BoardsForum › I'll just leave this here

Watkins 172 posts
03-03-2010 7:09am
Homreker 3996 posts
03-03-2010 4:26pm
Yeah, I saw this on WoW.com yesterday... sucks dun-it?

Any idea if Blizz has a fix for it coming? I mean, short of "running AV" which everyone should be doing anyway?
Frenial 6901 posts
03-03-2010 4:44pm
Isn't the point of man-in-the-middle that the person who is supposed to be receiving the authenticated information (i.e. Blizzard) from the source (you) ... isn't? So how can they fix it? Short of allowing Blizzard to install something which lets them intimately control every program that runs on your computer (which I'm sure neither side wants), there's no way to prevent it. It's up to the user to control what gets run on their computer: use an AV program, get wise to how trojans appear in the first place, use common sense.
Linnaris 1840 posts
03-03-2010 6:53pm
Clearly our only recourse now is retinal scanners. (Cue grisly scene of hacker/murderer/space pirate gouging out eyes)
Frenial 6901 posts
03-03-2010 7:08pm
All the smart hackers do it with custom built contact lenses. Much less mess on the carpets.
Watkins 172 posts
03-03-2010 9:29pm
Fren nailed it.
brendar 5729 posts
03-03-2010 9:42pm
Blue-stickied thread on how to remove malware/spyware from your PC. The process is fairly long if you are starting from scratch, but you should be running some if not all of these programs already.

I was wondering if any of our own computer nerds are familiar with HJT or know how to make sense of the logfiles. Would be nice if we had someone with that capability in-house rather than having to post on a larger board for help.
Homreker 3996 posts
03-03-2010 9:44pm
Isn't the point of man-in-the-middle that the person who is supposed to be receiving the authenticated information (i.e. Blizzard) from the source (you) ... isn't? So how can they fix it?

Yes.
And, I don't know.


The WoW.com article (I know, don't believe everything they say) says: "Blizzard is very much aware of the issue and are actively looking for a solution." So, I was curious what course of action was being taken.

I can think of a couple. Neither of which is a perfect solution because it puts a great deal of burden on Blizzard.

1. For WoW to establish a virtual tunnel (like a VPN) to send the password. It is very hard to make a Trojan which verifies that you are connected to a VPN terminal that you aren't. I'm assuming this is not being done now and that we are simply submitting the passwords through a more standard protocol.

2. Have WoW check for these things at start-up. We know, for instance, that this one is called "emcor.dll" (obviously there will be variants). So, if upon startup the launcher searched for emcor.dll and offered to remove it so that your account would be more secure (or forced it) that would help.

Both of these methods might work. I don't know for sure. I do know that either of these things would entail a lot of work for Blizz. I mean, they would basically either have to find a way to optimize their environment through a VPN (which would likely take a big overhaul) or become an anti-virus company (something else they aren't probably interested in, and frankly shouldn't need to do.)

I will say, though, that with such low "impact potential" the Major AV company I administer at the Uni, doesn't consider this Trojan to be of major importance. Which means that users will have to wait for the weekly "full update" process instead of getting the update as "instant update" that would occur if it were considered a "high" or "critical" threat. We often like to believe our WoW world is important, but to the grand scheme of AV companies... it isn't, and it often gets left out of the loop.

It's also important to note that I also consider this to be of "low impact" in the grand scheme of things. And so, while some AV companies will detect it more readily than others, it is not safe to assume that simply by running an AV program and updating Windows that you will be safe from all of these programs. Things like HJT will help, but I will never tell an "average user" to use HJT because they will likely break something.

So, while I'm not really sure what they could do... I was wondering if a) they are trying and b) what they are trying...

I'm just sayin...

(LoL... I just emailed our support person to ask about it... apparently she's researching it to see how it's categorized, she doesn't think it's being detected at all... hmm... this should be interesting.)
Demondoodle 2310 posts
03-03-2010 11:01pm
Only easy fix I see here is to make the authenticator number only good for one use. If you need to reconnect quickly after already connecting you will have to wait for a new number to pop up.

Seems simple or am I missing something.
Sapphyre 12995 posts
03-03-2010 11:27pm
Only easy fix I see here is to make the authenticator number only good for one use. If you need to reconnect quickly after already connecting you will have to wait for a new number to pop up.

Seems simple or am I missing something.

Later in the thread someone explains:

"It is only good for one attempt. What happens is the virus intercepts the code inputted, then inputs something incorrect, so it tells you that the code is not valid. The hacker then has a few seconds to use the code and BAM they are in your account."

And as someone who has 2 accounts, I can verify that this is true. I cannot log into both accounts using the same authentication number. I have to wait for a new one to be generated.
Foxfyr 12982 posts
03-03-2010 11:29pm
I think it is only good for one use. The problem is that the Man in the Middle prevents your submission of it from taking place.

I think the numbers need to expire quicker. I believe I read somewhere that the code will last for 5 minutes after it disappears from your authenticator which is more than enough time for a hacker to enter it on their end. Homreker clearly has a much better grasp on this issue than I though, so I'll leave the theorizin to him :)
Maligner 1923 posts
03-03-2010 11:30pm
Only easy fix I see here is to make the authenticator number only good for one use. If you need to reconnect quickly after already connecting you will have to wait for a new number to pop up.

Seems simple or am I missing something.


If you read the thread, apparently the password is only good for one use. The trojan intercepts yours and sends a bogus one and then uses your good authenticator password to access the account while you wonder how you mistyped the code.


My question is, does that make everyone a crack whore? :0
Watkins 172 posts
03-03-2010 11:41pm
I think it is only good for one use. The problem is that the Man in the Middle prevents your submission of it from taking place.

I think the numbers need to expire quicker. I believe I read somewhere that the code will last for 5 minutes after it disappears from your authenticator which is more than enough time for a hacker to enter it on their end. Homreker clearly has a much better grasp on this issue than I though, so I'll leave the theorizin to him :)



I heard it was 30 seconds, but where I couldn't say. Any quicker and Blizz will lose the 40% moron base :D
Homreker 3996 posts
03-03-2010 11:58pm
I heard it was 30 seconds, but where I couldn't say. Any quicker and Blizz will lose the 40% moron base :D

I think the expiration time is different if you're using the iPhone app vs the key fob. But I don't really know why. I'm seeing a lot of key-fob users reporting up to 5 minutes... but I'll try it tonight and see what I can figure out...
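
The point made in the posts above, that single use does not help when the code never reaches the server and that the acceptance window decides how long it stays usable, shown as an added example that is not part of the thread and not Blizzard's code. It assumes standard RFC 6238 TOTP with 30-second steps and 8 digits; `Verifier`, `grace` and `exposure` are hypothetical names and the secret is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (assumed; the RFC 6238 default)


def totp(secret: bytes, t: int, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server-side check: accept a code until `grace` seconds after its
    time step ends, and never accept the same time step twice."""

    def __init__(self, secret: bytes, grace: int):
        self.secret = secret
        self.grace = grace
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        oldest = max(0, (now - self.grace) // STEP)
        for step in range(now // STEP, oldest - 1, -1):
            if step <= self.last_used_step:
                break  # single use: this step and all older ones are spent
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False


def exposure(grace: int, delays):
    """For each delay in seconds after a code was generated: is a code the
    server never received still accepted from whoever presents it first?"""
    secret = b"constructed-demo-secret"
    t0 = 1_267_600_000 // STEP * STEP  # start of a time step (constructed)
    code = totp(secret, t0)
    results = {}
    for d in delays:
        v = Verifier(secret, grace)  # fresh state: code was never consumed
        results[d] = v.verify(code, t0 + d)
    return results
```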
Tourach 154 posts
03-04-2010 1:05am
There are a few solutions Bliz could implement that would have minimal to no impact on the user base, yet complicate the hackers' lives considerably.

PGP-like multipart crypto key exchanges.
(As long as your initial install of WoW is secure)

player IP subnet verification (your IP may change, but it's rare that your house is dynamically reassigned to a new neighborhood).

Authorized PCs, ala iTunes. Up to 5 different computers are authorized to play WoW. Any non-authorized systems cause further authentication procedures.

etc, etc.. plenty of solutions that would involve very little overhead to a legitimate player/system ("what is your CPUID? What is your MAC address?"), but in combination, would terribly complicate a hacker's life.
Homreker 3996 posts
03-04-2010 1:19pm

PGP-like multipart crypto key exchanges.
(As long as your initial install of WoW is secure)

player IP subnet verification (your IP may change, but it's rare that your house is dynamically reassigned to a new neighborhood).

Authorized PCs, ala iTunes. Up to 5 different computers are authorized to play WoW. Any non-authorized systems cause further authentication procedures.

etc, etc.. plenty of solutions that would involve very little overhead to a legitimate player/system ("what is your CPUID? What is your MAC address?"), but in combination, would terribly complicate a hacker's life.


I certainly think all of these methods could work. They actually already look at IP Subnets (you can ask Khros his experience with that), but they have to be careful because if you go on vacation and take your laptop your subnet will change.

I don't know if Authorized PCs would prevent multiple users from using the same PC, single users with multiple accounts for that matter. That would definitely be something that would need to be addressed.

I like the PGP style crypto method. I think it probably requires a bit more overhead than you think, but it certainly wouldn't impact gameplay, it would just require some additional resources on Blizzard's end. So, hopefully that's the way they'll go.

Of course, they may continue the stance of "You deal with your own security" which I'm not entirely against either.
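
Tourach's subnet and authorized-PC checks, together with the travelling-laptop case Homreker raises, sketched as an added example that is not part of the thread and not Blizzard's logic. The /24 prefix, the three outcomes and all names are assumptions; the addresses in the test come from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_DEVICES = 5   # "up to 5 different computers", as in the post
PREFIX_V4 = 24    # assumed size of a "neighborhood" for IPv4


@dataclass
class Account:
    devices: set = field(default_factory=set)  # enrolled device IDs
    subnets: set = field(default_factory=set)  # networks seen on good logins


def subnet_of(ip: str):
    # strict=False masks the host bits, e.g. 192.0.2.10 -> 192.0.2.0/24
    return ipaddress.ip_network(f"{ip}/{PREFIX_V4}", strict=False)


def decide(acct: Account, device_id: str, ip: str) -> str:
    """Return 'allow', 'step_up' or 'deny' for a login whose password
    and authenticator code have already checked out."""
    known_device = device_id in acct.devices
    known_subnet = subnet_of(ip) in acct.subnets
    if known_device and known_subnet:
        return "allow"
    if known_device:
        return "step_up"  # laptop on vacation: trusted PC, new network
    if len(acct.devices) >= MAX_DEVICES:
        return "deny"     # an old device must be removed first
    return "step_up"      # unknown machine: further authentication


def complete_step_up(acct: Account, device_id: str, ip: str) -> None:
    """Call only after the further check succeeded; records the context."""
    if device_id not in acct.devices and len(acct.devices) >= MAX_DEVICES:
        raise ValueError("device limit reached")
    acct.devices.add(device_id)
    acct.subnets.add(subnet_of(ip))
```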
