ZzeusS Caldari Provisions |
Posted - 2003.12.02 18:51:00 -
[1] Edited by: ZzeusS on 02/12/2003 18:56:06
There are any number of ways an account could have been compromised.

1. Sniffing the same network as the hacked gamer - trolling for EVE login packets would be trivial once you sniffed your own and knew what to look for. It would take forever, and you would have to be on the same collision domain (subnet), pretty unlikely scenario. You'd have to just 'get lucky'.
2. Computer was trojaned. Once your PC was trojaned, it would be simple to snag the EVE login info, IF you had it cached for login. TONS of MMOG accounts get compromised this way.
3. Brute forcing player logins. It would be trivial to set up a bruteforce program with a huge wordlist to hack away on someone's account. Does EVE have a password fail lockout timer? You certainly wouldn't need the GUI for anything. You'd just need the player ID, port, pass good response and pass fail response. Since again you could sniff your own login to find out what was a good login and bad login, would be trivial to drop that in the bruteforce program.

Is the local login and password cached on the client anywhere? Is it encrypted? I dunno, I never tried to hack the client.
Depends. If the hacked user was sharing account information, and it was due to the user's insecurity that lost them their stuff, then CCP is not liable. However, if the account was hacked from the outside, then that's a computer crime, and CCP would have to investigate and/or do forensic work. Whether or not they would reimburse the player for lost items is up to them; I would hope they would. If the login proxy was compromised, well that's just a bad deal all around. Pretty unlikely that happened. Most likely it was one trojaned system, and the hacker acquired everyone else's account info from that one system.
I am. There are any number of programs out there, Windows, Unix, Mac, what have you, that make brute forcing login credentials trivially easy. It ALL depends on what CCP's login proxy does with failed logins, and whether or not they log the information. Source can be spoofed, proxies can be used, I wouldn't really try to back hack to the hacker's origin - that would be a waste of time unless they were stupid. Probably the best thing to do would be set a policy on the server where 3 failed logins locks the account for 30 minutes or something. Or even make them call customer service. If there is NO account lockout mechanism in place, depending on the OS, brute forcers can hit anywhere from 100 to 300 passwords a second. At 23 hours a day, and if you have a 700+ MB wordlist... how many times do you change your password? Just takes time.
You would be surprised. I wouldn't say just because someone plays a space MMOG that they are any more likely to practice good computer security. Heck, the forums list everyone's accounts for them.
That's probably what happened, as it is what usually happens, just the other way around. I would be interested to know if EVE sends other clients' IP information to users once you encounter them in local space, or not. As a side note, I can sniff Windows passwords on a local LAN, and depending on what version of NTLM they use, snag the hashes for offsite cracking. A dual Xeon 2.8 HT system does about 10k passwords a second, and that's not even getting into distributed crackers... |
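The lockout policy suggested in the post above (3 failed logins lock the account for 30 minutes), sketched server-side as an added example that is not part of the original thread and not CCP's login code. The class and function names are hypothetical, and time is passed in as whole seconds so the run is deterministic.

```python
from dataclasses import dataclass

MAX_FAILURES = 3        # from the post: "3 failed logins"
LOCK_SECONDS = 30 * 60  # from the post: "locks the account for 30 minutes"


@dataclass
class AccountState:
    failures: int = 0
    locked_until: int = 0


class LockoutTracker:
    """Per-account failed-login counter with a timed lock (hypothetical name)."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'fail' or 'locked' for one login attempt at second `now`."""
        state = self.accounts.setdefault(account, AccountState())
        if now < state.locked_until:
            # Refused before the password is checked, so a correct
            # password is turned away too until the lock expires.
            return "locked"
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lock_seconds
            state.failures = 0
        return "fail"


def guesses_tested(tracker, account, rate_per_sec, duration_sec):
    """Count wrong guesses that actually reach the password check
    when failures arrive at a steady `rate_per_sec` for `duration_sec`."""
    tested = 0
    for second in range(duration_sec):
        for _ in range(rate_per_sec):
            if tracker.attempt(account, False, second) == "fail":
                tested += 1
    return tested


if __name__ == "__main__":
    # Constructed load: 100 failures/second for one hour, with and without lockout.
    print(guesses_tested(LockoutTracker(), "pilot", 100, 3600))
    print(guesses_tested(LockoutTracker(max_failures=10**9), "pilot", 100, 3600))
```

Each `locked` result is also the event worth logging, since a run of them against one account is what a sustained guessing attempt looks like from the server.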
ZzeusS Caldari Provisions |
Posted - 2003.12.04 02:22:00 -
[3] I really wouldn't mind a post-mortem on the situation from CCP. What should we be doing as customers to prevent this type of thing from happening again? |