Hacked Accounts

Oracle was adamant that Java 7 had no sec problems either, and now people are getting compromised all over the place because of drive-by rooting. Software sucks, and it happens.

The most frustrating part of this all for me is that two very valid and relatively trivial changes have been proposed and GGG hasn't seemingly bothered to investigate or comment on either.

1) Don't store password hash in game memory during session
2) Don't store password hash in the clear in a text file (or anywhere) if that's all you need to log in to an account (which is currently the case).

A patch could be written for the above two within an hour or two and would at least break any exploits that rely on either of the two above mechanisms (more likely the first). It wouldn't necessarily patch whatever vulnerability, if any, is being used for information gathering, but it could reduce the value of that as an attack vector and band-aid any potential exploit issue.
ign: SeriouslySRSLY

The latter is also easy to exploit. I wouldn't be surprised if some accounts are compromised that way. Example given - the file is in a location that is shared by default on some Windows desktop versions, and many POE players might be running P2P gaming VPN solutions such as Tunngle or Hamachi, inadvertently exposing the file to outside of their LAN. Not to mention many browser components can access and read files in the directory.
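
The second change proposed in the thread (no password-equivalent hash left in a client file), sketched as an added example that is not part of the original posts or GGG's code. The account name, password, function names and the use of SHA-256 are assumptions made for the illustration; it contrasts a login that accepts the stored hash with one that hands the client a random, expiring, revocable token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side state (hypothetical account and password).
# SHA-256 stands in for the client's unspecified hash; a real server
# would verify passwords with a slow, salted KDF.
ACCOUNTS = {"exile_demo": hashlib.sha256(b"correct horse").hexdigest()}
SESSIONS = {}  # sha256(token) -> (account, expiry timestamp)

def legacy_login(account, client_hash):
    """Scheme described in the thread: the value kept in the client file
    is compared directly, so the file alone is a permanent credential."""
    return hmac.compare_digest(ACCOUNTS.get(account, ""), client_hash)

def issue_token(account, password, ttl=3600, now=None):
    """Check the password once, then give the client a random token.
    The server keeps only a hash of the token plus an expiry time."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(ACCOUNTS.get(account, ""), digest):
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = (account, now + ttl)
    return token

def token_login(token, now=None):
    """Accept a token only while it is known and unexpired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry[1] < now:
        return None
    return entry[0]

def revoke_all(account):
    """Invalidate every remembered login without touching the password."""
    for key in [k for k, v in SESSIONS.items() if v[0] == account]:
        del SESSIONS[key]
```

With the token scheme a copied client file stops working at expiry or as soon as the account's sessions are revoked, whereas the stored hash stays valid until the password itself is changed.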
" Yes, I agree it's not secure. I suppose my point is that I think the more likely attack vector is the client itself rather than the user OS. It's very possible that there is an exploit for this out there, though. ign: SeriouslySRSLY

People absolutely did SOMETHING for this to happen. They're just too stupid to know what it was, most likely because they were tricked into it. There's basically two types of people that got hacked, people that invited it and did something stupid like downloading a (fake) map hack program and people that didn't even realize they gave away their account information (aka, got phished or reused their email/password that they used somewhere else that got compromised). If you don't think you are one of these groups, you're absolutely in the 2nd group and you're ignorant of your mistake.

EDIT: I'll add that a lack of computer security lands you in the 2nd group, as well.

How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934
IGN: TheHammer
Last edited by TehHammer on Feb 21, 2013, 5:45:33 PM

This is indeed possible. All I'm saying is that the OTHER option is also POSSIBLE; that the hackers aren't able, or choose not, to target specific high-level players.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08

Yes, I suppose you're right. The only reason I made that other comment is because there are some here who seem to be adamantly denying that anything other than user stupidity could be to blame, and there have been a couple very good ideas as to other ways the information could be getting leaked, which have nothing to do with user issues (or passwords at all, for that matter).
Invited to Beta 2012-03-18 / Supporter since 2012-04-08

TehHammer, you are mistaken here. While it is true that most username/password tuples are gleaned in this fashion, there are often software exploits that involve vulnerabilities in the software itself. Nobody gets a rootkit installed on their machine because they got their WoW password phished, for example. It's naive to think that these two methods are the only ways to compromise an account, and saying so is damaging in this context, because doing so attempts to discredit other valid points that GGG really needs to look into.

Edit: If there is a vulnerability, you may need only to log in to be exposed. I suppose you can argue that is "SOMETHING".

ign: SeriouslySRSLY
Last edited by Thrombo on Feb 21, 2013, 5:47:12 PM

hahahahahahahaha all these -edit- dling obv hacks and playing it off by saying someone hijacked their account
Last edited by peachii on Feb 21, 2013, 5:55:35 PM

I am currently trying to pry my palm away from my face. I have to commend you though. At least you're up front about your stupidity.
Last edited by peachii on Feb 21, 2013, 5:55:51 PM

I am arguing that you are completely wrong in your assessment of how people are getting hacked. There is no way people are simply "logging in" to get hacked. If that was the case, the high end players with tons of currency would be the first to get hacked as that's where the profit lies. The sample of who is getting hacked is absolute proof that they aren't hand picking those who "log in" and stealing their info. People are getting hacked because they are doing something stupid, in many cases, they don't KNOW they're doing something stupid. That's called ignorance. Of course they claim they did nothing wrong, they don't KNOW that they did something wrong.

How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934
IGN: TheHammer