Interesting Conversation from Gold Farmer

I saw this interesting conversation posted on a Diablo III fansite today and it has a lot of relevance to Information Security. The interview is around the act of gold farming, or using automated bots to find massive amounts of in-game gold and items that can then be sold for cash. But at one point the conversation goes into how online game accounts are compromised.

The gold farmer claims that most game account compromises come from one source - forums. Attackers compromise a fan forum site and get the username, email and passwords (or hashes). These credentials are then used to attempt to log into the game, as well as email accounts, PayPal, banks, credit cards and other online services. The entire process of checking accounts is automated through tools. These accounts can then be either used by the original criminals or sold to other criminals.

See below for the relevant text or see the entire interview with a Diablo III gold farmer.

MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?

Farmer: Yeah, I know everything about that.

MeD: Would you be willing to share that information with us?

Farmer: They don’t hack the computers, the passwords.

MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?

Farmer: They hack forums and such and take the same email and password and test it on Blizzard.

MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.

Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%

MeD: What type of websites are targets for this?

Farmer: Diablo websites or Blizzard in general.

MeD: So you are talking about Diablo fansites that have forums that you know have been succesfully hacked these and get the log ins and passwords.

Farmer: Yeah, correct, it’s easy.

MeD: And in the forums of BLizzard are you able to get anything out of there?

Farmer: No. Blizzard is bullet proof, logically.

MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up

Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.

MeD: Is that a mispronunciation of your program or is that what it’s actually called?

Farmer: Nah. It’s made to make combo lists.

MeD: We reset everyone’s password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn’t realise then but I’m realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that alot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?

Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.

MeD: They are testing this against multiple things, they are not just testing this against Diablo account they also test against Paypal and their bank log ins.

Farmer: They test it against everything and sell it.

MeD: How much do they sell these for?

Farmer: It depends on what’s on them.

MeD: 10c an account, $10 an account? Do you know the range there?

Farmer: ??? Doesn’t sell.

LinkedIn Password Hash Redux

This LinkedIn password hash leak has become a real storm of activity today. This post might not have much longevity, but I hope to quickly recap and summarize what we know, what we don't, what we guess and what we recommend. Everything here comes from correspondance on Twitter, blogs and what have you, so it should all be taken with a grain of salt (pun not intended).

What we know:

• 6.5 Million password hashes were posted on a password cracking website. The author said they were from LinkedIn and that they were unsalted SHA-1 format. Some of the hashes had several digits zeroed out. 
• No account names were included with the post, meaning it's not possible to link the passwords to accounts with the data found.
• LinkedIn has been investigating whether there was an internal breach, but has not yet publicly acknowledged anything they have found.
• LinkedIn has said that "some of the passwords that were compromised correspond to LinkedIn accounts." However, this statement is sufficiently vague that it could mean nothing more than common passwords are used for LinkedIn and found in the compromised data.
• Many security researchers who use unique passwords for LinkedIn and no other site have found those passwords in the leaked data. These passwords are said to be highly unlikely to be used by anyone else.
• An Android app update occurred shortly after the breach was discovered. However, it's unclear if the two events are related.
• A security vulnerability in the LinkedIn iOS app reported today does not call out password security as an issue.

What we don't:

• We don't know whether there was a breach at LinkedIn or not. Likely they haven't yet completed their internal investigation.
• We don't yet know if more information was leaked, such as account names, credit card numbers or other private information.
• We don't know if more accounts have been exposed than those found in the original source.
• We don't know if there is an active vulnerability that could be exploited again to gain access to more password hashes.

What we guess:

• Mikko Hypponen has suggested that the list may have come from a LinkedIn web interface vulnerability, but was simply speculation based on past breaches.
• Researchers have speculated that passwords that have digits zeroed out have already been compromised, or that they are used for banned passwords.
• There has been speculation that some password hashes are not from LinkedIn, though it's hard to find evidence either way.
• There has been speculation that the 6.5 Million passwords may cover all accounts on LinkedIn, due to some passwords being used by many different people. However, a number of people have reported that their password was not found among those leaked.
• Some reports suggest the leaked passwords may be 6 months old.

