Update - Wednesday, December 2, 2009

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by masharra View Post
but it seems through what im reading here you people seem to discount human stupidity?
Nope, not at all. I think people here are passionately speaking against Anet on this issue because Anet has refused to admit any fault (except, Gaile a.l.m.o.s.t did once, but then turned around and refuted it).

I'm sure most of the hacks were because people are idiots and use terrible passwords; HOWEVER, there has to be a problem when so many hacks happen at once. Probability alone would suggest that.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
but it seems through what im reading here you people seem to discount human stupidity?

sure all problems may not have been caused by negligent users but you make it seem as if thats impossible through your statements, and though i wont say arenanet is at fault or not at fault.
OK, so:

- A sudden increase in reports of account theft occurs.
- A new mechanism is commonly reported by those affected - password resets.
- People observe fundamental security issues on the NCSoft website permitting brute forcing.
- Passwords must be reset through that website.

I don't need to see air to know it's there, and I can infer a fire when I see smoke. You are arguing that no change in how accounts are stolen occurred. The evidence is not consistent with that argument. If that argument is true, you are relying on random chance as your explanation for apparently systematic behavior. While that can happen, it appears to be quite unlikely in this case. We have an explanation that fits the facts, and as a consequence we should discard the thesis that chance caused the results.

I have not been hacked on any of my accounts. Just so you know where I'm coming from. I'm simply appalled at ANet's "response" to this matter, and feel the need to call them on it.

Short

Lion's Arch Merchant

Join Date: Jun 2009

Protectors of Fate [GoF]

N/Me

Quote:
Originally Posted by sickle of carnage View Post
Usually first monday of the month..
Second thursday actually.

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

Quote:
Originally Posted by Martin Alvito View Post
OK, so:

- A sudden increase in reports of account theft occurs.
- A new mechanism is commonly reported by those affected - password resets.
- People observe fundamental security issues on the NCSoft website permitting brute forcing.
- Passwords must be reset through that website.

I don't need to see air to know it's there, and I can infer a fire when I see smoke. You are arguing that no change in how accounts are stolen occurred. The evidence is not consistent with that argument. If that argument is true, you are relying on random chance as your explanation for apparently systematic behavior. While that can happen, it appears to be quite unlikely in this case. We have an explanation that fits the facts, and as a consequence we should discard the thesis that chance caused the results.

I have not been hacked on any of my accounts. Just so you know where I'm coming from. I'm simply appalled at ANet's "response" to this matter, and feel the need to call them on it.


firstly i havent been following any of this so forgive my ignorance

i sincerely doubt anyone who has observed these fundamental security issues is a network security specialist and as thus imo their findings are null and void.

a sudden increase in account theft reports

who says a new undetectable key logger hasnt been released?

go play soldier front on ijji

when a shitload of hacks appear 1st thing i say is a new hack is released.
i have no idea what i was trying to say there

i mean what if just MAYBE they are not at fault

is it really that bad to say hey

"hey dont look at me its you guys"

that being said
i have to say i dont know who is to blame if anyone id blame the hackers/keyloggers/gold buyers/etcetc

when there is not enough evidence to say it is your fault as fact
im going to keep my mouth shut.

either way i hope the guys who lost their account well get lucky at dhumms chest.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
who says a new undetectable key logger hasnt been released?
There are much more profitable uses for such things than hacking Guild Wars accounts. If I had both an undetectable keylogger and the inclination to use it for malicious purposes, I wouldn't be stealing digital merchandise that I have to fence in order to realize a profit.

Can we agree that anyone smart enough to write an undetectable keylogger is also smart enough to use it efficiently?

Quote:
Originally Posted by masharra View Post
i sincerely doubt anyone who has observed these fundamental security issues is a network security specialist and as thus imo their findings are null and void.
Blind faith in credentials? You wouldn't be the first to make that mistake, but it's an error to assume that people without credentials are always wrong. Often =/= always.

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

i wouldnt say im blindly putting faith in credentials though i would rather a guy who is a MD to set my leg than the guy who said he saw it on discover channel.

are you placing blind faith in those without credentials?

personally id rather the person with.


and they say its susceptible to brute forcing which means some of these people attempted brute forcing the anet website?

i mean how can you say its susceptible without trying it?

well i suppose you are right about using it efficiently
but i think there is a major difference between stealing cc's and gw accounts

gw might not make you as much money but you will be much safer if not totally immune to any retribution.

i mean your argument about the use of undetectable software for more malicious uses is sort of moot because how many hackers hack games daily with dll injection when they could just as easily steal all of your info and they dont?

im grouping you in the smarter categories of the internet and well just because you can make an undetectable keylogger doesnt mean you can/want to steal cc's. personally id want your email address and pw just so i can delete them all to ruin your day

*not you personally*

and well until the gold sellers start posting their profits we dont know how much they make. id assume a good amount though.

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

I am curious. Are the only accounts that are being 'hacked' just the accounts worth major coin? Things that are stolen or go missing are high end items, FOW armor, ectos, rare minis, very rare weapons, etc. If accounts of lesser are not being 'hacked', why not? What is it that the 'rich' accounts have in common, other than being 'rich'? Do they talk about their wealth and where do they talk about it? Is the 'hacker' searching forums or do they sit in 'elite' areas and stalk their victims?

Questions;

How many low end accounts vs high end accounts get hacked?

How many accounts that are 'hacked' do not use forums?

People use their computers for more than just Guild Wars. As an example: how many also use Facebook? Many accounts there get hijacked regularly. My antivirus programs have warned me several times of Trojans detected. Many people shut down background programs to make their computer run faster. This invites infection.

I have and do 'violate' some of the 'rules' of computer protection. Even with that, I still have several layers of protection, always updated. Am I still vulnerable? Probably. After all, a lock just keeps the honest man honest.

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

what is this facebook you speak of? I also do that i turn off my firewall when something isnt connecting, pfft right now i uninstalled my virus protection cuz well fux it im so poor all they can take is the last 20bucks in my account.

that and it kept ctding. theres this lovely little virus that downloads itself to your comp through a picture.

how to solve problem

switch to linux change password reg. and dont sign up on any fansites


if your account still gets stolen

then say wtf arenanet?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
i wouldnt say im blindly putting faith in credentials
Of course you wouldn't.

I agree that experience is generally preferable. My point was that rejecting findings out of hand because the individual presenting the findings doesn't have the "appropriate" credentials is a mistake. You did take that position.

Quote:
Originally Posted by masharra View Post
and they say its susceptible to brute forcing which means some of these people attempted brute forcing the anet website?
I can't find the threads with search for some reason, but if memory serves there were two separate issues. One was that you could simply brute force passwords because the system wasn't locking people out properly for failed logon attempts. The other had something to do with the website's code and was a more attractive/efficient option, but since I don't work with this stuff I cannot remember the details.

The threads I did find had posts from people with IT experience indicating that they had passwords stolen using computers that were clean beyond any reasonable doubt. Those experts identified the NCSoft website as the only logical culprit, because it was how their passwords were changed.

Quote:
Originally Posted by masharra View Post
gw might not make you as much money but you will be much safer if not totally immune to any retribution.
While you have a point, ANet has repeatedly stated that the preponderance of the gold sellers are based in China. That more or less makes them immune to prosecution anyway if they don't get too greedy, regardless of activities.

If someone had absolutely unfettered access, extortion would probably beat out even credit cards for profit. Just saying.

I'm not saying that hacking the accounts isn't profitable, merely that it isn't sufficiently profitable given that kind of access to someone's computer. Hacking game accounts when your activities are detectable and you're located someplace where you could be prosecuted starts to make sense.
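
An added example, not part of the thread and not NCSoft's code: the first issue recalled in the post above (no lockout after failed logon attempts), shown from the defender's side as a per-account throttle in Python. The class name, the thresholds and the constructed account name are assumptions; the simulation counts how many guesses actually reach the password check in one day, with and without the throttle.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login throttle (hypothetical helper, thresholds assumed).

    After max_failures failures inside a sliding window the account is locked.
    Each further lockout doubles in length up to max_lockout, so the lock is
    always bounded: a permanent lock would let anyone deny the owner access
    just by typing wrong passwords.
    """

    def __init__(self, max_failures=5, window=900, base_lockout=60, max_lockout=3600):
        self.max_failures = max_failures
        self.window = window              # seconds over which failures are counted
        self.base_lockout = base_lockout  # seconds, first lockout
        self.max_lockout = max_lockout    # seconds, cap for repeated lockouts
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._strikes = defaultdict(int)      # account -> lockouts since last success
        self._locked_until = {}               # account -> time the lock expires

    def attempt(self, account, verify, now):
        """Process one logon attempt at time `now` (seconds).

        `verify` is a zero-argument callable that checks the password. It is
        not called at all while the account is locked, so a correct guess made
        during a lockout gains nothing.
        Returns "rejected", "ok" or "fail".
        """
        if self._locked_until.get(account, 0) > now:
            return "rejected"
        if verify():
            # A successful logon clears the history for this account.
            self._failures.pop(account, None)
            self._strikes.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that have aged out of the window.
        while recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._strikes[account] += 1
            lockout = min(self.base_lockout * 2 ** (self._strikes[account] - 1),
                          self.max_lockout)
            self._locked_until[account] = now + lockout
            recent.clear()
        return "fail"


def guesses_evaluated(throttle, seconds, account="constructed-account"):
    """Simulate one wrong guess per second against a single account and return
    how many guesses reached the password check. throttle=None models a logon
    form with no lockout at all."""
    checked = 0

    def verify():
        nonlocal checked
        checked += 1
        return False  # every simulated guess is wrong

    for now in range(seconds):
        if throttle is None:
            verify()
        else:
            throttle.attempt(account, verify, now)
    return checked


if __name__ == "__main__":
    day = 24 * 60 * 60
    print("no lockout:   ", guesses_evaluated(None, day))             # 86400
    print("with throttle:", guesses_evaluated(LoginThrottle(), day))  # 145
```

The throttle keys on the account only, so guesses spread thinly across many accounts stay under its threshold; that pattern needs a separate per-source or global failure counter.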

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Perkunas View Post
I am curious. Are the only accounts that are being 'hacked' just the accounts worth major coin? Things that are stolen or go missing are high end items, FOW armor, ectos, rare minis, very rare weapons, etc. If accounts of lesser are not being 'hacked', why not? What is it that the 'rich' accounts have in common, other than being 'rich'? Do they talk about their wealth and where do they talk about it? Is the 'hacker' searching forums or do they sit in 'elite' areas and stalk their victims?
The people with a lot of stuff invested time in acquiring it and are much more likely to post about it than players with little in-game wealth.

Also, players that are still highly active are overwhelmingly likely to have some of these things due to XTH and easy ecto farming. Players that post on fansite forums tend to have been highly active at some point in time.

Finally, it's fairly obvious that someone has programmed a bot to steal stuff, and that it's bad at identifying items of value. It goes after the items you mention but misses other valuable goodies such as Sup Vigors on heroes.

]HM[ Sabre Wolf

Lion's Arch Merchant

Join Date: Oct 2006

USA

Servants of Fortuna

W/

Quote:
Originally Posted by lejimmtohy View Post
Hey no offense to all of these bug updates but really, when are the skill updates rolling in?
Quote:
Originally Posted by Short View Post
Second thursday actually.
Yes, usually the 2nd OR 3rd Thursday of the month... depending on work load... which this month I see has the worst load for ANET to date...

~ Winters Day
~ Skill Update was pushed to this month (which likely includes SF)
~ New Test Krewe integration
~ GW2

So don't be surprised if the Update happens the 3rd Thursday of this month which is Dec 17th. (based on past instances of ANET)

OH and for those that want to QQ about no content/skill updates and stuff... see above list, plus Dhuum and the fact that you are not paying ANET for anything until 2011. So enjoy any free content that comes from ANET in a 4.5 year old game...

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

perhaps perhaps i tire of this discussion i have a paper to write.

i personally tend to not take most things i read on the internet worth a dime because well i had my stupid days

i have extensive computer experience but ofc i deal with hardware so my knowledge of software is quite limited.

and well at the end of the day all i can say is I dont know.


i am not an expert. Ive yet to be hacked. I do know its not A-nets fault they were hacked. Its the hackers fault. If there is a vulnerability with a-net website im surprised because i seem to remember seeing how many people were locked out when they gave the wrong password during the xunlia pane event. * i was one of em*

though i would like to add just because your password was changed on arena-net doesn't mean the vulnerability is theirs automatically.

your password could have been stolen and the offender merely logged onto your arena-net and changed password.

again until the people who did the tests start showing their ccnp id number or give a repeatable test that everyone can try and get the same results it isnt 100percent arena-nets fault. imo

noneedforclevernames

Krytan Explorer

Join Date: Oct 2007

Jay To Much [SrE]

Me/N

Your password can be mike and nobody will steal your account. Simplicity in passwords has nothing to do with it. Think of the probability, out of all the simple words, that someone picks yours before quitting. It's like telling a friend to think of a word and trying to predict it. Either these individuals got keylogged or they told someone; keylogging is probably the answer.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by ]HM[ Sabre Wolf View Post
~ GW2
For the last mother fcking time, the Guild Wars Live Teams DOES NOT work on GW2. The CR team does, but at the moment they have very little to do.

Quit using this as an excuse, even Linsey has called bullshit on this.

Quote:
Originally Posted by ]HM[ Sabre Wolf View Post
OH and for those that want to QQ about no content/skill updates and stuff... see above list, plus Dhuum and the fact that you are not paying ANET for anything until 2011. So enjoy any free content that comes from ANET in a 4.5 year old game...
So when you QQ at the QQ'ers it doesn't count as QQ'ing? Oh, ok. My bad. Circular logic is pro.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
i am not an expert. Ive yet to be hacked. I do know its not A-nets fault they were hacked. Its the hackers fault. If there is a vulnerability with a-net website im surprised because i seem to remember seeing how many people were locked out when they gave the wrong password during the xunlia pane event. * i was one of em*
This apparently changed and I was just as surprised to hear it as you are.

Quote:
Originally Posted by masharra View Post
though i would like to add just because your password was changed on arena-net doesn't mean the vulnerability is theirs automatically.
If there is unauthorized access, either your system was compromised or the accessed system was compromised. If we can rule one out, the other must be true.

Quote:
Originally Posted by masharra View Post
again until the people who did the tests start showing their ccnp id number or give a repeatable test that everyone can try and get the same results it isnt 100percent arena-nets fault. imo
Which gets back to my points about air and smoke -> fire. I'm not willing to use such a restrictive proof standard. The community suspected duping before the method was proven, but discounted the possibility because ANet assured us backwards and forwards that duping was impossible.

]HM[ Sabre Wolf

Lion's Arch Merchant

Join Date: Oct 2006

USA

Servants of Fortuna

W/

Quote:
Originally Posted by Karate Jesus View Post
For the last mother fcking time, the Guild Wars Live Teams DOES NOT work on GW2. The CR team does, but at the moment they have very little to do.

Quit using this as an excuse, even Linsey has called bullshit on this.
Granted yes, but it still has to pass the same people of inspection before it gets implemented... so they are still doing some work on both.

Quote:
Originally Posted by Karate Jesus View Post
So when you QQ at the QQ'ers it doesn't count as QQ'ing? Oh, ok. My bad. Circular logic is pro.
No... stating facts is not QQing... QQing is when you say "blarg blarg blarg (insert cuss) blarg blarg"... its called cramming the facts down their throat so they get it... but deaf ears/blind eyes... so in the end, it was a waste of 30 minutes...

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by ]HM[ Sabre Wolf View Post
OH and for those that want to QQ about no content/skill updates and stuff... see above list, plus Dhuum and the fact that you are not paying ANET for anything until 2011. So enjoy any free content that comes from ANET in a 4.5 year old game...
That "free content" is a marketing expense for GW2 and it is simply good business. Software publishing is a business where you lose money now to make money later. We disagree about whether or not that expense will justify its returns, not about whether or not we have a "right" to such free content.

I think you can make a strong argument that NCSoft is being penny wise and pound foolish in their approach to maintaining GW. A lot of things have happened in the last couple of years that have upset a lot of players, and it seems that ANet is taking the future business of those upset players for granted with the skeleton support staff approach.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by ]HM[ Sabre Wolf View Post
Granted yes, but it still has to pass the same people of inspection before it gets implemented... so they are still doing some work on both.
Source?

Quote:
Originally Posted by ]HM[ Sabre Wolf View Post
No... stating facts is not QQing... QQing is when you say "blarg blarg blarg (insert cuss) blarg blarg"... its called cramming the facts down their throat so they get it... but deaf ears/blind eyes... so in the end, it was a waste of 30 minutes...
The facts, huh? Well, if your facts are wrong....then....you're just ramming bullshit down people's throats.

gone

Guest

Join Date: Jan 2007

Quote:
Originally Posted by Karate Jesus View Post
Source?


The facts, huh? Well, if your facts are wrong....then....you're just ramming bullshit down people's throats.
So, you'll be the one from the test krewe to slip on the ice and spill the beans then? sweet.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by flubber View Post
So, you'll be the one from the test krewe to slip on the ice and spill the beans then? sweet.
I'm on the Test Krewe?

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

Quote:
Originally Posted by Martin Alvito View Post
This apparently changed and I was just as surprised to hear it as you are.



If there is unauthorized access, either your system was compromised or the accessed system was compromised. If we can rule one out, the other must be true.



Which gets back to my points about air and smoke -> fire. I'm not willing to use such a restrictive proof standard. The community suspected duping before the method was proven, but discounted the possibility because ANet assured us backwards and forwards that duping was impossible.
god im never gonna start this paper

yes we can rule out "supposedly" one system but as i said before
unless someone steps up and says i brute forced the system and got a password then we can not automatically say that their system is at fault.

my main problem is that people are saying with 100percent sure"ability"
that their system is not at fault.

and as a person with it experience i would have to say
no system is 100 percent secure.

id prolly shut up if you said we "think" the problem lays with arenanet
instead of the problem lays with arenanet.

bah i get caught up on the little things

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
id prolly shut up if you said we "think" the problem lays with arenanet
instead of the problem lays with arenanet.
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).

You can't disprove the thesis that the experienced people made an error in their security. But if they weren't complaining before, and they are now, it's reasonable to infer that something changed and that it wasn't that they all suddenly started failing at security precautions.

It's also strange that the automated hack is changing passwords at NCSoft if it uses a keylogger to get credentials. Why the extra step? It's not like the hacker is keeping the accounts. Why would the hacker write code to change passwords, when access could be had directly?

The simplest explanation is that there is a problem with the NCSoft site. Prior threads have suggested some of the possible security flaws.

I agree with you that we do not have a "beyond a reasonable doubt" case here. But I'd argue that we have a "preponderance of the evidence" case, and that's good enough for me.

gone

Guest

Join Date: Jan 2007

Quote:
Originally Posted by Karate Jesus View Post
I'm on the Test Krewe?
naw, after doing a little digging, it is another brah whose name starts with a -K-

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

Quote:
Originally Posted by Martin Alvito View Post
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).

You can't disprove the thesis that the experienced people made an error in their security. But if they weren't complaining before, and they are now, it's reasonable to infer that something changed and that it wasn't that they all suddenly started failing at security precautions.

It's also strange that the automated hack is changing passwords at NCSoft if it uses a keylogger to get credentials. Why the extra step? It's not like the hacker is keeping the accounts. Why would the hacker write code to change passwords, when access could be had directly?

The simplest explanation is that there is a problem with the NCSoft site. Prior threads have suggested some of the possible security flaws.

I agree with you that we do not have a "beyond a reasonable doubt" case here. But I'd argue that we have a "preponderance of the evidence" case, and that's good enough for me.
thats acceptable to me

uh as for why change the password

so that when the bot is cleaning out the account the user doesnt log on and interrupt the cleaning out operation. especially useful if the user notices whats going on and changes password immediately


also isnt the ncsoft website password different from the logon password for gw?

either way you make a great point with the why take the extra step

]HM[ Sabre Wolf

Lion's Arch Merchant

Join Date: Oct 2006

USA

Servants of Fortuna

W/

Quote:
Originally Posted by Karate Jesus View Post
Source?
Do you honestly believe that the live team personnel that do GW1 have not in any way, shape or form helped with GW2?

Quote:
Originally Posted by Karate Jesus View Post
The facts, huh? Well, if your facts are wrong....then....you're just ramming bullshit down people's throats.
My facts are coming directly from the Dev's notes that THEY (ANET) post themselves! AND the average occurrence of the updates which generally match what/when they say they release them. How can words from the horse's mouth and history be wrong?!?!?!?

source | source | source

(Not random bug fixes)
Update - Thursday, April 23 (Fourth Anniversary)
Update - Thursday, May 14 (Skill Update)
Update - Thursday, June 18 (Skill Update)
Update - Thursday, July 2 (Dragon Festival 2009/4th of July)
Update - Thursday, August 6 (Skill Update)
Update - Thursday, September 17 (Skill Update)
Update - Thursday, October 22, 2009 (Halloween 2009/Codex)
Update - Thursday, October 29, 2009 (PvP Henchie)

There I sourced you...

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by masharra View Post
so that when the bot is cleaning out the account the user doesnt log on and interrupt the cleaning out operation. especially useful if the user notices whats going on and changes password immediately
Yes, this does make some sense. But you would only have those logon credentials if the user had accessed the PlayNC account since they differ from the GW credentials, and we have observations where people hadn't done that in ages. So either you've got a hacker that's waited patiently for a very long time to gotcha people with a keylogger, or the PlayNC site has been compromised in some way. The latter would seem more likely.

If you reset the game password, the temp password goes to the associated e-mail address. So either you'd need full access to the e-mail account or you'd have to compromise the PlayNC site to make use of the temp password.

Changing the password seems even sillier than I thought. Unless you had a broadly distributed keylogger and an awful lot of patience. But that just doesn't fit some of the observations where the GW password was changed via PlayNC.

Quote:
Originally Posted by masharra View Post
also isnt the ncsoft website password different from the logon password for gw?
I would hope so. I know mine is. I doubt this is the case for everyone. But we have hacked observations where they differ, so you'd need the PlayNC information to alter the password.

Chthon

Grotto Attendant

Join Date: Apr 2007

Hmmm... I didn't mean to start a firestorm here. I was merely pointing out that this sure sounded like an oblique way of saying "we fixed the spoofability of the password reset urls," and was looking for a clarification whether it was a functionality fix or a security fix.

Quote:
Originally Posted by Bristlebane View Post
I did click that Password retrieval URL after my account had been hijacked, and ALL it did was take you to NCSOFT. So I'm 100% sure that it couldn't have been used for stealing accounts, it just didn't take you to any specific page for retrieving your password.
This would imply it was a functionality fix.

Quote:
Originally Posted by masharra View Post
who says a new undetectable key logger hasnt been released?
This is more Fril's area than mine, but I'm reasonably certain that, not only doesn't such a thing exist, it's fundamentally impossible for it to exist. At worst, you could have a new rootkit that's good at hiding a keylogger from the average user and the cruddy antivirus he relies on as his sole security tool. Also, I don't want to be mean, but your understanding of computer security in general seems pretty far off base. As a result, you're making a lot of very dubious assumptions.

Quote:
Originally Posted by Martin Alvito View Post
It doesn't lay with ANet entirely. We've got two types of hack that appear to be going on. One has been going on for some time - the garden-variety keylogger issue. People are dumb, they download and install third-party programs/porn, get hacked, and QQ.

We also have what appears to be a new and more sophisticated automated hack.
This.

I don't get why it's so hard for people to grasp that accounts can be stolen in more than one way. Yes, there's certainly a baseline of account theft due to user stupidity. Always has been, always will be. But there seems to be more going on. And as the evidence mounts up, it sure does look like there's a way to steal accounts using a vulnerability on the NCSoft/a-net side of things.

That's what has me unnerved. I know what I'm doing. My security is going to be a relatively tough nut to crack, and, frankly, if someone does get in, they almost deserve my account for their efforts. But there's not a damned thing I can do to protect against NCSoft/a-net giving out/resetting my account credentials for any thief who comes along.

(Also, btw, the fact that accounts can be stolen in multiple ways is why I place zero faith in Gaile's assurance that the problem is not with the NCSoft account based on the existence of ONE stolen unlinked account. For all we know or she knows, that particular account could have been stolen through user stupidity while other accounts are stolen through a weakness in the NCSoft account.)

Aleta

Frost Gate Guardian

Join Date: Jan 2006

California

TTP

R/E

Quote:
Originally Posted by Martin Alvito View Post
Yes, this does make some sense. But you would only have those logon credentials if the user had accessed the PlayNC account since they differ from the GW credentials, and we have observations where people hadn't done that in ages. So either you've got a hacker that's waited patiently for a very long time to gotcha people with a keylogger, or the PlayNC site has been compromised in some way. The latter would seem more likely.

If you reset the game password, the temp password goes to the associated e-mail address. So either you'd need full access to the e-mail account or you'd have to compromise the PlayNC site to make use of the temp password.

Changing the password seems even sillier than I thought. Unless you had a broadly distributed keylogger and an awful lot of patience. But that just doesn't fit some of the observations where the GW password was changed via PlayNC.



I would hope so. I know mine is. I doubt this is the case for everyone. But we have hacked observations where they differ, so you'd need the PlayNC information to alter the password.
I used the PlayNC site to go to my Aion account to pick up the rewards for time played. I hadn't played GW that much lately as I was playing Aion. Aion has also had accounts hacked. And it wasn't too long after I started reading about Aion hacks that my GW account was hit. Logged in Saturday to my Aion account - logged into GW to play a bit. Sometime between Saturday night and Sunday GW was looted. I cancelled Aion and never went back to see if anything happened to it.

Martin Alvito


Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chthon View Post
Hmmm... I didn't mean to start a firestorm here.
You didn't. Members have been making the argument about the PlayNC site for months.

Quote:
Originally Posted by Chthon View Post
(Also, btw, the fact that accounts can be stolen in multiple ways is why I place zero faith in Gaile's assurance that the problem is not with the NCSoft account based on the existence of ONE stolen unlinked account. For all we know or she knows, that particular account could have been stolen through user stupidity while other accounts are stolen through a weakness in the NCSoft account.)
I'm glad that I'm not the only person that saw how hard the logic of that argument failed. The thing that really bothers me about it is that Gaile probably wasn't just shooting from the hip there. Which implies that either someone in Support doesn't understand the problem or (God forbid) is pulling an inside job and wishes to distract attention from the real problem.

As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.

Aleta

Frost Gate Guardian

Join Date: Jan 2006

California

TTP

R/E

Quote:
Originally Posted by Martin Alvito View Post
You didn't. Members have been making the argument about the PlayNC site for months.



I'm glad that I'm not the only person that saw how hard the logic of that argument failed. The thing that really bothers me about it is that Gaile probably wasn't just shooting from the hip there. Which implies that either someone in Support doesn't understand the problem or (God forbid) is pulling an inside job and wishes to distract attention from the real problem.

As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.
Good point. Didn't think about that. Still I believe there's a weak spot someplace in GW security.

The Drunkard

Wilds Pathfinder

Join Date: Nov 2007

Still looking

Rt/

I'd love for Anet to be a bit more specific as far as fixing a bug...it could help if another problem occurs

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Martin Alvito View Post
As for the "use PlayNC site -> hack" issue - I'm not saying that causal mechanism isn't at work. I'm just saying that it can't be the full explanation. If the website is compromised, it can't just be someone that is downloading login information as it is entered, because not everyone that has been hacked with the password reset method had logged into PlayNC recently.
My suspicion (and mind you it's just a suspicion) is that we're seeing a variant on the same vulnerability we saw with the huge rash of D2 account thefts all those years ago -- in converting from account name to reset URL, some portions of the URL are the results of something hashed weakly or not at all; and someone has figured out how to spoof reset URLs by requesting a reset for an account name that's similar in the right ways, then substituting the guessable unhashed or weakly hashed parts for the account they want to steal.
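The post above suspects a reset URL whose parts can be derived from the account name. As an added illustration (not part of the thread, and not NCSoft's or ArenaNet's code, which the thread never shows), this Python example puts a constructed token of that predictable kind beside a hardened form: a random, single-use, expiring token that the server itself maps to the account. All function, class and account names are hypothetical.

```python
import hashlib
import secrets
import time
import zlib


def weak_reset_token(account):
    """'Before' form (constructed): the token is a pure function of the
    account name, so it can be recomputed without ever seeing the e-mail."""
    return format(zlib.crc32(account.lower().encode()), "08x")


class ResetStore:
    """Hardened form: random, single-use, expiring token. The account is
    looked up server-side, so the URL carries no account field to swap."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (account, expires_at)

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, now + self.ttl)
        return token  # delivered only to the e-mail address on file

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works once
        if entry is None or now > entry[1]:
            return None  # unknown, already used, or expired
        return entry[0]


def token_is_deterministic(issue_fn, account):
    """True when two requests for one account yield the same token."""
    return issue_fn(account) == issue_fn(account)


if __name__ == "__main__":
    store = ResetStore()
    name = "SampleAccount"  # constructed sample value
    print("weak deterministic:", token_is_deterministic(weak_reset_token, name))
    print("hardened deterministic:", token_is_deterministic(store.issue, name))
    print("recomputed token redeems:", store.redeem(weak_reset_token(name)))
```

Storing only the SHA-256 of the token means a leaked pending-reset table does not hand out usable reset links.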

Martin Alvito


Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

That's the strongest theory I've heard so far. I don't really believe the inside job thesis for a variety of reasons. The automation suggests that someone has come up with a clever way to bypass authentication, but that it takes some tedious work.

There's no reason to reinvent the wheel if avoidable, so recycling a known approach makes sense.

sirsterm

Pre-Searing Cadet

Join Date: Jan 2007

Ravn

W/N

I clicked on that change password link when I couldn't log into my account and I got Chinese writing on the page it sent me to. That's when I knew all my stuff was gone.

shoyon456


Desert Nomad

Join Date: Jul 2006

D/

So it's a good thing I haven't changed my password in years? Holy hell, the irony...

kokuou

Academy Page

Join Date: Nov 2007

N/Me

Quote:
Originally Posted by Chthon View Post
Second one is interesting. Either it wasn't functioning properly (which I think we would have heard about in the Bugs forum) or it had a security vulnerability. If it's the latter, I guess the rash of account thefts is over now. However, it would sadden me that a vulnerability that every game programmer should remember from the days of D2 somehow made it into GW. WTB official clarification: can we breathe easier about account theft?
Actually, I think they just fixed the URL on this one. I've clicked on the "Reset Password" link on the login page a couple times, and all it was was a broken NCSoft link that took me to a "Page not found" in Korean.

I'm assuming that all they did was put in the correct URL, so no, I don't think it has anything to do with account security.

pumpkin pie


Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

HMMMMMM. Does this whole thing have anything to do with linking all your accounts to NCSoft master accounts?

Shasgaliel


Jungle Guide

Join Date: Apr 2008

[bomb]

You guys forget the third option - ISP.

In some countries a hacker just needs your telephone number to get everything. Some ISPs make telephone numbers the ID/login numbers for the network - the hacker just needs to brute force the password and he will see everything you send: passwords, logins. He just needs to play with SYN packets a bit (in some cases he needs IPs) etc. - nothing on your PC will help, no firewall, no anti-malware software. My friend, after connecting his PC to a local network on one of the campuses, managed to get all the logins/passwords in 24 hours. Those people were not at fault, and neither were the websites/games they were connecting to; it was all due to bad network protection by the ISP. I am not a hacker and I do not know much about the security details, but I happened to see a lot. Anyway, people with more technical knowledge will be able to write more useful details on this.

Writing scripts to obtain passwords from badly protected URLs takes minutes. Running them may take a while but then you use several IPs or even rented botnets. I saw botnets in action. If you operate one you can run through URLs very very fast.

I am quite sure that goldsellers operate with botnets. Which means that often it is some infected computer which is getting blocked by ANET not the hacker himself.

Hengis


Wilds Pathfinder

Join Date: Apr 2006

London

Better Than Life (BTL)

R/

Quote:
Originally Posted by Martin Alvito View Post
We also have what appears to be a new and more sophisticated automated hack. It always uses the same mechanism to get access (reset password at NCSoft site), it affects even experienced IT people that know and use proper security precautions, and it has resulted in a sharp increase in the incidence of reports of account theft on fansites. It uses a bot to clean out stuff. The bot's MO is recognizable because it's bad at extracting everything of value, and frequently leaves calling cards (low value items).
This is an interesting idea, Martin, but I think my particular experience falls between both. My account was not hacked through a password reset, but what was taken and what was left on my characters exactly fits your "clean out bot" scenario.

All my gold was taken (1.7 million spread over storage and 10 chars)
All obviously valuable items in storage, e.g. ectos, but full stacks of common and even some full stacks of rare crafting materials were left.
FOW armour salvaged
DEDICATED Kuunavang taken (This pissed me off more than anything)
ALL Elite tomes taken from storage (I had around 100 Elite tomes for some reason LOL)
ALL alcohol and sweet and party items were taken, of which I had quite a lot as I was saving for a double hit on Party and Sweet tooth max titles.

However, all my heroes were left fully runed up with superior vigor runes etc and they were all armed with UNDEDICATED Destroyer Weapons which were not touched.

What I am saying is that although they hit me very hard (My initial estimation was that I lost around 3 million, but I have since upped this in my own mind to around 5 million) they missed a fair amount of stuff that could have easily been just sold to the merchant to convert into quick cash.

I still don't know with any degree of certainty how my account was hacked or why my account was targeted. I don't have a GWAMM (my max is 28 titles), I have never bought or sold really high end items. I've sold a few things on guru auctions, but nothing worth more than a couple of hundred K at the most and nothing at all recently. I am in a guild of one and for the last year or so have only ever played solo title farming. The only fansite I am active on is this one and of course I have never used any third party programs with the exception of GWML (Guild Wars Multi Launch). This in itself would seem to rule out a keylogger as the secondary accounts I used were not touched.

I would dearly love to put this whole thing to bed in my own mind, just to know how and why my account was targeted.

nitetime

Krytan Explorer

Join Date: May 2005

eotn

W/

Quote:
Originally Posted by kokuou View Post
Actually, I think they just fixed the URL on this one. I've clicked on the "Reset Password" link on the login page a couple times, and all it was was a broken NCSoft link that took me to a "Page not found" in Korean.

I'm assuming that all they did was put in the correct URL, so no, I don't think it has anything to do with account security.
I don't think you read much of the thread. It seems to be something more than just some kind of innocent mistake.

Quote:
Originally Posted by sirsterm View Post
I clicked on that change password link when I couldn't log into my account and I got Chinese writing on the page it sent me to. That's when I knew all my stuff was gone.