Friday, June 08, 2012

Interesting Conversation from Gold Farmer

I saw this interesting conversation posted on a Diablo III fansite today, and it has a lot of relevance to information security. The interview is about gold farming: using automated bots to collect massive amounts of in-game gold and items that can then be sold for cash. At one point, though, the conversation turns to how online game accounts are compromised.

The gold farmer claims that most game account compromises come from one source: forums. Attackers compromise a fan forum site and get the usernames, email addresses and passwords (or hashes). These credentials are then used to attempt to log into the game, as well as email accounts, PayPal, banks, credit cards and other online services. The entire process of checking accounts is automated with tools. These accounts can then either be used by the original criminals or sold to other criminals.

See below for the relevant text or see the entire interview with a Diablo III gold farmer.

MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?
Farmer: Yeah, I know everything about that.
MeD: Would you be willing to share that information with us?
Farmer: They don’t hack the computers, the passwords.
MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?
Farmer: They hack forums and such and take the same email and password and test it on Blizzard.
MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.
Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%
MeD: What type of websites are targets for this?
Farmer: Diablo websites or Blizzard in general.
MeD: So you are talking about Diablo fansites that have forums that you know have been successfully hacked these and get the log ins and passwords.
Farmer: Yeah, correct, it’s easy.
MeD: And in the forums of Blizzard are you able to get anything out of there?
Farmer: No. Blizzard is bullet proof, logically.
MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up
Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.
MeD: Is that a mispronunciation of your program or is that what it’s actually called?
Farmer: Nah. It’s made to make combo lists.
MeD: We reset everyone’s password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn’t realise then but I’m realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that a lot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?
Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.
MeD: They are testing this against multiple things, they are not just testing this against Diablo account they also test against Paypal and their bank log ins.
Farmer: They test it against everything and sell it.
MeD: How much do they sell these for?
Farmer: It depends on what’s on them.
MeD: 10c an account, $10 an account? Do you know the range there?
Farmer: ??? Doesn’t sell.

Wednesday, June 06, 2012

LinkedIn Password Hash Redux

This LinkedIn password hash leak has become a real storm of activity today. This post might not have much longevity, but I hope to quickly recap and summarize what we know, what we don't, what we guess and what we recommend. Everything here comes from correspondence on Twitter, blogs and what have you, so it should all be taken with a grain of salt (pun not intended).

What we know:
  • 6.5 Million password hashes were posted on a password cracking website. The author said they were from LinkedIn and that they were unsalted SHA-1 format. Some of the hashes had several digits zeroed out. 
  • No account names were included with the post, meaning it's not possible to link the passwords to accounts with the data found.
  • LinkedIn has been investigating whether there was an internal breach, but has not yet publicly acknowledged anything they have found.
  • LinkedIn has said that "some of the passwords that were compromised correspond to LinkedIn accounts." However, this statement is sufficiently vague that it could mean nothing more than common passwords are used for LinkedIn and found in the compromised data.
  • Many security researchers who use unique passwords for LinkedIn and no other site have found those passwords in the leaked data. These passwords are said to be highly unlikely to be used by anyone else.
  • An Android app update occurred shortly after the breach was discovered. However, it's unclear if the two events are related.
  • A security vulnerability in the LinkedIn iOS app reported today does not call out password security as an issue.
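
The dump format described in the first bullet, as an added example (not code from the original post or from LinkedIn): a local check of a password against a list of unsalted SHA-1 hashes, including entries with zeroed digits. It assumes the zeroed digits are the leading ones and that there are five of them (`MASKED_DIGITS`), which the post does not state; the dump entries and function names are constructed for this example.

```python
import hashlib

MASKED_DIGITS = 5  # assumption: leading hex digits zeroed in some dump entries
HEX = set("0123456789abcdef")

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the format the dump's poster described."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def load_dump(lines):
    """Keep only well-formed 40-digit hex entries, lower-cased."""
    dump = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and set(h) <= HEX:
            dump.add(h)
    return dump

def check_password(password: str, dump, masked: int = MASKED_DIGITS):
    """Return 'exact', 'masked' or None; the password never leaves this process."""
    full = sha1_hex(password)
    if full in dump:
        return "exact"
    # Entries with zeroed leading digits still match on the remaining digits.
    if "0" * masked + full[masked:] in dump:
        return "masked"
    return None

# Constructed dump: one intact hash, one with zeroed leading digits, one junk line.
CONSTRUCTED_DUMP = load_dump([
    sha1_hex("correct horse battery staple").upper() + "\n",
    "0" * MASKED_DIGITS + sha1_hex("Tr0ub4dor&3")[MASKED_DIGITS:],
    "not a hash",
])

if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "unique-to-this-site"):
        print(pw, "->", check_password(pw, CONSTRUCTED_DUMP))
```
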
What we don't:
  • We don't know whether there was a breach at LinkedIn or not. Likely they haven't yet completed their internal investigation.
  • We don't yet know if more information was leaked, such as account names, credit card numbers or other private information.
  • We don't know if more accounts have been exposed than those found in the original source.
  • We don't know if there is an active vulnerability that could be exploited again to gain access to more password hashes.
What we guess:
  • Mikko Hypponen has suggested that the list may have come from a LinkedIn web interface vulnerability, but this was simply speculation based on past breaches.
  • Researchers have speculated that the passwords whose hashes have digits zeroed out have already been compromised, or that those hashes are used for banned passwords.
  • There has been speculation that some password hashes are not from LinkedIn, though it's hard to find evidence either way.
  • There has been speculation that the 6.5 Million passwords may cover all accounts on LinkedIn, due to some passwords being used by many different people. However, a number of people have reported that their password was not found among those leaked.
  • Some reports suggest the leaked passwords may be 6 months old.
What we recommend:
  • If you have a LinkedIn account, change your password soon. Make it something strong. LinkedIn published some very generic account and password security suggestions, but I prefer the excellent xkcd panel on passwords.
  • Many security professionals have called for LinkedIn to begin adding a salt value in their password hashing process, in order to strengthen security. 
  • Other security professionals have mentioned specific password storage mechanisms built into programming languages which represent the latest techniques in thwarting password cracking, such as bcrypt, scrypt and PBKDF2. This has the added benefit of reducing the risk of an improper implementation which could itself lead to security issues.
  • Two sites have been set up to check your password against the list. The sites appear to be safe, in that they won't steal your password, but for the paranoid you can also submit the password hash. I don't personally recommend that anyone do this, unless you have already changed your LinkedIn password and it was unique. But it's fun to look for possible passwords!
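
Why the salt and the slow key-derivation functions in the recommendations above matter, as an added example (not LinkedIn's code or code from the original post): unsalted SHA-1 gives every user of a password the same hash, while salted PBKDF2 gives each account its own record. The record layout, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: example work factor, tune to your hardware

def unsalted_sha1(password: str) -> str:
    """The scheme reported for the leak: same password, same hash, everywhere."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(dk, expected)

def demo():
    pw = "linkedin2012"  # constructed sample password shared by two users
    alice, bob = hash_password(pw), hash_password(pw)
    return {
        "unsalted_equal": unsalted_sha1(pw) == unsalted_sha1(pw),
        "salted_equal": alice == bob,
        "verifies": verify_password(pw, alice),
        "rejects_wrong": verify_password(pw + "!", bob),
    }

if __name__ == "__main__":
    print(demo())
```
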