Dec 13Th Incident - Official Response
#61
Posted 13 December 2012 - 05:41 PM
#62
Posted 13 December 2012 - 05:43 PM
Still coming up as malicious on firefox. If this was fixed hours ago well what is really going on?
http://www.stopbadwa...com%2Fforums%2F
Edited by DerelictTomcat, 13 December 2012 - 05:51 PM.
#63
Posted 13 December 2012 - 05:45 PM
Aegis Kleais, on 13 December 2012 - 05:22 PM, said:
Someone gave you guys a run for your money but it looks like you addressed it expeditiously. Nicely done.
I would think it would be best that they have both done to them.
A hashed password usually is just a MD5 checksum, and there are websites out there that have the checksums of MANY popular password combinations.
But if you encrypt the password too, the person has to figure our not only the algorithm used, but the key as well, making the chance to decipher it much harder than just standard hashing.
You forgot to discuss salting.
http://en.wikipedia....cryptography%29
#64
Posted 13 December 2012 - 05:46 PM
Some confirmation as to whether the script found did have something to do with the email would be nice.
Edited by Viterbi, 13 December 2012 - 06:44 PM.
Removed reference to removed content
#65
Posted 13 December 2012 - 05:49 PM
Aegis Kleais, on 13 December 2012 - 05:22 PM, said:
Someone gave you guys a run for your money but it looks like you addressed it expeditiously. Nicely done.
I would think it would be best that they have both done to them.
A hashed password usually is just a MD5 checksum, and there are websites out there that have the checksums of MANY popular password combinations.
But if you encrypt the password too, the person has to figure our not only the algorithm used, but the key as well, making the chance to decipher it much harder than just standard hashing.
Hashing with a variable salt, plus mandating basic secure password policies is a about as secure as you need to be. This defeats both dictionary attacks and rainbow tables, Even better to use a real crypto hash such as bcrypt, which includes a time component to defeat brute force attacks.
Simply encrypting a password is only a shade of gray more secure then plain text passwords. If they have your database of passwords they probably have your keys as well.
#66
Posted 13 December 2012 - 05:49 PM
Sears, on 13 December 2012 - 05:46 PM, said:
Some confirmation as to whether the script found did have something to do with the email would be nice.
How does signing up with mwo@domain.etc and receiving this mail grab you? I wasn't bothered enough to do so but fortunately three clan members were.
Edited by Niko Snow, 13 December 2012 - 09:08 PM.
Quote Clean-up
#67
Posted 13 December 2012 - 05:52 PM
Inertiaman, on 13 December 2012 - 05:49 PM, said:
How does signing up with mwo@domain.etc and receiving this mail grab you? I wasn't bothered enough to do so but fortunately three clan members were.
the email tied to this account is used solely for mwo and received the email.
The email is a week old and never used its sent 0 messages and received like 2 from MWO that's it so its not likely it got on the spam list some other way.
Edited by nom de guerre, 13 December 2012 - 05:53 PM.
#69
Posted 13 December 2012 - 05:52 PM
Emerald Fox, on 13 December 2012 - 05:41 PM, said:
DerelictTomcat, on 13 December 2012 - 05:43 PM, said:
http://www.stopbadwa...com%2Fforums%2F
Thontor, on 13 December 2012 - 05:40 PM, said:
Edited by Ter Ushaka, 13 December 2012 - 05:52 PM.
#70
Posted 13 December 2012 - 05:54 PM
Playing devils advocate here. Someone steals and has access to your MWO account whats the worse that can happen? I mean seriously its not like Guildwars where you come on one day to see your toons stripped and nothing left in your account.
Worse that happens is they play your account and spend your mc on things you didnt want. They cannot transfer this or shut down the account correct?
Edited by DerelictTomcat, 13 December 2012 - 05:55 PM.
