Comments

  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    It's unfortunate that this has happened. We do have to remember that whoever is in charge of the security is only human. Mistakes happen. When it comes to the internet, there is always something. I remember the early years; it is nothing compared to what the net is like today. There just is a lot of TRIBBLE that happens today. So many angles, spam, etc. Technology keeps changing and we can't prevent it all. Nothing is safe. At least they found it now and did what they could to fix the problem. Yes, late, but it's better than them never finding out.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    cmdraftbrn wrote: »
    u do know that the authenticators are nothing more than a glorified cd key that has a master list of all the combos. while it provides a peace of mind to the end user its just as breakable as anything else. really its only one extra step on the hackstar:eek:

    Not exactly. It depends on the authenticator and the technology behind it.

    Commercial-grade authenticators use a timing mechanism to generate a string of alphanumeric (normally numeric) digits. This string is typically associated with the serial number of the authenticator. The hardware on the server side keeps track of what a valid string would be for a given serial number of an authenticator, then compares the string it generates from the authenticator's serial number attached to that account, with the string the user entered.

    Consumer-grade authenticators may do things slightly differently, but not too differently. They do NOT keep a list of codes. Otherwise, the authenticator I use in [REDACTED] would work just fine if I type in the string a couple of minutes after I generate it. =) Instead, it is linked (in some manner, it varies from vendor to vendor) to the current time.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    They noticed a potential breach, they notified customers and complied with all applicable decencies and laws. Seems pretty competent to me.

    Continue to use the security checks and vigilance previously mentioned?

    The fact that it went unnoticed this long is incompetent enough. And obviously their previous security methods don't count for much since they got broken and went unnoticed in the first place.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Foxstab wrote: »
    The first six digits and the last four digits of CC...that's 10 digits. CC is only 12 digits long.
    How hard is it going to be to brute force the remaining two and the security number?

    -_-

    *mighty ****ed*

    I missed this detail the first time I read the e-mail. This is terrifying, tbh.

    BTW there are apparently some seriously wacky things going on with some accounts right now. Check out STO's Facebook comments..... :confused:
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    cmdraftbrn wrote: »
    u do know that the authenticators are nothing more than a glorified cd key that has a master list of all the combos. while it provides a peace of mind to the end user its just as breakable as anything else. really its only one extra step on the hackstar:eek:


    Yes I know nothing is 100% secure but that's like arguing to not lock your door because they can just come through your window.

    One extra step could have prevented all these accounts from being TRIBBLE in the first place.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    BClark_09 wrote:
    The fact that it went unnoticed this long is incompetent enough. And obviously their previous security methods don't count for much since they got broken and went unnoticed in the first place.
    Keep in mind that all the Account TRIBBLE posts started showing up on the forum in the last couple of months. While the database might have been cracked in 2010 it wasn't until 2012 that the culprits managed to do anything with the information. If all the TRIBBLE threads had begun in 2010 this situation would have been taken care of then.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I for one am pretty thankful to Cryptic for this measure. The small annoyance of having to change my password is a small price to pay for a quick reaction on their part to protect against any potential security risks to player accounts.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    BClark_09 wrote:
    The fact that it went unnoticed this long is incompetent enough. And obviously their previous security methods don't count for much since they got broken and went unnoticed in the first place.

    Spoken by someone who obviously has no idea what cyberspace security actually entails. It is very difficult to detect security breaches, but keeping logs for long periods of time allows security professionals to apply new tools and techniques to old log files in order to discover previously undetected issues.

    Detecting a security breach is about poring through very minute server timing and event records in order to detect things that criminals spend lots of money and manpower making undetectable. It's about recognizing and categorizing normal use conditions (which change constantly), flagging potentially anomalous activities, and tracking down anomalous activities to determine potential legitimate causes. The difference between normal and anomalous is very small. The amount of data is completely beyond the capability of any human workforce to evaluate, so reliance on computerized tools, techniques, and signatures is the only way to detect breaches.

    Those tools, techniques, and signatures update constantly so new breaches may become detectable when they previously were not. Just as no anti-virus is going to 100% protect your computer, no log flagging system is going to 100% detect breaches. It just isn't possible.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Powerhelm wrote: »
    They might also start by issuing an apology to anyone insinuated as being at fault.

    Here you seem to be looking into some issues

    Here you again make it sound like STOwiki may be to blame

    At what point in the last month did you guys realize it was your fault and not theirs?

    The STOWiki ad trojan (an external incident that we helped track down and communicated to you in the posts you linked) and this are two different incidents. They are not related in any way.

    Cheers,

    Brandon =/\=
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Yes I know nothing is 100% secure but that's like arguing to not lock your door because they can just come through your window.

    One extra step could have prevented all these accounts from being TRIBBLE in the first place.

    You're assuming a lot here. You are assuming that the accounts that got TRIBBLE would have purchased an authenticator in the first place, which is not likely to be the case for the vast majority of F2P accounts. Especially since, if you assume they were TRIBBLE due to the database breach, you are talking about accounts of customers that use weak passwords and therefore care very little about account security in the first place.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Foxstab wrote: »
    The first six digits and the last four digits of CC...that's 10 digits. CC is only 12 digits long.
    I don't know what type of CC you have, but mine is 16 digits long. :)
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    The STOWiki ad trojan (an external incident that we helped track down and communicated to you in the posts you linked) and this are two different incidents. They are not related in any way.

    Cheers,

    Brandon =/\=

    So was that the catalyst for re-examining your own internal security? It seems kinda odd timing that you would just happen to have new security checks scheduled at this time.

    Could this also be ATARI's fault in any way?
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Cosmic_One wrote: »
    I don't know what type of CC you have, but mine is 16 digits long. :)

    Still, that leaves only 6 digits. Which means it could potentially be any number between 000000 - 999999, and actually, far fewer going based on credit card numbering conventions. Not exactly a hard one for a computer to crack.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Called it Last Month.
    I don't frequent any gaming wikis, so I'm relatively sure I haven't been to the Curse network at large either.

    I'm somewhat wary that the tone of the thread seems dead-set on the fact that the problem is absolutely not Cryptic's fault. I've dealt with too many companies lately that seem to have some kind of security breach, but refuse to admit it for a couple of months, and blame their customers instead.

    Just sayin'.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    When you have a major issue like this, shut the whole thing down so everyone has to reset. It's not fair that people still get to play the STF event, for those wishing to do that.

    With the down time, will we get the correction I asked for regarding the STF respawn map leave time lapse, with that oversight?

    Day 3 of the STF boycott for me; I am refusing to run them.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I keep clicking the link that's supposed to take me to the password reset page and all I get is the basic home page for STO. This is kinda frustrating!
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Powerhelm wrote: »
    So was that the catalyst for re-examining your own internal security? It seems kinda odd timing that you would just happen to have new security checks scheduled at this time.

    I would hope that they have new security checks all the time. Cyberspace security is a fast paced and evolving battle between hackers and security professionals. New tools and techniques are published daily.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    silo935 wrote:
    Still, that leaves only 6 digits. Which means it could potentially be any number between 000000 - 999999, and actually, far fewer going based on credit card numbering conventions. Not exactly a hard one for a computer to crack.
    6 digits is basically 1 million possible combinations to get to yours. That's not a small number. Still, if you find it's an issue you can always contact your CC provider and ask for a new number.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I can't get to the forgot password link; it keeps sending me to the main page. I can get into my account but need the password to get into the settings. What am I supposed to do? HELP
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Foxstab wrote: »
    The first six digits and the last four digits of CC...that's 10 digits. CC is only 12 digits long.
    How hard is it going to be to brute force the remaining two and the security number?

    I was *wondering* why that sentence sounded so strange! Seemed like a strange way of putting it. However, some clarification is required.

    CC numbers for Visa and MC are 16 digits (11 unique plus the checksum) long plus a three digit CCV. AmEx uses 15 digits (10 unique plus the checksum) plus a 4 digit CCV. Of these, the first six are not unique to the bearer of the card, but depend on the industry, the issuer, and the country it was issued in.

    So basically, instead of needing to brute force 5 or 6 digits, the bad guys would need to brute force 11 digits. Significantly harder!

    Seeing as the baddies may have broken the encryption on the passwords, we can hope that the CC information was stored with significantly more robust encryption.

    An excellent and informative article on the anatomy of a credit card number is here:
    http://www.merriampark.com/anatomycc.htm

    EDIT: I apologize, I edited this poorly from a prior type-up.

    Visa/MC cards are 16 digits long, Amex 15. Of them, the first six are vendor/country identifiers. That leaves 10 or 9 unique digits. Of them, the last four would be known to a bad guy; that leaves 6 or 5. Add in the CCV (3 for MC/Visa, 4 for Amex) and you get nine digits that the bad guys need to brute force.

    It gets a little tricky when you consider that the last digit -- one of the known digits -- is a checksum. So, you know what? Forget most of what I said. :p It's both easier than I suggested -- 6 or 5 unique digits but a known checksum, and a 3 or 4 digit CCV which could be anything -- and more complicated!
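The card-number structure V-Mink works through above (issuer prefix, check digit, first-six/last-four masking), as an added example that is not from the original thread: a Luhn validator and check-digit generator, the first6/last4 mask, and a count of how many full numbers remain consistent with such a mask. The count goes one step beyond the post: because the visible last digit is the Luhn check digit, a mask with n hidden digits leaves 10^(n-1) candidates rather than 10^n, which is also why card brands require the CVV never to be stored at all. The test number 4111111111111111 is a constructed, publicly used test value, not a real card.

```python
def luhn_sum(digits: str) -> int:
    """Luhn sum, rightmost digit treated as the check position (weight 1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9            # 10..18 -> 1..9 (same as summing the two digits)
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    pan = pan.replace(" ", "")
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit to append to `partial` so the full number passes Luhn."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def mask_pan(pan: str) -> str:
    """Display/storage mask: first six (issuer/BIN) and last four visible, as in the breach notice."""
    pan = pan.replace(" ", "")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def luhn_consistent_fills(masked: str) -> int:
    """How many full PANs agree with a mask whose check digit is visible.
    Each digit contributes either d or double-reduce(d) mod 10, and both maps
    are bijections on 0..9, so once all but one hidden digit are chosen exactly
    one value of the last one satisfies the check: 10**(n-1) candidates, not 10**n."""
    n = masked.count("*")
    return 10 ** (n - 1) if n > 0 else 1


def guess_space(masked: str, cvv_digits: int = 0) -> int:
    """Residual search space; cvv_digits > 0 models a CVV that was (correctly) not stored."""
    return luhn_consistent_fills(masked) * 10 ** cvv_digits
```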
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    LeLund wrote:
    I keep clicking the link that's supposed to take me to the password reset page and all I get is the basic home page for STO. This is kinda frustrating!
    As has been said at least 1 dozen times now, you must LOG OUT first. It can't reset while you're logged into the STO website or forum.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    silo935 wrote:
    Still, that leaves only 6 digits. Which means it could potentially be any number between 000000 - 999999, and actually, far fewer going based on credit card numbering conventions. Not exactly a hard one for a computer to crack.

    Actually, storing the credit card number in this fashion meets MasterCard and Visa security requirements. It's probably how your credit card number is stored in almost every database it is stored in.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    At least they acknowledged the problem and took action in a positive direction. To err is human.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    V-Mink wrote:
    Not exactly. It depends on the authenticator and the technology behind it.

    Commercial-grade authenticators use a timing mechanism to generate a string of alphanumeric (normally numeric) digits. This string is typically associated with the serial number of the authenticator. The hardware on the server side keeps track of what a valid string would be for a given serial number of an authenticator, then compares the string it generates from the authenticator's serial number attached to that account, with the string the user entered.

    Consumer-grade authenticators may do things slightly differently, but not too differently. They do NOT keep a list of codes. Otherwise, the authenticator I use in [REDACTED] would work just fine if I type in the string a couple of minutes after I generate it. =) Instead, it is linked (in some manner, it varies from vendor to vendor) to the current time.
    This is true. I have 4 different authenticators for different things. One of the interesting bits is that while most of the 'game' authenticators have roughly a 20 minute timeout (generate the code and it's good for quite a while) the code is only good once.

    WoW and Final Fantasy are like that, which is why the 'super' account-stealing trojans let the program launch, wait for you to authenticate, and then cause it to segfault before it sends the information to the servers so they can then use their short window to get in and steal your stuff.

    As far as getting access to the encrypted database, I presume it would be a salted hash. The good news is that a database of passwords that are done in salted hash is almost uncrackable. The bad news is that it's trivial to, once you determine the salt, do a salted hash run on a massive dictionary of 'high grade' passwords like Bond007, THX-1138 and NCC1701 (seriously those are in the top 100 passwords, based on known stolen databases from several social web sites) and then you do a simple comparison to the list. You wouldn't get my password out of it, but you would get a good 75%+ of the customers.

    (this guy did an analysis of over a million accounts. the top 100 passwords accounted for 84% of the database. The top 10000 accounted for 98%)
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    V-Mink wrote:
    Seeing as the baddies may have broken the encryption on the passwords, we can hope that the CC information was stored with significantly more robust encryption.

    If they encrypted your credit card number, they wouldn't be able to bill you. Credit card numbers are not stored encrypted, but MasterCard, Visa, and a slew of national and international laws require that they be stored in two separate databases. Typically, the first 6 and last 4 are stored together for routing purposes and the middle digits and CVC are stored elsewhere.

    Besides, no matter how robust the encryption, if the baddies know that the credit card number contains only numbers, it'd be fairly trivial to crack it.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Cosmic_One wrote: »
    As has been said at least 1 dozen times now, you must LOG OUT first. It can't reset while you're logged into the STO website or forum.

    Cosmic, for some people, that's still not working. Others are logging in to find they no longer have any toons. Something weird is going on.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    When does Account/Billing open in the mornings? I need to know; I need to get my second account back. I have demoted it in the Fleet just in case it is TRIBBLE, so that the hacker will not be able to take any of my Bank items. Still no response from them.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    This is true. I have 4 different authenticators for different things. One of the interesting bits is that while most of the 'game' authenticators have roughly a 20 minute timeout (generate the code and it's good for quite a while) the code is only good once.

    WoW and Final Fantasy are like that, which is why the 'super' account-stealing trojans let the program launch, wait for you to authenticate, and then cause it to segfault before it sends the information to the servers so they can then use their short window to get in and steal your stuff.

    As far as getting access to the encrypted database, I presume it would be a salted hash. The good news is that a database of passwords that are done in salted hash is almost uncrackable. The bad news is that it's trivial to, once you determine the salt, do a salted hash run on a massive dictionary of 'high grade' passwords like Bond007, THX-1138 and NCC1701 (seriously those are in the top 100 passwords, based on known stolen databases from several social web sites) and then you do a simple comparison to the list. You wouldn't get my password out of it, but you would get a good 75%+ of the customers.

    (this guy did an analysis of over a million accounts. the top 100 passwords accounted for 84% of the database. The top 10000 accounted for 98%)

    There are a number of cryptanalysis techniques that can do an unsalted hash run on a massive dictionary and figure out what the salt is. It takes significantly longer, but if the economic reward is there it isn't hard enough to dissuade a good hacker. The real security that salting the hash gives you is that your hash can't be directly passed to some other authentication server to log into your account. Being able to "pass the hash" would bypass the need to crack your password at all.
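The two points made in this exchange (a salted fast hash still falls to a top-N dictionary once the salt is known, and a hash must never be usable as the credential itself), as an added example that is not from the original thread. It builds a small constructed password store with per-user salts and a single fast SHA-256, audits it against a constructed top-N list (the three passwords named above plus a few generic ones), and then shows the hardened form: a registration-time blocklist, per-user random salt, and a deliberately slow PBKDF2 that the server recomputes from the submitted password, so a stolen hash string cannot be replayed. All users, salts, passwords and the 600,000 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed top-N list; the first three are the ones named in the thread.
TOP_PASSWORDS = ["Bond007", "THX-1138", "NCC1701", "password", "123456", "qwerty"]


def fast_salted_hash(salt: bytes, password: str) -> str:
    """The weak scheme under discussion: one fast hash over salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed "leaked" store: user -> (per-user salt, hex digest). Salts are fixed
# here only so the example is deterministic; three of four users chose a top-N word.
LEAKED_STORE = {
    "picard": (b"\x01\x02\x03\x04", fast_salted_hash(b"\x01\x02\x03\x04", "NCC1701")),
    "kirk":   (b"\x05\x06\x07\x08", fast_salted_hash(b"\x05\x06\x07\x08", "Bond007")),
    "data":   (b"\x09\x0a\x0b\x0c", fast_salted_hash(b"\x09\x0a\x0b\x0c", "THX-1138")),
    "q":      (b"\x0d\x0e\x0f\x10", fast_salted_hash(b"\x0d\x0e\x0f\x10", "7v$Lq2!wZp9#Rk")),
}


def audit_fast_store(store: dict, wordlist: list) -> dict:
    """Defender's audit of a fast-hash store: which accounts fall to the top-N list?
    The salt only rules out precomputed tables; the cost is len(store) * len(wordlist)
    cheap hashes, which is why the thread's 75%+ estimate is plausible."""
    recovered = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            if hmac.compare_digest(fast_salted_hash(salt, word), digest):
                recovered[user] = word
                break
    return recovered


# Hardened scheme: blocklist at registration, random salt, slow KDF.
PBKDF2_ITERATIONS = 600_000


def is_blocklisted(password: str, blocklist=TOP_PASSWORDS) -> bool:
    return password.lower() in {w.lower() for w in blocklist}


def hash_password_slow(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    if is_blocklisted(password):
        raise ValueError("password is on the common-password blocklist")
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The server derives from the *password* every time; presenting the stored
    string itself proves nothing (the pass-the-hash point made above)."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```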
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    silo935 wrote:
    Cosmic, for some people, that's still not working. Others are logging in to find they no longer have any toons. Something weird is going on.
    I can't speak to that. But I can say that anyone who is posting on the forum about it not working has obviously not logged out. Because once you log out you can't get back onto the forum until you reset your password.
  • Archived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Cosmic_One wrote: »
    I can't speak to that. But I can say that anyone who is posting on the forum about it not working has obviously not logged out. Because once you log out you can't get back onto the forum until you reset your password.

    Good point. Sorry. I had an imbecile moment. You may award me the Fail ribbon at your discretion. :p
This discussion has been closed.