Do hackers ever stop here?

Malice Black

Site Legend

Join Date: Oct 2005

Quote:
Originally Posted by didis View Post
First of all...

I would appreciate it, that some kind of assurance is given to us players by ArenaNet that the infrastructure of Guild Wars and all connection to other company parts (NCSoft) are trustworthy.

Due to SOX 404 I would like to have extra insurance by a trusted third party to start an audit against the confidentiality, integrity and availability of the different systems (server, databases, application, network and middleware).
The report can give us players some assurance that at ArenaNet all possible has been done to mitigate the risks of compromise of our accounts. I also know that IT is in scope of the audit reports for the financial results review by those auditors. What is their statement? If there is no audit report then I think this could also result in legal problems for ArenaNet because they don't make transparent that they take security measures seriously. I mean taking preventive security measures before and not after occurrence.

Also I want to mention the opportunity of implementing a challenge/response system with a token just like Blizzard has implemented for those people who want more assurance that their hard work and labour in the game is extra protected. The level of security measures should be increased by the value increasing over time. That means, to be answering another post, you buy a car with a basic security level. You buy all kind of nice expensive stuff resulting in the fact that the insurance agencies wanting to add a higher alarm system. This is also the case with Guild Wars. I would like to pay for a challenge response system to know I am safer. It's like a life insurance. Too bad this is not implemented but investigated (see one of my posts on Gaile Gray's talk page on wiki).
I lol'd

Text book c&p no doubt.

Nemo the Capitalist


Desert Nomad

Join Date: Aug 2006

Trust me you dont want to know my Chasms of Despair

Zaishen Brotherhood

N/Me

That's what happens when you use bot programs in Jade Quarry and For Older Hero Fast Faction Farm, they are finally getting you back

Ain't Karma a Bitch?

No, in all seriousness, sorry to hear that happened... let's start a strike in Great Temple of Balthazar.

~Nemo

didis

Academy Page

Join Date: May 2006

Netherlands

Lowland Lions

@Wubbies: you have offended me.

Maybe this clarifies what I mean:
http://en.wikipedia.org/wiki/Informa...chnology_audit

Sir Skullcrasher


Furnace Stoker

Join Date: Jun 2005

California

15 over 50 [Rare]

W/Mo

this is me being sarcastic but....

A-Net should hire MC Hammer to do a commercial on public safety/awareness on account security!! lol

Imagine the dance moves that could go with the commercial?

the_jos


Forge Runner

Join Date: Jun 2006

Hard Mode Legion [HML]

N/

Quote:
Originally Posted by Painbringer View Post
One question I have is- If someone were to get your e-mail address how long would a hack program take on a 6 – 7 digit password
Depends.
When assuming brute forcing [a-Z][0-9] online at the rate of 1 second/attempt, knowing it's either 6 or 7, you are talking over 1000 years for all options (62^6 + 62^7 options).

However, the actual number of trials might be a lot less.
Let's assume we know the password is either 6 or 7 characters long.
Now I'm going to do some guessing.
The actual password has at least one numerical digit and at most two.
The position of those digits is either at the start or at the end of the password. And the password itself is in a dictionary.
That would limit the number of options enormously. We are talking about a 4-6 character word from the dictionary + one or two digits at start or end.

Still this would require some massive work, months to years.
But next we can compose a list of frequently used passwords and put those first. This would make an account with such a password crackable in minutes/hours/days.

On the other hand there is a list of encrypted /hashed passwords that is obtained somehow.
This is way faster to process, hashing can be done upfront when assuming it's plain MD5/SHA1 hashes.
Brute forcing dictionary is a matter of days when a known or no 'salt' is used.
But when the 'salt' changes on every password this effort will take ages when processing a list of accounts.

Attempting to hack an account online by trial and error (except a list of common passwords) is futile. The strongest attempt can be done offline but requires access to the password database. And is only worth the effort if each password is encrypted/hashed with the same mechanism and key.
An attempt with a 'known list' can be done when different keys are used. If that fails the passwords are useless. Not because they can't be cracked but because they take too much time to crack.
It's not NSA passwords or passwords to bank accounts. It's passwords to online accounts with a possible value of let's say $0.01 to $1000. With most accounts around the $0.01 range.
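
The salt point in the post above, shown from the storage side as an added example (not part of the original post and not ArenaNet's scheme): unsalted MD5 gives identical digests for identical passwords, so one pass over a word list covers every account, while a random per-user salt with a slow KDF forces the work to be repeated per account. The account names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share the same password.
ACCOUNTS = {
    "alice": "dragon7",
    "bob": "dragon7",
    "carol": "a-much-longer-sentence-based-secret",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your own hardware


def store_unsalted_md5(accounts):
    """Weak scheme ('plain MD5' in the post): one fast digest, no salt."""
    return {user: hashlib.md5(pw.encode()).hexdigest()
            for user, pw in accounts.items()}


def store_salted(accounts, iterations=PBKDF2_ITERATIONS):
    """Hardened scheme: random 16-byte salt per user plus a slow KDF."""
    records = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records[user] = (salt, iterations, digest)
    return records


def verify(records, user, candidate):
    """Check a login attempt against a salted record in constant time."""
    record = records.get(user)
    if record is None:
        return False
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def distinct_digests(records):
    """Fewer distinct digests than accounts means shared passwords are visible."""
    values = [r if isinstance(r, str) else r[2] for r in records.values()]
    return len(set(values))


def hashes_needed(wordlist_size, n_accounts, per_user_salt):
    """Hash computations required to test one word list against every account."""
    return wordlist_size * (n_accounts if per_user_salt else 1)


if __name__ == "__main__":
    weak = store_unsalted_md5(ACCOUNTS)
    strong = store_salted(ACCOUNTS)
    print("unsalted: alice == bob ->", weak["alice"] == weak["bob"])
    print("salted:   alice == bob ->", strong["alice"][2] == strong["bob"][2])
    print("correct password verifies ->", verify(strong, "alice", "dragon7"))
    # A 1,000,000-word list against 100,000 accounts:
    print("hashes, no salt      :", hashes_needed(1_000_000, 100_000, False))
    print("hashes, per-user salt:", hashes_needed(1_000_000, 100_000, True))
```
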

Winterclaw


Wark!!!

Join Date: May 2005

Florida

W/

Jos, modern brute force password breakers can do up to 8 million attempts per second.

Nereyda Shoaal


Frost Gate Guardian

Join Date: Jul 2006

Deldrimor Warcamp

Mo/W

Ok this topic made me paranoid
I don't know whether it's people's stupidity or a very serious threat
I hope there hasn't been a leak of any database (either Anet/wiki etc)
Since stealing credit card numbers is fairly easy why GW accounts should be more difficult?

An idea for the developers (in case any of them is reading). Not perfect but still... Why not implement an option which will narrow the range of IP addresses which are able to log onto the account?

Wubbies


Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

Quote:
Originally Posted by didis View Post
@Wubbies: you have offended me.

Maybe this clarifies what I mean:
http://en.wikipedia.org/wiki/Informa...chnology_audit
im offended what u wrote that i somehow offended you and then u say i offended you..no offense..but opinions you take as offense doesnt mean i was trying to offend you..just thought it was ridiculous (your post) imo. they say the best offense is defense ..so imo i was defending.

im sure i offend alot of people but this thread is getting so ridiculous i cant help but check it out everyday..it's better than the comics in the newspaper section..no offense

p.s. no offense i dont click on links.. u never know who is behind the link "hacking" away

zwei2stein


Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Winterclaw View Post
Jos, modern brute force password breakers can do up to 8 million attempts per second.
Hardly possible when trying to crack remote password considering that would be 62 MB/s of passwords sent alone; you have to double that since you need to send username too. Here, we exhausted capacity of gigabit network and none of overhead was accounted for yet. Not to mention that most routers would give up way, way before that because of amount of connections opening and closing.

Painbringer


Furnace Stoker

Join Date: Jun 2006

Minnesota

Black Widows of Death

W/Mo

Quote:
Originally Posted by zwei2stein View Post
Hardly possible when trying to crack remote password considering that would be 62 MB/s of passwords sent alone; you have to double that since you need to send username too. Here, we exhausted capacity of gigabit network and none of overhead was accounted for yet. Not to mention that most routers would give up way, way before that because of amount of connections opening and closing.
"I am making an assumption" If gold sellers are the motivation behind the hack. Would they not be able to download the client on a bot network and then run passwords on multiple units at the same time until they get a hit?

Xun Rama


Ascalonian Squire

Join Date: Jan 2009

W/A

Quote:
Originally Posted by Painbringer View Post
One question I have is- If someone were to get your e-mail address how long would a hack program take on a 6 – 7 digit password
A couple days ago, it told you specifically you should have an at least 8 digit password.

It depends on a few things:

1. The complexity and length of your password.
2. How many proxies/computing power said hacker has (or how big their botnet is).

If we're talking 6-7 digits with nothing special, just a word and a number or something like yippie7 or something, then not really all that long to be honest...

Check this and go here to check your password strength.

If you're truly worried, what I suggest you do is go here. Set it to 15 characters in length, Num + alpha + ALPHA. Generate a password.

Here's some examples:
IKswAquMRmpx49Y
gMojLOz7w0k73Cy
szjTZ0VvbLHFloM
7Ro9MBnKr6EnBPH
rXYyPKhZ3LpT1vx
YtHW9TFaEOHt4ZL
XtKcERyi4svmSRz
(don't use those, generate yourself a fresh one)

Don't use those either. Edit it a little bit, add some special characters in there like !@#$%^&*()-=_ and such. Or if you want an even harder one, alt codes are good, alt+0191 ¿, ¤ alt+0164, alt+0137 ‰, alt+0134 †, et cetera. Just hold alt on your keyboard and hit a 4-5 key combination on your numpad and see what it comes up with. I'll give you an example:

3Liòw.Wóï5OöiH~

Something like the above would be much more difficult to crack.

Quote:
Hardly possible when trying to crack remote password considering that would be 62 MB/s of passwords sent alone; you have to double that since you need to send username too. Here, we exhausted capacity of gigabit network and none of overhead was accounted for yet. Not to mention that most routers would give up way, way before that because of amount of connections opening and closing.
You're overlooking zombies... 62 MB/sec would require ~620 compromised computers capable of upload speeds around ~100kb/sec which is pretty standard. Of course, they'd also probably have some with much faster/slower connections, so that would affect the number quite a bit.

The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet.

Conficker (aka DownUp, DownAndUp, DownAdUp, Kido) is assumed to have somewhere around a 15,000,000 botnet. And well, if you can do 62MB/sec with about average DSL connections with only 620 computers, just think about 15 million... That's what, 15GB/sec not accounting for faster connections?

To be honest here though, I'm pretty sure someone that has that kind of power wouldn't give a damn about GW money. Bank accounts would be very much within reach and much more profitable (not to mention other things).

Winterclaw


Wark!!!

Join Date: May 2005

Florida

W/

Quote:
Originally Posted by zwei2stein View Post
Hardly possible when trying to crack remote password considering that would be 62 MB/s of passwords sent alone; you have to double that since you need to send username too. Here, we exhausted capacity of gigabit network and none of overhead was accounted for yet. Not to mention that most routers would give up way, way before that because of amount of connections opening and closing.

Still, you could do a lot more than 1 per second. Plus I'm not entirely sure these hackers need your password and email yet.

zwei2stein


Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Painbringer View Post
"I am making an assumption" If gold sellers are the motivation behind the hack. Would they not be able to download the client on a bot network and then run passwords on multiple units at the same time until they get a hit?
Yes, but ANet's endpoint would be just as affected by amount of traffic. And login servers would be DOSed.

Very noticeable both for players and anet.

T1Cybernetic


Desert Nomad

Join Date: Sep 2005

Wakefield, West Yorkshire, Uk, Nr Earth

Alternate Evil Gamers [aeg]

N/

Quote:
Originally Posted by Malice Black View Post
My account was accessed by someone too. Logged on couple of days ago, popped onto guild chat, and it said I had been online 5 hours ago which I hadn't. Nothing was taken as I have nothing worth stealing these days.
I had the same problems a few days ago. I loaded up and noticed my character selection screen was on a different character than when I left (I've only been on my warrior for the last few days) and my ranger loaded up which was pretty strange.

Then when i loaded a character i noticed my inventory had been slightly changed (i've had my inventory the same for 4 years) so i noticed it was different straight away.

I checked the guild screen it said i was last online 5 hours ago!! which i hadn't as i had been out all day, needless to say i have changed my password a couple of times since and scanned my pc with just about everything i can think of.

The odd thing is, i have not lost anything from my account, No gold/items/materials/weapons/characters or anything that i can see...

Wubbies


Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

Quote:
Originally Posted by Xun Rama View Post
To be honest here though, I'm pretty sure someone that has that kind of power wouldn't give a damn about GW money. Bank accounts would be very much within reach and much more profitable (not to mention other things).
i agree 100% i said that same thing before and was suggested that people could make money by selling ectos ,gold for real $. i still think why go through all the trouble. they wouldnt waste the time.

Fril Estelin


So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

I've stopped reading posts at some point (mostly due to security mistakes in the posts), but thought I'd comment on the point of password cracking. These are reliable numbers:
http://www.lockdown.co.uk/?pg=combi

The advised alphabet is 96 chars, and if you can manage a ClassE cracking-comp (good luck) you're going to spend 2,5 years. Even a 52-char alphabet with ClassE will give you 6 days (which is not a lot).

Now, if you want big numbers (of course, all these numbers are offline attacks, something that most people completely got wrong in this thread) look here:
http://hak5.org/forums/index.php?showtopic=11551

BTW, very speedy treatment of this case by Gaile and the support team. Hope the guys will get nailed and leave without pants.

To everyone: read this article, it's a good article on passwords: (although I'm not happy he doesn't mention obfuscation by transforming chars, e.g. e to 3, o to 0, a to 4, s to %, etc.)
http://www.schneier.com/essay-246.html

Quote:
Passwords Are Not Broken, but How We Choose them Sure Is

By Bruce Schneier
The Guardian
November 13, 2008


This essay also appeared in The Hindu.

I've been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that's hard. The best way to explain how to choose a good password is to describe how they're broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.

As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously.

They guess intelligently. They don't run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That's 200bn possible passwords, most of them very unlikely. They try the most common password first: "password1". (Don't laugh; the most common password used to be "password".)

A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One guesser I studied starts with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tests them each with about 100 common suffix appendages: "1", "4u", "69", "abc", "!" and so on. It recovers about 24% of all passwords with just these 100,000 combinations.

Then the guesser tries different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. It runs the dictionaries with various capitalisations and common substitutions: "$" for "s", "@" for "a", "1" for "l" and so on. With a couple of weeks to a month's worth of time, this guessing strategy breaks about two-thirds of all passwords. But that assumes no biographical data. Any smart guesser collects whatever personal information it can on the subject before beginning. Postal codes are common appendages, so they're tested.

It also tests names and addresses from the address book, meaningful dates, and any other personal information. If it can, the guesser indexes the target hard drive and creates a dictionary out of every printable string, including deleted files. If you ever kept an email with your password, or saved it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will recover your password faster.

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence - something personal.

Strong passwords can still fail because people are sloppy. They write them on Post-it notes stuck to their monitors, share them with friends, or choose the same passwords for multiple applications. (I don't care about low-security passwords here, only about ones that matter: your bank accounts, your credit cards, etc.) Websites are sloppy, too, allowing people to set up easy-to-guess "secret questions" as a backup password or email them to customers.

If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence - or better yet - a hint that will help you remember your sentence. Or use a free program like Password Safe, which I designed to help people securely store all their passwords. Don't feel this is a failure; most of us have far too many passwords to be able to remember them all.

Passwords can still provide good authentication if used properly. The rise of alternate forms of authentication is more because people don't use passwords securely, and less because they don't work any more.
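
The root-plus-appendage structure described in the quoted essay, turned into a check a signup form could run, as an added example that is not part of the original post or the essay. It also shows that the character substitutions mentioned in the post (e to 3, o to 0, a to 4) and in the essay do not hide a common root. The word lists are tiny constructed stand-ins, and the 8-character minimum is an assumed policy value.

```python
# Constructed, tiny stand-ins for the dictionaries the essay describes.
COMMON_ROOTS = {"password", "letmein", "temp", "123456", "dragon", "yippie"}
COMMON_APPENDAGES = {"1", "4u", "69", "abc", "!"}

# Substitutions named in the essay ($ for s, @ for a, 1 for l) and in the
# post (3 for e, 0 for o, 4 for a), mapped back to plain letters.
SUBSTITUTIONS = str.maketrans(
    {"$": "s", "@": "a", "1": "l", "3": "e", "0": "o", "4": "a"})


def is_appendage(text):
    """Empty, a listed appendage, or up to 4 digits/symbols (dates, '!!', ...)."""
    if text == "" or text.lower() in COMMON_APPENDAGES:
        return True
    return len(text) <= 4 and not any(ch.isalpha() for ch in text)


def find_root_appendage(password, max_appendage=4):
    """Return (prefix, root, suffix) if the password is a common root with
    optional prefix/suffix appendages, otherwise None."""
    n = len(password)
    for pre in range(0, min(max_appendage, n) + 1):
        for suf in range(0, min(max_appendage, n - pre) + 1):
            prefix = password[:pre]
            root = password[pre:n - suf]
            suffix = password[n - suf:]
            if not root:
                continue
            if not (is_appendage(prefix) and is_appendage(suffix)):
                continue
            lowered = root.lower()
            # Try the root as typed and with substitutions undone.
            if (lowered in COMMON_ROOTS
                    or lowered.translate(SUBSTITUTIONS) in COMMON_ROOTS):
                return (prefix, root, suffix)
    return None


def assess(password, min_length=8):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    hit = find_root_appendage(password)
    if hit is not None:
        prefix, root, suffix = hit
        findings.append("common root %r with prefix %r and suffix %r"
                        % (root, prefix, suffix))
    return findings


if __name__ == "__main__":
    # Constructed test inputs, including examples quoted in the thread.
    for candidate in ("password1", "letmein4u", "P@$$w0rd69",
                      "yippie7", "tlpWENT2m"):
        print(candidate, "->", assess(candidate) or "no finding")
```
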

Kyosuki


Lion's Arch Merchant

Join Date: May 2006

A/

Quote:
Originally Posted by pansy malfoy View Post
O_o Where did you download the client from, btw?
My own retail GuildWars: EoTn CD =/

I just remembered a show on TV about hacking, and they were talking about those really powerful worms like Storm, Blaster and Conficker, maybe it isn't affecting just GW but other MMOs too?

Gigashadow


Jungle Guide

Join Date: Aug 2005

Bellevue, WA

W/

http://www.adobe.com/support/securit...apsa09-01.html

WARNING, there is a critical buffer overflow bug in Adobe reader, dated Feb 19. There is currently NO FIX until March 11.



Excerpt:

"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009."

Coney


Wilds Pathfinder

Join Date: Aug 2008

Quote:
Originally Posted by Gigashadow View Post
http://www.adobe.com/support/securit...apsa09-01.html

WARNING, there is a critical buffer overflow bug in Adobe reader, dated Feb 19. There is currently NO FIX until March 11.
For real?

Wonder what Fril has to say about this? <ducks>

EDIT: Don't do your taxes until after 3/11, I guess - if you use the IRS PDF files...

Perkunas


Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

Most times when I read posts like this, I think "Your fault, what did you do?"

I just spoke with my guild mate. He logged on tonight, Monk was in ToA, not the GH. I had told him about this thread when it was started. He immediately checked storage. Gone is 100+ elite tomes, 100k, 2 undedicated minis, Forgotten sword, Totem Axe, & 2 stacks candy canes.

His computer is less than a week old. It was bought purely for games. Not used for "surfing" the net.

So, now I wonder what's going on.

Xun Rama


Ascalonian Squire

Join Date: Jan 2009

W/A

You know, I was thinking...

If some of you guys have expensive uncustomized weapons/shields like tormented, eternal, et cetera, perhaps it would be wise to put them on some obscure hero until this blows over.

It's easy enough to check characters and storage, but who has the time to go through every one of your heroes, yeah?

Shadowmoon


Wilds Pathfinder

Join Date: Jun 2006

N/A

N/

Quote:
Originally Posted by Gigashadow View Post
"A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009."
Recently while surfing team quitter forum, I ran into a strange occurrence where my comp started opening a pdf for no reason, and when I closed Firefox, I was affected by the Vundo trojan. This was last week, and I knew better than to log onto GW until I cleaned the infection with multiple sweeps. Wonder how many people who have been affected visit this forum. I'm not saying they may be the cause because I may have clicked one of the 3rd party ads which could have caused the infection.

Gigashadow


Jungle Guide

Join Date: Aug 2005

Bellevue, WA

W/

In addition to the Adobe Reader security hole I mentioned above, there is also a new one in Adobe Flash this week that also lets someone remotely take control of your computer.

If you go to GuildWars.com in fact they will detect that you have the exploitable version and tell you to upgrade.

http://news.cnet.com/8301-1009_3-10172339-83.html

"Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.

The vulnerability is critical for one for Adobe Flash Player 10.0.12.36 and earlier versions."

RedNova88


Krytan Explorer

Join Date: Oct 2007

Behind you!

W/

All this recent news is indeed troubling, I've already said this a page or two back, but reading the recent posts makes the whole situation feel even worse. I'm hoping that GW2 will have a security system built in, but you can only do so much when it comes to account hijacking. If they could somehow do what Blizzard has done, I'd gladly pay money for some sort of authenticator that basically removes all possibility of hacking by traditional means.

the_jos


Forge Runner

Join Date: Jun 2006

Hard Mode Legion [HML]

N/

Quote:
Originally Posted by Winterclaw View Post
Jos, modern brute force password breakers can do up to 8 million attempts per second.
Online?
I really doubt that.
Online involves sending and receiving packets. There is waiting time between attempt and response.
And when doing 8M attempts /second on a website you are performing a DoS, there ain't many sites that can handle that many requests. And your computer can't generate that amount of traffic either.

Off-line.
Depends on the way the password is generated.
And the way we are cracking.
One password at a time or a list at once (the last is more efficient but will generate more I/O).
Theory is nice, but let's not forget that's under ideal conditions.
I can make a nice testlab, create a nice clean and newest computer which loads the minimal OS I need for that and start crushing numbers.

Now practice. I want to make money, not spend it.
So I don't buy that $5000 superfast computer but one that will cost me $500.
Remember, each dollar I spend I need to earn back.
I don't have the ability to do parallel cracking, since I don't have the skills for that. I just want to make money, not study parallel processing and create a program for that.
Oh, the fastest ways to bruteforce nowadays are by using gfx chips. That's nice but again not really practical. So I have to use CPU power.
I'll dedicate my computer to password cracking, nothing else.

So I put my stolen database on it and start cracking.
Then I go to sleep and will check tomorrow when I wake up. Because it's no use to keep looking, best is to wait till all or most passwords are cracked.
Since it's a 100.000+ user database this will take a while, but I have time.
Even if it takes a month the system does not enforce change of password ever so most people will keep their old one.

That's more how things work nowadays.
Just be honest (don't have to tell here), how many times did you change the password of: GW account, GWG, E-mail, facebook, myspace, your online bank account, password at school/work, etc. since you created them.

See, there is no need to have the newest and fastest hardware to crack passwords. People never or hardly ever change them anyway!
Using older computing stuff or cracking in idle time is much cheaper and will end you up with more money in the end (since that's what it's all about).

Sjeng


Desert Nomad

Join Date: Aug 2005

in my GH

Limburgse Jagers [LJ]

W/

Quote:
Originally Posted by Arduinna
The permanently locking of characters has been suggested before, as well as temporarily suspending your account after 3 failed login attempts.
Quote:
Originally Posted by fenix
That's what it does now, Gaile said a while ago. If you get the password wrong a few times, it kicks you out for an exponentially increasing amount of time, so brute forcing won't work.
Can anyone confirm that? And hell yeah give us the option to permanently lock our characters please! I know I'll never delete my characters, so I'd do it right away. If I ever need a new character, I'll buy an extra slot.
Quote:
Originally Posted by Shadowmoon
Well at least they did not delete characters this time around. Personally I really wish they would devote a 3 month update period for a character locking feature. Even if I had to pay to get this feature, I would pay a reasonable fee to know my main will make it for gw2. The long period b4 gw2 makes me paranoid that I might do something stupid that removes all the work I've done in the HoM
QFT.
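
The exponentially increasing lockout mentioned in the quoted replies, sketched as an added example (not part of the original posts and not ArenaNet's implementation) together with a simulation of how many online guesses it leaves per day against the 62^6 + 62^7 keyspace discussed earlier in the thread. The free-attempt count, base delay, one-hour cap and 1 second per attempt are assumed values.

```python
class LoginThrottle:
    """Per-account lockout: a few free attempts, then a delay that doubles
    with every further consecutive failure, up to max_delay seconds."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # account -> (consecutive failures, locked_until)

    def delay_for(self, failures):
        """Lockout in seconds imposed after `failures` consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        # Cap the exponent so the power stays small even after many failures.
        exponent = min(failures - self.free_attempts, 32)
        return min(self.base_delay * 2 ** exponent, self.max_delay)

    def allowed(self, account, now):
        """True if the account is not locked at time `now`.
        The login handler calls this before it checks the password."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return now >= locked_until

    def record(self, account, success, now):
        """Record an attempt's outcome and return the lockout it triggers."""
        if success:
            self._state.pop(account, None)  # a good login resets the counter
            return 0.0
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = self.delay_for(failures)
        self._state[account] = (failures, now + delay)
        return delay


def keyspace(alphabet_size, lengths):
    """Number of candidate passwords over the given lengths."""
    return sum(alphabet_size ** length for length in lengths)


def max_guesses(throttle, window_seconds, attempt_seconds=1.0,
                account="constructed-account"):
    """Wrong guesses one account can receive inside the window when every
    guess is sent as soon as the throttle permits it."""
    now, guesses = 0.0, 0
    while now < window_seconds:
        if not throttle.allowed(account, now):
            raise RuntimeError("simulation attempted a guess during lockout")
        delay = throttle.record(account, success=False, now=now)
        guesses += 1
        now += max(attempt_seconds, delay)
    return guesses


if __name__ == "__main__":
    day = 24 * 60 * 60
    per_day = max_guesses(LoginThrottle(), day)
    total = keyspace(62, (6, 7))
    print("guesses per day with lockout:", per_day)
    print("guesses per day at 1/s, no lockout:", day)
    print("years to cover keyspace with lockout: %.0f"
          % (total / per_day / 365.25))
```

A per-account lockout also lets anyone who knows an account name keep its owner locked out, so the cap on the delay is a trade-off between slowing guesses and limiting that nuisance.
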

Wubbies


Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

Quote:
Originally Posted by RedNova88 View Post
All this recent news is indeed troubling, I've already said this a page or two back, but reading the recent posts makes the whole situation feel even worse. I'm hoping that GW2 will have a security system built in, but you can only do so much when it comes to account hijacking. If they could somehow do what Blizzard has done, I'd gladly pay money for some sort of authenticator that basically removes all possibility of hacking by traditional means.
how do u put a security system in for gw that covers outside threats like adobe, silly breakable passwords, human error looking at porn, bad web sites or stopping you giving account info to someone..etc.. u cant remove ALL possibility means of hacking it's impossible.


hence again.. strong password..good antivirus..dont give out info..stay away from sketchy sites..even if u do that there are programs not related to gw but are related to your comp like adobe etc.. that hackers can have fun with.

good antivirus and common sense your best protection..

Quote:
Originally Posted by Perkunas View Post
Most times when I read posts like this, I think "Your fault, what did you do?"

I just spoke with my guild mate. He logged on tonight, Monk was in ToA, not the GH. I had told him about this thread when it was started. He immediately checked storage. Gone is 100+ elite tomes, 100k, 2 undedicated minis, Forgotten sword, Totem Axe, & 2 stacks candy canes.

His computer is less than a week old. It was bought purely for games. Not used for "surfing" the net.

So, now I wonder what's going on.
does this person have good antivirus? did this person previously give out account info to friends.. who doesnt use a comp for surfing..that person would be the 1st that i know of.

like JOS suggested there is online banking, facebook and of course MSN who any 12 year old can hack into on messenger.. you can never protect yourself 100%. you want a computer there are risks to owning one. hackers are always gonna be around and while they are you will always be vulnerable. Shut 1 door on them they find another one.

again common sense and good antivirus go a long way but more so common sense. now im not saying those that got hacked are stupid cause it can happen to anyone no matter how cautious u r. but lets say anet found out the way this happened. will it make u feel safe? maybe. but if you keep going to sketchy web sites or do something as human error.. it happens again-->> see common sense.

Painbringer


Furnace Stoker

Join Date: Jun 2006

Minnesota

Black Widows of Death

W/Mo

Quote:
Originally Posted by Perkunas View Post
Most times when I read posts like this, I think "Your fault, what did you do?"

I just spoke with my guild mate. He logged on tonight, Monk was in ToA, not the GH. I had told him about this thread when it was started. He immediately checked storage. Gone is 100+ elite tomes, 100k, 2 undedicated minis, Forgotten sword, Totem Axe, & 2 stacks candy canes.

His computer is less than a week old. It was bought purely for games. Not used for "surfing" the net.

So, now I wonder what's going on.
His old computer could have had a trojan etc.. and they just waited to access the account. Or the new one has an un-updated freeware version. Update manually and scan yourself. Although auto updates are great they wait sometimes till you log off and shutdown to run their updates.

It alarms me they would take a Totem Axe (LOL )

Wubbies


Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

Quote:
Originally Posted by Painbringer View Post
It alarms me they would take a Totem Axe (LOL )
funny until now i thought this "hacker" was only targeting rich people.

Gli

Forge Runner

Join Date: Nov 2005

I don't think he's targeting anyone in particular, he's probably just not bothering with every account he gains access to.

If this hacker has a way of harvesting login credentials, he'll probably use a two-step approach to plundering.

Step 1: screening accounts, mark the ones he wants to plunder later.

Step 2: (Once he has a worthwhile number of valuable accounts). picking them clean and selling off the loot for real money in as little time as he can.

Once he starts stealing, he's going to get noticed. He'll want to conclude his business as quickly as he can from that point on. By the time ANet figures out what's going on and who's doing it, he's high and dry counting the $$$.

Gigashadow


Jungle Guide

Join Date: Aug 2005

Bellevue, WA

W/

Quote:
Originally Posted by Wubbies View Post
how do u put a security system in for gw that covers outside threats like adobe, silly breakable passwords, human error looking at porn, bad web sites or stopping you giving account info to someone..etc.. u cant remove ALL possibility means of hacking it's impossible.


hence again.. strong password..good antivirus..dont give out info..stay away from sketchy sites..even if u do that there are programs not related to gw but are related to your comp like adobe etc.. that hackers can have fun with.

good antivrus and common sense your best protection..
A system similar to the Blizzard authenticator keyfob (as mentioned previously on this thread) would work for Guild Wars. That makes your account (but not your computer) pretty much unhackable.

It would be interesting if they let you set up your account so that the game will only let your client log in from a particular subnet. Vanguard does this automatically (Vanguard the financial site, that is, not the awful MMO). If you log in from another subnet from your usual one, it asks you a whole bunch of questions to verify that it is you.
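The subnet check described in the post above, sketched as an added example that is not part of the original thread and not any game's or bank's actual implementation. It assumes "subnet" means the /24 around an IPv4 address or the /64 around an IPv6 address, that the password has already been verified before `check` is called, and all names (`SubnetPolicy`, `replay`, the sample logins) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: prefix length that counts as "the same subnet" per IP version.
PREFIX = {4: 24, 6: 64}

def subnet_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as the IPv4 it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False))

@dataclass
class SubnetPolicy:
    max_trusted: int = 3                          # remembered subnets per account
    trusted: dict = field(default_factory=dict)   # account -> subnets, oldest first

    def check(self, account: str, ip: str) -> str:
        """Decide 'allow' or 'challenge' for a login whose password was correct."""
        nets = self.trusted.setdefault(account, [])
        net = subnet_of(ip)
        if not nets:              # first login ever: trust on first use
            nets.append(net)
            return "allow"
        return "allow" if net in nets else "challenge"

    def challenge_passed(self, account: str, ip: str) -> None:
        """Enrol the new subnet, only after the extra questions were answered."""
        nets = self.trusted.setdefault(account, [])
        net = subnet_of(ip)
        if net not in nets:
            nets.append(net)
            while len(nets) > self.max_trusted:
                nets.pop(0)       # forget the oldest subnet

# Constructed sample logins: (account, source IP, passed the extra questions?)
SAMPLE = [
    ("alice", "203.0.113.10", None),           # first login, enrols 203.0.113.0/24
    ("alice", "203.0.113.77", None),           # same /24
    ("alice", "198.51.100.5", False),          # stolen password, new subnet
    ("alice", "198.51.100.6", False),          # retry, still not trusted
    ("alice", "2001:db8:1:2::5", True),        # owner travelling, answers questions
    ("alice", "2001:db8:1:2:ffff::1", None),   # same /64 as the enrolled one
    ("alice", "::ffff:203.0.113.200", None),   # IPv4-mapped form of the home /24
]

def replay(events):
    policy, decisions = SubnetPolicy(), []
    for account, ip, passed in events:
        decision = policy.check(account, ip)
        if decision == "challenge" and passed:
            policy.challenge_passed(account, ip)
        decisions.append(decision)
    return decisions

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event[1], "->", decision)
```

A failed challenge never enrols the subnet, so a thief holding only the password keeps hitting the extra questions, while the owner pays that cost once per new network.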

Crystal Lake

Frost Gate Guardian

Join Date: Dec 2007

Mo/

Here's my 2 cents. Around the time these people got their accounts hacked into, I was in LA recruiting members for my guild. Some guy whispers to me "I haven't gotten any accounts yet". I send back a ? mark, and he gets friendly and starts asking questions and offering to help if I ever need it. I believe he meant to whisper to someone else but clicked on my name by mistake.

I believe these guys get accounts and use them to steal from others and then the person who had the original account gets banned.

It is ANet's responsibility to keep things secure. I can't imagine a bank using the stolen car reference if people started finding their accounts hacked into. Strange how they seem to know the accounts that have a lot of ectos and Z keys. Also, a lot of people (kids) might not report to ANet if their things were stolen.

Mangione

Lion's Arch Merchant

Join Date: May 2007

Quote:
Originally Posted by Sjeng View Post
Can anyone confirm that? And hell yeah give us the option to permanently lock our characters please! I know I'll never delete my characters, so I'd do it right away. If I ever need a new character, I'll buy an extra slot.
This idea has been proposed and discussed here:
http://www.guildwarsguru.com/forum/s...php?t=10248665

People find a lot of ways to abuse such systems anyway.

Gaile Gray answered in that thread.
Use the thread to ask if they would do it for gw2 maybe.

Wubbies

Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

Quote:
Originally Posted by Gigashadow View Post
A system similar to the Blizzard authenticator keyfob (as mentioned previously on this thread) would work for Guild Wars. That makes your account (but not your computer) pretty much unhackable.
i would agree with this and hence good idea..i was just making a point, like u just said your computer is still hackable..use common sense to make it less hackable

crazybanshee

Desert Nomad

Join Date: Jun 2006

Look out!

E/

Well guys after going back and forth with gw account support, where I used multiple programs to scan both my hardware and software for anything that might have caused this, I got this in my email:

Hello,

I appreciate you taking the time to submit this information to us.

Guild Wars regrets instances where players lose characters or items, whether it is through the actions of unfriendly or unscrupulous players, through deletion accidents, or through other means. Because we know that our servers are secure, we believe it is possible that someone may have gained access to your account without your knowledge or permission. This can happen if you share your password, use the same e-mail and password on message boards, or even if you have accidentally installed a keylogger onto your computer.

We have permanently blocked some game accounts related to this compromised account and are continuing to research the issue.

Here are some tips to help you protect your account and keep your computer secure.

1. Never give your passwords to anyone, including family, friends, or guildmates.

Even if the person is normally trustworthy, you cannot guarantee that they will be following the same strong security precautions that you will follow. Also, there have been occasions when friends have deleted items or characters (often by accident) without the owner's knowledge or permission.

If you believe someone may have learned your password, change it right away.

2. Do not re-use the same username and password on other accounts.

For example, if someone learns the e-mail address and password that you use for a certain message board, it will be easy for them to log into your game account if you use the same e-mail address and password. Use different passwords to improve your account security.

3. Do not install third-party software (i.e. software not created by NCsoft or ArenaNet).

Programs that claim to be item modifiers, cheat programs, or even harmless looking programs such as attribute, skill, or dye calculators might actually contain a harmful virus or keylogger that could allow someone to steal your account information.

If you think you have accidentally installed a keylogger on your computer, you should:

a. Obtain anti-virus software, make sure it is updated with the latest files, and scan your system for viruses and key-loggers.

b. Change all the passwords for accounts that you may have accessed after installing the third party software, such as your Guild Wars game account, PlayNC master account, e-mail address account, fansite forum accounts, etc.

c. Never download any untrustworthy programs in the future! Even if you are confident that you can trust the third-party, please use extreme caution. Virus and keylogger creators rely on your trusting nature to help them steal your accounts from you.

4. Please review our Security FAQ at the following URL, which includes additional information for keeping your Guild Wars account secure:

http://www.plaync.com/us/support/doc_993.html

Please contact us again if you have any question or comments regarding this or any other issue.

Regards,

GM Oghma
The Guild Wars Support Team

Which basically tells me, they didn't find anything and are going to assume it's something I did, so here's the cut and paste response for that. Although that line about the blocked accounts is curious, as they usually say they can't reveal what action was taken.

Wubbies

Academy Page

Join Date: Dec 2008

Bananna Dipper

It Varies

W/

maybe it was something you did and may not have realized it. only u know.

Painbringer

Furnace Stoker

Join Date: Jun 2006

Minnesota

Black Widows of Death

W/Mo

I take that part as the hounds are on the trail. Sorry, so sad you were involved and a victim.

I guess if I was in your shoes I would do a Hijack log and submit it, and wait it out. Not that they will find it or anything but if a root kit got in and Virus software is missing it they will have a better chance of seeing it. All you need to know is once submitted do not download or install anything till you get an answer on your log. It may take 1-2 weeks.

Edit- if they did ban accounts we will see a message on the log in or on GURU I am sure

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

As far as guild mate's new computer:

The computer shop set it up with McAfee. He brought it home, hooked it up to internet, logged on. Only place he went was Guild Wars homepage to download the game. I had to talk him through it on phone.

Friends? I am his only friend that plays with computers. (both of us in our 50's) I got him started into several online games. He is not a social person. He does not chat with people online. He farms with inventory open, covering the chat window. When I log on, I have to call him to get his attention.

He got his computer for games, period.

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by crazybanshee View Post
Although that line about the blocked accounts is curious, as they usually say they can't reveal what action was taken.
Anet has taken the most professional and responsible route of action: they're not going to show anyone what they're doing, they're running an intense investigation which is going to make sure that they don't target innocent people. They don't want people like these thieves any more than we do, it's harming their business.

Those whose accounts have been blocked are suspects and they'll try as best as they can to determine who's the cause, but they can't do a "CSI job" (read this article to understand how people don't understand security) because: 1) they probably haven't implemented a full-forensics technology on their server; 2) it's stunningly easy to fake digital information; 3) even if you catch an IP/location, you'd have to refer it to an authority and virtual theft is not yet considered seriously (although most countries would listen to big companies).

Quote:
Originally Posted by Perkunas View Post
The computer shop set it up with McAfee.
In the security scene, McAfee is not considered a solid AV (although it's serious).

Tundra

Frost Gate Guardian

Join Date: Mar 2007

uhm, just got Error=007. Would it be reason to worry?