My office plays League of Legends regularly. It's quite a fun game. This, however, isn't fun at all.
Is it just a fact of doing business in the modern internet age that everyone can and will eventually be pwned?
The best part of this is that it's obviously some legacy system that wasn't properly decommissioned. Think about it, the records haven't been in use for 2+ years? Sounds weird, right?
Remember, if it's on the network somebody can get to it and just because you don't use it anymore doesn't mean you can just stop patching the boxen :(.
> Think about it, the records haven't been in use for 2+ years?
If I read it correctly, only the payments part have been inactive for 2 years- probably because they switched to another system and just left the old records there. The rest of the database is likely to be a current production system though.
> Is it just a fact of doing business in the modern internet age that everyone can and will eventually be pwned?
Unless a company spends decent money on security auditing, pentesting, etc, then yes. It's ridiculous for a software company to be spending tens/hundreds of thousands of dollars a year on security for their physical offices, but to not have routine security audits for their digital property.
I don't think it matters how much money a company spends on security, it'll get hacked if there's strong incentive for that event to occur. Basically, if you're popular... just assume you'll be hacked one day. I think there are only really 2 things you can do.
1. Just make sure the hack isn't something embarrassingly easy like SQL injection in the username/password field. If you get hacked, make sure the hacker had to do something really clever that any developer would go "whoa, that's not an exploit I see everyday..."
2. Assume a hacker got a bash shell to your system and apply the next level of security there. Salted hashes, PGP encryption on any sensitive data. Make sure the salt isn't sitting there in plain view and if pub/priv key, make sure the private-key isn't just sitting there on the same system without a passphrase.
Good advice. I'll add one more thing. If you're dealing with credit cards, the private key should be on a hardware security device with the only backups stored on a couple USB sticks sitting in a safety deposit box at a bank.
Well thats a given since your merchant bank and processor will force you to be PCI compliant including annual reviews. PCI compliance doesn't specify where your private key is stored just that your data is in a "unreadable" state and that you have certain key management procedures in places. For example, hashing your credit cards is acceptable though it can easily be brute forced since its just 16 digit number and the six digit prefix set(BIN) is already known.
Pretty much. Look at company's like Blizzard who are even bigger.
- Their passwords aren't case sensitive.
- Their login form's GET request isn't using https.
- Within 20 minutes of informing a security specialist not affiliated to blizzard he was able to write a script that compromised every single battle.net e-mail address.
* This information is based from about June 2012, I'm not sure if their security measures changed since then but I remember the thread on the bnet forums and it being confirmed by an official moderator-like person saying blizzard was aware of the problem for the longest time but didn't care about fixing it.
I never understood how game companies could be so lazy when it comes to security. They obviously have the talent to do things right and rake in silly amounts of $. Why jeopardize the integrity of their name.
"- Within 20 minutes of informing a security specialist not affiliated to blizzard he was able to write a script that compromised every single battle.net e-mail address."
The difference comes out to be 6.7 bits of entropy for a 12 chraracter, case sensitive and case insensitive alphanumeric with symbols. 81.38 vs 88.08. (Note that this "bits of entropy" number is mostly beyond my comprehension.. could anyone elaborate a bit? I'd assume more==better)
I agree with Steko that being case insensitive is not a big deal. If you force users to use randomly generated passwords, 12+ characters is safe whether case sensitive or not.
On the other hand, if users choose their passwords themselves... Well I made a quick script to analyze the RockYou leak of 32 million plaintext passwords:
91% of passwords are lowercase
5% are uppercase
3% are lowercase but begin with a capital letter
In other words, you can crack 99% of case sensitive passwords just by trying these 3 possibilities!
More characters is always numerically better... but better, as they say, is the enemy of good enough.
And "more ornerous" is the enemy of a paying casual userbase and doesn't help you at all vs the most common attack vectors (keyloggers and social).
Because of blizzard server limits you're not going to brute force login to my battlenet account even if I tell you my username and half of my password.
