So somebody with a physical authenticator got hacked...

Comments

  • stragen001 Member Uncommon Posts: 1,720
    This is clearly a failure on Blizzard's end somewhere. There are just too many reports of people that are knowledgeable about computer security and have physical authenticators that are getting hacked.
    I find it interesting that the hackers are able to access accounts that are inactive and have been for some time and still managed to rape the account. That suggests a larger underlying problem than a few individual users with stupid passwords being hacked.

    Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom

  • dubyahite Member Uncommon Posts: 2,483
    Laughing my ass off at the guy who thinks his Mac is immune to malware.

    If you believe that, I've got a .DMG file to sell you.


    Macs are, in my opinion, MORE vulnerable but LESS targeted. Most Mac users don't run AV software because they think they are invulnerable.


    Do yourself a favor and get some av and a firewall on that Mac.



    As far as on-topic discussion. It has been known for some time that there are weaknesses in a two factor authentication like the Blizzard authenticator. If your machine is infected with a rootkit or a MITM attack is used (yes there are Mac rootkits please stuff that my Mac is invincible crap right now).


    Beyond that, WoW authenticators have been compromised before, usually because of malware though.


    The authenticator uses RSA technology which has been compromised before (at the RSA end).

    Beyond that, an attacker can acquire your token through a simple man in the middle attack. This would require access to the user's network (either home, Internet cafe, public network, etc) or through malware.


    An attacker could intercept the authenticator code and quickly use it themselves. It is not hard to accomplish if the user is already compromised.


    This is a different attack, but can detail what is possible. This method has worked for years and is still active today:

    I know of a method to defeat SSL secure logins without compromising the SSL encryption. In a MITM attack all data from the user is intercepted on its way to or from the server. If you are using a secure SSL login, the attacker would be able to intercept your encrypted login details on the way to the server and pass it on. They would not be able to crack it, however.

    What they can do is spoof your session certificate. This would throw up red flags for someone that really understands certificates, but most would not understand what was happening.

    So, you go to the site and log in. I send you a fake certificate that I know the encryption key for, I also receive the real certificate from the server.

    Your password is encrypted with the fake encryption key which I easily decrypt. I now have your password. I encrypt the password with the real encryption key and send it on to the server. You login fine and everything works, but I was able to steal your password.


    This all happens almost instantaneously and is automated. It's honestly something your average script kiddie could pull off with ease. It doesn't even take much knowledge.


    An authenticator is vulnerable to the same attack. It would be a simple matter to accomplish on a compromised system/network.



    Just to be clear, I have never claimed that the authenticator is an impenetrable security fortress. Two factor authentication is not the be all end all of security. It reduces the likelihood of being the victim of an attack greatly. The problem is that if it is not used in tandem with other good security practices it is possible to compromise.


    The authenticator itself is not a weak security tool, it is actually quite strong, but its effectiveness can and has been compromised through indirect means.

    An attack on the authenticator is likely not a direct attack on RSA SecurID security, but an end-around attack that reveals the data from the authenticator.


    Also, the smartphone versions are, theoretically, vulnerable to software attacks on the phone itself. Software authenticators do contain files that can compromise the security of the token.

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • aesperus Member Uncommon Posts: 5,135
    Originally posted by Loke666
    Originally posted by lickm3
    Originally posted by Kendane

    That's rather arrogant to blame every user. I never bought gold, nor did I fall for any of those painfully obvious phishing emails. I even regularly scan my computer for viruses. Most likely it went to wowwiki (didn't realize it was a bad site, shame on me) and they got in sometime between my virus scans. Most likely, you were just not unlucky,

    Don't forget to remind addons with phishing script inside

    The thing is that it is often the user's fault but far from always and people tend to assume that everyone is a moron just because 90% of the players who got hacked bought gold or were scammed (90% is a guess without any fact to back it up but it is a large percentage).

    Diablo 3 will be the mostly hacked game ever since the hackers can sell the stuff for real money within the game. Every hacker in the world would like to get in on that.

    If indeed someone with a physical auth got hacked it is very bad news for Blizz.

    On the plus side is all your other games safe since they will focus on D3, but be sure to not have the same password for D3 as your MMOs.

    That's the thing. This game is basically a wet dream for hackers. You have:

    1) One of the most popular games in history

    2) Made by a developer who has openly stated that it 'cannot be hacked'

    3) Has a system in place for selling items for real money

    There have already been multiple accounts of people getting hacked in spite of having authenticators. It's not a majority, but it isn't an isolated incident either. The game is also already being flooded by goldsellers, and there are groups working on private releases already. Basically everything Blizzard promised wouldn't happen is happening.

    Another unfortunate bit of reality is that people assume that 'phishing' is the only way that hackers steal accounts, simply because it was the most popular method used in WoW. However, it's simply not true. There are a number of different ways to hijack an account. Some of which can steal your info directly, regardless of how complex your password / authenticator / encryption is. It's simply a fallacy to assume that anything is hack proof, and D3 is a prime example of this.

  • dubyahite Member Uncommon Posts: 2,483
    Other interesting possibilities concerning the case in the op link:


    The user is in Taiwan. Do we know if they are using a pirated copy of Windows? I'd give even odds that they are, at that point they are absolutely rootkitted. No virus scan will ever detect it. Using a pirated version of Windows means you are permanently compromised. Period.

