2 million NCSoft accounts stolen

Brett Kuntz

Brett Kuntz

Core Guru

Join Date: Feb 2005

01 Jun 2010 at 20:06 - 81
Quote:
Originally Posted by tha walkin dude View Post
Just to be sure, does this mean you emailed a list of 50k sets of login info that you thought might work to a NCSoft employee. And then, he e-mailed you back and told you 10k were valid?
Yes. The information was always very secure in handling, and has long been secure erased. To this point in time, no one has ever publicly investigated the true statistic of how many people use the same password on a public forum as a private account (bank, game, email, etc). I used a fairly large sample size, and came to those statistics on it, so it likely carries over to any scenario.

Quote:
Originally Posted by Martin Alvito View Post
Brett,

The dispute has always been over volume. I believe what you're saying. However, I believe that your hypothesized vector of attack has always been assumed to be present among the more sophisticated.

1)Claiming that your method is causal basically requires believing that the attackers were dumb before (July? October?) but suddenly got smart. By contrast, believing in NCSoft vulnerabilities requires believing that the hackers were smart to begin with but got smarter after reviewing the condition of the site, and altered the vector of attack as a result.

2)The math associated with brute forcing birthday password resets using botnets is just too attractive to a professional hacker. Especially given that we now know that botnets are being used.

In short, I accept the contention that what you describe is part of the explanation, but reject ANet's contention that it constitutes the full explanation. Too many educated people aware of good security practices got hacked for me to believe that this was a simple case of BBS hacking and social engineering. The explanation just doesn't fit the data.
1) These companies must wait for the next big vBulletin, phpBB, Word Press, Apache, mySQL exploit to come along to grab a new snapshot of fansite databases. This explains peaks and valleys in the amount of hackings that take place. Do you see the same fansites getting hacked all the time? No! That French site was hacked once, many accounts were taken, and a month later there was a very large spike in Guild Wars account hackings!

2) While this is a good theory, it is/was easily checked by examining the logs. Multiple computers/IP's trying to reset the passwords (guess the birthdays) on accounts would create a very unique finger print in a log.

Ka Tet

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

01 Jun 2010 at 20:18 - 82
Quote:
Originally Posted by Brett Kuntz View Post
Yes. The information was always very secure in handling, and has long been secure erased.
I don't know you, so I can't say that you would take advantage of that information, for all I know you're the worlds only pure altruist. I don't know the nature of your relationship with the employee, for all I know he's your brother and has no reason not to trust you personally.
That said, you gave him the list. He has no way of knowing if you deleted the original. Then, he confirmed that if you used the list every fifth attempt would work. To me, that sounds like a huge security risk.

Brett Kuntz

Brett Kuntz

Core Guru

Join Date: Feb 2005

01 Jun 2010 at 20:27 - 83
Quote:
Originally Posted by tha walkin dude View Post
I don't know you, so I can't say that you would take advantage of that information, for all I know you're the worlds only pure altruist. I don't know the nature of your relationship with the employee, for all I know he's your brother and has no reason not to trust you personally.
That said, you gave him the list. He has no way of knowing if you deleted the original. Then, he confirmed that if you used the list every fifth attempt would work. To me, that sounds like a huge security risk.
We are appending some additional information to my original post, please read it on the previous page. I'll also post it here as well:

Quote:
Originally Posted by Brett Kuntz
Some of you might wonder why NCSoft would cooperate with me (Brett) on the accounts. I have proven to be a pretty trustworthy guy in the community, and I am also under legal obligation, so the data was always safe! This experiment was all done in the name of science! Now we have a pretty solid statistic on how many dummies out there use the same weak passwords on public sites as well as their important private accounts!

Ka Tet

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

01 Jun 2010 at 20:44 - 84
Quote:
Originally Posted by Brett Kuntz View Post
Some of you might wonder why NCSoft would cooperate with me (Brett) on the accounts. I have proven to be a pretty trustworthy guy in the community, and I am also under legal obligation, so the data was always safe! This experiment was all done in the name of science! Now we have a pretty solid statistic on how many dummies out there use the same weak passwords on public sites as well as their important private accounts!
Thanks, that's important information to have.

Mercesa

Mercesa

Frost Gate Guardian

Join Date: Aug 2009

Netherlands

N/

01 Jun 2010 at 21:11 - 85
Even though, If you look just at Bretts posts you can see he's already some kind off tech guy. And I already thought he could know more because he's just more into that kind off stuff.

Ka Tet

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

01 Jun 2010 at 21:30 - 86
Quote:
Originally Posted by Mercesa View Post
Even though, If you look just at Bretts posts you can see he's already some kind off tech guy. And I already thought he could know more because he's just more into that kind off stuff.
The question wasn't about his knowledge. It was about the feedback from NC.

Martin Alvito

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

02 Jun 2010 at 01:25 - 87
Quote:
Originally Posted by Brett Kuntz View Post
2) While this is a good theory, it is/was easily checked by examining the logs. Multiple computers/IP's trying to reset the passwords (guess the birthdays) on accounts would create a very unique finger print in a log.
I just don't trust the source. They have a strong, vested interest in evading responsibility. Further, if the vector of attack was easily defended, why expend the cost to fix the problems? Finally, the story is inconsistent with data we do have.

I can't evaluate evidence I haven't seen (and I don't expect you/them to share it). But based on what I know, I just don't believe that the fansite attacks were the entire problem. Part of it? Absolutely. All of it? Don't buy it.