328 replies to this topic

[Kin3ticX]

I know MWO staff have promised that the passwords are safe but arn't the passwords merely stored with MD5 hashes when we create our accounts/passwords. My understanding is that these hashes can be reverse engineered back into the original string. My computer knowlegde in this area is very limited so I might be behind the times on this one. After all, they did get our emails.

NM, i looked up Salted Password and I understand how it works now. Its still possible but very difficult, best to change password anways.

Edited by Kin3ticX, 14 December 2012 - 03:22 AM.

[Joseph Mallan]

Bryan Ekman, on 13 December 2012 - 04:14 PM, said:

• 
  
  We can confirm:
  
  • Account passwords are encrypted, salted, peppered and stored in databases not affected by today’s incident.

We’re sorry for any inconveniences this may have caused.


The MechWarrior Online Team

Could you please dip mine in ranch and wrap it in bacon also... You can never be safe or have enough Bacon! Thanks Guys!

Edited by Joseph Mallan, 14 December 2012 - 04:16 AM.

[Atheose]

Axeman1, on 13 December 2012 - 04:20 PM, said:

I was going to buy MC but someone in another thread said their paypal was compromised after they did...

Sounds like somebody making stuff up.

[Lon3Wo1f]

I'd still like to know why we were told that no email addresses were stolen when it's pretty clear at the very least a large portion were stolen. Why do I want to know so badly? Simply put if they lied to misinformed us about email addresses being stolen then what else have we been misinformed about?

[lizardmech]

I have to say, it was nice of them to remind me not to buy windows 8.

[Vassago Rain]

Put your big developer pants on, PGI.

[Stone Wall]

Vassago Rain, on 14 December 2012 - 04:45 AM, said:

Put your big developer pants on, PGI.

Those pants would have to be bigger than the ones Blizzard and Sony wear. They were also hacked.

[Urza Mechwalker]

EternalCore, on 13 December 2012 - 04:40 PM, said:

md5 is horrible for encrypting and it's incredibly easy to decrypt that a kid with a smart phone could decrypt it.

Impressive kids you have , since MD5 are non reversibles. If you do not have extra info as the lenght of the original content the nubmer of possible plain texts is literally INFINITE.

[Vassago Rain]

They didn something about it....

[Kraven Kor]

OpCentar, on 13 December 2012 - 04:28 PM, said:

This is why linking game accounts to forum ones is/was a bad idea.

Works out OK for EVE Online... and in that game, having your password hacked can result in, literally, thousands of dollars of lost stuff.

[Kogrim]

Stone Wall, on 14 December 2012 - 05:22 AM, said:

Those pants would have to be bigger than the ones Blizzard and Sony wear. They were also hacked.

Blizzard, maybe. But Sony's software developers are famously inept. The Sony store hack happened because they trusted the consoles themselves to restrict access to the store. And the reason the consoles got hacked is because Sony didn't initialize the random number generator when making their encryption keys (something that would have been covered in "Encryption for Dummies", had they read it....). And the PSP? They didn't even turn binary verification on when they shipped the hardware.

Don't confuse the high-quality games (I like my PS3) with the people running the service or writing the firmware.


Meanwhile, PGI got hacked. It happens, I don't fault them for that... you can't audit every vendor's software, even if the vendor will let you. However, their stonewalling definitely cost them points. Saying your site isn't hacked while *multiple* antivirus systems are flagging you, while Chrome is flagging you because of *bad behaviour*, and several of your users are cutting and pasting the malicious code to you... that costs you trust, and you don't get trust back easily, if at all.

Here's what I think happened: a vulnerability was exploited in the forum software to embed some malicious code into the site. Depending on how that code was embedded, it could either spit out bad code to the browser or run unattested code on the server. PGI claims the former... very well, we'll believe them. That code could be used to harvest usernames (aka emails) and passwords and fire it off to a third-party site.

The vulnerability probably exists in many deployments of the forum software. I wouldn't be surprised to find out that this same trick has been played on other users of the forum software. It's completely trivial to scan for the flaw... in fact, most "script kiddies" don't even bother scanning, they just try the exploit and either it works or it doesn't. This is why security vulnerabilities need to be fixed *immediately*.

The kiddies have probably been attacking, harvesting, and then spamming different vulnerable sites, one after another, as interest catches them.

Also, to address one or two flawed statements I've been seeing:

"If they got the email database, wouldn't *everyone* have gotten the spam?"

- No.

- First of all, they probably wouldn't get the *whole* database, especially if they were using a browser harvesting attack.

- Secondly, they were undoubtedly using a hacked webhost to send the spam, who would have shut it down as soon as possible (if the site is in the least bit responsive... not all are, of course...)

- Thirdly, almost every receiver on the net is behind antispam measures now, which would/could catch these spam as it comes in.

- Fourthly, hardly anyone uses "single-purpose" email addresses, so there would be no reason to associate a particular spam with a particular site.

- Fifthly, a good portion of people who actually get the spam will delete it out of hand and not even think of it.

- Six(th?)ly: how many people who get the spam will comment on it on the forums?

"How come others have gotten the same spam?"