What we recommend:

• If you have a LinkedIn account, change your password soon. Make it something strong. LinkedIn published some very generic account and password security suggestions, but I prefer the excellent xkcd panel on passwords.
• Many security professionals have called for LinkedIn to begin adding a salt value in their password hashing process, in order to strengthen security. 
• Other security professionals have mentioned specific password storage mechanisms built into programming languages which represent the latest techniques in thwarting password cracking, such as bcrypt, scrypt and PBKDF2. This has the added benefit of reducing the risk of an improper implementation which could itself lead to security issues.
• Two sites have been set up to check your password against the list. The sites appear to be safe, in that they won't steal your password, but for the paranoid you can also submit the password hash. I don't personally recommend that anyone do this, unless you have already changed your LinkedIn password and it was unique. But it's fun to look for possible passwords!  

• http://linkedin.biorra.com/
• http://leakedin.org

On the Recent Blizzard and Diablo 3 Account Compromises

As an avid Diablo fan, I eagerly watched and waited for Blizzard to create Diablo 3. My first impression is that they did a masterful job creating it. Yes, there are some initial frustrations, but it definitely has that Diablo feel to it and despite the running jokes about Error 37 as a new prime evil, I've found that the most powerful boss enchantment has been Time Thief - the ability to suck hours off the clock without me realizing it. Bravo, Blizzard, Diablo 3 is a triumph!

But recently there has been a lot of controversy around compromised accounts in Diablo 3. Many players have found that their characters have been stripped of gold and high-level gear. That's as much a tragedy as being robbed in the physical world - the possessions you've worked for so long and felt so happy to acquire are taken from you by an unknown assailant. People feel violated and angry, which is understandable and which is our nature. Many have lashed out at the closest target. 

The most common and convenient target of anger has been Blizzard's security and practices. Many accusations have sprung up that Blizzard, its servers, the game or other technology has been "hacked" and that essentially any player or account could be compromised because of that. In an interesting parallel, this is commonly the first thing people assume when their bank account has been compromised. 

 

The banking world has long confronted security challenges for online services. For as long as online banking has been a reality, malicious individuals have been hoping to compromise accounts and steal money from them. And so banking has come a long way in combating those threats. I've performed dozens of audits for financial institutions around their information security practices, including a component dealing with authentication in online banking (FIL-103-2005, FIL-77-2006 and FIL-50-2011 if you want to look it up). 

Today, banking is one of the safest activities you can engage in online, although it is also one of the most targeted. Cybercriminals from around the world target banks, banking sites and accounts and it has become every bit as disciplined and efficient as any business. The complexity and innovation is staggering. Yet excellent security measures taken by banks effectively thwart almost any attack out there, when used as intended on both the bank's side and on the account holder's side. 

Most bank account compromises in the last decade or so haven't happened because the bank was hacked - they've happened with legitimate account credentials. It used to be that most online banking accounts were compromised by the victim giving away their username and password or other sensitive information after clicking on links in fake emails. But banks improved the security and attackers responded by becoming more sophisticated. Now most of the time compromises happen because the account holder logs into their account from a computer that has malicious software installed. And it's highly likely that this is what has happened with most of the Diablo 3 account compromises. 

So how does this relate to Blizzard and to Diablo 3?

Blizzard has, in fact, said that malware has been the root cause in nearly all of their compromise investigations. Today's cybercriminals have become very sophisticated in their methods. As Blizzard has also pointed out, there is no one way that they get the information and access necessary to compromise accounts. Essentially they use whatever means they need to, in order to get what they want. In practice, this means there are likely multiple groups, each using many different types of attacks to get as many accounts as they can. 

As with bank account holders, gamers have gotten more savvy about giving away information which would allow someone else to access their account. But the attackers have adapted as well and use other ways of getting that information than by sending fake emails. Here are some of the more creative and sophisticated ways the thieves operate.

