Old 03-20-2008, 10:07 PM  
Tard-Slayer
 
Character: Ultram
Guild: Ecliptic Sol
Server: AB

Posts: 25
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Quote:
Originally Posted by Iadien View Post
I format every 3 months and thought I was bad. haha
sp1's been cracked for a month now.
Flybait is offline   Reply With Quote
Old 03-20-2008, 11:37 PM  
Retired
 
Niber's Avatar
 

Posts: 2,968
Photos: (147)


After reading this article, it seems like public-writable wiki sites would be extremely susceptible to being compromised.

Quote:
Trend Micro discovered that its U.K. and Japanese sites were compromised on Wednesday, according to a spokesperson for the security vendor. The sites had malicious iFrames injected into their "virus encyclopedia" pages, according to a Trend Micro spokesperson. iFrames are HTML tags which link to other Web sites.
Quote:
However, according to Rand, this incident was part of a wider attack on Web sites around the world that was reported by security vendor McAfee on Thursday. Rand said that 165,000 Web sites "and counting" had been affected.

On Wednesday morning, McAfee Avert Labs detected over 10,000 Web pages rigged to hijack Web surfers' PCs. The Web pages had been modified with code redirecting visitors to another Web site "laden with a malware cocktail" that attempted to break into the users' PCs, according to McAfee.
__________________

Last edited by Niber : 03-20-2008 at 11:40 PM.
Niber is offline   Reply With Quote
Old 03-20-2008, 11:40 PM  
Mighty Mouse
 
Sqee's Avatar
 
Character: Sqee
Guild: Children of Darkness
Server: Nektulos

Posts: 843
Photos: (0)


Quote:
Originally Posted by Petgroup View Post
Just in case anyone cares, I nuke my entire system every month and reinstall Vista. Obviously I don't nuke my external hard drive with the ISOs of the programs and music I have, but that's always fully scanned anyways. Vista SP1 is also out of beta and can be downloaded from Microsoft as of this week. If you have a cracked copy though, I advise against it.
That's why God invented Ghost......


I love Ghost.
Sqee is offline   Reply With Quote
Old 03-21-2008, 12:06 AM  
Visitor
 

Posts: 37
Photos: (1)


Quote:
Originally Posted by Flybait View Post
sp1's been cracked for a month now.
misquote? lol
Iadien is offline   Reply With Quote
Old 03-21-2008, 12:11 AM  
Tard-Slayer
 
Character: Ultram
Guild: Ecliptic Sol
Server: AB

Posts: 25
Photos: (0)


Quote:
Originally Posted by Iadien View Post
misquote? lol
beer, lol
dont drinkn click

Last edited by Flybait : 03-21-2008 at 12:17 AM.
Flybait is offline   Reply With Quote
Old 03-21-2008, 06:45 AM  
Visitor
 

Posts: 35
Photos: (0)


Quote:
Originally Posted by quasigenx View Post
Neither of these objections is necessarily valid.

While some people may use dynamic IPs and proxies, many do not. It would be an opt-in protection, after all. It would work for me.
That would require SOE to implement multiple logon systems. It is hard enough to secure one system; securing multiple ones and the state transitioning between them is even worse.
What makes this infeasible is that you would have two levels of security for the end-users - just imagine the outcry when the less secure group gets hacked - it will not be pretty and will hurt SOE as they 'allow' their customers to be open for hacking.

Quote:
Originally Posted by quasigenx View Post
The CD key could be stored on the hard-drive, without requiring the CD to be inserted. I would be surprised if that was not the case already. Making sure it's not in plain-text and easily accessible is slightly harder but doable.
If it is on the hard-drive or transmitted to online servers it can and will be picked up. I actually retract my previous statement that a CD scheme would work - it won't. A directed attack would simply pick up the unique identity (either directly from your system or when it is transferred to the login servers) and log it along with the pwd/username. If it is on your system it will be picked up. You cannot hide it.
Oswaldor is offline   Reply With Quote
Old 03-21-2008, 06:51 AM  
Visitor
 

Posts: 35
Photos: (0)


Quote:
Originally Posted by Niber View Post
After reading this article, it seems like public-writable wiki sites would be extremely susceptible to being compromised.
Most public Wiki sites are probably not susceptible to this. It is just Trend Micro's sites that forgot to validate their input and were thus open for the SQL injection attack.
It is quite mind-blowing that a security company is unable to protect themselves against these very simple attacks.
Oswaldor is offline   Reply With Quote
Old 03-21-2008, 11:54 AM  
Regular
 
quasigenx's Avatar
 
Character: Zaquelle
Guild: Siege
Server: Najena

Posts: 168
Photos: (0)


Quote:
Originally Posted by Oswaldor View Post
That would require SOE to implement multiple logon systems. It is hard enough to secure one system; securing multiple ones and the state transitioning between them is even worse.
It's not that difficult, and it could be implemented as an optional check on the existing login scheme. The product I currently maintain does just this. It's a piece of data and an IF statement somewhere. No big deal.

Quote:
Originally Posted by Oswaldor View Post
If it is on the hard-drive or transmitted to online servers it can and will be picked up... A directed attack would simply pick up the unique identity (either directly from your system or when it is transferred to the login servers) and log it along with the pwd/username. If it is on your system it will be picked up. You cannot hide it.
As I stated, it's not intended to be rock-solid perfect. Nothing is. It's literally impossible. You could just as easily say the password scheme in place is not perfect; why not just remove it?

Physical locks on doors are not perfect either. I can kick down a standard locked door with some rather minimal effort. The idea is to make attacking your system/product require more effort than the payoff is worth, or at least more effort than attacking your competitors.

What the CD key WOULD do is up the ante to two-factor authentication. You would need something you know (the password) AND something you have (the CD key).
__________________

Last edited by quasigenx : 03-21-2008 at 11:56 AM.
quasigenx is offline   Reply With Quote
Old 03-21-2008, 12:21 PM  
Regular
 
kenman's Avatar
 
Character: Kenman
Guild: Quit
Server: Quit

Posts: 262
Photos: (0)


The problem with the CD Key scenario is that in order for anybody to get your password, they would have access to the CD Key as well. If you give your account info to somebody else to log on for a raid, you give your CD Key. If you have a virus on your computer, it can either locate the stored CD Key or sniff it as it transmits when you log on.

It's completely and utterly pointless; the only possible result would be that people that have thrown away or misplaced their game discs are now screwed when they try to play after implementing such a thing. Especially because the CD key is almost certainly not stored on people's hard drives now, seeing as you just enter it into a web page that activates it on your account.
__________________
Kenman, 70 Berserker
Last Time Played: November 18, 2007

Woot!
kenman is online now   Reply With Quote
Old 03-21-2008, 12:40 PM  
Regular
 
quasigenx's Avatar
 
Character: Zaquelle
Guild: Siege
Server: Najena

Posts: 168
Photos: (0)


Quote:
Originally Posted by kenman View Post
The problem with the CD Key scenario is that in order for anybody to get your password, they would have access to the CD Key as well.
No, you either add their CD key to the list of CD keys that can access your account, or you disable this feature on your account.

Quote:
Originally Posted by kenman View Post
If you have a virus on your computer, it can either locate the stored CD Key or sniff it as it transmits when you log on.
You want to make that harder. Don't store it in plain-text, etc. Is it possible to encrypt it in an unbreakable fashion? No. But it's possible to make it more difficult than it's worth to break, especially if there are other games that are more easily crackable, and other players that don't even have this CD key feature enabled.

Quote:
Originally Posted by kenman View Post
It's completely and utterly pointless; the only possible result would be that people that have thrown away or misplaced their game discs are now screwed when they try to play after implementing such a thing.
Again, this should be optional and opt-in. There would need to be customer service policies around it to allow the original account owner to reset this list, turn this feature off, etc. Just like there are now policies in place regarding reclaiming a hacked account.

You could just as easily claim that passwords are utterly pointless, as they only result in people forgetting them and being screwed when they try to login to the game.

This is an idea for an additional security measure. It DOES add something to the overall level of security in the login process. It is not the final solution. There IS no final solution. That doesn't mean that added security doesn't make sense.
__________________

Last edited by quasigenx : 03-21-2008 at 12:44 PM.
quasigenx is offline   Reply With Quote
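The opt-in check quasigenx describes (a per-account list of CD keys, consulted only when the owner has turned the feature on, with a reset path for customer service), as an added example that is not part of the original posts and is not SOE's login code. The `Account` class, the `login` function and the key format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample keys; the format is hypothetical.
OWNER_KEY = "ABCD-EFGH-1234-5678"
GUEST_KEY = "ZZZZ-YYYY-9999-0000"


def _digest(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen account table exposes neither passwords nor keys.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _normalize(cd_key: str) -> str:
    return cd_key.replace("-", "").strip().upper()


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _digest(password, self.salt)
        self.key_check_enabled = False   # opt-in: off unless the owner enables it
        self.allowed_keys = []           # digests only, never the raw keys

    def allow_key(self, cd_key: str) -> None:
        """Owner adds a key (their own or a trusted guest's) and turns the check on."""
        self.allowed_keys.append(_digest(_normalize(cd_key), self.salt))
        self.key_check_enabled = True

    def reset_keys(self) -> None:
        """Customer-service recovery path: clear the list and disable the check."""
        self.allowed_keys.clear()
        self.key_check_enabled = False


def login(account: Account, password: str, cd_key=None) -> bool:
    if not hmac.compare_digest(account.pw_hash, _digest(password, account.salt)):
        return False
    if not account.key_check_enabled:
        return True                      # one login path; the extra check is skipped
    if cd_key is None:
        return False
    candidate = _digest(_normalize(cd_key), account.salt)
    matched = False
    for stored in account.allowed_keys:  # compare every entry, no early exit
        matched |= hmac.compare_digest(stored, candidate)
    return matched
```

The key in this sketch is a static value, so the check only raises the bar when the key is not captured together with the password, which is the objection raised elsewhere in the thread.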