- Most likely because other sites have been attacked in the same way. As near as I can tell, all the people using MWO who got spammed received the spam yesterday. That indicates a "batch" to me. The other, non-MWO victims received theirs on different days, thus probably different "batches". I would not be surprised to hear of a different service receiving the same spam on the weekend or next week.

And finally, to address one more peeve: In the future, PGI, rather than a flat out denial which paints you into a corner, please consider using language such as this:

"We have received reports that spam has been received to addresses that users believe were obtained from our site. We are investigating, and as yet we have not discovered any evidence that our sites have been compromised. However, please be assured that the privacy and security of our players is extremely important to us, and that we will be auditing every bit and byte of our systems until we are absolutely satisfied."

It reassures the customer, it doesn't make any absolutist statements you'll have to walk back later, and later on if you do find something bad, it sets it out that the reason you found the Bad Things is because you're so impressively vigilant.

I've been administrating several hundred systems, from measly little vanity webservers to machines that were once (but not anymore) supercomputers for nearly twenty years. And yes, a few of them have been hacked. I have stood where PGI is, and I'm definitely not coming at them from a position of superiority, but simply one of "yeah, I've still got those burns".

[Kraven Kor]

Stone Wall, on 14 December 2012 - 05:22 AM, said:

Those pants would have to be bigger than the ones Blizzard and Sony wear. They were also hacked.

Yes, but this is PGI, and some people (and by that I mean you people ) just can't do anything but complain... or so it seems.

This appears to have been a pretty widespread hack.

[Kogrim]

Urza Mechwalker, on 14 December 2012 - 06:33 AM, said:

Impressive kids you have , since MD5 are non reversibles. If you do not have extra info as the lenght of the original content the nubmer of possible plain texts is literally INFINITE.

Not quite. An MD5 hash (hash = non-reversible) is 128 bits, or 16 bytes, wide. It doesn't matter what you put in, the output will be 128 bits. So you don't really need the original input... you just need *some* value that outputs the same hash, known as a hash collision.

Precomputed tables of MD5 hashes, known as an MD5 rainbow table, are available for download... for free, even. They're extremely large (~3 TB) but once you've got them, a simple "grep" will yield you a password that will work for an *unsalted* MD5-hashed password. It may not be the same password the hacked user uses, but because it hashes the same, it will work.

PGI has said they use salts. That's an extremely good thing, because it makes using the rainbow tables nearly impossible. So even if the attackers have the password database, I'm not overly worried about them extracting the passwords. However, let's not oversell the MD5 algorithm itself. Not every service provider uses salts, and the fact that PGI does is to their credit.

[Rippthrough]

Same here, spam e-mails containing site content sent since the issue, so whether you think they're compromised or not, my inbox says they have e-mail addresses from your database.

[Jakob Knight]

PPO Kuro, on 14 December 2012 - 01:06 AM, said:

Good to know the problem has been fixed. I'm glad I have good security on my pc.

I'm just using W7 firewall and Comodo, browser Firefox with NoScript. Haven't gotten anything 'bad' on my pc for years now

Of course, now that you've told the world what setup you have, I imagine it isn't as good security as it was before, eh?

[Attalward]

I have to say that mwomercs.com/forums is still flagged as dangerous site by firefox from Spain.

[nom de guerre]

miscreant, on 13 December 2012 - 09:00 PM, said:

I'm relieved that it's been found, is my work computer affected now? I accessed the site from work and Chrome warned me about a vulnerability, but I continued anyway.

I played with the page while it was infected from one of my boxes at work and as far as I can tell that box was not infected, got no hits on the real time monitoring and a scan showed nothing.

[Jacmac]

ClemFoster said:

Quote

[color=#959595]The e-mail address I use for Mechwarrior online is specific to Mechwarrior online. At no time since its creation has it ever been used or given it to any other company/individual.[/color]

[color=#959595]And yet today I got a Windows 8 hate e-mail that degenerated to other things on my Mechwarrior e-mail address. The fact that some others I know got the same e-mail leads me to believe that it is not my e-mail server that has been compromised. [/color]

[color=#959595]I know this has to be a hack because I am sure the excellent sales/marketing team at Mechwarrior online wouldn’t just sell such info to random nut jobs.[/color]

[color=#959595]PS: The spam came from fremanfighter@dune.com but I expect that is a spoof.[/color]


[color=#959595]PPS: Should we be changing our passwords?[/color]

Since he used a dedicated email address (assuming he is telling the truth here), this looks really bad. It looks like MWO got hacked in some way. I did not use a dedicated email address, so I can't say.

Edited by Jacmac, 14 December 2012 - 08:50 AM.

[nom de guerre]

Jacmac, on 14 December 2012 - 08:42 AM, said:

ClemFighter said:



Since he used a dedicated email address (assuming he is telling the truth here), this looks really bad. It looks like MWO got hacked in some way. I did not use a dedicated email address, so I can't say.

Hes'd not the only one who reported this. The email tied to this account was created the same day as the MWO account and has sent 0 messages and only received 3, 2 from MWO and 1 which was the spam email.

[ClemFoster]

The e-mail address I use for mechwarrior online is specific to mechwarrior online. At no time since its creation has it ever been used or given it to any other company/individual.

So I would say that there is no way e-mails were not compromised. At this point you know it, and have not change the OFFICIAL RESPONCE. That makes you guys shifty at best.