• By calling you, if you can believe it! There's a good video walking through a typical attack where a cyber criminal may call you on the phone. 
• Text messaging or emails directing you to call a phone number, usually about account compromise, expiration or closing. The phone number then has a recording asking you to enter your information. You never even have to talk to a person and you've given up too much information.
  
• If you are using the same email address and password on another site, if that site is compromised your Diablo 3 account may be too. These compromises happen somewhat frequently, such as the Gawker Media account compromise a couple of years ago. 
• It's possible to buy compromised systems from cybercriminals. Many of the more sophisticated networks have millions of computers that are infected - far too many for the original criminals to take advantage of. So they sell access to others.
• It's also possible to buy accounts from cybercriminals. Often they have account credentials for systems they don't typically target - for example if they only target bank accounts, they may sell gaming accounts for some additional profit.
• Newly compromised accounts are prioritized. The criminals have so many accounts they target the ones that have the highest net worth first. There are stories of operations centers with account queues where each new account is evaluated and ranked according to the amount of money the thieves can get. 

By far the most common way most bank accounts are compromised, and likely Diablo 3 accounts, is simply by installing malware on your computer without you knowing it. Without going into the myriad ways that this can happen, it's sufficient to say that you don't have to visit the shadier side of the Internet to run into malware. Most sites that distribute malware are legitimate. In fact, more than 90% of infected sites find out that they're compromised from someone else. Even some of the most mainstream sites have become malware distributors at times - ESPN, NASA and the Wall Street Journal have all infected their visitors with malware. Many of these sites use standard malware toolkits which exploit dozens of vulnerabilities, generate new malware package for each site visitor and test it against the common antivirus suites before sending it along. It sounds like science fiction, but it's not.

How to protect yourself? 

Security is hard. That's what makes it so hard for an organization like Blizzard to give you one simple answer. But that's not what a lot of people want to hear - even the people in charge of security for companies with huge budgets to protect their information assets often ask "What's the one thing I should do?" So it's not a surprise that most individuals would look for the "silver bullet" solution, if you will.

It's hard to describe how to protect yourself much better than Blizzard themselves did. So instead of rehashing it, I'll just link to Blizzard's excellent article on keeping yourself safe from account theft. But if you're in a hurry I'd say the top 3 things you can do are:

1. Use the authenticator. Banks use similar technology to protect millionaires and billionaires. If you value your stuff, you can't get a better bargain than this! Even the cost of the physical token is inexpensive compared to what it's worth. Blizzard modestly says they're selling these at cost, but that really means they're taking a loss because of all the infrastructure and personnel resources they deploy on the back end. If you're looking for a "silver bullet" to protect your Diablo 3 account, this is the closest you'll come.
2. Don't reuse passwords. If you use the same password for your email, battle.net and bank, odds are you're practicing poor password security. My recommendation is to use something like LastPass or KeePass, which make good password security easy.
3. Update your OS, browser and plugins. Most modern operating systems and browsers will automatically update for you. But it's easy to see the update notification and procrastinate. Don't. Don't wait more than a day or two to update, once you see the notification. For plugins, it's sometimes harder because they don't often announce their updates. Adobe Flash, Adobe Reader and Oracle/Sun Java are the main attack vectors used of all the plugins out there, and they're getting better about notifying you of updates.

How can Blizzard do more to protect you?

I want to preface this section by saying that I don't know the details on what Blizzard is doing on their end to protect player accounts. I'd guess there's a lot going on that they don't talk about, or at least that I haven't read about. But that doesn't mean they can't improve. But I know they're already doing a lot to secure accounts. In many cases, more than your bank does! Things like forcing stronger passwords, investigating many of the reported instances of theft, publishing and linking to a great deal of information, giving you the authenticators, proactively communicating security steps. It even seems like they're refunding money to some gamers whose accounts were compromised, even after determining that Blizzard wasn't at fault - that's got to be some of the best response ever from a gaming company!

