Sunday, May 30, 2010

Suffer mortals, as your pathetic password betrays you!

One of the things we often don't put much thought into is password selection. Usually it is a loved-one's name or an easily remembered string of characters. Unfortunately, a poor choice of password can dramatically increase the chance of your game account being hacked.

In an analysis performed by Imperva of 32 million leaked passwords from rockyou.com, it was found that nearly 50% of passwords consist of people's names, slang words, dictionary words or trivial passwords. The study estimates that if a hacker used the top 5000 passwords in a dictionary attack, it would take, on average, only 111 attempts to break into a given account.

World of Warcraft does not have an account or IP address lockout after any number of bad password attempts. This gives the bad guys an opportunity to dictionary attack your account.

Assuming that the WoW account password frequency distribution is similar and that a hacker could try a password every 2 seconds, it would take an average of only 3.7 minutes to hack an account (111 attempts at 2 seconds each is 222 seconds).

Obviously the time required to hack your account is going to vary based on the strength of your game password so choosing an uncommon and complex password is key. The report lists the following as the most commonly used passwords:
  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. rockyou (or 'warcraft' in our case)
  8. 1234567
  9. 12345678
  10. abc123
Other common passwords include monkey, qwerty, 654321 and first names of people.

How can you better protect your WoW account?

First, buy yourself an authenticator and add another layer of security to your account. A dictionary attack is largely rendered useless with the addition of a hardware token.

Second, if you don't have an authenticator or wish to be more secure then choose a strong password. Strong passwords contain numeric and non-standard characters and do not contain any dictionary words. They should be at least 12-14 characters in length. However, don't bother too much with upper and lower case characters since the battle.net authentication service does not differentiate between upper/lower case. An example of a strong WoW password would be something like "sdm#6wua2pa9jk".

If you have trouble remembering a strong password (and most of us will) then try to create something similar from a memorable saying. For example, Professor Putricide's "Bad news everyone! I don't think I'm going to make it" becomes "bne!idtig2mi" as your password. Such a password will be close to impossible to dictionary attack and will take a long time to brute force attack. Don't share this password with anyone and don't use this password on any other service - keep it unique to WoW only.
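To put numbers on the dictionary-attack estimate above and to check a candidate password against the rules just given, here is an added Python example (not from the original post). The top-10 shares and the mini wordlist are constructed sample values, not Imperva's figures; candidates are lower-cased first because, as noted, battle.net ignores case.

```python
import math
import string

# Constructed sample: the post's top-10 ranking paired with made-up
# shares of accounts per entry (the real Imperva counts are not on the page).
TOP_PASSWORDS = ["123456", "12345", "123456789", "password", "iloveyou",
                 "princess", "warcraft", "1234567", "12345678", "abc123"]
SAMPLE_SHARES = [0.0090, 0.0025, 0.0024, 0.0019, 0.0016,
                 0.0011, 0.0010, 0.0009, 0.0008, 0.0008]
# Constructed mini wordlist standing in for a real dictionary.
DICTIONARY = {"password", "love", "princess", "warcraft", "monkey",
              "dragon", "news", "everyone"}

def expected_attempts(shares):
    """Mean guesses to open an account whose password is somewhere in the
    list, trying entries in popularity order: sum(rank*share) / sum(share)."""
    covered = sum(shares)
    return sum(rank * s for rank, s in enumerate(shares, start=1)) / covered

def crack_minutes(attempts, seconds_per_try=2.0):
    """Wall-clock time at the post's assumed rate of one try every 2 s."""
    return attempts * seconds_per_try / 60.0

def check_password(pw):
    """Apply the post's rules; returns (ok, reason). Lower-cased first
    because battle.net ignores case, so mixed case adds nothing."""
    pw = pw.lower()
    if len(pw) < 12:
        return False, "shorter than 12 characters"
    if pw in TOP_PASSWORDS:
        return False, "in the most-common list"
    hits = sorted(w for w in DICTIONARY if len(w) >= 4 and w in pw)
    if hits:
        return False, "contains dictionary word: " + hits[0]
    if not any(c.isdigit() for c in pw):
        return False, "no digits"
    if not any(c in string.punctuation for c in pw):
        return False, "no non-alphanumeric character"
    return True, "ok"

def keyspace_bits(length):
    """Guessing work, in bits, for a random password of this length over the
    case-folded alphabet (26 letters + 10 digits + punctuation)."""
    return length * math.log2(26 + 10 + len(string.punctuation))

if __name__ == "__main__":
    n = expected_attempts(SAMPLE_SHARES)
    print(f"avg {n:.1f} tries, {crack_minutes(n):.2f} min at 2 s/try")
    for pw in ["iloveyou", "Password123!", "bne!idtig2mi", "sdm#6wua2pa9jk"]:
        print(pw, check_password(pw), f"{keyspace_bits(len(pw)):.0f} bits")
```

Both example passwords from the post pass the check, while "Password123!" fails on the embedded dictionary word despite its length, digits and symbol.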

Finally, create a unique email address as your battle.net login. Hackers need to be able to guess or steal your username so making this complex will certainly hinder their efforts.

Update: If you want to read more about hackers stealing account usernames and passwords, check out the Symantec article where they recently discovered 44 million stolen gaming credentials.

A little bit of effort with your password selection will make hacking your precious account significantly more difficult... and don't forget to get yourself an authenticator.

Friday, May 21, 2010

MMO-Champion hacked

The team at the popular WoW fan site MMO-champion have announced that their site was recently hacked. What happened here and how can you best protect yourself against malicious code on legitimate web pages?

The malicious code was Gumblar - a malicious piece of javascript that was placed on their pages.

How did the malicious code get there?

This is a question that has not been answered by the web site owners. However, it is likely to be one of the following causes:
  1. The mmo-champion.com site was hacked and the code was manually planted there by the attacker. There are multiple ways this could have happened, but one common way is via SQL-Injection.
  2. One of their admins was infected on their own PC and their FTP login details were used by the malware to log in to the mmo-champion.com web servers and automatically infect their files.
Hackers often target legitimate web sites, especially high traffic sites, so that they get the widest exposure to their malware.

What is the malicious code designed to do?

According to a Gumblar Q&A, the malicious code redirects a user to a malicious web site that contains specially crafted PDF or flash files that automatically infect your machine if you do not have your Adobe flash player patched. The malware that it installs can redirect your Google searches and replace search results with links to malicious sites. It also harvests FTP information from your machine so that it can try to automatically inject code on other web servers. Finally, it can open a back door so that your machine can be controlled remotely.

Could I have been infected from MMO-champion?

The team at mmo-champion claim that the malicious code was only on their site for 30 mins before it was detected, shut down and subsequently cleaned.

If you browsed the site in that time, you probably would have noticed an attempt to redirect your browser to another web site. Many browsers have in-built blocking mechanisms so you may have seen a big red message on your browser advising you that you are about to visit a malicious web site. If you proceeded, and the malicious web site was online at the time, then you would have been exposed to malicious pdf or flash files. If, and only if, your Adobe flash player was not patched, then these malicious files may have automatically executed. If you were running up-to-date and mainstream antivirus products then it should have been detected and stopped at this stage.

The short answer is: you may have been infected, but only if you had no (or poor) antivirus, had not recently patched your Adobe flash player, and visited the site during the 30 mins when the code was there.

If you think your machine is infected then try this free web-based scanner - Housecall

Does it steal my WoW account info?

No, but if you were infected then you still need to clean it off your machine since it may compromise any FTP sites that you might visit, install a backdoor and your search engine results may be replaced with malicious sites. This is not the type of malware that you want on your PC.

Would the firefox 'noscript' add-on help?

Probably, although if you are a regular mmo-champion visitor then you would have been likely to nominate their site as a trusted site in noscript - resulting in noscript having no effect. Noscript is a great security measure, but it breaks a lot of sites. It is the old security vs usability trade-off.

What can I do to protect myself against these attacks?
  1. Make sure your software is fully patched - this includes your operating system (OS), browser, flash player, javascript, etc. Most people just worry about patching their OS, but there are many other avenues for exploiting software vulnerabilities on your PC.
  2. Make sure you run reputable anti-virus on your system - and make sure it is always updated.
  3. Don't ignore your browser when it tells you that the site you are about to go to is potentially dangerous.
  4. Get yourself an authenticator. Even though this malware is not written to steal WoW information, the next one might be. An authenticator is a last line of defense, and may prove to be your savior should all else fail.
Finally, don't assume you can't get infected by malware without user interaction - you can! You can pick up malware simply by visiting a web page and you won't even know it is happening. This is why you need several defense mechanisms in your security arsenal.