If you steal the hashes you're probably not going to be able to do anything with it because of work factor key lengthening and the fact that you have to attack each account one at a time.
Even then let's say you've managed to steal blizzards user/salt/hash databases and put a small country's GDP worth of GPU resources into breaking all the passwords. Now you come up against the fact that the vast majority of the accounts, including prohibitively all of the best ones, have 2 factor authentication.
Get past those 3 mission impossibles and you run into even more server side limits on IP logins. And logging in and doing anything on accounts takes time and blizzard's going to quickly figure out something is going on and put the whole thing on lockdown.
So yeah, not a huge deal imho.
...
"bits of entropy" is just the binary log of the character space, 81 bits -> 2^81.
it's one of the reasons why i don't play Blizzard games anymore. it gets old when every time i want to play a game, i need to go through endless webpages to reactivate my account that has been blocked because of 'suspicious activities'.
I do assume that almost all online services will be pwned. I have a small amount of faith that my Google account, Amazon account, and (major) bank account won't be compromised except by my government. Maybe a few other services are this trustworthy to me, but not many, and I can't think of them off the top of my head.
We just need to get used to using throw away credit card numbers from our credit card's website. Or buy game currency/points/time in stores, in the form of cards, to prevent giving out the info that will be pwned sooner or later, on one service or another.
And get used to using throwaway passwords. If your password being compromised on one service makes you worry about other services, you've already done it wrong.
I assume my passwords will be stolen. I even have a generic password I use for many sites that I do not and will never trust.
It could be stolen -- and hell probably has, knowing how many services have been pwned, and how many don't even realize it. But it won't give you anything close to access to any email, bank, or merchant website connected to my debit card, as they're all using unique passwords and 2-factor auth where available.
Startup Idea: Debit/Credit card services that provide not "throwaway" numbers, but separate numbers/info for every major subscription or service you use. Generate an Amazon number, an Xbox live number, a number for your cellphone payment. If any one number is compromised, it can be disabled and handled without any interruption or issue to other numbers and services.
In the age of constant pwning, a debit card that isolated the damage to that one service without any hassle or disruption to any other service would be brilliant. I know I'd pay for that. In fact, how easy would fraud monitoring be when the only charges to a specific number would be allowed from that 1 service. It makes the numbers useless outside of that 1 service you're using it for, even when stolen.
If I understand the service correctly, you can pre-approve companies before you are charged. I think this type of service can be useful outside of their target audience of the elderly.
Secure online account numbers is a free online service offering you added security by protecting your account number while shopping online. When you make a purchase with a merchant using a secure online account number, the number is assigned only to that particular merchant. Once a secure online account number is assigned, the merchant can use it for your future purchases with them unless you specify otherwise. Some merchants, such as Facebook, Amazon, and PayPal, will not be able to use the same secure online account number multiple times. When shopping with those merchants, you will need to use a new secure online account number each time.
Just make sure you keep track of the number you used, or be able to find it in your statements, because some customer validation systems require parts of the CC number. I've had to stall customer service reps several times because I had forgotten.
Also a case study on how not to store passwords. They enforce a maximum length on the user's password. It's something short, like 12 chars. The only reason they would enforce a maximum length is if they were storing the plaintext password in a database somewhere.
I for one am sick and tired of these account breaches. Not only do account details get disclosed, but I am forced to create these accounts to access games which I play. I have a perfectly accessible steam account with an authentication API available that only a handful of games decide to not use.
If you want me to have another account, fine. But promise these two things:
1 - It is worth my time and effort to create the account (I think League of Legends is fine here,they have a large ecosystem, however my two examples above are not.)
2 - You take care of my details. (Which they have all failed.)
In the Activision/Blizzard buyback from Vivendi one of the investors was Tencent, owner of Riot.
Meanwhile Blizzard is also developing a Dota-clone, Blizzard All-Stars.
Unfortunately I can't add anything more but I found that interesting.
