and cuts off the communication with Blizzard, preventing the one-time password from being transmitted. Note that current password stealers aren't installing any fake exe files and are stealing passwords just fine.

  11. #51
    Join Date
    Apr 2008
    Posts
    1,399
    The thing is a keylogger is giving that to the hacker that logs in within 10 seconds of the security code. You're misinformed about how they work. My wife had a keylogger on her computer for over 8 months before her account was compromised. The keylogger is logging every action you do; it doesn't magically activate and deactivate when you're at the login screen. And to cut off the info going to Blizzard would require breaking the secure channel, something far beyond a typical keylogger. For a man in the middle attack to work with your log in, they would have to replace your exe or modify the game files to submit the info to their servers, not Blizzard's.

  12. #52
    Join Date
    Feb 2008
    Location
    Calgary, AB
    Posts
    1,641
    Quote Originally Posted by Lizana View Post
    For a man in the middle attack to work with your log in, they would have to replace your exe or modify the game files to submit the info to their servers, not Blizzard's.
    This is what I was getting at in my post, and my point is that Blizzard is probably smart enough to implement measures to prevent this.

    1) Modify the WoW executable - Blizzard likely signs each of the exes it publishes to the public, and when you try to log in the game file is hashed and compared against the valid signature. When the exe is modified, the hash does not match the valid signature, and your game client does jack squat.

    2) Intercepting the secure channel - nigh impossible using modern hashes/ciphers. Just assume it can't be done by the run-of-the-mill coder getting paid $0.04/hour to work in a Chinese gold selling outfit.


  13. #53
    Join Date
    Apr 2009
    Posts
    19
    Here's a description of one key logger that specifically mentions reading WoW process memory. It doesn't replace the WoW exe, it injects itself into some other process. There's absolutely no need to reroute or intercept the traffic from the victim's machine to anywhere or decrypt the communication. The login details are right there in the process memory in plain text.

    And cutting off the network traffic is no magic trick either. Go try doing "ipconfig /release" in command prompt while you're logged in WoW and see what happens. (I take no responsibility if you screw up your network settings with that but "ipconfig /renew" should get stuff back up.) This is of course a very crude way and with a bit more effort they could only block traffic to Blizzard's servers.

    And here's one more link to back up my back of a napkin concerns, with some Symantec researcher saying the following:

    "Two-factor authentication tokens work well for these very simple-minded attacks. However, if an attack is more sophisticated and the phisher can use the credentials in real time, we are the ones out of luck. I believe that two-factor authentication security will be almost futile when we tackle the next generation of phishing attacks."

    I don't intend to say that the authenticator is worthless. It obviously makes it more difficult to steal password and thus your account more secure. It just doesn't make it impossible or even extremely hard and people shouldn't think that they're safe from all malware forever when they get an authenticator.

  14. #54
    Join Date
    Apr 2008
    Posts
    1,399
    They monitor what keys a user pressed and sends the keyboard activity logs to a malicious hacker.
    The keylogger logs the data, that part you understand; what you don't seem to comprehend is what your second link is about. It's not hacking, it's not keyloggers, it's PHISHING

    From wiki

    In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
    The only time that is a concern is if

    1. They hack the DNS and route you to their site when you type in World of Warcraft Community Site

    2. They corrupt your wow install and use their own login screen to have you input the data

    3. You're an idiot and click on the link that reads www.istealyourpasswordsandbangyourgf.com and sign into a lookalike WoW page.


    Every story you have linked so far has been about the Citibank phishing scheme that was from idiot users clicking on a link in their email or on an ad and being taken to a lookalike site of Citibank. At that time, those idiots put in their username and password into the fields and they were submitted through the middleman server to the real web server. Then the real web server would send back the secure request for authentication. The phishers being in the middle would intercept the authentication and use it to authorize themselves on the account to log in. At that point they would have access to the account and would send to the idiot a faked page.

    The problem with how this relates to WoW is the fact you're not clicking on a link in your email to log into the game. You are loading up a program that has a secured install. Changes to the files of your install are tracked and monitored; that's part of the way Blizzard's anti-cheat program works. So even if a hacker was able to create a middle man server to pass your data and intercept it, they would have to find a way for you to be able to have the data sent to that server. The fact that a keylogger can read data on a current running app is nothing new. But you're asking that same keylogger to modify the transmission of data from a secure channel to an insecure one to the middleman server. And yes, there are ways to block an IP address or even totally disable someone's internet, but that's not how these people make their money. They want you to be totally unaware that you are even infected for as long as possible. We found out after the fact that after my wife's account was compromised, the hackers had been using her account for almost a month spamming trade channels on other servers.

    There's a reason gold stealers don't delete the chars after they have strip mined them: they are hoping you come back in, get your stuff back and they can steal it over and over and over again. Doing man in the middle defeats the purpose of that.


    You are very confused about the difference of malware, phishing and hacking. And I think you might have watched the latest Die Hard a few too many times. They can do a lot, but without physical access to the keyfob you're going to be too much effort for them to mess with.

  15. #55
    Join Date
    Apr 2009
    Posts
    19
    Don't be too focused on the terms used or arbitrary definitions. But even your wiki definition applies here. The password stealing malware is exactly masquerading as a trustworthy entity by hiding behind the real login screen.

    Out of the three possibilities you list, number two is the exact thing that applies here. Only thing is that they don't need their own fake login screen, they can just piggyback on the real one. Pulling off the attack I've described several times is actually much easier if you can get malicious software running on the victim's machine than doing it over the net with some fake server in the middle. You don't need to worry about getting the user on your fake server or security certificates and you can actually use the real login screen instead of building a lookalike yourself.

    And let's not forget that I'm sure there are plenty of people that have lost their account to number three. And indeed the authenticator isn't a be all end all security measure against that either.

    As for number one, hacking a dns server is hardly necessary. Again, malicious software on victim's machine can do pretty much anything, for example change your DNS settings so you unknowingly connect to a hostile DNS instead of the one provided by your ISP. Even simpler solution is to modify the hosts file. If you want to try this yourself, open your Windows\system32\drivers\etc\hosts file. Add a line with "74.125.45.100 www.worldofwarcraft.com" in there (that IP address should go to google). Then restart your browser and try going to that address.

    As I've said, and provided evidence, tampering with WoW process doesn't require completely replacing the executable. Yes Blizzard has anti cheating and security measures in place but so far they don't seem to be very effective. If the install was so secured, how do you think current key loggers work or why all the bot programs are able to operate at all. I've also said a few times now that there's no need to tamper with the secure communication channel other than disconnect it altogether, which really is not hard at all.

    You are right in that the authenticator would probably largely stop using the hacked account for spamming because the attacker can't login whenever they want. But cleaning account several times, if you don't remove the malware in between, applies just as well in this case. Most people probably wouldn't be too alarmed if they one day can't suddenly connect. They'd just think that there's something wrong with their net or ISP.

    I don't think there is anything else I can say about this. I've provided you with expert third party opinions about two-factor authentication, examples where it has been cracked already, descriptions how a key logger works and tried to correct some misconceptions as best as I can myself. If you still refuse to believe it I don't think there's anything more I can do.

    And thank you very much, I have not seen the latest Die Hard.
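
Added example, not part of any post in this thread: the hosts-file override described in post #55 is easy to check for from the defender's side. The sketch below parses hosts-file text and reports any line that pins a watched domain or one of its subdomains to an address; the watch list, the function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumption: domains that should always be resolved through DNS, never pinned locally.
WATCHED_DOMAINS = {"worldofwarcraft.com"}

# Constructed sample; it includes the line quoted in the post above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
74.125.45.100 www.worldofwarcraft.com
# 10.0.0.5 us.worldofwarcraft.com   (commented out, must be ignored)
192.0.2.10   intranet.example  WWW.WorldOfWarcraft.COM.
192.0.2.11   notworldofwarcraft.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank line or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: not a mapping
        for name in fields[1:]:                 # one line may carry several aliases
            yield line_no, str(ip), name.lower().rstrip(".")


def is_watched(host, watched):
    """True for a watched domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return the hosts-file entries that override a watched domain."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text)
            if is_watched(host, watched)]


if __name__ == "__main__":
    for line_no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is pinned to {ip}")
```

To check a real machine, pass the contents of the hosts file named in the post to `audit_hosts` in place of `SAMPLE_HOSTS`.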

  16. #56
    Join Date
    Aug 2007
    Posts
    913
    Quote Originally Posted by Lizana View Post
    The thing is a keylogger is giving that to the hacker that logs in within 10 seconds of the security code. You're misinformed about how they work. My wife had a keylogger on her computer for over 8 months before her account was compromised. The keylogger is logging every action you do; it doesn't magically activate and deactivate when you're at the login screen. And to cut off the info going to Blizzard would require breaking the secure channel, something far beyond a typical keylogger. For a man in the middle attack to work with your log in, they would have to replace your exe or modify the game files to submit the info to their servers, not Blizzard's.
    You're making things more complicated than they are. For example, here is an application for a different MMORPG that pretty much takes the role of a Recount-like addon. The MMORPG in question does not allow for UI modifications, so you need an external program. It does this by reading the game process's memory and analyzing the communication stream between it and the server. While this is a legitimate use, there's nothing that would prevent such an application from also modifying process memory or simply kill the game process when one does not want it to communicate with Blizzard's servers anymore (for bonus points, you can make it look like a regular application crash).

    A piece of malware of course will generally have far more privileges, too, and can intercept operating system calls, too. For that, you modify the OS's interrupt/trap table (it's INT 2E on Windows, I seem to recall) to modify calls that you don't want to succeed or to return a different result (e.g., prohibiting the sending of further messages to Blizzard's servers). This is not rocket science: People were doing it all the time for legitimate purposes (OS extensions) in the days before memory protection in CPUs was widespread (8086, 68000 processors), and the only thing that is different these days is that you need superuser privileges to perform the required modifications to the OS.

    That's not saying that this will or can happen. First of all, a Blizzard authenticator DOES make it harder to hack an account successfully, since timing will be critical and more technical expertise required. Second, there currently is little incentive for criminals to use a more complicated scheme when there is plenty of low-hanging fruit. Things would change if two-factor authentication did become widespread and if there were a financial incentive for them to go after authenticator-protected accounts. But two-factor authentication does not make you immune to being hacked.

  17. #57
    Join Date
    Feb 2009
    Location
    AZ (Zonie)
    Posts
    376
    Quote Originally Posted by Warwench View Post
    thats not clever at all, it is incredibly easy to spot and anyone who fell for it deserves it.
    Hmm, my use of the word "clever" was not in the sense that it was something new, or ingenious...rather, it was an exploitation of inherent trust in a fellow guildy, disguised as a promotion for the guild, instead of the usual appeal to greed, or self promotion. As to the incredibly easy to spot, I fully agree, since I spotted it, even though I haven't seen an .exe link in ages, and the fake url actually had to be entered, or pasted, into one's own browser, to boot!
    Even so, it still almost fooled me, since I overlooked the slight name change, and read it as one of my guild officers' characters.

    "Anyone who fell for it deserves it"--wow, that's just cold, War! Anyone? Brrrrr!!! (Actually, I kinda agree, since even a half-_ssed anti-virus program would have caught this, anyway...but, still...shivering).
    -"Just like a buzzin' fly, I come into your life, I'll float away, like honey in the sun..."--Tim Buckley

  18. #58
    Join Date
    Jul 2009
    Posts
    24
    Couple tips for actually creating your password that might be good to include for complete... gullible people...

    -DO NOT USE YOUR BIRTHDAY OR A FAMILY MEMBER'S BIRTHDAY
    -Do not make it something insanely simple, such as "fido" or "grandma" - that's just asking for some idiot to try to put something simple in some random account name, that just might be yours. Don't fool yourself, PEOPLE DO DO THIS, usually not seriously, but hey, if they get in, 99.9999999% of the time they'll abuse that luck.
    -As much as it pains me to promote '1337' speak, USE IT. Combining numbers and letters in your password makes it THOUSANDS of times harder for people, using character generators or not, to guess your password.
    -Combining unrelated things, such as your favorite holiday and, say, a character from your favorite TV show will probably be a very hard password to guess.
    -DON'T WRITE YOUR PASSWORD DOWN IF YOU DON'T INTEND TO KEEP IT HIDDEN/SAFE
    -For the love of whatever you believe in, DO NOT SAVE IT IN SOME EASY TO FIND FILE, if you can find it easily, so can anyone you might invite over who might use your computer to look at the news online.

    Seriously, it's NOT hard to NOT get hacked.

    Oh, and I doubt this needs said, but...

    DO NOT OPEN ATTACHMENTS IN EMAILS THAT YOU DON'T TRUST. If it has .exe at the end of the name, and be careful of things like (Movie.wmv.exe), DO NOT OPEN IT OR DOWNLOAD IT UNLESS YOU KNOW EXACTLY WHAT IT IS, AND TRUST YOUR SOURCE (I.E. Blizzard's mirrors are alright, but something like realwowpatchesforyounohacksnoscams.com is NOT).

  19. #59
    Join Date
    Apr 2008
    Posts
    1,399
    Quote Originally Posted by Darthruneis View Post
    -DO NOT USE YOUR BIRTHDAY OR A FAMILY MEMBER'S BIRTHDAY
    -Do not make it something insanely simple, such as "fido" or "grandma" - that's just asking for some idiot to try to put something simple in some random account name, that just might be yours. Don't fool yourself, PEOPLE DO DO THIS, usually not seriously, but hey, if they get in, 99.9999999% of the time they'll abuse that luck.
    -As much as it pains me to promote '1337' speak, USE IT. Combining numbers and letters in your password makes it THOUSANDS of times harder for people, using character generators or not, to guess your password.
    -Combining unrelated things, such as your favorite holiday and, say, a character from your favorite TV show will probably be a very hard password to guess.
    Doing these steps will just make it harder for you to remember your password and won't really prevent most "hacks"

    http://www.usenix.org/event/hotsec07.../florencio.pdf

    Read and learn...

  20. #60
    Join Date
    Jul 2009
    Posts
    24
    Well personally I memorize my password almost immediately after changing it. Either that, or after logging in with it a few times I have it memorized.

    And as for Phishing and Keylogging...

    Seriously, stop with the porn, check your URLs, and use common sense. Don't know why you bothered to post that, I already know all of that, I was just posting extra tips I didn't see in the first few posts that I myself have thought up.

    Oh, and Avast! Antivirus is amazing for alerting average users about potential risks in what may appear to be reputable site downloads.