#71
Posted 13 December 2012 - 05:56 PM
DerelictTomcat, on 13 December 2012 - 05:54 PM, said:
Worse that happens is they play your account and spend your mc on things you didnt want. They cannot transfer this or shut down the account correct?
they can buy mechs with mc sell mechs, then burn all your cbills on mechs/equipment and then resell it so you only have 1/10th the cbills you started with thats about as mean as they can get in game.
Edited by nom de guerre, 13 December 2012 - 05:56 PM.
#72
Posted 13 December 2012 - 05:57 PM
nom de guerre, on 13 December 2012 - 05:52 PM, said:
the email tied to this account is used solely for mwo and received the email.
The email is a week old and never used its sent 0 messages and received like 2 from MWO that's it so its not likely it got on the spam list some other way.
Which is why I find the offical tone massively dangerous. It's the sodding Iraqi Information Minister all over again. No email addresses compromised?!! They haven't even realised that it's too late.
[REDACTED]
Edited by Viterbi, 13 December 2012 - 07:31 PM.
Removed offensive language
#73
Posted 13 December 2012 - 05:59 PM
Edited by Niko Snow, 13 December 2012 - 09:12 PM.
Flamebait
#74
Posted 13 December 2012 - 06:02 PM
DerelictTomcat, on 13 December 2012 - 05:54 PM, said:
You have issues if you use the same user/pass combo for any popular sites. Amazon, ebay, spotify, steam, itunes etc etc. You have exposure here if your combo is remotely similar.
It seems fair to assume that if the user emails (uid's in this case) were available that easily then the passwords were equally available. Change them swiftly elsewhere - this is a bulk attack - not some random attention seeker. The immediate email intended to convert hints at some decent organisation.
[Redacted]
Edited by Niko Snow, 14 December 2012 - 12:57 AM.
CoC
#75
Posted 13 December 2012 - 06:02 PM
Nothing is totally avoidable, just ask the FBI, Google, Microsoft, Sony, etc
First and foremost no one should be using the same password for their email as their forum or even account for any game... PERIOD! If you do, then you are your own security risk.
Second email phishing scams do not matter, either does your email as long as you practice proper security. (ie: don't use the same username as an email. Don't use your forum name as an email or an account login, etc).
On the off chance some game is using your email/password as a login method and they did get compromised, you've lost nothing. Because you've stopped the infection from getting further by using different passwords, usernames and logins. At most they have your email. And at most you shouldn't be clicking links from your email for phishing scams anyways.
Next we'll have posters going "Oh noes! I've been hacked, all my mechs and CBills are gone".
Edited by Viterbi, 13 December 2012 - 07:32 PM.
Removed quoted removed content
#76
Posted 13 December 2012 - 06:03 PM
If you share important passwords with gaming sites you are the problem dead stop.
#77
Posted 13 December 2012 - 06:04 PM
Edited by Niko Snow, 13 December 2012 - 09:16 PM.
Quote Clean-up (Makin' movies, writin' songs and fightin' round the world!)
#78
Posted 13 December 2012 - 06:05 PM
Edited by Niko Snow, 13 December 2012 - 09:16 PM.
Quote Clean-up
#79
Posted 13 December 2012 - 06:08 PM
My AVG reports that it detected and disabled Exploit Blackhole Exploit Kit (type 2363) which came from mwomercs.com/forums/index.php?whole bunch on random code. This occured at 11:14 am.
Good to know my AVG is working, gonna give it a scan for the hell of it
Edited by M4NTiC0R3X, 13 December 2012 - 06:21 PM.
#80
Posted 13 December 2012 - 06:08 PM
Dark Severance, on 13 December 2012 - 06:02 PM, said:
Yet people do. Hence the responsibility here to let people know what their potential exposure is - not to deny that information has been compromised in the face of 100% evidence to the contrary.
You say this isn't unavoidable - it is. You just don't ever hear about the companies doing it properly. PGI licence the forum software out and write the backend themselves. If it isn't PGI's responsibility to ensure our data is secure then who's exactly is it?
Edited by Inertiaman, 13 December 2012 - 06:09 PM.
4 user(s) are reading this topic
0 members, 4 guests, 0 anonymous users