Some variety of exploits probably lead to this, for example communication to their internal servers from their public servers may not have been isolated well enough from the outside world (providing a proverbial window into their internal system of services, databases, and APIs).
I'd imagine that Riot Games operates a plethora of servers with one, central, very large database containing all customer billing information.
Large-scale attacks are usually coordinated with a collection of exploits, for example SQL injection can provide a means to utilize XSS for exploiting administrative interfaces leading to session hijacking. This can be useful for reconnaissance and analysis.
I don't buy it. You're exposing your users to massive risk in order to detect fraud on a product that effectively costs $0 for you to provide. I might understand it for a retailer that gets chargebacks for physical items shipped, but that doesn't make sense here.
31 comments
[ 1.6 ms ] story [ 70.1 ms ] threadMy office plays League of Legends regularly. It's quite a fun game. This, however, isn't fun at all.
Is it just a fact of doing business in the modern internet age that everyone can and will eventually be pwned?
The best part of this is that it's obviously some legacy system that wasn't properly decommissioned. Think about it, the records haven't been in use for 2+ years? Sounds weird, right?
Remember, if it's on the network somebody can get to it and just because you don't use it anymore doesn't mean you can just stop patching the boxen :(.
If I read it correctly, only the payments part have been inactive for 2 years- probably because they switched to another system and just left the old records there. The rest of the database is likely to be a current production system though.
> Is it just a fact of doing business in the modern internet age that everyone can and will eventually be pwned?
Unless a company spends decent money on security auditing, pentesting, etc, then yes. It's ridiculous for a software company to be spending tens/hundreds of thousands of dollars a year on security for their physical offices, but to not have routine security audits for their digital property.
1. Just make sure the hack isn't something embarrassingly easy like SQL injection in the username/password field. If you get hacked, make sure the hacker had to do something really clever that any developer would go "whoa, that's not an exploit I see everyday..."
2. Assume a hacker got a bash shell to your system and apply the next level of security there. Salted hashes, PGP encryption on any sensitive data. Make sure the salt isn't sitting there in plain view and if pub/priv key, make sure the private-key isn't just sitting there on the same system without a passphrase.
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu...
- Their passwords aren't case sensitive.
- Their login form's GET request isn't using https.
- Within 20 minutes of informing a security specialist not affiliated to blizzard he was able to write a script that compromised every single battle.net e-mail address.
* This information is based from about June 2012, I'm not sure if their security measures changed since then but I remember the thread on the bnet forums and it being confirmed by an official moderator-like person saying blizzard was aware of the problem for the longest time but didn't care about fixing it.
I never understood how game companies could be so lazy when it comes to security. They obviously have the talent to do things right and rake in silly amounts of $. Why jeopardize the integrity of their name.
Not a huge deal.
"- Within 20 minutes of informing a security specialist not affiliated to blizzard he was able to write a script that compromised every single battle.net e-mail address."
I don't remember this ever happening.
Wouldn't cutting your key search space roughly in half reduce your cracking time greatly, though?
According to Wolfram, for a 12 character password:
The difference comes out to be 6.7 bits of entropy for a 12 chraracter, case sensitive and case insensitive alphanumeric with symbols. 81.38 vs 88.08. (Note that this "bits of entropy" number is mostly beyond my comprehension.. could anyone elaborate a bit? I'd assume more==better)On the other hand, if users choose their passwords themselves... Well I made a quick script to analyze the RockYou leak of 32 million plaintext passwords:
91% of passwords are lowercase
5% are uppercase
3% are lowercase but begin with a capital letter
In other words, you can crack 99% of case sensitive passwords just by trying these 3 possibilities!
More characters is always numerically better... but better, as they say, is the enemy of good enough.
And "more ornerous" is the enemy of a paying casual userbase and doesn't help you at all vs the most common attack vectors (keyloggers and social).
Because of blizzard server limits you're not going to brute force login to my battlenet account even if I tell you my username and half of my password.
