Thursday, August 9, 2012

The Great Battle.net Compromise

Blizzard has recently announced that its battle.net database, the database that holds the usernames and passwords for games such as World of Warcraft and Diablo, has been compromised:
Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. 

What are the implications of this?


  1. Your battle.net ID/email address is now out there - not only does this put your account at more direct risk from a targeted attack, but if the email list falls into the hands of the bad guys you are much more likely to receive phishing emails.
  2. Your personal security question and answer are out there - making a social engineering attack on your account, like the recently published attack on Apple, somewhat easier.  Blizzard has vowed to get us all to enter new security questions and answers shortly - let's hope it also advises its tech support teams to be especially vigilant in the meantime, since a stolen answer is exactly what an attacker would recite to support staff.
  3. It appears that the Mobile Authenticator serial numbers/seeds and account link information have been stolen - if so, it is quite feasible that valid mobile authenticator codes could be generated for the affected accounts.  A code-generating authenticator is only as secret as its seed: the algorithm that turns the seed and the current time into a code is usually public, so anyone holding the seed (and the serial number that ties it to an account) can compute the same codes the legitimate device does.  This attack would require some sophistication, but it is not out of the realm of possibility for modern-day hackers, and the only real fix for a leaked seed is a new one, which means re-enrolling or replacing the affected authenticators.

What should you do?


First and foremost, go and change your battle.net password.  Yes, the stolen values were SRP verifiers rather than plaintext passwords, and an SRP verifier is salted per account by design, so the usual trick of counting which scrambled value appears most often and matching it to the most common passwords does not apply here.  But an attacker who holds an account's salt and verifier can still test candidate passwords offline, one account at a time, stopping when a guess reproduces the stored verifier - that is what Blizzard's "each password would have to be deciphered individually" means.  A weak or common password will fall to that quickly; a strong one will not, but there is no reason to leave the question open.
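To make that distinction concrete, here is an added example of my own (not Blizzard's code, and not a description of their implementation) that builds SRP-6a password verifiers the way RFC 5054 describes them, using SHA-256 and the RFC's 1024-bit group, and then runs the offline guessing attack against a constructed sample of "stolen" salts and verifiers. The account names, salts, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import secrets
from typing import Optional

# RFC 5054 1024-bit SRP group, generator 2 (used here for illustration; the
# offline attack below works the same against any group).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def srp_x(salt: bytes, identity: str, password: str) -> int:
    """Private exponent x = H(salt | H(identity ":" password)), RFC 5054 style
    (SHA-256 here instead of the RFC's SHA-1)."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def make_verifier(identity: str, password: str, salt: Optional[bytes] = None):
    """What the server stores at registration: a random salt and v = g^x mod N.
    Neither the password nor x is kept; the (salt, v) pair is the
    'cryptographically scrambled' value an attacker gets from a database dump."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, pow(g, srp_x(salt, identity, password), N)


def offline_guess(identity: str, salt: bytes, verifier: int, wordlist):
    """The attacker's side: with salt and verifier in hand, recompute g^x for
    each candidate password and stop on a match. No interaction with the
    server is needed, so rate limiting and lockouts do not help."""
    for candidate in wordlist:
        if pow(g, srp_x(salt, identity, candidate), N) == verifier:
            return candidate
    return None


# Constructed sample 'dump': three accounts, two of which chose the same weak
# password. Salts are fixed so the example is reproducible.
STOLEN_DB = {
    "alice@example.com": make_verifier("alice@example.com", "diablo123", bytes.fromhex("00" * 16)),
    "bob@example.com": make_verifier("bob@example.com", "diablo123", bytes.fromhex("01" * 16)),
    "carol@example.com": make_verifier("carol@example.com", "Xq7!vR2#pL9mZ", bytes.fromhex("02" * 16)),
}

# A constructed (and deliberately tiny) dictionary of common passwords.
WORDLIST = ["123456", "password", "wow2012", "diablo123", "qwerty"]


def same_password_same_verifier() -> bool:
    """Frequency analysis needs equal passwords to yield equal stored values.
    Per-account salts break that, even though alice and bob share a password."""
    return STOLEN_DB["alice@example.com"][1] == STOLEN_DB["bob@example.com"][1]


def crack_all() -> dict:
    """Run the offline attack over every account in the dump."""
    return {
        user: offline_guess(user, salt, verifier, WORDLIST)
        for user, (salt, verifier) in STOLEN_DB.items()
    }


if __name__ == "__main__":
    print("identical verifiers for identical passwords:", same_password_same_verifier())
    for user, recovered in crack_all().items():
        print(f"{user}: {'recovered ' + recovered if recovered else 'not in wordlist'}")
```

Alice and Bob share a password but their verifiers differ, so nothing can be learned by comparing rows; each account is still attacked individually, and the two weak passwords fall while Carol's does not. That is exactly the situation a stolen SRP database leaves you in.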

Second, go buy a hardware authenticator.  The hardware authenticator serial numbers were reportedly not stolen, and the hardware token is built by a security vendor (Vasco), whereas the mobile authenticator app was developed by Blizzard.  This is not to say the mobile authenticator is bad - it is certainly better than no authenticator at all - but the hardware authenticator is the best option.  I certainly have one on my account!

Third, be particularly wary of phishing emails.  If your email address is now in the hands of the bad guys then you will certainly get hammered with more of these.

Lastly - don't stress too much.  Our good friends at Blizzard will restore accounts that have been compromised and given that raiding is currently in a quiet time, I am sure that your guild will forgive you.


Tuesday, May 22, 2012

Blizzard Confirms a Rise in Diablo 3 Hacks

Diablo 3 account compromises are currently happening, and there is a string of accusations kicking around from the victims of these attacks.  Fingers are being pointed at Blizzard and at each other.

The vast majority of these incidents, in fact close to 100%, involve a victim who did not have an authenticator attached to their battle.net account.

Blizzard has published a lengthy statement on the issue and has confirmed that it is seeing an increase in account compromises:

LYLIRRA: We'd like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III. 

While they don't explicitly say that their own systems have not been compromised, they go on to say that the authenticator is the best defense against these attacks and that everyone should go and pick up either the hardware token or one of the (free) mobile authenticator apps.

While I can't comment on Blizzard's internal security status, I can certainly comment on the value of the authenticator. For those that may be new to the concept of authenticators, let me take a quick moment to explain how they work.

The authenticator is a device (either a hardware token or a mobile application) with a built-in clock and an algorithm that generates a new code every 30 seconds.  The codes form a sequence unique to a secret "seed" held in the device/application, and that seed is paired with the device's serial number.  When you attach it to your battle.net account you tell battle.net the serial number, and the battle.net server can then look up the seed registered to that serial and generate its own stream of codes that should match yours.

When you log in to battle.net via Diablo 3 or WoW you grab your authenticator/mobile app, read off the current code and enter it.  Meanwhile the battle.net server does the same code generation on its end to validate the code you typed.

This adds an extra layer of security by requiring you to be in physical possession of the authenticator - in the security world we call this two-factor authentication, and the authenticator is "something that you have".  (You are also required to enter your battle.net password - we call this "something that you know".)

By asking for a code, the authenticator virtually eliminates the value of a dictionary attack on your password: even a correct guess gets the attacker nothing without the current code.  Because the code rolls over every 30 seconds, the window for brute-forcing the code itself is also tiny - an attacker gets a handful of guesses before the target changes.  Phishing attacks become useless unless they capture the authenticator code as well, and even then the phisher has well under a minute to use it before it expires, which means relaying it to battle.net in real time rather than banking it for later.
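The following is an added example of mine, not Blizzard's or Vasco's code (their authenticator is a commercial product whose exact algorithm this post does not describe). It implements the standard time-based one-time-password scheme from RFC 6238, which works on the principle the three paragraphs above describe: a shared seed, a clock, an HMAC, a fresh code every 30 seconds. It shows the device side, the server side with a small clock-drift window, a captured code expiring, and - the point made in the August post about the mobile authenticator - that anyone holding the seed produces exactly the same codes. The serial number and seed are constructed sample values (the seed is the RFC 6238 test-vector key).

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as in the post


def totp(seed: bytes, unix_time: int, digits: int = 8, step: int = STEP) -> str:
    """Device side: code = truncate(HMAC-SHA1(seed, floor(time / step)))."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


# Constructed sample: the server's table of serial -> seed, populated when the
# vendor ships the token or the app enrols. This is the secret that matters.
SEED_BY_SERIAL = {
    "US-1234-5678-9012": b"12345678901234567890",
}


def server_verify(serial: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server side: look up the seed for the serial the account is linked to,
    regenerate the code for the current step and its +/- `window` neighbours
    (tolerating clock drift), and compare in constant time."""
    seed = SEED_BY_SERIAL.get(serial)
    if seed is None:
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, server_time + drift * STEP), submitted):
            return True
    return False


def replay_after(serial: str, seed: bytes, captured_at: int, delay: int) -> bool:
    """Would a code phished at `captured_at` still be accepted `delay` seconds later?"""
    code = totp(seed, captured_at)
    return server_verify(serial, code, captured_at + delay)


def attacker_with_stolen_seed(seed: bytes, unix_time: int) -> str:
    """Nothing but the seed is secret: a stolen seed yields the legitimate code."""
    return totp(seed, unix_time)


if __name__ == "__main__":
    serial = "US-1234-5678-9012"
    seed = SEED_BY_SERIAL[serial]
    now = 1234567890  # constructed timestamp
    code = totp(seed, now)
    print("device code:", code, "accepted:", server_verify(serial, code, now))
    print("same code from stolen seed:", attacker_with_stolen_seed(seed, now) == code)
    print("replayed 45s later:", replay_after(serial, seed, now, 45))
    print("replayed 2 min later:", replay_after(serial, seed, now, 120))
```

Two things to take from it: with a one-step drift window a captured code is accepted for at most about a minute, which is why phishers must relay it live, and the server needs nothing from the user but the seed it already holds, which is why a leaked seed table is equivalent to a leaked authenticator.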

I have worked with around 30-40 people that have had their battle.net accounts hacked over the years and all of them had no authenticator.  I have yet to find someone that has been hacked when they have had an authenticator attached to their account.  Now, I am not saying that it can't happen - it can - but I would estimate that having an authenticator will improve your security and reduce your chance of getting hacked by a factor of 50 to 100.  It is not 100% safe - no security mechanism is - but it will add a very solid security layer to your gaming account.

Here are my ten simple steps you can take to reduce the chance of your battle.net account being compromised:

  1. Don't share your game password with anyone and pick a password that is not easily guessed 
  2. Don't use the same password for subscribing to fan sites 
  3. Keep your operating system, browser and other software fully patched - start with Windows Update 
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption 
  5. Don't click on email attachments, especially when you don't know the sender 
  6. Don't download and run executable files from web pages 
  7. Don't enter your game password into any web site other than the official game sites 
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised 
  9. Be very suspicious if an addon requires some form of install package to be run 
  10. Invest in a Blizzard authenticator or install the Battle.net authenticator application on your phone

Follow these steps to help protect your most valuable asset - your gaming account.  There are a lot of bad people out there trying to get into your account, so make it hard for them and don't become a statistic.