Rank 17 Guild entirely messed up by hackers!

Feng Leung

Frost Gate Guardian

Join Date: Nov 2005

[Yarr] We Plunder You Now

W/

Heh.. I was wondering why, when Gaile was in LA int, that guy wanted to talk to her about the tournament.

KvanCetre

Wilds Pathfinder

Join Date: May 2005

The Madison Scouts

E/Mo

Quote:
Originally Posted by doskir
I have been using this method for safe passwords for a long time now and here's how it works:
Get a piece of paper and write every letter and the numbers 0-9 on it, then randomly assign each letter and number a different number or letter. Now create a password for each site/game by using it. I.e.: guildwars = df5onm68z. You can put this anywhere you want because NOBODY will know what this thing does. Copy it a few times and store it somewhere you won't lose it. Perfect password as long as you don't tell anybody that has access to it what it does.
That's actually a really smart idea.

Diablo™

Forge Runner

Join Date: Jun 2005

Seattle

SPQR

N/R

Quote:
Originally Posted by doskir
I have been using this method for safe passwords for a long time now and here's how it works:
Get a piece of paper and write every letter and the numbers 0-9 on it, then randomly assign each letter and number a different number or letter. Now create a password for each site/game by using it. I.e.: guildwars = df5onm68z. You can put this anywhere you want because NOBODY will know what this thing does. Copy it a few times and store it somewhere you won't lose it. Perfect password as long as you don't tell anybody that has access to it what it does.
Well, thanks for telling everyone.. now everyone will know my password is 1337.

MMSDome

Raged Out

Join Date: Sep 2005

Quote:
Originally Posted by Diablo™
Well, thanks for telling everyone.. now everyone will know my password is 1337.
Sadly enough, that's probably considered a common password nowadays.

That is a good method, the 0-9 thing, but I always throw away my notes, which include tons of IPs, phone numbers and passwords, when they get full, so I'd be left without access to anything, since I can't remember anything I have done in the past year but I can remember what I ate for dinner on April 14th of 1996, which really makes me angry.

Riceboi

Wilds Pathfinder

Join Date: May 2005

Quote:
Originally Posted by VGJustice
[EDIT] To Tufty: The way they steal accounts is by either guessing or finding out what your e-mail and password are. After that, they can change the password and the e-mail to whatever they want, and the account is gone.
You do know it takes like a week for ANet to process an email change! After the week, both email accounts get an email from ANet about the email change, and both email accounts have to click a link to authorize the email change. If someone tries to change the password to your GW account, the new password is sent to the existing email address, so you can change it back easily. I'm not saying your characters won't be deleted or all your items gone, but you can get your account back.

Bu7ch

Academy Page

Join Date: Apr 2005

Cincinnati

Governors of Destruction [GOD]

R/

You can have all the security in the world but sometimes human error will take over.

hellprowler

Ascalonian Squire

Join Date: Mar 2006

Looking for Casual GvG one that wants a monk

Mo/

Guys, this has nothing to do with making a good password or not. Bani used a vulnerability exploit on a phpBB forum, which happens to be ScV's forum. Kava had the same forum password as account password, so he managed to get in, and well, the rest is history. Obviously Kava should have made a different pass/email, but don't think Bani like guessed it or something; he had an exploit to retrieve the password.

vBulletin is MUCH better coded forum software than phpBB; their encryption is much better and they have fewer exploits. Almost like Firefox and IE (BURN!). Frankly, if you're going to use phpBB, make sure it's all updated and you use different e-mails and passwords.

Inruin

Ascalonian Squire

Join Date: Feb 2006

The Last Empire [TEvL]

Mo/N

phpBB has a lot of exploits and is quite easy to manipulate. vBulletin is a little more secure; I sure hope everyone using phpBB catches on to the major security flaws.

RoyalScion

Academy Page

Join Date: Jan 2006

What the hell. DICE NOOOOOOOOOOOOOOOOOOOOOOOOO.

PsychoX

Academy Page

Join Date: Mar 2006

W/Mo

Quote:
Originally Posted by Inde
Most forums are now encrypted. For example, there is no way in vBulletin for me to obtain or hack anyone's passwords. The encryption is that good. I know that older versions of Invision you could. This would also be the reason that I have different passwords for everything. For my GW Account, forum account, emails, admin access, etc.
You would be surprised. vBulletin stepped it up, but they were most likely using phpBB, which just uses an MD5 hash of the password.

Though, TECHNICALLY, it wasn't a hacker, it was a cracker.

It's unfortunate, but this isn't the first time something like this has happened.

Fred Kiwi

Wilds Pathfinder

Join Date: Sep 2005

[cola]

Quote:
Originally Posted by Ctb
The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).
Dude... it's a piece of paper... no one's going to actually try and find your house and find a password. If it's a burglar, they're not going to think anything of it. I just stuff all my passwords into a blank case on a post-it note. It's totally safe.

acidic artist

Academy Page

Join Date: Nov 2005

E/Me

The solution is SIMPLE. Just add -password=(your password here) to the target line of the shortcut, as so: "C:\Program Files\Guild Wars\Gw.exe" -password=blah blah

hellprowler

Ascalonian Squire

Join Date: Mar 2006

Looking for Casual GvG one that wants a monk

Mo/

That's not a solution, acidic, as Kava from ScV was hacked not through a keylogger, but by a phpBB exploit.

Laibeus Lord

Lion's Arch Merchant

Join Date: Jun 2005

Philippines

Holy Order of the Light [HOL / Holy Order]

R/N

Maybe it's time that ArenaNet/NCsoft adopts GameGuard.

Cymmina

Krytan Explorer

Join Date: Apr 2005

Me/N

Quote:
Originally Posted by PsychoX
You would be surprised. vBulletin stepped it up, but they were most likely using phpBB, which just uses an MD5 hash of the password.
It wouldn't have mattered how they were hashing the password in the database. Sure, an ordinary MD5 hash would allow someone to figure out a few common passwords, but not uncommon alphanumeric ones.

Some of the older phpBB versions would allow a malicious user to gain enough access to the database to set the forum descriptions (I know this from fixing an abandoned phpBB install). What they would do from there is set a bit of malicious JavaScript as part of the description that would intercept the information being submitted through the quick login form (appears at the bottom of the default forum style). That JS would silently send that information (the plaintext username & password) to a script owned by the malicious user on another site and then allow the user to continue logging in as though nothing abnormal was happening. The JavaScript, being a part of the site, would also be able to read "remember me" login cookies, but I'm not sure if that information would be usable by a malicious user, since it is hashed as well. Few people suspect their own trusted forums as being malicious.

Nevin

Furnace Stoker

Join Date: Jul 2005

Quote:
Originally Posted by Ctb
In addition, don't use wimpy passwords. The ideal password would be a totally meaningless string of characters, but the next best thing is a pseudo-word comprised of various characters.

Example: gu1ldeeg00

It sounds kind of like a real word "guildy goo", but obviously it's just gibberish.

Another alternative that I used for a while is to put all your passwords in one place and have them be actually long nonsense strings of complex text. Then, you protect that location with one very strong password and just open it up when you need to know the nonsense string for a particular account somewhere. I used to do this with an encrypted text file on Windows using AxCrypt, but AxCrypt doesn't work right on 64-bit unfortunately.

The obvious downside there is that, while you're exceptionally safe, if you forget that one password, you lose them all for good :\

Of course, on the flip side, you only have to remember one password as well.

The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).
What happened to the good ol' high school ilove___ passwords?

d4nowar

Wilds Pathfinder

Join Date: Apr 2005

Mo/

Quote:
Originally Posted by Nevin
What happened to the good ol' high school ilove___ passwords?
/changes password... :/

Sagius Truthbarron

Desert Nomad

Join Date: Jun 2005

Animal Factory [ZoO]

A/

I make it a point to always use E-Mail+Password auto-save features. I never use the same E-mail address either. Since I don't have anyone living with or around me that I don't want in my accounts, it works out fine. And if someone breaks into my house to steal my GW account, I have bigger things to worry about than losing 25k.

Juicey Shake

Jungle Guide

Join Date: Jun 2005

CA

in it for the trimmmm

R/

Quote:
Originally Posted by Cymmina
It wouldn't have mattered how they were hashing the password in the database. Sure, an ordinary MD5 hash would allow someone to figure out a few common passwords, but not uncommon alphanumeric ones.

Some of the older phpBB versions would allow a malicious user to gain enough access to the database to set the forum descriptions (I know this from fixing an abandoned phpBB install). What they would do from there is set a bit of malicious JavaScript as part of the description that would intercept the information being submitted through the quick login form (appears at the bottom of the default forum style). That JS would silently send that information (the plaintext username & password) to a script owned by the malicious user on another site and then allow the user to continue logging in as though nothing abnormal was happening. The JavaScript, being a part of the site, would also be able to read "remember me" login cookies, but I'm not sure if that information would be usable by a malicious user, since it is hashed as well. Few people suspect their own trusted forums as being malicious.
Yes, older versions of phpBB are quite exploitable. I can log in as any member of any phpBB forum that is version 2.0.12 or below, without this one little patch. It takes a grand total of 10 seconds to do. Hopefully that's what happened to them; newer versions of phpBB being easily exploitable is bad bad stuff.

calamitykell

Banned

Join Date: Aug 2005

N.Y.C.

Shit. I'm using phpBB, how much does vB cost?

*has like, no money* x.x

studentochaos

Frost Gate Guardian

Join Date: Feb 2006

Seeking atm

N/

Rough week for SCV. They missed out on the championship by two points, then get hacked. I really hope they come back into ladder play. Great team and fun to watch. I fear this may break their spirit to want to play, but let's hope they come right back!

Draygo Korvan

Frost Gate Guardian

Join Date: Aug 2005

Mo/Me

Quote:
Originally Posted by calamitykell
Shit. I'm using phpBB, how much does vB cost?

*has like, no money* x.x
phpBB is safe enough. While it only hashes with MD5, as was said earlier, even if they could see the database they won't be able to guess at the passwords.
MD5+SHA1+salt action is key, but that won't save you from HTML injection.
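Added example, not code from any poster in this thread: it puts Cymmina's and Draygo's points side by side. The user table and the tiny "common password" list are constructed stand-ins; the hardened form uses a random per-user salt with PBKDF2 rather than the MD5+SHA1+salt mix Draygo names.

```python
"""Why the storage format of a forum's password table matters.

Unsalted MD5 (what the thread says older phpBB used) lets anyone holding a
database dump look up common passwords in a precomputed table; a random
per-user salt plus a slow KDF does not. All sample data is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample users: "1337" is the kind of password Diablo joked
# about, "df5onm68z" is doskir's cipher-derived example from the thread.
SAMPLE_USERS = {
    "kava": "1337",
    "officer2": "1337",      # same password as kava
    "doskir": "df5onm68z",
}

# Constructed stand-in for a real wordlist / precomputed hash table.
COMMON_PASSWORDS = ["password", "123456", "1337", "guildwars", "ilovegw"]


def md5_store(password: str) -> str:
    """Old phpBB style: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(stored_hashes, wordlist=COMMON_PASSWORDS) -> dict:
    """What a dumped unsalted table gives away: hash the wordlist once,
    then every stored hash that appears in it maps back to its password."""
    table = {md5_store(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def salted_store(password: str, salt: bytes = b"") -> tuple:
    """Hardened form: random 16-byte per-user salt and a deliberately slow
    KDF (PBKDF2-HMAC-SHA256, 100k rounds). Returns (salt_hex, hash_hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def verify_salted(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, stored = record
    _, candidate = salted_store(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def demo() -> tuple:
    """Returns (same_hash, recovered, distinct, salted_records)."""
    unsalted = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    # Unsalted: identical passwords give identical hashes ...
    same_hash = unsalted["kava"] == unsalted["officer2"]
    # ... and the wordlist lookup recovers them, but not the cipher-style one.
    recovered = lookup_unsalted(unsalted.values())

    # Salted: identical passwords give unrelated records, and a precomputed
    # table is useless because each user's salt is different.
    salted = {u: salted_store(p) for u, p in SAMPLE_USERS.items()}
    distinct = salted["kava"][1] != salted["officer2"][1]
    return same_hash, recovered, distinct, salted


if __name__ == "__main__":
    same_hash, recovered, distinct, salted = demo()
    print("unsalted: identical hashes for identical passwords:", same_hash)
    print("unsalted: recovered via wordlist:", sorted(recovered.values()))
    print("salted:   identical passwords, distinct records:", distinct)
    print("salted:   kava verifies:", verify_salted("1337", salted["kava"]))
```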

art_

Jungle Guide

Join Date: Dec 2005

Quote:
Originally Posted by Nevin
What happened to the good ol' high school ilove___ passwords?
Awesome avatar

<3 Gir

Manic Smile

Desert Nomad

Join Date: Dec 2005

Hawaii

----- 15^50[Rare] ---- Alliance: ----- [SMS] -----

Quote:
Originally Posted by Killmur
I know Inde, I know. I read the first post. However sometimes I don't like reading about this stuff at all. I use simple passwords since my memory is crappy with numbers. Kinda has me worried that I may have to start using numbers in my passwords but I just am not willing to.
If that is your problem, use words that are familiar to you but add odd spelling with non-characters like leet spelling or $ for S, for example. Add numbers in the beginning, middle or end... that way everything is familiar to you but there would be no way anyone not close to you would be able to just guess it.

Lady Lozza

Forge Runner

Join Date: Dec 2005

Oz

Angel Sharks

Me/N

I think this is the 10th hacking thread that I've read in the last day, across various GW forums. Is Computer Security 101 not taught at school anymore? I was at school when the majority of PCs were still sporting black and white graphics; I would have thought that it would have been more important today than it was then. So here is a little information for all of you who have missed the lesson Computer Common Sense and Security because you were all too busy playing Guild Wars.

Computer game hackers are generally NOT experts. They won't "hack" your home system, the GW servers, or even forum boards for your username and password; instead they use keyloggers (among other things) to get your information.
A common myth I've seen floating around is that anti-virus programs, anti-spyware, firewalls etc. will protect your computer. This is NOT TRUE. Malware can and does get into your system even if you are running all the right software. This is not supposed to frighten you; it is the simple truth. These programs protect against known threats, and against files that look similar to known threats. Even then this might not be enough if you have had a rootkit put on your computer.
Rootkits are not necessarily malware in themselves but they can be used to hide malware. Rootkits are difficult to find, and difficult to remove - in fact a bit over 6 months ago Sony had to remove a DRM rootkit because it was being used to hide trojans and keyloggers; furthermore, when it was discovered even the experts had trouble removing it without crashing the system. The general solution was a complete hard drive wipe and reload.
Despite all the nastiness floating around on the web, you can take steps to help ensure that you don't fall prey to these "u13er 1337 h4x0rz".

1) Do not download anything with DRM. Rootkits are nice for DRM because they are difficult to remove, so it is very unlikely that Sony was the ONLY company using them.
2) Do not download cheats/skill calculators/bots etc. Doing so, when the login page states that you should not, is just stupid.
3) Do not download anything that you don't trust, or don't know if you should trust. "Free" music and movies might be all the rage but if you really want to indulge in this (and you should know that it is generally illegal) then do it from a computer which you don't game on.
4) Don't use a free email address to game. I know that most of you probably don't have anything but a hotmail account, but using your parents' address is better.
5) Don't register the address you game on with internet forums. That is what hotmail is for.
6) Don't use the same password for forums/email as you do for gaming.
7) Do not write your password down, do not store it on your computer. You should be able to remember SEVERAL 16-character passwords. If you find this difficult, here is a nicer solution. Forums and even Hotmail do not need complex, difficult-to-crack passwords; after all, it doesn't (or perhaps shouldn't) matter if they get hacked. Use simple passwords for them and keep the complex ones for accounts (e.g. gaming) that REALLY matter.
8) Passwords should include numbers, different cases, and - if allowed - symbols. Do not use birthdays, other email addresses, or brother/sister/boyfriend etc. names.
9) Learn to listen to your computer. If your computer seems to be playing up, chances are it is. Scan, defrag, etc. and if you are still having problems save all your data to disk. After that either see a computer tech or wipe the MBR and HD and reload.
10) Understand your personal limitations. I know it is 1337 to pretend you know everything there is to know about computers but even those in the industry don't know EVERYTHING. Be honest with yourself. If you don't know what is going on, don't pretend you do, you will probably just make a mess of things.

It may seem like a lot to remember but the majority of it is common sense. Not ALL hackers will be stopped by this, but it will make sure that you aren't the victim of the general "gaming hacker".
My apologies if some of this has already been mentioned.
Googling "computer security" might show you some interesting stuff, and if in doubt pay a visit to a Linux forum or two and read what they have to say about security. It may be a different OS but the general rules and principles remain the same and they don't only talk about Linux either.

lg5000

Jungle Guide

Join Date: Jul 2005

Australia

Computer Security 101? They get my kids in Yr 1 and Yr 3 to read and sign a form that they WON'T harm the school's computers (in the software part) in any way.... Oh, and they get told NOT to give out their name, to anyone.

Dunno about later in school, but at the moment, computer security is taught at home in my household.

Btw, nice advice on how to protect against having your account stolen. Most likely, if you follow the above advice, you'll be fine. Accounts get stolen due to stupidity of the user.. in most cases, and any work involved in getting the account is a trade-off for those where the user more or less passes his account info out.. anyone seen those fake bank emails asking for your password and account number? Sorta like that, except I'm hoping we're all smart enough to ignore that style of email.

Whoops, I really didn't mean to write that much, considering I fall in the reasonably computer-illiterate class...

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by doskir
I have been using this method for safe passwords for a long time now and here's how it works:
Get a piece of paper and write every letter and the numbers 0-9 on it, then randomly assign each letter and number a different number or letter. Now create a password for each site/game by using it. I.e.: guildwars = df5onm68z. You can put this anywhere you want because NOBODY will know what this thing does. Copy it a few times and store it somewhere you won't lose it. Perfect password as long as you don't tell anybody that has access to it what it does.
Good idea. Many people, spies included, have used this; it's called a cipher. One somewhat famous cipher was the Enigma cryptographic machine used by German U-boats in WWII. Worked a treat until it was cracked.

From Dictionary.com:

ci-pher also cy-pher
n.

1. The mathematical symbol (0) denoting absence of quantity; zero.
2. An Arabic numeral or figure; a number.
3. One having no influence or value; a nonentity.
4. a. A cryptographic system in which units of plain text of regular length, usually letters, are arbitrarily transposed or substituted according to a predetermined code.
b. The key to such a system.
c. A message written or transmitted in such a system.
5. A design combining or interweaving letters or initials; a monogram.

Source: The American Heritage® Dictionary of the English Language, Fourth Edition
Copyright © 2000 by Houghton Mifflin Company.
Published by Houghton Mifflin Company. All rights reserved.

Why did you have to post? Now everyone knows what my cheat sheet is for! Just kidding.

edit: On topic, really tough luck for this guild, perhaps the member with the hacked account should have used a cipher password!

Asplode

Desert Nomad

Join Date: May 2005

Chicago, IL

Rebel Rising [rawr]

Yeah he got on IRC and made a long monologue about how he hopes Cefx is happy, as if it's his fault he decided to go stealing accounts, and that he's giving the stuff away to friends and giving accounts back to their owners, as well as his own account, and quitting GW entirely.

It seems ironic that someone would go steal peoples' accounts, wreck a competitive guild's roster, and then go and try to drop some kind of guilt trip on the community.

The Lesson? Use your common sense, and don't use the same password for different things, I suppose.

Haggard

Desert Nomad

Join Date: Dec 2005

Urmston, Manchester, UK

Greener Pastures [DVDF]

W/Rt

Quote:
Originally Posted by Ctb
The fix for that is keeping the password written down somewhere in a physically secure location, but it's not always practical to buy a safe just to store a piece of paper (and then you still have to remember the combination anyway).
That's the benefit of giant PC monitors: you can simply sellotape your password to the side.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

OMG, these people who are writing down their passwords and not securing the slips are going to give me a conniption.

lol

To those of you who say "who's going to come into my house and steal my Guild Wars password paper?", what about a malicious "friend", jilted lover, unscrupulous family member? What if the delivery guy for UPS drops off your new uber-gfx card and sees it, and in his off hours he's one of these *ahem* "crackers"?

It's the ice cream lock scenario: it doesn't have to be perfect, but you still need to take a reasonable level of precaution, and leaving your passwords on a piece of paper out in the open (unless you're a recluse) is not reasonable. At least put it on top of the fridge or something where people in your place can't see it by just walking around.

stickyballs

Banned

Join Date: Feb 2006

American Servers

Sin Squad [SIN]

W/

Yeah, I *heard* that some sites need you to register, but they got like pics of new Factions weps and stuff, so people get all excited. Then you register w/ your email and pass and then they hope that the SN you used on their site is the same as your email. They don't need your GW account pass, because they can just recover it if they have access to your email.

On a side note, this happened a few months ago to a Rank 30 guild, Elysian Fields. I joined and thought something was wrong when there were like 50 guys and 10 of them hadn't even gotten out of Ascalon yet, lol. I always wonder why these hackers don't SELL the guild for a lot because it is high ranking instead of filling it w/ newbs...

Charqus

Krytan Explorer

Join Date: Nov 2005

Mo/

Hmm, the officers were probably at fault too... prob downloaded a hack and got a keylogger.... v bad tho.

lg5000

Jungle Guide

Join Date: Jul 2005

Australia

Quote:
Originally Posted by Ctb
To those of you who say "who's going to come into my house and steal my Guild Wars password paper?", what about a malicious "friend", jilted lover, unscrupulous family member? What if the delivery guy for UPS drops off your new uber-gfx card and sees it, and in his off hours he's one of these *ahem* "crackers"?
LOL, they'd need to be able to read my handwriting, which becomes atrocious when it comes to writing personal notes for my memory.

Sir Mad

Desert Nomad

Join Date: Apr 2006

Moe's Pub

Pigs Can Fly [Pigs]

R/

Quote:
Most forums are now encrypted. For example, there is no way in vBulletin for me to obtain or hack anyone's passwords. The encryption is that good. I know that older versions of Invision you could. This would also be the reason that I have different passwords for everything. For my GW Account, forum account, emails, admin access, etc.
phpBB, which is one of the most common versions of BB on the net (it's free), doesn't. That's what I use on my own site (I don't want to invest in BBs like vBulletin, for I'm proud to keep my site free of any adverts and get no income from it; I'd rather use heavily modded (by me) versions of phpBB than spend more money again for the site) and yes, there is a way for me to retrieve the passwords of my users. Of course, that's something I'll never do, but who knows if the admin of the GW-related site you've just registered with, with the same PW used for forums, mail addies, GW accounts, etc... will have the same ethics? You can trust people on Guru, GameAmp, or gwonline.net, for example, from this point of view. But what about this guild forum spammed in-game where you need to be registered to read most of the topics?

asdar

Krytan Explorer

Join Date: May 2005

A cypher won't help against a keylogger if you're typing in your own password.

What I do for this is keep a Word file with an unusual name. I open that file and type a bunch of garbage.

llXXlKKKDDD"pas"kkKKl;;;"wo"klsdlkfasd"rd"

I use numbers and letters but I use something I know so I won't forget it.

Then when I log in I open that file, which won't trigger any keystroke logger, and I highlight the sections I want and paste them in. I have a big huge file of this garbage so they can't easily get my password even if they do get that file. I never type in my password so they can't keystroke-capture.

It's really easy to use; I just click File > Open, highlight, copy, paste, enter and I'm in without any fuss and without ever typing my pass.

I agree with the rest too, don't download anything or use forum pass.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
I have a big huge file of this garbage so they can't easily get my password even if they do get that file.
As a professional programmer, I can assure you that anybody with that file and some minimal C or Perl skills could trivially run that file against a list of services you use and discern which password goes to what.

Even assuming you have 5000 passwords, it would take maybe a week to figure them all out, assuming you do them one at a time, and assuming that it takes two minutes per resource to test (which are some pretty long assumptions).

More realistically, someone competent enough to thread the attack script could probably unravel the whole file in about 8-10 hours with a few proxies.

Loviatar

Underworld Spelunker

Join Date: Feb 2005

ATTN. PEOPLE.

https://www.grc.com/x/ne.dll?bh0bkyd2

THE SHIELDS UP SITE HAS A RANDOM PASSWORD GENERATOR THAT BEATS WHATEVER YOU HAVE NOW.

TRUSTED SITE FOR SECURITY FOR YEARS YOU MIGHT LIKE TO HAVE THEM GIVE YOUR PC A PORT SCAN (AND OTHERS) JUST TO SEE HOW LEAKY YOUR SETUP IS.

MINE IS AS TIGHT AS A WINDOZE BOX GETS.

Sir Skullcrasher

Furnace Stoker

Join Date: Jun 2005

California

15 over 50 [Rare]

W/Mo

Quote:
Originally Posted by Loviatar
ATTN. PEOPLE.

https://www.grc.com/x/ne.dll?bh0bkyd2

THE SHIELDS UP SITE HAS A RANDOM PASSWORD GENERATOR THAT BEATS WHATEVER YOU HAVE NOW.

TRUSTED SITE FOR SECURITY FOR YEARS YOU MIGHT LIKE TO HAVE THEM GIVE YOUR PC A PORT SCAN (AND OTHERS) JUST TO SEE HOW LEAKY YOUR SETUP IS.

MINE IS AS TIGHT AS A WINDOZE BOX GETS.
Sorry, I don't open random links!

Y.T.

Jungle Guide

Join Date: Sep 2005

Mo/

Quote:
Originally Posted by Maxiemonster
Yep, it's Kava. The hacker said he got into the forum of the guild or something, and it contained the accounts and passwords.

I hope the guild leader speaks English, so I can explain what happened. I really hope this guild can still get their members back and get into the tournament, since with a bunch of randomly invited people, they won't get far.
But why did they have their passwords on the guild forums? That's really weird...

I feel really sorry for this guild and especially for the officer whose account was hacked.... I hope ANet'll find the hacker and ban him for good.

eternal pho

Banned

Join Date: Nov 2005

The Licious Fame Farmers {TLG}

W/E

As ANet warned everyone, you are NOT supposed to download add-ons or any other GW programs because it risks your account being hacked into.