What follows is a few ideas I've taken from other industries that may help Blizzard improve. (Or not - again, I don't know for sure what they're doing on their end.)

• Look at metadata associated with each previous login for the account. Often this metadata will differ between legitimate and malicious login attempts. Things like geolocation, keyboard layout, OS or game language or other data will be significantly different between a player and a thief.
• Watch the common locations where compromised accounts are publicly posted for any gamer accounts that use the same account name or email address.
• Drop a unique "cookie" that identifies the system a player logs in from. If the cookie has changed since the last login, or the cookie has been used with multiple accounts, this should raise a flag.
• If there are multiple logins in rapid succession from a single IP or IP block, this should raise a flag.

All of these items can be indicators of a potentially compromised account or of a potential cybercriminal. Of course these measures consume personnel and system resources, meaning it will cost more to administer - but then how much do the reputation damage and time spent answering questions cost? And it will also result in frustrated players unable to login - but then you can take the stance of "we're sorry that you're unable to login, but it's for your own security" which is hard to argue with. And in conjunction with an email address, phone number, Skype or Twitter account, or other contact mechanism these false positives can be resolved very quickly.

And for our part, players should really be more tolerant of security measures. Again, adding an authenticator to your account takes an additional 5 minutes to set up and 5 seconds to use in practice. But it cuts the probability of compromise to nearly zero even if your system is fully compromised! And if you're like most people I know today, you appreciate it when your bank stops an apparently fraudulent transaction, even if it turns out to be legitimate. So do what's needed to help yourself be more proactive with security. A little initial setup can save you a lot of frustration in the end.

Is there anything I've missed? Do you have a different opinion? I'd love to hear about it so I can address the concern or amend my article. Constructive feedback is always welcome.

UPDATE: In an interview, a Chinese gold farmer claims to know the source of compromised accounts. According to him, forums are being compromised and the email addresses and passwords from there are used to try to log in to Battle.net. This is a pretty common tactic and underscores the importance of using unique passwords across sites and games. And if you're not willing to do that, get the Authenticator which will prevent this.

New Research Published on Mobile Malware

Researchers at NCSU have started the Android Malware Genome Project, which is designed to identify and classify known malware samples for study. The researchers' results were recently presented and published at the Proceedings of the 33rd IEEE Symposium on Security and Privacy in San Francisco, California. The paper, entitled Dissecting Android Malware: Characterization and Evolution (PDF link), analyzes the 1,200 samples collected between August, 2010 and October, 2011. The research analyzes the samples to attempt to determine how it is installed (infection vector), how it updates and its primary activities on the mobile device, as well as the sample's relation to other samples.

The research groups infection vectors into several categories. Far and away the largest infection vector is through repackaging and redistributing modified versions of legitimate applications. The second group is spying applications - that is, software for one person to watch another person's activities. Some malicious software purports to do something (which it may or may not), but installs malware in addition - these are so-called Trojan Horses.

There were also several primary types of activity that the samples performed. Many of the samples attempted to elevate privileges on the device by taking advantage of a flaw in the Android operating system. The goal with this action is to allow the application to have greater access to the functionality of the device. Nearly all of the samples attempted to connect the device to a larger group of compromised devices controlled by the malware authors - a so-called Botnet. Researchers found that another common activity was contacting premium services, such as SMS text messaging. Many of the malware samples also collected information, such as user accounts, text messages and phone numbers.

The researchers also looked at the evolution of the malware samples and families over time. Specifically they looked in depth at two malware families to illustrate the rest, DroidKungFu and AnServer Bot. These two malware families show that authors have incorporated many sophisticated features to help circumvent detection and frustrate researchers attempting to study the samples, among other things. And their analysis showed that mobile malware is rapidly maturing.

Some other interesting analysis was performed on the samples. The researchers ran all the collected samples against four mobile anti-virus packages Detection rates ranged from 20-80% effectiveness, with a big name A/V company firmly at the back of the pack. Unknown malware is likely much more successful than these results indicate, meaning anti-virus software really needs to catch up.