    If your OS is pirated, you have an undetectable rootkit on your machine. Have fun with that as your box is officially a zombie in a botnet.



    This could tie in with my first guess, but also be applicable to other forms of compromise on the user's end:

    The attacker could use your machine as a proxy to log into the server. If your authenticator is set to detect your IP and not ask for the token every time, this is a very viable vector for bypassing the authenticator.

    Blizzard's servers would see the login as coming from your machine. In other words, set the authenticator to ask every single time.


    There are a thousand other possibilities that don't involve compromising Blizzard at all.



    I wish I could invite all of you that don't understand this stuff over to my house and show you exactly how wrong you are. Haha.

  • simplyawful Member Posts: 84
    Originally posted by dubyahite


    What they can do is spoof your session certificate. This would throw up red flags for someone that really understands certificates, but most would not understand what was happening.

    So, you go to the site and log in. I send you a fake certificate that I know the encryption key for, I also receive the real certificate from the server.

     

     

    Isn't that what Blizzard claims is currently impossible?

    I think that implication is what is worrying a lot of people. Since the mass hackings imply some kind of new widespread, unknown vulnerability for Flash/Windows etc., or something on Blizzard's end, their silence on WHAT exactly it is, is not exactly comforting.

    What if there was a leak?

  • Celcius Member Rare Posts: 1,869

    No one who has been hacked has proven that they did not have an authenticator on the account that got hacked. Blizzard says no one got hacked that had an authenticator. It is probably just people trolling. Most of the hacked accounts were accounts that were hacked previously and the information of the user was unchanged when Diablo 3 came out. The hackers just had a field day with all the accounts with the info they had available to them.

  • dubyahite Member Uncommon Posts: 2,483
    @simplyawful

    I know that it sounds similar but what I described is not, in fact, the same as the session hijacking exploit that people are claiming the game is vulnerable to.


    Also, what I described is not a vulnerability within the game, but the entire thing relies on the fact that the attacker has gotten access to the user's network or system not the other way around.


    The point is that this is not a server side vulnerability but a client side weakness in security.


    Even IF the session hijacking thing was true (which it isn't) it would most likely be executed by gaining control over the user's system not the servers. That's the part I find most funny about the session hijacking claims, it's a client side issue not a server side one.


    All that aside, I am not describing session hijacking and the game client is not susceptible to such an attack. The purpose of the explanation was to describe how an authenticator might be bypassed in a similar way.


  • ironhelix Member Posts: 448

    It's probably already been pointed out, but if your computer is compromised, then bypassing an authenticator is not hard to do.

  • paroxysm Member Posts: 437
    Originally posted by sigurd57

    Hell, they even acknowledged in the ticket response that they see all my logins and transactions are done on a Mac, so their suggestions of Malware scanning were not valid in my case.  

    As said above, Mac is not immune to malware, exploits, viruses, etc. Even the Unix OS it was based on (FBSD 4.x) is not immune. Not even hardened OSes are immune. No OS is immune. They are just less likely to be easily exploited. That is, until you add vulnerable software to it, don't maintain it, or get so confident in it that you forsake good practices. There are so many attack vectors it would be insane to ever claim immunity. The only thing that led to less Mac malware/viruses/worms/etc was population. Fewer people using it made it a smaller and less profitable target. That is no longer the case. Security is layers and good procedures/practices. And, not even that will protect you every time.

  • dubyahite Member Uncommon Posts: 2,483
    @jesike


    You realize that all of the exploits you listed in that post are client side vulnerabilities not server side right?

    What was that you were saying about people here not knowing anything about security? Yeah... Thought so.


    Ah who am I kidding, you've got 4 posts you won't be responding to this. Haha.

  • FrodoFragins Member Epic Posts: 5,905
    Originally posted by aesperus

    The game is also already being flooded by goldsellers, and there are groups working on private releases already. Basically everything Blizzard promised wouldn't happen is happening.

    When did Blizzard promise there would be no gold sellers or private server emulators?

  • The problem with authenticator hacks is you have to have a really sophisticated rig to handle it. You have to have such a good virus in place to spoof the client screen and grab the authenticator code which gives you the 30 second window to log into the account. Yeah it's possible, and was done before on WoW, but it isn't common. I am not sure why they have not created the registered PC or input PIN when trying to do stuff involving gold or items.

  • Ramonski7 Member Uncommon Posts: 2,662
    Originally posted by simplyawful
    Originally posted by Ramonski7

    I would NOT be surprised that gold/account sellers have networks of people working for them to "convince" players to lower their defenses by claiming Blizzard's security measures have been compromised. And I damn sure would not be surprised if those campaigns originated in the gold/account selling capital of the world a.k.a. South Korea.

     

       Actually that would be China. The average South Korean income is a bit too high to make it that popular there.

     

    It's been legal in S. Korea for 2 years now...check here

     

    They have the networks, players and tech to establish a huge anti-security campaign to boost their gold/PL services. Why on earth would you think they wouldn't? Do you really believe all S. Korean companies/players are so well off that they don't need to capitalize on gold/PL services? Especially when it is a perfectly LEGAL business opportunity in their country.

     

    Like I said. The only reason anyone would be telling players that Blizzard's security services are moot is because they want you to NOT use them in the first place.

    "Small minds talk about people, average minds talk about events, great minds talk about ideas."
