Page 2 of 3 (results 11 to 20 of 21)

Thread: Attenzione

  1. #1
    Propheta (Spirito Libero), joined Jul 2004, age 45, 4,591 posts

    Re: Attenzione

    Video of people getting hacked :P
    I don't check my spelling... don't nag.

  2. #2
    Propheta (Spirito Libero), joined Jul 2004, age 45, 4,591 posts

    Re: Attenzione

    #1 - 2012/05/27 10:13:00 PM

    I keep seeing the following things being thrown about, so I want to try and provide information to address them and debunk them.

    1. "Battle.net has crappy security because they make you use your email address as your username"

    -To start, the hackers need to get your username and password. Whether your username is your email address or something you just make up, they obtain it the same way they get your password: keylogger, phishing, etc. ALL of the methods used to get the password are just as effective at also getting a username. As for the email, you have to have an email attached to your account no matter what. The fact that the email is or is not the username makes no difference and won't make fewer people use that email for fan sites and other public places.

    In addition, please see this post by discomatt:
    http://us.battle.net/d3/en/forum/top...97?page=25#489

    2. "Because the passwords aren't case sensitive, our accounts are less secure and people get hacked that way"

    -This makes the assumption that someone is brute-forcing passwords. While it is true that currently Diablo 3 does not lock out an account after X number of attempts, it DOES appear that it limits the number of attempts via some kind of logon attempt throttling. In other words, brute-forcing needs to be able to attempt thousands of passwords a second in order to be effective. But this isn't possible if the number of attempts per second is throttled/limited.

    This means that brute-forcing would really only be able to be done for "easy" passwords that you could guess, like "password". The catch-22 here, though, is that the addition of case-sensitive passwords isn't going to suddenly make people have an epiphany about account security and change their password from "password" to something stronger. So, it's not a magic bullet.

    3. "Session-hijacking/spoofing is how people are getting hacked."

    -Blizzard made a statement that such a form of hacking was "technically impossible". From what I can see in Wireshark, and from joining public games with others, in order to "session-ID hijack" like what happened in RIFT, the data to do so simply doesn't exist, as far as I can tell. It doesn't even look like they use session-based communication (at least that I can tell, but I admit I'm a bit weaker in this area of expertise), which would, in fact, make "session hijacking" a technical impossibility. But if some other such exploit does exist, I hope someone finds it and offers up proof so Blizzard can fix it. But until then, the existence of such an exploit is nothing more than conjecture and anecdote.

    A couple of other users and I tried an experiment of joining games with "hackers" that others had said took their stuff (they were on their recently-played-with list after being compromised). In mine I even taunted these supposed hackers in an effort to get them to "exploit" my account. As expected, nothing bad ever happened to any of our accounts. I admit, though, this is just anecdote, but take it for anecdotal evidence, since many here seem to enjoy doing so when it comes to trying to claim Blizzard is the one who got hacked and not them.

    4. "Authenticators shouldn't be necessary just because Blizzard has bad security."

    -Authenticators enhance END USER security. If there was a security issue on Blizzard's end, the authenticators would be useless. If they were able to compromise Blizzard to get your password, they'd also be able to get the information (seeds, keys, etc.) needed to generate or bypass authenticator codes.

    And on that note, a bit about your passwords at Blizzard. Understand that obtaining them is no easy feat. They are stored as hashes, and are not in plain text anywhere in any manner that Blizzard or anyone else can obtain them. They would have to be cracked, and doing so in and of itself is not an easy feat. Credit card data is easier to obtain, because it is often stored in a form that can be decrypted, or with encryption that is easier to break, since there is a need for that data to be available in some kind of plain text format, whereas your Battle.net passwords are never in any kind of plain text format. (I'm being very basic here.)

    5. "Authenticators make your account unhackable".

    -This isn't true either. There are nasty bits of malware out there that can help a hacker circumvent them, but they are incredibly rare. There was (possibly still is) one that worked for WoW accounts, with a handful of accounts with authenticators being compromised, and Blizzard verified this. So far, though, Blizzard has said no Diablo 3 accounts with authenticators were hacked.

    6. "Diablo 3 accounts with authenticators have been compromised"

    -The only way this will really be proven is if Blizzard admits it. There is no way for someone to actually prove their account was protected with a keyfob or mobile app authenticator at the time of their compromise. And in fact, it would be to Blizzard's BENEFIT to admit if such a thing occurred with Diablo 3. Since such a compromise would be done via a nasty malware or virus, Blizzard would want to alert the Diablo 3 community to the verified threat.

    Also, most of those threads you see about this are people who used the dial-in authenticator without realizing it doesn't work for D3.

    7. "Sony got hacked, so Blizzard could be hacked too"

    -Sony also told everyone what information was compromised. Blizzard would do the same should they discover such a scenario. (And chances are they'd know before we would.) And, you're right, NO ONE is infallible, including Blizzard. But realize that is an unlikely scenario, whereas a bunch of users falling for phishing scams and whatnot is a far more likely scenario. Especially when there is nothing but anecdote and conjecture to try and suggest otherwise.

    8. "There's just too many accounts being hacked for it to not be some breach at Blizzard"

    -People have been claiming this for years. I have seen far more threads on hackings on the WoW forums in WoW's heyday than what we have seen here. And this isn't unique to Blizzard either. Every MMO has this stuff happen, and has threads about compromises, and there is always a big rabble about blaming the company and not the users. Blizzard is not unique in this.

    9. "I don't go to fishy websites and I don't have any keyloggers, so how did I get hacked?"

    -Read these:
    http://us.battle.net/d3/en/forum/topic/5271501737
    http://us.battle.net/d3/en/forum/topic/5271602204

    10. "This is just a conspiracy for Blizzard to make even more money selling authenticators!"

    -If this was a big money-making conspiracy, then why would they offer the mobile authenticator for free? As for the keyfob, it's $6.50 with free shipping in the US. That is at, or more likely below, cost. The authenticators are Digipass GO 6 tokens made by Vasco. The cost per keyfob in bulk from Vasco is typically around $20 on the cheap end, so $6.50 is a good deal. And even then, that doesn't factor in the infrastructure and backend cost. It requires at least one server to run the authentication, a database, licensing, and software to interface with Battle.net, along with personnel to support and maintain all of that.

    11. "but nothing is free, so they have to be making money on authenticators!"

    -No, it's actually reducing a calculated loss. You see, for every account compromised, blizzard has to have staff to handle it and infrastructure to provide restores, etc. So there is a very real cost to blizzard for each account that gets compromised. They try to minimize that cost with a "cheaper" cost by offering the authenticators (again free or at cost). So, the more accounts that have authenticators, the more money they will save since it reduces the chance of a compromise.

    12. "I'm in IT so I know I didn't get hacked"

    -Most who say this are probably lying. For those that aren't lying, then they are not too good at security. Nothing is more dangerous to the infrastructure of a network than an IT guy who thinks they are infallible or that they are so good that they are less likely to be hacked than Blizzard. So in fact, people like that are more vulnerable to attack. Which brings me to my next point.

    13. "Blizzard cannot be hacked"

    -No one is infallible. Not even Blizzard. The difference, however, is this. No matter how good you think you are at securing your computer, Blizzard is better. They have their entire company and livelihood at stake. They are also publicly traded, and have to contend with constant audits and security scans which are designed to find flaws and failures in their security. I guarantee you don't. So again, is it possible? Of course. It's just not likely.

    And there is no evidence to suggest otherwise. A bunch of anecdotes on forums with tales of black helicopters in the night simply doesn't carry weight. And if you think this is a lot of threads about hackings, then you haven't been around online gaming much. And in fact with every game it's the same song and dance. In WoW's heyday people swore up and down for years that Blizzard must have been hacked because, omg, look at all the forum threads. Or, omg, look at all these threads, it must be an exploit of WoW or Battle.net. Nothing ever came to fruition.

    14. "Blizzard is a greedy corporation who would do everything in their power to cover up a breach"

    -This is unequivocally false. Just like other companies that were breached (including Blizzard in 2001!), Blizzard would probably notify us of a breach within a couple of weeks of it occurring. Because the penalty and consequence of them covering it up and being discovered later would be FAR worse than admitting it in the first place. We're talking billions of dollars lost, including the possibility of them losing their ability to be publicly traded, etc.

    15. "The hackers only stole my Diablo 3 stuff; if it was a compromise on my end, why wouldn't they have taken my banking info and PayPal login, etc.?"

    -Because, according to blues on the WoW forums, the most common form of compromise for Battle.net accounts is phishing scams. In other words, keylogger compromises are rarer, which is why your banking and PayPal info is safe. If you got hacked via one of the various methods that do not require any kind of keylogger to perpetrate, this explains why only your Diablo account was hacked.

    A long text to read, but it's worth it.
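Points 2 and 4 of the post quoted above make two separate claims: that a throttle on login attempts, not password case-sensitivity, is what bounds online guessing, and that hashed storage means a leaked table still has to be cracked one guess at a time. The following is an added illustration of both, not code from the quoted post or from Battle.net. The throttle budget (5 attempts per sliding 60 s window, no lockout), the PBKDF2 cost and the word list are assumptions chosen for the demo.

```python
"""Online guessing against a throttled login vs. offline cracking of leaked hashes.

Added illustration; not Battle.net code. The throttle budget, hash cost and
word list are assumptions chosen for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERS = 1_000            # assumption: low cost so the demo runs quickly
WINDOW_MS = 60_000              # assumption: sliding 60 s throttle window per account
MAX_ATTEMPTS_PER_WINDOW = 5     # assumption: attempts evaluated per window, no lockout


def normalize(password: str, case_sensitive: bool) -> str:
    """A case-insensitive policy folds the password before hashing."""
    return password if case_sensitive else password.lower()


def make_record(password: str, case_sensitive: bool) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    pw = normalize(password, case_sensitive).encode()
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERS),
            "case_sensitive": case_sensitive}


def verify(record: dict, candidate: str) -> bool:
    pw = normalize(candidate, record["case_sensitive"]).encode()
    digest = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], PBKDF2_ITERS)
    return hmac.compare_digest(digest, record["hash"])


class ThrottledLogin:
    """Login front end: no lockout, just a per-account attempt budget per window."""

    def __init__(self, record: dict):
        self.record = record
        self.recent = []  # timestamps (ms) of attempts that were actually evaluated

    def login(self, candidate: str, now_ms: int) -> str:
        self.recent = [t for t in self.recent if now_ms - t < WINDOW_MS]
        if len(self.recent) >= MAX_ATTEMPTS_PER_WINDOW:
            return "throttled"          # dropped before any hashing happens
        self.recent.append(now_ms)
        return "ok" if verify(self.record, candidate) else "bad"


def online_guess(front: ThrottledLogin, dictionary: list, seconds: int,
                 guesses_per_second: int = 1000):
    """Attacker fires one guess per tick; a throttled guess is simply re-sent.

    Returns (password_found_or_None, number_of_guesses_the_server_evaluated).
    """
    words = iter(dictionary)
    word = next(words, None)
    evaluated = 0
    for tick in range(seconds * guesses_per_second):
        if word is None:
            break                                # dictionary exhausted
        result = front.login(word, tick * 1000 // guesses_per_second)
        if result == "throttled":
            continue
        evaluated += 1
        if result == "ok":
            return word, evaluated
        word = next(words, None)
    return None, evaluated


def offline_crack(record: dict, dictionary: list):
    """Attacker holding the hash table: no throttle, only the hash cost per guess."""
    for i, word in enumerate(dictionary, 1):
        if verify(record, word):
            return word, i
    return None, len(dictionary)


def keyspace(length: int, case_sensitive: bool) -> int:
    """Alphanumeric passwords: case folding shrinks the alphabet from 62 to 36."""
    return (62 if case_sensitive else 36) ** length


def demo_dictionary() -> list:
    """Constructed word list: a few common passwords, then filler guesses."""
    return ["123456", "qwerty", "letmein", "Password"] + [f"guess{i}" for i in range(996)]


if __name__ == "__main__":
    words = demo_dictionary()
    folded = make_record("password", case_sensitive=False)
    print("online, case-folded:   ", online_guess(ThrottledLogin(folded), words, 600))
    exact = make_record("password", case_sensitive=True)
    print("online, case-sensitive:", online_guess(ThrottledLogin(exact), words, 600))
    print("offline, leaked hash:  ", offline_crack(folded, words))
    print("8-char keyspace ratio: ", keyspace(8, True) // keyspace(8, False))
```

Ten minutes of hammering the throttled endpoint at 1,000 guesses per second gets exactly 50 guesses evaluated, so only a password near the top of a common-password list falls; case folding shrinks the 8-character alphanumeric keyspace by a factor of 77, which is irrelevant at 5 guesses a minute but is a real multiplier once the hash table has leaked and the only limit is the hash cost per guess. Note the throttle is keyed per account here; a real deployment also has to consider attackers spraying one guess across many accounts.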

  3. #3

    Re: Attenzione

    To put it plainly, as anyone who knows the computing world is well aware, the PCs of us ordinary mortals are not, and I repeat not, invulnerable; if a hacker wants to get into my PC he does it, and in 2 to 5 minutes.
    Using an authenticator can help; it doesn't guarantee total immunity from fraud, but it certainly helps make the Chinese guy curse for a few more minutes.
    More security can come from authenticator + changing your password... although you can't know when they'll get into your PC... so you can change the password even every day... and every day could be that day...
    Moral of the story... it's all a matter of LUCK.

  4. #4
    Propheta (Spirito Libero), joined Jul 2004, age 45, 4,591 posts

    Re: Attenzione

    Since I frequent security and decrypting sites for work, I went looking for info on the subject and found something interesting.
    With WoW or Diablo this can potentially all be done through the client. The client (although web-based) connects to a web server that is possibly (although we do not know this for certain) in what they call a DMZ (DeMilitarized Zone). This means that the server is exposed on the open internet for connection and as such is much more vulnerable than the internal servers that handle account information and authentication. Now those servers are behind a firewall and safe... well, again, sort of. When you allow traffic to pass through your firewall from a DMZ you usually create different security zones (in Cisco systems these are security levels and are represented by numbers) and obviously put the DMZ in a "lower" security level than the inside network. So (if Blizzard is using Cisco ASA hardware) you would have the internet set to security level 0, the DMZ set to something like 50 and the internal network set to 100. Your DMZ will also be on a separate IP address range to further isolate it and protect the internal network. The simple act of doing that allows higher security networks to have access to the lower security networks but not in reverse. To allow information (such as database requests, authentication requests etc.) you have to create rules which allow these connections. These are typically restricted by IP (and in some cases MAC address) and only point to specific servers. In a "best case" design the requests for read information in terms of authentication and database access go to read-only copies of the authentication servers and database. These make it harder for a potential attacker to impact the network and database servers from a compromised server in the DMZ. Now once authentication takes place read and write access is needed (in case you want to update your account information etc. and to apply in-game information/updates). This is the most critical piece of the puzzle and where a typical network would have the most security in place.

    We have worked on crazy designs that had primary and secondary write servers that were heavily protected before information was written back to the main database servers (after running the information through multiple scans looking for attempted injection attacks etc.). We would honestly expect no less from a company like Blizzard, but still their system IS being compromised, as is indicated by the sheer number of compromised accounts. This could mean a couple of things: One, the connection to the Blizzard servers for authentication is not secure. Two, someone has found a way to read authentication information off of the servers during the authentication stage. Now this may seem like a bold claim, but let's look at the situation. If a single edge server is compromised someone can read the data packets that are traveling from there through the firewall to any existing authentication servers. At this point you do not have to put keyloggers on thousands of accounts. You only have to skim data off of the edge server as it passes through. Now this is all theory (and something of an oversimplification of security) as we do not know exactly how Blizzard has built their network (or the hardware used in it), but it does provide a perfect example of how someone can use the system to great effect and grab user information at a single point. Hacking an edge server is also much easier than trying to monitor thousands of individual user accounts to skim their data. Instead you pull from one or two sources and harvest en masse.

    We have noticed that Blizzard is very careful with what they are saying, using statements like: "What I can still confirm is that our database hasn't been brute-force hacked, nor has the personal information of our playerbase been compromised in any way on our end. We're not kidding when we always say account security is very important to us. If we found any evidence that even a single account's login information was stolen from us, or our databases were otherwise vulnerable to attack, we'd inform our players and do whatever it'd take to lock everything down." (zaryhm-02)

    They are right: in the scenario I described above the database is not touched at all except for normal transactions. The comment "nor has the personal information of our playerbase been compromised in any way on our end" is interesting because, again, they are saying that no one has gotten to the authentication servers and hacked them. It does not address the possibility of an edge-based attack or that someone is skimming traffic to and from another server (perhaps a server that hosts a specific world, or again the edge web servers). All we see here is that Blizzard does not know what is happening and as such they are automatically blaming the people that are using the game. Again, this move is both unprofessional and ignorant on their part. What Blizzard needs to do now is to acknowledge the possibility of a compromise of the system and then do an actual investigation to identify what is happening, perhaps even setting up honeypot accounts to see how the compromises are happening in the first place. We just simply cannot believe that every hack has been due to keyloggers and malware; it is exceptionally unlikely. Additionally, if this were the case we are fairly confident that end users would also see problems with their bank accounts as well.
    Sorry, but it strips the text formatting... I'll see about fixing it later. Source: http://www.decryptedtech.com/index.p...sue&Itemid=139
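Whether the edge-skimming scenario in the article quoted above actually yields credentials depends on what the login protocol sends through the edge. The following is an added illustration of that dependency, not the article's code and not Blizzard's protocol (which the page does not describe). It models a compromised DMZ front end that logs every message it relays to the internal auth server, and runs two toy protocols through it: one that ships the password itself, and a challenge/response in which the client only proves knowledge of a password-derived key against a single-use nonce. The account name, password, word list and PBKDF2 cost are constructed for the demo.

```python
"""What a compromised edge server can skim from login traffic, by protocol.

Added illustration; not the quoted article's code and not Blizzard's protocol.
The two toy protocols, the account, the word list and the hash cost are assumptions.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 1_000  # assumption: low cost so the demo runs quickly


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class AuthServer:
    """Internal auth server behind the firewall; stores salted keys, not passwords."""

    def __init__(self):
        self.users = {}     # username -> (salt, key)
        self.pending = {}   # username -> outstanding single-use nonce

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))

    # Protocol A: the client ships the password itself through the edge.
    def plaintext_login(self, user: str, password: str) -> bool:
        salt, key = self.users[user]
        return hmac.compare_digest(derive_key(password, salt), key)

    # Protocol B: challenge/response; the password never leaves the client.
    def challenge(self, user: str) -> dict:
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return {"salt": salt, "nonce": nonce}

    def respond(self, user: str, tag: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # each nonce is usable exactly once
        if nonce is None:
            return False
        _, key = self.users[user]
        return hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), tag)


class Edge:
    """DMZ front end relaying to the auth server; compromised, so it logs everything."""

    def __init__(self, backend: AuthServer):
        self.backend = backend
        self.log = []   # (operation, request fields, reply), all seen in the clear

    def relay(self, op: str, **request):
        reply = getattr(self.backend, op)(**request)
        self.log.append((op, dict(request), reply))
        return reply


def client_plaintext(edge: Edge, user: str, password: str) -> bool:
    return edge.relay("plaintext_login", user=user, password=password)


def client_challenge(edge: Edge, user: str, password: str) -> bool:
    ch = edge.relay("challenge", user=user)
    tag = hmac.new(derive_key(password, ch["salt"]), ch["nonce"], "sha256").digest()
    return edge.relay("respond", user=user, tag=tag)


def skim_passwords(edge_log: list) -> list:
    """Protocol A hands the password itself to whoever holds the edge."""
    return [req["password"] for _, req, _ in edge_log if "password" in req]


def replay_tag(edge: Edge, user: str, edge_log: list) -> bool:
    """Protocol B: re-sending a skimmed tag fails because its nonce was consumed."""
    tags = [req["tag"] for op, req, _ in edge_log if op == "respond"]
    return edge.relay("respond", user=user, tag=tags[0]) if tags else False


def crack_transcript(edge_log: list, dictionary: list):
    """Protocol B still leaks (salt, nonce, tag): the edge holder can test guesses
    offline without touching the server. That residual risk is what a PAKE removes."""
    challenge = None
    for op, req, reply in edge_log:
        if op == "challenge":
            challenge = reply
        elif op == "respond" and challenge is not None:
            for guess in dictionary:
                key = derive_key(guess, challenge["salt"])
                expected = hmac.new(key, challenge["nonce"], "sha256").digest()
                if hmac.compare_digest(expected, req["tag"]):
                    return guess
            challenge = None
    return None


def run_demo() -> dict:
    server = AuthServer()
    server.register("alice", "correct horse")        # constructed account
    edge = Edge(server)
    result = {
        "plaintext_ok": client_plaintext(edge, "alice", "correct horse"),
        "challenge_ok": client_challenge(edge, "alice", "correct horse"),
    }
    result["skimmed"] = skim_passwords(edge.log)
    result["cracked"] = crack_transcript(edge.log, ["123456", "hunter2", "correct horse"])
    result["replay_ok"] = replay_tag(edge, "alice", edge.log)
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Both logins succeed, but only protocol A leaves the password in the edge's log, and the skimmed protocol B tag cannot be replayed. The caveat is the last function: a password-derived challenge/response still gives a passive skimmer a transcript that verifies dictionary guesses offline, so a weak password falls anyway; password-authenticated key exchange protocols such as SRP are designed so the transcript is useless for that. An edge that can also modify traffic, rather than just read it, is a stronger attacker than this model covers.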

  5. #5
    Propheta (Spirito Libero), joined Jul 2004, age 45, 4,591 posts

    Re: Attenzione

    Here you can read a detailed article on the technology used to hack Battle.net accounts: https://www.eff.org/wp/detecting-packet-injection, for those who know about this stuff... have fun tracing data and stealing secrets on the net :P

  6. #6
    TraumFabriK (IL Briatore del BloodBowl), joined Jan 2007, location: Fuori da un cantiere, 6,534 posts

    Re: Attenzione

    How cool.
    I'm me, and you lot ain't shit (G. Belli)

  7. #7
    nanodagiardino (autostoppista galattico), joined Jul 2004, location: Un giardino, Brescia, Italia, age 57, 6,036 posts

    Re: Attenzione

    Quote Originally Posted by TraumFabriK:
      How cool.
    See?
    You who were looking for alternative sources of income: there you go.

    Currently: messing around while waiting for something exciting
    Previously: VogonJetz(F), Vogon, Nanodagiardino, Janx or JanxOl'Spirit on a thousand online games
    Co-founder of the Fremen community.

    Evil blogger: Umarells videoludici (publishing currently suspended)

    "What matters isn't winning, it's winning with elegance." (A. Pazienza)
    "Illinois Nazis? I hate Illinois Nazis!" (J. Belushi)
    "Don't panic!" (The Hitchhiker's Guide to the Galaxy, D. Adams)


  8. #8
    TraumFabriK (IL Briatore del BloodBowl), joined Jan 2007, location: Fuori da un cantiere, 6,534 posts

    Re: Attenzione

    Quote Originally Posted by nanodagiardino:
      See?
      You who were looking for alternative sources of income: there you go.
    Reported.

    Just in case they arrest you for incitement to deviance in its various forms.

  9. #9
    nanodagiardino (autostoppista galattico), joined Jul 2004, location: Un giardino, Brescia, Italia, age 57, 6,036 posts

    Re: Attenzione

    Bah.
    Reporting someone for incitement to crime when in the post right before you expressed enthusiastic appreciation for the very same conduct
    doesn't seem like a great move, you know?
    I think you're working too hard these days.



  10. #10
    TraumFabriK (IL Briatore del BloodBowl), joined Jan 2007, location: Fuori da un cantiere, 6,534 posts

    Re: Attenzione

    Quote Originally Posted by nanodagiardino:
      I think you're working too hard these days.
    I think so too.

    Seeing the BOs on the real-money Diablo auction house, I'm half tempted to do that for a living.
