Comments

  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I've had so many interesting run-ins with computer security recently that, to be honest, I'm a hair's breadth from unsubbing STO.

    This kind of breach should simply not be possible if your security people were doing their jobs correctly.
    End of story, not open for debate as far as I'm concerned.

    Digital security is not a 'sorta kinda maybe' thing, ever. period. exclamation point.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Yes, but it really doesn't matter if they do... Asymmetric cryptography is based on the concept of strong, one directional mathematics. The salt is applied alongside your password into a cryptographic algorithm in order to ensure your password is not the same in my database as another. However, I cannot use my knowledge of the salt to unsalt your hashed password, it just doesn't work that way.

    Now, if they do know the salt, that can reduce the complexity of brute forcing your password. But it does not allow them to bypass the need to brute force.

    To quote from an article:
    Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.

    In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.


    Key findings of the study include:

    The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”
    Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
    Top 10:
    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123
    Another analysis I can't find right now indicated that the 10,000 most commonly used passwords were the vast majority of users' passwords (98% IIRC) if you ignored case. Take those 10,000 words, make every possible case variation (not hard) and salt-hash them, and it gives you the password. I've done it (was a 'white hat' data recovery kind of thing). It took about 20 minutes to run using a Perl script on a single-core P4-equivalent Xeon.

    So it's more likely just a dictionary against the salted hash table. You'll compromise more than enough accounts that way.

    OTOH, I read recently about someone that used the Amazon AWS stuff to brute force something like 30 million salted hashes in roughly 5 min, running massively parallel, and it cost him roughly $1000, so it just depends on how good a coder you are and how much effort you want to put into it.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    This kind of breach should simply not be possible if your security people were doing your jobs correctly.

    This kind of security is hard, and most dedicated hackers are very smart people. Security is incredibly complex in the large, feature rich, highly interdependent cyber world we live in.
    End of story, not open for debate as far as I'm concerned.

    Ok, enjoy your life under that rock.
    Digital security is not a 'sorta kinda maybe' thing, ever. period. exclamation point.

    The only truth in this post. That being said, digital security is built on technologies that are inherently vulnerable. So even the best security practices are not foolproof.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Well, at least someone finally thought Cryptic was worthy enough to hack into... :rolleyes:
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    LordOfPit wrote: »
    Is there any proof that that's exactly what happened?

    There is proof they took your handles and passwords, and I guarantee you that all those breached accounts recently, with players saying their toons' stuff was stolen in game, used this account data to do so... remember, anyone with your account name and password has access to everything in your account.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    That is why you can ask for a different at handle. My @handle is actually different than my sign in screenname.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    MTANG195 wrote:
    I guarantee you that all those breached accounts recently, with players saying their toons' stuff was stolen in game, used this account data to do so...

    Can I bet you $3500 on that guarantee? I've been wanting to buy the new model 8000 series Samsung 55" LED TV. I can send you a name to write the check out to and a PO box you can mail it to.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    That is why you can ask for a different at handle. My @handle is actually different than my sign in screenname.

    Sorry, yes, that's true, but my statement was inaccurate. I should have stated that they took usernames and passwords, not handles and passwords, as you are correct that handles and usernames can be different... sorry for the inaccuracy...
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    That is why you can ask for a different at handle. My @handle is actually different than my sign in screenname.

    You can? :confused:
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    That is why you can ask for a different at handle. My @handle is actually different than my sign in screenname.

    Having a different handle than log-in name was actually an enforced requirement when I created my account.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Can I bet you $3500 on that guarantee? I've been wanting to buy the new model 8000 series Samsung 55" LED TV. I can send you a name to write the check out to and a PO box you can mail it to.

    Haha, how about a free month of paid Gold sub instead? I don't like to gamble with high rolls.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    The STOWiki ad trojan (an external incident that we helped track down and communicated to you in the posts you linked) and this are two different incidents. They are not related in any way.

    Cheers,

    Brandon =/\=

    This is pure speculation,

    But it seems like the Ad Trojan and having Customer Service backed up with TRIBBLE Tickets prompted a greater security investigation which led to them finding the breach from December 2010.

    Hopefully we will get more details on this and why it took so long.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    MTANG195 wrote: »
    There is proof they took your handles and passwords, and I guarantee you that all those breached accounts recently, with players saying their toons' stuff was stolen in game, used this account data to do so... remember, anyone with your account name and password has access to everything in your account.
    If you could prove that, maybe Cryptic should hire you as a snoop. ;)
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Deckeon wrote:
    Brandon any Ideas on this?

    Send an email to customerservice@perfectworld.com
    MTANG195 wrote:
    OK, I would love to know why it took 2 years to figure this out... that's as bad as Sony's no-response statements... really, Cryptic, your customers' financial data, passwords, usernames, everything that can be accessed with an email or @handle with unencrypted passwords was at risk for 2 years before you got your act together and finally looked into it... this is just pathetically unacceptable and you need to seriously upgrade your firewall tech and coding to make sure this never happens again... hell, I wouldn't be surprised if someone sues you over this incident... :mad::confused:

    We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user. It is possible that the intruder was able to access additional account information, but we have no evidence of this. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Curious.... I have my account linked to my PWE account so I don't use the Cryptic login info anymore...

    I logged in without any issues... is it because it's PWE, or did I just get lucky?
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Apparently the account servers are STILL down, since neither my friend nor I got the emails we are expecting.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Apparently the account servers are STILL down, since neither my friend nor I got the emails we are expecting.

    All affected accounts have been password reset. Only the legitimate owner of the email account used to register a Cryptic account will be able to reset the password. Emails to all affected users are being sent out over the coming hours, and if you do not receive one within 48 hours, your account was not affected. Cryptic treats your privacy and account security seriously, and is taking proactive steps to ensure that all accounts are secure.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    protocols were breached sending me through an hour long headache of trying to reset my password... I can't believe I'm saying this, but I'm about ready to dump Gold. I mean as if it wasn't bad enough with the Cardassian (the rest of this message has been moved to another forum. Please find this forum and search through the many posts to continue reading. Signed Big Brother)
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    All affected accounts have been password reset. Only the legitimate owner of the email account used to register a Cryptic account will be able to reset the password. Emails to all affected users are being sent out over the coming hours, and if you do not receive one within 48 hours, your account was not affected. Cryptic treats your privacy and account security seriously, and is taking proactive steps to ensure that all accounts are secure.

    OK, maybe I was not clear. I'm talking to a friend who has a Cryptic account. He got the reset password link, put in his password, and has not received the email. Because of all the worry about the accounts being TRIBBLE, I changed my password to one more secure. Oddly enough it has not taken and I have not received MY email from PWE. So I'm asking again, are the servers down? Does it take 24 hours or something? Most password resets I have ever used were maybe a 5 minute delay, not 30+.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    When I unsubscribed just now it asked me why I was unsubscribing, but it wouldn't allow me to go into any details beyond "bad customer service". As I'm sure this thread is being watched closely I want to share my view here.

    You say this breach occurred sixteen months ago but that you have only discovered it now. What has happened in these past sixteen months? Sony acknowledged that they were compromised twelve months ago, and Steam six months ago. These incidents should have been warning signs. Anyone can be a victim.

    Even with such high profile instances of hacking going on, Cryptic apparently had no idea that they were compromised. Did no one think to check? Was there no concern that "that could have been us?". We are told that the discovery of this compromise is the result of "increased security analysis". Increased security analysis should have happened twelve months ago!

    I don't believe you have taken enough care with the sensitive information entrusted to you, and that is why I have unsubscribed. The breach in your security means I cannot trust you with my information. I see on my account "dashboard" that you have retained my credit card details on my account, no doubt so that I can resubscribe with ease. I will be opening a support ticket to have my credit card details permanently stricken from your records and I am seriously considering making the same request of ALL my personal details, which I know will result in my account being permanently inaccessible.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    When I unsubscribed just now it asked me why I was unsubscribing, but it wouldn't allow me to go into any details beyond "bad customer service". As I'm sure this thread is being watched closely I want to share my view here.

    You say this breach occurred sixteen months ago but that you have only discovered it now. What has happened in these past sixteen months? Sony acknowledged that they were compromised twelve months ago, and Steam six months ago. These incidents should have been warning signs. Anyone can be a victim.

    Even with such high profile instances of hacking going on, Cryptic apparently had no idea that they were compromised. Did no one think to check? Was there no concern that "that could have been us?". We are told that the discovery of this compromise is the result of "increased security analysis". Increased security analysis should have happened twelve months ago!

    I don't believe you have taken enough care with the sensitive information entrusted to you, and that is why I have unsubscribed. The breach in your security means I cannot trust you with my information. I see on my account "dashboard" that you have retained my credit card details on my account, no doubt so that I can resubscribe with ease. I will be opening a support ticket to have my credit card details permanently stricken from your records and I am seriously considering making the same request of ALL my personal details, which I know will result in my account being permanently inaccessible.

    http://imgs.xkcd.com/comics/cia.png
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Absolutely horrid. Almost two years before detecting a security breach. Kudos for finally finding it, epic failure for lack of security controls and being the low hanging fruit.

    As it stands, I just got through deleting my card information from my account. I want to know if, by deleting it now, that deletion has affected everything, including backups (digital or otherwise). If it has not, how long will my financial data be stored, and when can I be assured there is no residual data remaining?

    As it stands, further transactions with Cryptic will not be done. This obvious oversight regarding security and the lack of controls in place should have everyone scared. There should be some form of compensation from Cryptic for this, free credit monitoring for a fixed period of time, couple of months worth would be great for starters.

    Tell you what, how about we all make a few lock boxes, randomly put in them things that Cryptic doesn't need to do for that customer, like credit monitoring (Tier 1), refunding of subscriptions for a couple of months (Tier 2), etc... to be fair, throw in a penny or two credit to the customer's account (call it a LOBI, but have a store set up where they can buy positive posts and feedback on the forums with about 500 LOBI per post), sell the boxes to Cryptic for a dollar a box, but don't tell them the odds.

    ...I'll call that square.:p

    ::Sarcasm started at the last paragraph::
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Guys, the easiest way to see if the email you get is genuine or not is to identify the email address you got it from. The official password reset email comes from "donotreply@crypticstudios.com". One of my friends received an email from "noreply@crypticstudios.com", which probably is a fake one.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    So you were TRIBBLE back in 12/2010 and just figured it out now? Bush-league, Cryptic, bush-league. Didn't think it was even possible, but you've reached yet another new low.
    We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user. It is possible that the intruder was able to access additional account information, but we have no evidence of this. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed.

    Considering it took so long to realize the original breach, Cryptic's lack of evidence isn't very reassuring.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Regardless, even if you try to reset your password from the game website you can't get the email.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    If you are having trouble logging into your account, your account’s password may have been locked during our account server maintenance today. You can recover your password via the “forgot password” link on the official Star Trek Online or Champion Online websites:

    www.startrekonline.com/user/password
    www.champions-online.com/user/password

    For full details on why accounts were locked today, please read the notification here.

    Apologies for the inconvenience.

    Customer Service
    Cryptic Studios
    I'd like to see the CEO of Perfect World issue an official email, addressing the issue, apologizing for the inconvenience, and stating what corrective actions will be taken.

    I'm being serious.

    While I'm glad Brandon (PWE_BranFlakes) addressed this on behalf of customer service, the company needs to reassure me, the customer, that further steps are being taken to prevent future issues. Finding out by 1.) not being able to log into my Champions Online OR Star Trek Online clients; and 2.) logging into a forum site to find out why there's an issue ISN'T the way I should discover what happened.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Sardoc wrote:
    Wrong. By default, you NEVER encrypt user passwords to your database. You ALWAYS hash. There is no excuse for not doing so. That way, even if your database is compromised, important information is not lost.

    That is just one of the few BASIC rules for any application...

    Very good point, and I stand very much corrected and abashed. Thank you for the correction.
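As an added example (not code from any poster, from Cryptic, or from PWE), this is the storage scheme the salting post earlier in the thread and the "always hash, never encrypt" correction just above describe: a per-user random salt stored in the clear, a deliberately slow hash, and a case-insensitive blocklist seeded from the RockYou top-10 quoted above. PBKDF2-HMAC-SHA256, the iteration count and the 16-byte salt are my choices, not anything the thread specifies.

```python
import hashlib
import hmac
import os

# The RockYou top-10 quoted in the thread. A production blocklist would hold
# the full list of most-common passwords the poster refers to, not ten entries.
ROCKYOU_TOP10 = ["123456", "12345", "123456789", "Password", "iloveyou",
                 "princess", "rockyou", "1234567", "12345678", "abc123"]
BLOCKLIST = frozenset(p.lower() for p in ROCKYOU_TOP10)

# PBKDF2 work factor (my choice of KDF and count, not the forum's). Each guess
# costs an attacker this many hash rounds per stored record, which is what makes
# a dictionary run against the table expensive rather than a 20-minute job.
ITERATIONS = 200_000
SALT_BYTES = 16


def is_blocklisted(password: str) -> bool:
    """Reject common passwords regardless of case, since the thread notes
    case variants are trivial to enumerate."""
    return password.lower() in BLOCKLIST


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password produce different records, so one cracked record or one
    precomputed table does not cover the whole database."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The salt sits next to the digest in the clear: knowing it lets anyone
    recompute a guess, but not reverse the digest, as the post explains.
    Constant-time comparison avoids leaking how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(password: str) -> dict:
    """Enrol a password: refuse blocklisted ones, otherwise store salt + digest.
    Nothing recoverable as plaintext is kept, which is the 'hash, never encrypt'
    rule from the correction above."""
    if is_blocklisted(password):
        raise ValueError("password is on the common-password blocklist")
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def check_login(record: dict, password: str) -> bool:
    """Verify a login attempt against a stored record."""
    return verify_password(password, bytes.fromhex(record["salt"]),
                           bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec_a, rec_b = register(pw), register(pw)
    print("same password, different records:", rec_a["digest"] != rec_b["digest"])
    print("login ok:", check_login(rec_a, pw))
    print("wrong case rejected:", not check_login(rec_a, pw.title()))
```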
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Ok so... are they being hashed NOW or not?

    Just keeps gettin' better and better.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    The STOWiki ad trojan (an external incident that we helped track down and communicated to you in the posts you linked) and this are two different incidents. They are not related in any way.

    Cheers,

    Brandon =/\=

    This claim is disingenuous. The STOWiki ad trojan and this admitted security breach at Cryptic are two separate events, probably committed by two different people (or groups of people). However, they are related in that plenty of people who had their accounts compromised last month were told there was absolutely no problem on Cryptic's end, despite numerous people who were affected having had nothing to do with STOwiki or the Curse network.

    The fact remains, pretty much anyone who had problems with their account over the past two years may or may not be a result of this breach, despite Cryptic's previous party line that any problems were the fault of their players. Or from the STOWiki ad trojan that somehow affected people who never went to STOwiki.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    When I unsubscribed just now it asked me why I was unsubscribing, but it wouldn't allow me to go into any details beyond "bad customer service". As I'm sure this thread is being watched closely I want to share my view here.

    You say this breach occurred sixteen months ago but that you have only discovered it now. What has happened in these past sixteen months? Sony acknowledged that they were compromised twelve months ago, and Steam six months ago. These incidents should have been warning signs. Anyone can be a victim.

    Even with such high profile instances of hacking going on, Cryptic apparently had no idea that they were compromised. Did no one think to check? Was there no concern that "that could have been us?". We are told that the discovery of this compromise is the result of "increased security analysis". Increased security analysis should have happened twelve months ago!

    I don't believe you have taken enough care with the sensitive information entrusted to you, and that is why I have unsubscribed. The breach in your security means I cannot trust you with my information. I see on my account "dashboard" that you have retained my credit card details on my account, no doubt so that I can resubscribe with ease. I will be opening a support ticket to have my credit card details permanently stricken from your records and I am seriously considering making the same request of ALL my personal details, which I know will result in my account being permanently inaccessible.

    I hope this is some kind of mistake or a joke, because with everything else that's going on with this game it sounds like we're dealing with unprofessional people, and I am glad I deleted my card details a week ago. Will we see someone from Cryptic go on STOKkes and say sorry like Sony did? lol
This discussion has been closed.