Blizzard Security Breach - Page 16

Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 10:03 GMT
#301
On August 10 2012 18:54 Maluk wrote:
I'm just wondering what exactly could the "hackers" do even if they catch my password? I mean, if someone steals my account to ladder with it I won't be too mad, and aside from that what are the risks?


For accounts with just SC2, there's not much to be gained. WoW and D3 accounts are rather interesting though, since they contain tradeable items and currency, making it easy to strip the account of valuable commodities to be sold for actual money at some later time.
Such flammable little insects!
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 10:05 GMT
#302
On August 10 2012 18:54 Maluk wrote:
I'm just wondering what exactly could the "hackers" do even if they catch my password? I mean, if someone steals my account to ladder with it I won't be too mad, and aside from that what are the risks?

it isn't really with battle.net, you only really risk the standard wow/diablo account steal if your e-mail had a unique password. the real risk would be if your battle.net password happened to be your paypal password and you hadn't changed it when it came time to farm this data.

we don't like to collect risk potential. we tend to try to stomp it out even if only a minor potential threat caused by user stupidity.
Team Liquid is the used the tampon of the starcraft community.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 10 2012 10:06 GMT
#303
I have a question to the "experts" here.

I'm always wondering about using Brute Force stuff for this. How do you know if a password is correct unless you have it checked on the servers? I mean wouldn't someone who is using that method have to register millions of BNet enquiries, which would make it easy to prevent that? Some explanation on how that stuff works would be appreciated
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
Maluk
Profile Joined August 2011
France987 Posts
August 10 2012 10:10 GMT
#304
Thank you for the answers, Rannasha and multiversed, I guess I don't have to be concerned then. SC2 only ftw
greendestiny
Profile Blog Joined May 2010
Bosnia-Herzegovina114 Posts
August 10 2012 10:12 GMT
#305
I started receiving regular fake MoP invites to my mail about 2 months ago. I believe that Blizzard was hacked around the time of D3's release, and they found out just now about it
"The trespass into our internal network was detected by us on August 4, 2012."

I remember reading official D3 forums when there was a mass of users going: "Blizz, I take every possible precaution and I lost all my gear and gold, your servers have been hacked!" and the massive amount of verbal abuse they received. They should feel vindicated now.
How I appear to you is a reflection of you, not me.
multiversed
Profile Joined December 2010
United States233 Posts
Last Edited: 2012-08-10 10:32:33
August 10 2012 10:14 GMT
#306
i will explain in broad general terms...
brute forcing is most often done with a botnet (a large network of hacked computers.) if a single user attempted to enter 5 million passwords into a server, it would get noticed. if 200,000 computers try 1-2 times each in a controlled method, the associated IP doesn't get flagged, logged, and banned. *this is more the general theory, than the actual practice...*

i'd rather not go into more detail, as this is all stupidly easy to begin with. all it really requires is teenaged angst, or the equivalent.

edit: update for clarity. account was a poor choice of words.
Team Liquid is the used the tampon of the starcraft community.
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
August 10 2012 10:16 GMT
#307
On August 10 2012 19:06 Na_Dann_Ma_GoGo wrote:
I have a question to the "experts" here.

I'm always wondering about using Brute Force stuff for this. How do you know if a password is correct unless you have it checked on the servers? I mean wouldn't someone who is using that method have to register millions of BNet enquiries, which would make it easy to prevent that? Some explanation on how that stuff works would be appreciated


If you have the hash and know the algorithm, you can hash millions of possible passwords and as soon as your hash and the password hash match, you have the correct password. No need to check with the server, it will just do the same algorithm and will consider both equal.

There are databases of password/hash combinations - called rainbow tables - where the cleartext password is already matched to the hash in the database, so you can just search for the hash and get the cleartext as result. To counteract those, it is common practice to add a "salt", i.e. some additional data, to the password which makes it harder to get the correct result in the rainbow table.

Depending on the algorithm, salt, password length, etc., there is an infinitely small chance of two different passwords generating the same hash (0.000....01%) but that actually won't matter because as long as the end result is the same, the server will still accept it as valid because it doesn't know the difference either.
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 10:18 GMT
#308
On August 10 2012 19:12 greendestiny wrote:
I started receiving regular fake MoP invites to my mail about 2 months ago. I believe that Blizzard was hacked around the time of D3's release, and they found out just now about it
"The trespass into our internal network was detected by us on August 4, 2012."


I've been receiving these phishing mails for years, so they're not really new. They tend to pop up whenever a new expansion/game is in beta. I use different email addresses for different websites and I've only ever received these fake mails on 2 addresses I used for some community websites that are known to have been compromised (since they announced it to their users). I have never received any such mail on the address I use for my Battle.net account.

I remember reading official D3 forums when there was a mass of users going: "Blizz, I take every possible precaution and I lost all my gear and gold, your servers have been hacked!" and the massive amount of verbal abuse they received. They should feel vindicated now.


Except that they're not vindicated. The people that lost their D3 account back then simply didn't have the appropriate security measures. It didn't help that Blizzard gave their SMS service that didn't work with D3 the name "SMS Authenticator", which was the main source of people saying that they did have an authenticator and still lost their account. Blizzard has since then renamed the thing to something like SMS Protect or so.
Such flammable little insects!
Dakkas
Profile Joined October 2010
2550 Posts
August 10 2012 10:26 GMT
#309
I must say it's quite contrasting when comparing SC2 gamers' response with D3 gamers' response on this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it however on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".

Fuchsteufelswild
Profile Joined October 2009
Australia2028 Posts
August 10 2012 10:28 GMT
#310
I only just changed my password a couple of months ago and I'm not playing SC2 often nowadays, so stuff it until I get reason to get them to lock it. I have no money on the account.
ZerO - FantaSy - Calm - Nal_rA - Jaedong - NaDa - EffOrt - Bisu - by.hero - StarDust - Welmu - Nerchio - Supernova - Solar - Squirtle - LosirA - Grubby - IntoTheRainbow - Golden... ~~~ Incredible Miracle and Woongjin Stars 화이팅!
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 10 2012 10:39 GMT
#311
@ Morfildur
Aye thanks.

But then there shouldn't be much to worry about at the moment since acquiring the algorithm should be nigh impossible right?
I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.

WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 10:42 GMT
#312
that is the hope/assumption. it would take lifetimes without the key to the door. so to speak.
Team Liquid is the used the tampon of the starcraft community.
Xanthopsia
Profile Joined November 2010
Australia41 Posts
August 10 2012 10:57 GMT
#313
Very unfortunate that this happened however I'm really happy with how honest Blizzard are being telling customers exactly what information was compromised and steps to protect your account rather than avoiding what information was compromised or keeping it to themselves.

Horrible that it has happened, however kudos to Blizzard for handling it the best way possible.
paralleluniverse
Profile Joined July 2010
4065 Posts
August 10 2012 11:01 GMT
#314
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.
fishjie
Profile Blog Joined September 2010
United States1519 Posts
August 10 2012 11:05 GMT
#315
unfortunately since i use the same pw for a lot of websites including financial now i have to change /sigh
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
Last Edited: 2012-08-10 11:08:59
August 10 2012 11:07 GMT
#316
On August 10 2012 19:39 Na_Dann_Ma_GoGo wrote:
@ Morfildur
Aye thanks.

But then there shouldn't be much to worry about at the moment since acquiring the algorithm should be nigh impossible right?
I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.



Companies all use standard algorithms and with some practice you can limit the amount of possible algorithms by just looking at the hash, the only factor that can make it hard is the salt and the password complexity.

The more complex the password is, the less likely it's in a rainbow table and the harder it is to brute force.

A more in-depth Explanation:
A password of length 1 that consists of only lowercase characters (a-z) has a complexity of 26^1, i.e. 26.
A password of length 1 that consists of lower- & uppercase has a complexity of 52
A password of length 1 that consists of lower- & uppercase & numbers and a selection of 50 special characters has a complexity of 112.
A password with those properties but of length 2 has a complexity of 112^2, i.e. 12 544
A password of length 10 with only lowercase characters just has a complexity of 26^10, i.e. 141 167 095 653 376
A password of length 10 with the 112 characters has a complexity of 112^10, i.e. 310 584 820 834 420 916 224

complexity means the range of possible passwords that have to be hashed to find the correct password.

If you add a salt of 10 characters from a selection of 112 characters, it suddenly becomes 112^20 which is a 40 digit number.

Now as for the actual time it takes to hash the password and brute force it, the stronger algorithms take longer than simple algorithms like MD5. You can calculate several million up to several billion ( http://www.codinghorror.com/blog/2012/04/speed-hashing.html ) MD5 hashes per second depending on your PC, so to definitively crack the lowercase-only password, it takes a few hours or at most a few days. To crack the complex password it still takes a few weeks.
Other algorithms like SHA256, etc. are slower, so it takes 10-100 times longer to brute force passwords. Add the salt and it suddenly becomes an eternity.

That is why the rainbow tables exist. Basically each lower- & uppercase only combination for passwords of up to 10-15 characters in length is included in rainbow tables which makes a search for it a matter of seconds.

Most of those that steal a huge amount of password hashes don't bother brute forcing, if it's not in the rainbow tables, they ignore those but still might sell or release those users&hashes. That means that someone who targets a specific user/group can still try to brute force the passwords.

So in summary the best way to protect your password is:
1. Have a long password using special characters, numbers and a mix of upper and lower characters to maximize its complexity
2. Hope that the one storing your password uses a strong salt
3. Hope that the one storing your password uses a strong&slow algorithm.
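
Added example, not part of any post in this thread: a Python sketch of the storage side of posts #307 and #316, showing an unsalted fast hash matching a precomputed lookup table while a per-user salt with a slow function (PBKDF2-HMAC-SHA256) does not, plus the keyspace figures quoted above. The word list, iteration count, 1e9 hashes/s rate and choice of PBKDF2 are assumptions for illustration; the thread does not say what Blizzard uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example, not Blizzard's setting


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Time to hash every candidate once at a given (assumed) hash rate."""
    return keyspace(alphabet_size, length) / hashes_per_second


def unsalted_md5(password: str) -> str:
    """Fast, unsalted storage: identical passwords always give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> password map, a simplified stand-in for a rainbow table."""
    return {unsalted_md5(p): p for p in candidates}


def store_password(password: str, iterations: int = ITERATIONS):
    """Salted, deliberately slow storage: random per-user salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample data: a tiny word list and two users sharing one password.
    table = build_lookup_table(["password", "starcraft", "zergrush"])
    shared = "starcraft"

    print("unsalted hash found in table:", table.get(unsalted_md5(shared)))

    alice, bob = store_password(shared), store_password(shared)
    print("salted records identical:", alice[2] == bob[2])
    print("salted digest found in table:", table.get(alice[2].hex()))
    print("login check:", verify_password(shared, alice), verify_password("wrong", alice))

    # Figures from the post: 26^10 and 112^10 candidates, at an assumed 1e9 hashes/s.
    for size in (26, 112):
        secs = worst_case_seconds(size, 10, 1e9)
        print(f"{size}^10 = {keyspace(size, 10)} candidates, about {secs / 86400:.1f} days")
```
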
paralleluniverse
Profile Joined July 2010
4065 Posts
Last Edited: 2012-08-10 11:09:29
August 10 2012 11:07 GMT
#317
On August 10 2012 19:26 Dakkas wrote:
I must say it's quite contrasting when comparing SC2 gamers' response with D3 gamers' response on this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it however on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".


That's because a lot of people were hacked when D3 launched, because they were too stupid to protect their accounts from keyloggers and phishing scams. They blamed Blizzard. They accused Blizzard of being hacked, even though Blizzard had never been hacked at that time.

They said it was greedy and unfair they had to buy an authenticator to secure their accounts, without realizing that you don't need an authenticator if you're not stupid.

And now that Blizzard has been "hacked", they've actually been proven completely wrong. Blizzard got hacked and nothing that would allow unauthorized access to any account has been compromised. No account will be hacked as a direct result of Blizzard getting hacked.

The D3 community -- what were you expecting from a bunch of people with no internet skills who were dumb enough to get phished and hacked?
Ganondorf
Profile Joined April 2010
Italy600 Posts
Last Edited: 2012-08-10 11:11:04
August 10 2012 11:10 GMT
#318
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc.
Wroshe
Profile Joined June 2011
Netherlands1051 Posts
August 10 2012 11:10 GMT
#319
On August 10 2012 19:26 Dakkas wrote:
I must say it's quite contrasting when comparing SC2 gamers' response with D3 gamers' response on this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it however on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".


I honestly feel that the response here is influenced a lot by how Blizzard has handled this. They came clean and divulged quite a lot of info on what was taken and how it was stored.

I feel that the response would have been a lot less friendly if for example they stored their passwords in plain text (like GOMTV) or if credit card information had been taken.
BlitzerSC
Profile Joined May 2011
Italy8800 Posts
August 10 2012 11:13 GMT
#320
So these hackers now only have my email since I only have an EU account, right?