  1. #241

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon
    AntiVirus Detection
    Here are the detection abilities of some major AntiViruses to Date (Mar 1, 2010). AntiViruses not listed did not detect anything.
    Does that mean Norton antivirus didn't detect anything? I don't use it, I just thought it was one of the better ones.

    I use Comodo, but that seems to have missed NullSoft Packed File too.

  2. #242

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by jobdone
    Does that mean Norton antivirus didn't detect anything? I don't use it, I just thought it was one of the better ones.

    I use Comodo, but that seems to have missed NullSoft Packed File too.
    That's right. Norton/Symantec/Insight as of this morning (Mar 1) do not detect any of the samples. I have submitted the samples to all major antivirus companies but it's in a queue for generic submissions.

    It's great to stop the virus as early as possible, but since malware authors are encrypting their data, it's hard for scanners to know what happens until after the package is decrypted/unpacked. If anything, the AntiVirus must protect against the malicious code, which is only the emcor.dll file.

  3. #243

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    If Norton isn't very good and Comodo also isn't up to scratch, which antivirus do you recommend (pref free)?

  4. #244

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    In no specific order...

    Non-Free AV:
    Norton as of the 2009/2010 version is very good, but will still miss obscure/packed samples more than some other AntiViruses.

    These are usually my top two recommendations:
    Kaspersky is probably the top detector and protector for systems.
    ESET NOD32 is probably the smallest, fastest, and most effective at detecting samples that many others miss without false positives.

    Free AV:
    Microsoft Security Essentials - Free and Fast
    Avast Home Edition
    Avira AntiVir - Probably can detect as much as NOD32 but generally has more false positives.

    Other Notes:
    Some other security solutions may use multiple engines, like G-DATA and F-Secure. They might have a 1-2% detection lead because of this, but I do not know much about the performance hit. Also, some AntiViruses include better generic system protection when something unknown is run. For example, McAfee Enterprise and Symantec Endpoint Security (not available to the general public) are actually really good but require an IT person to set them up properly.

  5. #245

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Ryuko
    You can't just simply remove the authenticator. It asks for two new codes before you can.

    So your method fails.
    I think the point went over your head. The point was simply that authenticators do not make an account invulnerable. Also, if you'd read my later posts you'd know that I mentioned that exact thing as a way to mitigate the damage.

  6. #246

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    This "ZTIC" (zone trusted information channel) seems to fully mitigate man-in-the-middle attacks actually, but the solution seems to be a little expensive at the moment (in hardware costs, ~$70 per device)... However, there is no reason such technology can't be produced and distributed a lot cheaper!

    http://www.ubs.com/1/e/ebanking/inte...ccess_key.html

    edit:
    IBM about the technology, in English: http://www.zurich.ibm.com/ztic/

  7. #247

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    The "ZTIC" USB device could be bypassed using a similar method. The weakness again is the environment the programs run in. What's to stop a hacker from programming something that intercepts the network traffic that device uses?

    No security is 100% but the idea is to make it so difficult and time consuming that it is not worth the time and effort to bypass the security. The Blizzard authenticator does that for most cases.

    //Edit:

    After reading your updated post, I see that the methods used to protect against OS vulnerabilities were addressed. However, I still see that it is possible to hijack the data since the device is only verifying a secure connection to the server. If malware is on a system, it can be made to show the user anything or just connect to another server with your provided information. The ZTIC would only be there to confirm data sent to the authentication server was correct. Another security method like this ZTIC is called the YubiKey.

  8. #248

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by TobiasX
    The majority of viruses target a computer; they don't care whether it's a Mac or a Windows PC.
    There are a number of viruses that specifically target Windows PCs. This is a very small number relative to the total number of viruses that exist.
    You're clueless, stop posting as if you know what you're talking about.
    Originally Posted by Blizzard Entertainment
    Hi Turtle. According to your account records an authenticator was not attached to the account until after the compromise.

  9. #249

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon
    The "ZTIC" USB device could be bypassed using a similar method. The weakness again is the environment the programs run in. What's to stop a hacker from programming something that intercepts the network traffic that device uses?

    No security is 100% but the idea is to make it so difficult and time consuming that it is not worth the time and effort to bypass the security. The Blizzard authenticator does that for most cases.

    //Edit:

    After reading your updated post, I see that the methods used to protect against OS vulnerabilities were addressed. However, I still see that it is possible to hijack the data since the device is only verifying a secure connection to the server. If malware is on a system, it can be made to show the user anything or just connect to another server with your provided information. The ZTIC would only be there to confirm data sent to the authentication server was correct. Another security method like this ZTIC is called the YubiKey.
    Yeah, but kernel and BIOS attacks are a completely different league when it comes to computer security and hacking... After a successful attack on that level, there's pretty much little to nothing you can do...

    "IBM expended a lot of effort to figure how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB runs independent of the PC, it does not have access to the computer's processor.

    ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish a SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it."
    http://pindebit.blogspot.com/2009/03...#ixzz0h19kS3tm

    One strength is that it will also discover attacks, and should in theory be able to boot the user (and make it impossible to log in again for a certain time frame).

    However, the costs related to this technology make it unlikely that Blizzard implements a similar technology for World of Warcraft. It is simply cheaper to deal with hacked accounts (unless 12M players suddenly want to pay $70 to get a safer account).

    edit:
    I'll admit I have limited experience with this, and haven't spent enough research to state that this is a foolproof solution. But it seems like one of the stronger options available when it comes to online authentication today, and this is also said to be one of the best options available for online banking services today.

  10. #250

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by MurphyPI
    ...
    One strength is that it will also discover attacks, and should in theory be able to boot the user (and making it impossible to log in again for a certain time frame).
    The hack in the original post worked just by key logging or monitoring input and blocking the connection to the real authentication server. With the ZTIC, if malicious code was intercepting the connection, the user should stop (hopefully) and wonder why the security token was inactive/invalid!

    Here is IBM's official video on the ZTIC: http://www.youtube.com/watch?v=mPZrkeHMDJ8&fmt=18

    In their demo, they are showing how to protect the connection to the secure server and validate the data in the case it was modified. The user is still entering information on the Malware Computer and seeing everything as normal. Hackers in these cases don't want to modify the data, but instead send it somewhere else without using the OTP.

  11. #251

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon
    In their demo, they are showing how to protect the connection to the secure server and validate the data in the case it was modified. The user is still entering information on the Malware Computer and seeing everything as normal. Hackers in these cases don't want to modify the data, but instead send it somewhere else without using the OTP.
    Forgive me if I am slow here, but what good is the user name and the static password for the hacker, as long as he cannot use a generated one-time password to actually log in? I still fail to see how this is not strengthening account security drastically...?

  12. #252

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    The hacker wants to steal the data entered BEFORE it reaches the network and becomes encrypted.
    The ZTIC wants to validate the data to make sure what you entered matches what the server sees.

    ZTIC is protecting the stream of data to a secure server by showing you the information on a secure non-infected device and asking for your confirmation.

    To gain access to a battle.net account, all I need is a username (email) and password. If I can get this information, I can log in somewhere else with or without the ZTIC. If we add an authenticator, then all that changes is the time window in which I can use that OTP. Since the OTP is invalid once used, I would need to prevent the OTP entered from ever being sent to Battle.net. This doesn't mean I have to change it; only block it. If changed, it is possible for the ZTIC to display a prompt on the mini device confirming that the OTP I used was the one I typed in. If I just block or redirect it, the ZTIC has no information to validate and remains idle.

    Think of ZTIC as just another computer and miniature monitor. It is a system you trust not to be infected with malware so what it displays is true information. This doesn't stop the user from entering information on the malware system and allowing their information to leak out.

    If ZTIC integrated an OTP generator for login, then it would protect against these attacks.
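
    The post above turns on two properties of the one-time password: it stops working the moment the server consumes it, and it stays usable until then (within its time window) if it never reaches the server. The following is an added illustration, not code from this thread, from Blizzard or from IBM: a minimal TOTP-style code generator and a server-side validator that enforces single use. The secret, the 30-second step, the one-step tolerance window and the in-memory "consumed" set are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumption: 30-second time steps, as in common TOTP deployments
WINDOW_STEPS = 1    # assumption: accept the current step and one step either side


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def current_step(now: float = None) -> int:
    """Time step for wall-clock time (or a supplied timestamp)."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


class OtpServer:
    """Server-side validator: each time step's code may be consumed exactly once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()   # steps whose code has already been accepted

    def verify(self, code: str, now_step: int) -> bool:
        for step in range(now_step - WINDOW_STEPS, now_step + WINDOW_STEPS + 1):
            if step in self.consumed:
                continue            # replay of an already-used code is rejected
            if hmac.compare_digest(totp(self.secret, step), code):
                self.consumed.add(step)
                return True
        return False                # wrong code, or outside the accepted window


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    server = OtpServer(secret)
    code = totp(secret, 1000)
    print("first use accepted:", server.verify(code, 1000))
    print("second use accepted:", server.verify(code, 1000))
    print("accepted five steps later:", server.verify(code, 1005))
```

    Run it and the three lines read True, False, False: the code works once, a replay fails, and the code dies with its window. The case the post is describing is the middle one seen from the other side: if the code is captured and never reaches the server, the server has nothing in its consumed set, so the first presentation of that code within the window is still accepted whoever presents it. Splitting the code into halves (post #257) does not change this, because the validator only ever sees what the host lets through.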

  13. #253

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon
    If ZTIC integrated a OTP generator for login, then it would protect against these attacks.
    To be honest, I kinda assumed that that was already integrated in such a device, compared to having 2 different devices for authentication purposes...

    By the way, you have an authenticator attached to your account, but can log in to battle.net without it?
    That is not something I am allowed to do at least!

  14. #254

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    If I mis-worded something, I apologize. Once an Authenticator has been added to the account, it is required for most battle.net logons.


    http://www.pcworld.com/businesscente...usb_stick.html

    ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.
    One other added level of protection is if ZTIC is used with a smart card reader ($$$this is what's not cheap$$$): it would be the equivalent of typing an OTP or static password into the device, thus protecting against this attack as well (password never typed into the untrusted device).

    Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

    Hackers have created malicious software programs than can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.
    Replace Web browsers with any program on a computer. In this case, even the WoW client.

    The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

    For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

    Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.

    "If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.
    Much of this man-in-the-middle attack talks about modifying the data, not protecting the login details. We assume that if the ZTIC is showing strange information the user has time to call the bank and stop transfers or other fraudulent activity. The account could be monitored for unauthorized access for further investigation and the PC's trust would certainly be under scrutiny.

  15. #255

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon
    Much of this man-in-the-middle attack talks about modifying the data, not protecting the login details. We assume that if the ZTIC is showing strange information the user has time to call the bank and stop transfers or other fraudulent activity. The account could be monitored for unauthorized access for further investigation and the PC's trust would certainly be under scrutiny.
    The secure connection is between the dongle (ZTIC) and the server. The dongle and the server can do password-authenticated key agreement based on OTPs, and since the dongle cannot be modified by the attacker you are immune to the end host modification attack (e.g., "man in the browser"). Your client on the PC simply tells the dongle to execute a transaction (e.g., wire X amount of money to Y) instead of directly communicating with the server. The dongle can then display the actual transaction that it is about to perform and allows the user to cancel it on the spot if it is fraudulent.
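
    The transfer example quoted from PCWorld in post #254 and the protocol sketch in the post above fit in a few lines of simulation. This is an added model, not IBM's ZTIC code and not from this thread: the untrusted host relays the user's transaction to the server, the server echoes what it actually received over a channel only the dongle can authenticate, and the dongle screen is compared against what the user intended. The HMAC over a static key stands in for the device's own TLS session (an assumption made to keep the block self-contained), and the payee, amounts and key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: a static shared key models the authenticated dongle-to-server channel;
# the real device negotiates a TLS session for this.
CHANNEL_KEY = b"constructed-demo-channel-key"


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

    def encode(self) -> bytes:
        return f"{self.payee}|{self.amount_cents}".encode()


def server_confirmation(received: Transaction) -> Tuple[bytes, bytes]:
    """Bank server: report the transaction it actually received, authenticated for the dongle."""
    msg = received.encode()
    return msg, hmac.new(CHANNEL_KEY, msg, hashlib.sha256).digest()


def dongle_screen(msg: bytes, tag: bytes) -> Optional[Transaction]:
    """Trusted dongle: display the server's view only if the tag verifies; otherwise stay blank."""
    expected = hmac.new(CHANNEL_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    payee, amount = msg.decode().split("|")
    return Transaction(payee, int(amount))


def run_session(intended: Transaction, attack: str = "none") -> str:
    """
    One transfer through the untrusted host.
      "none"   - honest host, the server receives what the user typed
      "modify" - man-in-the-browser changes the amount but keeps the browser display normal
      "forge"  - malware tries to feed the dongle a confirmation it made up itself
    Returns the decision the dongle screen supports.
    """
    if attack == "modify":
        sent = Transaction(intended.payee, intended.amount_cents * 10)   # $100 becomes $1,000
    else:
        sent = intended
    msg, tag = server_confirmation(sent)

    if attack == "forge":
        # The host never sees CHANNEL_KEY, so it cannot produce a valid tag for its own message.
        msg, tag = intended.encode(), b"\x00" * 32

    shown = dongle_screen(msg, tag)
    if shown is None:
        return "REJECT: dongle could not authenticate the server's confirmation"
    if shown != intended:
        return (f"REJECT: browser shows {intended.amount_cents} cents, "
                f"dongle shows {shown.amount_cents} cents")
    return "APPROVE: dongle matches what the user intended"


if __name__ == "__main__":
    tx = Transaction("Alice", 10_000)   # constructed: $100.00 to Alice
    for scenario in ("none", "modify", "forge"):
        print(f"{scenario:>6}: {run_session(tx, scenario)}")
```

    The "modify" branch is exactly the PCWorld scenario: the browser still says $100, the dongle says $1,000, and the user presses the red "x". The "forge" branch shows why the host cannot simply paint a reassuring message onto the dongle. What the model deliberately does not cover is the case Aragon raises in post #252: a host that only captures the credentials and never forwards the transaction gives the server nothing to confirm, so the dongle screen stays idle and there is no mismatch to catch.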

  16. #256

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I have become very frustrated with the state of PC security. We have a few computers at home and my wife's laptop ended up becoming infected with a trojan that Symantec AV Corp, Microsoft Security Essentials and Spyware Doctor all would not detect. The only reason I found it was looking through the system32 folder and noticing a suspicious dll with a recent modification date.

    Pair this along with the fact that there are constantly zero day exploits for IE and it is to the point that you need a dedicated PC for gaming that you don't do any browsing, facebook, etc on. That is what I have ended up doing. I have VMWare Workstation installed and I do all my browsing on an Ubuntu VM; on the main host PC I rarely open IE or do any other browsing.

  17. #257

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Isn't the hack problem easy to fix by splitting the 6-digit code into two 3-digit codes? While logging in, the system first asks for the first 3 digits (which of course can only be used once) and then asks for the last 3 digits. When the trojan gives an error after you used the first 3 digits, you won't be able to show him the last 3 digits. When the trojan gives you an error after the last 3 digits, he will not be able to use the first 3 because you already used them.

  18. #258

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    There aren't that many zero day exploits for IE any more. They just seem common because of past history and the larger amount of news that happens when one is found. Of course, I'm referring to using the latest technology available such as IE 8 and Windows 7.

    I would suggest you try Kaspersky or ESET or some other AntiVirus that includes HIPS functionality or a better firewall with anti leak capabilities (Comodo Firewall Free).

    As for the 3 digits, what you need to understand is once malware is running on the computer, it can do anything it has rights to do. In the case of malware loading inside a program like WoW.exe, there is nothing to stop it from just accepting the first 3 digits and then accepting the last 3 digits and sending that info to the hacker. On the other hand, if you thought you were infected, you could put the wrong info and question why it was accepted.

    The way the authentication system works, this would require more load and complexity on the servers and more trouble for most of the normal non-hacked users.

    What Blizzard could do to protect against this dll injection is have the wow executable watch for injected threads and dlls and remove them from memory... or at least warn about them. Some legitimate programs do this (like Logitech mouse/keyboard software) and this security could break their functionality or produce a lot of fake warnings (massive support calls inc). Even if this is done, dedicated hackers will only move to lower levels of attacks (rootkits at user to kernel level) to bypass this security. Fortunately, Microsoft has made Vista/7 64-bit mostly immune to the kernel hacking, so perhaps this threat will shrink when people stop using a 9 year old OS.

  19. #259

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I'd be shocked more out of curiosity than sorrow if they decided to pick me to hack with authenticator.

  20. #260

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Aragon

    As for the 3 digits, what you need to understand is once malware is running on the computer, it can do anything it has rights to do. In the case of malware loading inside a program like WoW.exe, there is nothing to stop it from just accepting the first 3 digits and then accepting the last 3 digits and sending that info to the hacker. On the other hand, if you thought you were infected, you could put the wrong info and question why it was accepted.
    Ah you are right about that. I already thought that my solution wouldn't work, but I had to give it a shot.