Securely Deleting Data Before Donating or Recycling Your Devices

Katherine Boehret has a good article over on All Things D about recycling your technology. But it overlooks one crucial point - you need to make sure your information is deleted before you hand it over. If you don't, your information, including financial data, could wind up in someone else's hands. A recent case-in-point was made when many refurbished Motorola Xoom devices were sold with their old owners' data still on them. When that happens it can lead to embarrassment (think private photos, videos), identity theft, financial fraud or other unpleasant things.

To avoid any of these calamities, you'll want to take steps to wipe out your data. You should do this regardless of what the company or person you're giving it to tells you. But don't worry, securely erasing your information has never been easier! Many devices have mechanisms built in to do just that. And there are some good tools out there for your desktops and laptops.

Securely Erasing your iPhone, iPod Touch or iPad

Apple's website has simple instructions on how to securely erase an iPhone, iPod Touch or iPad. Here are the steps from Apple's support site:

You can remove all settings and information from your iPhone, iPad, or iPod touch using "Erase All Content and Settings" in Settings > General > Reset.

For even more security, plug your device into your laptop and use iTunes to restore the device to its factory settings (but do not restore from a previous backup) before using the Erase All Content and Settings feature. Here are the steps from Apple's support site:

1. Verify that you are using the latest version of iTunes before attempting to update.
2. Connect your device to your computer.
3. Select your iPhone, iPad, or iPod touch when it appears in iTunes under Devices.
4. Select the Summary tab.
5. Select the Restore option.
6. When prompted to back up your settings before restoring, select the Back Up option (see in the image below). If you have just backed up the device, it is not necessary to create another.
   
7. Select the Restore option when iTunes prompts you (as long as you've backed up, you should not have to worry about restoring your iOS device).
   
8. When the restore process has completed, the device restarts and displays the Apple logo while starting up:
   
   After a restore, the iOS device displays the "Connect to iTunes" screen. For updating to iOS 5 or later, follow the steps in the iOS Setup Assistant. For earlier versions of iOS, keep your device connected until the "Connect to iTunes" screen goes away or you see "iPhone is activated."
   

Securely Erasing your Android Device

If you have an Android phone or tablet, you also have an easy option to securely erase the data. Though it's not quite as simple as with Apple devices, since Android has many versions and many devices that it supports. On Android, within the Privacy Settings dialog there is an option to delete all the data. The Google online manual for Android describes the option this way:

Opens a dialog where you can erase all of your personal data from internal tablet storage, including information about your Google Account, any other accounts, your system and application settings, any downloaded applications, as well as your music, photos, videos, and other files.

You should make sure that you have selected the options to delete internal memory and any memory on a SD card. If you don't have that option, the easiest thing to do would be to simply remove the SD card before donating, recycling, selling or giving it away.

Securely Erasing your Blackberry Device

Research In Motion's Blackberry devices differ in the steps to wipe them. Instead of trying to mention all versions and models, I'll suggest you look through Settings, Options or Device Settings to find something that mentions Security. In there, you should find something that says Security Wipe or Wipe Handheld. For specific directions you may be able to search the web and find help.

The same advice for SD cards applies to the Blackberry as to the Android phones. If it doesn't offer you the option, you should probably just the card.

Securely Erasing your Windows Mobile Device

Microsoft Windows Mobile also has multiple versions with different ways to securely erase your data. And again, my advice is to explore on your own. Look through Settings or Options until you find something called System Tab, Security, or About. In there you should see Reset, Reset your Phone or Clear Storage. Again, for specific directions you may be able to search the web and find help.

And for SD cards on Windows Mobile devices, you should likely just keep it.

Securely Erasing your Desktop or Laptop

There is some great free software called DBAN that will securely erase data from your desktop or laptop. I've personally used it for years and highly recommend it. Simply download the ISO file and burn it to CD or DVD. The method to do this varies across operating systems. If you need help, search the Internet and you'll find lots of information.