If you steal the hashes you're probably not going to be able to do anything with it because of work factor key lengthening and the fact that you have to attack each account one at a time.
Even then let's say you've managed to steal blizzards user/salt/hash databases and put a small country's GDP worth of GPU resources into breaking all the passwords. Now you come up against the fact that the vast majority of the accounts, including prohibitively all of the best ones, have 2 factor authentication.
Get past those 3 mission impossibles and you run into even more server side limits on IP logins. And logging in and doing anything on accounts takes time and blizzard's going to quickly figure out something is going on and put the whole thing on lockdown.
So yeah, not a huge deal imho.
...
"bits of entropy" is just the binary log of the character space, 81 bits -> 2^81.
Then it clearly must have not happened.
It's on the bnet forums somewhere.
We just need to get used to using throw away credit card numbers from our credit card's website. Or buy game currency/points/time in stores, in the form of cards, to prevent giving out the info that will be pwned sooner or later, on one service or another.
And get used to using throwaway passwords. If your password being compromised on one service makes you worry about other services, you've already done it wrong.
I assume my passwords will be stolen. I even have a generic password I use for many sites that I do not and will never trust.
It could be stolen -- and hell probably has, knowing how many services have been pwned, and how many don't even realize it. But it won't give you anything close to access to any email, bank, or merchant website connected to my debit card, as they're all using unique passwords and 2-factor auth where available.
Startup Idea: Debit/Credit card services that provide not "throwaway" numbers, but separate numbers/info for every major subscription or service you use. Generate an Amazon number, an Xbox live number, a number for your cellphone payment. If any one number is compromised, it can be disabled and handled without any interruption or issue to other numbers and services.
In the age of constant pwning, a debit card that isolated the damage to that one service without any hassle or disruption to any other service would be brilliant. I know I'd pay for that. In fact, how easy would fraud monitoring be when the only charges to a specific number would be allowed from that 1 service. It makes the numbers useless outside of that 1 service you're using it for, even when stolen.
If I understand the service correctly, you can pre-approve companies before you are charged. I think this type of service can be useful outside of their target audience of the elderly.
Secure online account numbers is a free online service offering you added security by protecting your account number while shopping online. When you make a purchase with a merchant using a secure online account number, the number is assigned only to that particular merchant. Once a secure online account number is assigned, the merchant can use it for your future purchases with them unless you specify otherwise. Some merchants, such as Facebook, Amazon, and PayPal, will not be able to use the same secure online account number multiple times. When shopping with those merchants, you will need to use a new secure online account number each time.
Crytek: http://www.eurogamer.net/articles/2013-08-05-crytek-pulls-we...
Ubisoft: http://forums.ubi.com/showthread.php/779040-Security-update-...
And even the PSN outage in 2011.
I for one am sick and tired of these account breaches. Not only do account details get disclosed, but I am forced to create these accounts to access games which I play. I have a perfectly accessible steam account with an authentication API available that only a handful of games decide to not use.
If you want me to have another account, fine. But promise these two things: 1 - It is worth my time and effort to create the account (I think League of Legends is fine here,they have a large ecosystem, however my two examples above are not.) 2 - You take care of my details. (Which they have all failed.)
In the Activision/Blizzard buyback from Vivendi one of the investors was Tencent, owner of Riot. Meanwhile Blizzard is also developing a Dota-clone, Blizzard All-Stars.
Unfortunately I can't add anything more but I found that interesting.
Is this simply a lack of SQL injection protection or is it the result of an attacker gaining access to the web/database servers?
I'd imagine that Riot Games operates a plethora of servers with one, central, very large database containing all customer billing information.
Large-scale attacks are usually coordinated with a collection of exploits, for example SQL injection can provide a means to utilize XSS for exploiting administrative interfaces leading to session hijacking. This can be useful for reconnaissance and analysis.
Why oh why would you store the number. Utterly unnecessary for recurring billing.