Re: Account hacked using Blizzard's Password Reset Utility



On Sat, 22 Nov 2008 07:36:47 -0800, C J Campbell wrote:
On 2008-11-21 21:54:32 -0800, redvet <redvet@xxxxxxxx> said:

Precisely. This happens over and over, but Blizzard blames the victim,
citing all kinds of evil trojans, viruses, loggers, or whatever, but
without being able to name a single one that actually does this dirty
work. The real weakness is in Blizzard customer service, where someone
there can apparently be persuaded to give just enough account
information to someone requesting a password reset to enable a hacker
to steal the account.

What I found disturbing with regard to the customer service issue was
a clear attitude of 'you got your stuff, now go away'. I would have
thought, you know, some sort of investigation, beyond 'it's your
fault'.

If you have a moment... What is this authenticator thingy people here
have mentioned? How does that work? I assume there is a charge; is it
a one time fee or is it attached to each billing cycle? - redvet

The Blizzard Authenticator is a SecureID token. This one is not
connected to the computer; you enter the randomly generated one-time
password manually. (RSA also makes tokens that connect to the USB port,
but this one does not do that.)

They are usually used to verify that someone logging onto a network is
authorized to do so. The level of security is higher than that of
asking for a simple password, but in theory it can be beaten, perhaps
by the sort of attacks that some here are claiming took place against
my network.

Yes and no.

In theory, a SecureID token can be broken by a "man in the
middle" attack, in which someone intercepts your randomly generated
password, redirects it to someplace else, then uses it to log on in
your place. He has to log on before the authentication key changes and
before you can log on.

True. But what DaFox (and maybe others) described was a scenario where it
was enough to "sniff" your network traffic to obtain your login data (for
e-mail and/or wow).

For an effective man-in-the-middle attack, the attacker not only needs
reading access to your network traffic, he must also be able to "spoof"
certain network addresses in order to intercept your traffic, otherwise your
login request containing the token would reach Blizzard before the attacker
could re-use it.

If someone were intercepting my email passwords in the manner that
DaFox suggested, for example, they would also intercept the SecureID
random number.

Yes.

A computer could redirect me to a screen that appears to
be WoW, but perhaps with a notification that the server is down.

Probably.

Meanwhile that computer would log on to the real WoW server in my
place.

Not as easily. To do that, it would need to not only read your traffic, but
be able to also "make it stop" at the hacker's place.

Redirecting me to another server also prevents the real server
from receiving two simultaneous authentication requests, which, if the
SecureID system is implemented properly, would cause the server to
reject both requests.

I am not saying it's not possible, I am just saying it requires slightly more
knowledge and access than purely listening in on your traffic.

Personally, I am a bit of a security nut, which is one reason this
thing is so irritating to me.

That I can understand.

Cheers
Urbin

--
Dun Morogh-EU (PvE)
Urbin (72), Dwarven Hunter | Surana (64), Draenei Mage
Mymule (70), Gnomish Warlock | Kordosch (58), Human Death Knight
Sunh (70), Nightelven Priest | Juran (33), Nightelven Druid
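
The point made in the thread, that a merely sniffed one-time code is useless once the owner's own login has reached the server, as an added example that is not part of the original post or of Blizzard's or RSA's code. It uses the open RFC 6238 TOTP scheme as a stand-in for the token's algorithm, which the thread does not describe; the class name, seed, account name and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; assumed (RFC 6238 default)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OneTimeVerifier:
    """Hypothetical server side: each time step is accepted once per account."""

    def __init__(self, secrets: dict, drift: int = 1):
        self.secrets = secrets      # account -> shared token seed
        self.drift = drift          # tolerated clock skew, in steps
        self.last_used = {}         # account -> highest counter consumed

    def login(self, account: str, code: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now) // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_used.get(account, -1):
                continue            # this step was already consumed: replay
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_used[account] = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: owner logs in, a listener replays the same code."""
    seed = b"constructed-demo-seed"     # constructed sample seed
    server = OneTimeVerifier({"owner": seed})
    t = 1_227_368_207                   # constructed timestamp
    code = totp(seed, t // STEP)
    fresh = totp(seed, (t + STEP) // STEP)
    return {
        "owner_login": server.login("owner", code, t),
        "sniffed_replay": server.login("owner", code, t + 5),
        "next_step_login": server.login("owner", fresh, t + STEP),
    }
```

The replay is rejected only because the owner's request arrived first; a verifier that does not record consumed steps would accept the same code again until the step expires.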