| Pages: [1] :: one page |
|
|
| Author |
Topic |
Lucia Camorrano
2nd Bank of Camorrano
    |
Posted - 2008.03.18 10:47:00 -
[1]
Story so far:
- my buddys account got hacked last week
- 450+BPOs, 500+BPCs, some stuff and couple hundret million ISK were stolen and given to a 10d old char
- around six months of research are destroyed because the º$%&º$% canceled all jobs
- we're a small corp, if we don't get our stuff back, we lost months of time (= what counts)
- GMs are probably playing in southern war or something, dunno... no help so far from this side
Because I'm realistic, I know, that it's not enough to write a pathetic eula and forbid such actions. Because I'm no kid, I know, that when there's money involved, organised crime is already there. Because I read lotsa news, I know that in the last week a couple of online games have been attacked and any serious publisher should have already increased his staff to strictly punish any such actions. Because I play Eve for 16 months now, I know that CCP doesn't care for that at all and because I'm stronger addicted to eve than to nicotine (thx btw.), I need help.
So... how do you protect large assets best. Some intel, I gathered about this attack (if you never faced something alike):
- they're clearly in a hurry 
- browse hangars with the search function, going for most precious stuff (e.g. Capital Parts)
- take all BPOs, regardless if they're crap or not
- but seem to be less intrested in large quantities of items (contract limit?)
- and still have time to leave e.g. one lonly datasheet behind (for my amusement, I guess)
- all stuff is then contracted to a noob-char
- if you don't react quickly, you hopefully kissed your assets byebye 'cause you ain't gonna see them again (instead you get something like "I can't undo a following contract/market-transaction")
So far, I came up with this steps:
- no directors at all and a strict rights-management to contain the given damage.
- every bpo locked
- larger sums as well as all stocks go to a account with one npc-char on it; only CEO has access.
- always pack some contraband besides your assets, so "select all"&"make contract" is not gonna work (as ridiculous as it sounds  )
On top of that:
- strict diversion of critical chars on diffrent accounts
- strict prohibition of M$-crap for every player who has more rights than a n00b (doomed to linux/mac, can you belive it?)
- strict kick-policy for people who double-use passwords or send them with mail (I'm so sad that I still have to think about such idiots)
It seems that time is very critical in such operations because (from the pov of the criminal:) when the stolen items are sold to any other player, you've won and the stuff isn't given back to your victim. But - from my pov - how to exploit this best?
Does anybody have some ideas which do *not* turn this game into a burocratic nightmare? 
|
RaTTuS
BIG
Ka-Tet
|
Posted - 2008.03.18 10:53:00 -
[2]
1) Dont Share accout details with anybody
2) dont use macros as you have no Idea what info they send [apart from being illegal]
3) run virus scans regually on your machines
4) locking BPO's is good - unless you want to move them
if you run a petiton as soon as you discover you will get the account locked until the investigation is concluded [so set a long skill running]
--
BIG Lottery, BIG Deal, InEve &
Portrait Server
|
Considered
Deus otiosus
Southern Cross Alliance
|
Posted - 2008.03.18 11:59:00 -
[3]
Using macros will get the GM's to magically dissapear your account.
|
Tammaria Snegallja
State War Academy
|
Posted - 2008.03.18 12:04:00 -
[4]
Edited by: Tammaria Snegallja on 18/03/2008 12:05:04
Stupid as it sounds: Don't use the same for account name and character name. That way you'll be safe from password-guessing attacks.
And one for the paranoid: Allways change your password when you log off for the day. Use a different PC (or device, e.g. cell phone) to do so, however.
Also good: Don't type your password. Use a secure(!!!) password manager, either one that fills the field by itself, one that provides it in the clipboard and auto-clears the clipboard on first use.
Someone still without a virus scanner out there? And if you got one, are the virus definitions up-to-date? Auto-update should really be on and working. Also, it won't hurt to run a trojan/spyware/root kit scanner from time to time.
You can't remember complicated passwords? No reason to use a simple one---for EVE it's ok if you write it down on paper. Put it in your wallet if you expect to have people around your PC that could use EVE. And btw, when I say paper, I pean it. Real physical paper, not a file on your desktop.
There is one trick to trick keyloggers: Don't enter your password in one run. Enter it intermixed with garbage, change the cursor position with your mouse(!), delete the garbage parts and add more correct parts. That way a simple keylogger only gets useless characters, unless it also monitors your mouse clicks and movement. Ok, it takes some planing in advance to know what to do, as you only see asterisks, but it can really save you when you need to login at a friend's computer to change a skill.
Common password security: Leet does not make a password more secure. A brute-force attack that can guess "iteron" will also guess "1t3r0n". Long word are not more secure then short ones. Again, using a dictionary attack "household" is not more secure than "word". Adding numbers to the end of your password does not make it more secure. Guessing "guess12" is as easy as guessing "guess" (however, "guess3458968344758923683479256827" would be a good password). Don't expect your password to be secret when it is "secret". That was funny 30 years ago.
Constructing a password: (1) decide on the tokens you'll use. "numbers"/"letters"/"caps letters"/"a word"/"punktuation" are common kinds of tokens. (2) decide on the token length you'll use. That is, how many characters of one kind will you put together to form a token. The less, the better, but the more the easier to remember. (3) decide on a pattern to use. Staying with one pattern makes it easier to remember your passwords when you change them. A common pattern is "word(1), numbers(2)"---but that also is the weakest ("guess12" would come match that pattern). A good pattern to start would be "letters(2), numbers(1), word(1), caps(2)", giving you passwords like "gp9helloXU" or "bg0SusannaZP", still easy to remember, but hard for a brute-force attack and somewhat hard for a dictionary attack. Harder patterns would be "number(1), letter(1), caps(1), punktuation(3), caps(2), number(1), punktuation(1), letter(2)" for e.g. "8dP-_(ZA1+sm". And the next step yould be to include hi-ascii and/or low-ascii characters, or in applications using UTF-8 even more unicode characters, e.g. "℅S۩Чź⅓∏␈̎̏ʟ"---however, you may want to limit that to what you can enter on your keyboard, e.g. "☺º+∩"...
|
Lucia Camorrano
2nd Bank of Camorrano
|
Posted - 2008.03.18 12:36:00 -
[5]
Thx for the answers so far, but I was actually looking for some ig-countermeasures and thought, I had covered the topic "account security" with this:
 Originally by: Lucia Camorrano
- strict kick-policy for people who double-use passwords or send them with mail (I'm so sad that I still have to think about such idiots)
I've already written an new tutorial for idiots (over the years, my 12.? 13.? why these people never learn?) but I don't expect it to be very effective (surprise, surprise) so how can you defend yourself best against the worst case scenario (= you've been compromised).
|
Goa Vibe
Center for Advanced Studies
|
Posted - 2008.03.18 16:06:00 -
[6]
putting contraband in containers is indeed a very effective way to keep them from being contracted out to a thief
my main was in 0.0 and I wanted my alt to move some stuff for her in empire, but one of the containers had an illegal tag, so gave that error when I tried to make a private contract for the container and it's contents ... all the other containers contracted out just fine.
if you use station containers like I do to sort you loot, keep them configured with password and lock items if you feel you might be suceptable to a hacking.
|
|
| Pages: [1] :: one page |
| First page | Previous page | Next page | Last page |