New Dev Blog: Account Security Improvements Part I - Phishing
 
This thread is older than 90 days and has been locked due to inactivity.


 

CCP Fallout

Posted - 2011.01.20 22:53:00 - [1]
 

CCP Sreegs is back, talking to us about account security. His new target: phishing attacks.

Chribba
Otherworld Enterprises
Otherworld Empire
Posted - 2011.01.20 23:00:00 - [2]
 

Very Happy

Salyan
Twilight Sparkle Fan Club
Posted - 2011.01.20 23:05:00 - [3]
 

CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.

P.S. Chribba, sorry but your picture scares me now.

SXYGeeK
Gallente
do you
Posted - 2011.01.20 23:10:00 - [4]
 

well done Sreegs,

As always I'm particularly interested in multi-factor authentication.
I love how paypal sends me a text on my phone as a second factor.
It's cheap, effective, and could reach a large portion of your player base.

Keep us in the loop like you've done in this Blob and things will only get better :)

Halvus
Minmatar
Sons Of 0din
Fatal Ascension
Posted - 2011.01.20 23:19:00 - [5]
 

Excellent blog. Keep up the good work :)

Wollari
Phoenix Industries
Wicked Nation
Posted - 2011.01.20 23:25:00 - [6]
 

I also already got some kind of EVE newsletter where all URLs have been masked using tinyurl.com

Doctor Mabuse
Posted - 2011.01.20 23:32:00 - [7]
 

Have you considered GrIDsure as a form of two factor authentication?

Simple and no messing around with tokens...


CCP Sreegs

Posted - 2011.01.20 23:33:00 - [8]
 

Originally by: Wollari
I also already got some kind of EVE newsletter where all URLs have been masked using tinyurl.com


Forward it to security@ccpgames.com if you can. Those have been getting nuked pretty quickly.

Jmarr Hyrgund
The Bastards
Posted - 2011.01.20 23:36:00 - [9]
 

Onions. He knows his. Read well and note his advice.

Awesome blog.

Grady Eltoren
Minmatar
Aviation Professionals for EVE
Posted - 2011.01.20 23:42:00 - [10]
 

Originally by: Salyan
CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.

P.S. Chribba, sorry but your picture scares me now.


LOL - my thoughts too. JK! : ) My guy has hair now too so I can't talk much. :) Apparently Incarna and Hairclub for Men go hand in hand.

On a serious note - how do phishers even make emails look like they came from CCP? E.g. the email addresses?

Steve Thomas
Minmatar
Sebiestor Tribe
Posted - 2011.01.20 23:47:00 - [11]
 

Originally by: Salyan
CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.

P.S. Chribba, sorry but your picture scares me now.


Not only do they do that, but they actually created even better bots, if you will, to detect those bots in the first place.

Seriously, how big of a moron do you have to be to not think that one of the things they do is search for sites that have "bots" for EvE Online.

Or that they have people who have volunteered to host bots here in North America AND Europe AND Brazil, for example, specifically so they can monitor exactly what said bot does and when said bots get updated into account zombies?


Filodar
Posted - 2011.01.21 00:08:00 - [12]
 

Originally by: Doctor Mabuse
Have you considered GrIDsure as a form of two factor authentication?

Simple and no messing around with tokens...




Looks like a bad system, it's overly complicated and would lead to a huge increase in support costs. And the attackers could still do it as a password reply, or phishing users by having a distinct number per square.

Steve Thomas
Minmatar
Sebiestor Tribe
Posted - 2011.01.21 00:09:00 - [13]
 

Originally by: Grady Eltoren
Originally by: Salyan
CCP reverse-engineers bots?!? That's awesome and much more than I ever expected you guys to do.

P.S. Chribba, sorry but your picture scares me now.


LOL - my thoughts too. JK! : ) My guy has hair now too so I can't talk much. :) Apparently Incarna and Hairclub for Men go hand in hand.

On a serious note - how do phishers even make emails look like they came from CCP? E.g. the email addresses?

It's not really hard to do; there are still open email services out there where you basically send email out to the web with forged "from" information. Heck, check your spam filter; odds are you have or got mail stuck in it from days if not years in the future due to that kind of forging.

Here is one header that shows where the mail actually came from.

Supposedly it was from "Webaccountsecurity" at Twitter.com but it actually was from someone at "xt07.verada.ru", and that's assuming that "xt07.verada.ru" was legit to start with!

Quote:
From Twitter Mon Dec 20 18:02:00 2010
X-Apparently-To: stevenwaynethomas@yahoo.com via 98.136.183.31; Mon, 20 Dec 2010 10:02:01 -0800
Return-Path: <webaccountsecurity@postmaster.twitter.com>
Received-SPF: pass (mta1004.mail.ac4.yahoo.com: xt07.verada.ru designates 18.381.165.058 as permitted sender)
X-YMailISG:
(Deleted massive wall of id number)
X-Originating-IP: [18.381.165.058]
Authentication-Results: mta1904.mail.ac4.yahoo.com from=nstr30j.verada.ru; domainkeys=pass (ok); from=verada.ru; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO xt07.verada.ru) (128.121.146.143) by mta1004.mail.ac4.yahoo.com with SMTP; Mon, 20 Dec 2010 10:02:01 -0800
Received: from verada.ru (localhost [127.0.0.1]) by xt07verada.ru (Postfix) with ESMTP id 53F8F74E4C5 for <Stevenwaynethomas@yahoo.com>; Mon, 20 Dec 2010 18:02:00 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 xt07.verada.ru 53F8F74E4C5
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim; t=1292868120; i=@verada.ru; bh=C28GCdbF451aVoXKHvtW1vhtn3w=; h=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version: Content-Type; b=Q9iYzf4szHlPqCaLLFbDDCMm7wYMQI52Pm6kcNWqsgVNTTd3C38zf9UD0WuF8xDXr JUGZqvBd3HJjBdOHHzEnvkee3QpaasrG1V47RQDZeNzUfkOHmMgPJwJqk+l/Nx8JX6 sKobWRA8ovn5PGiNXhjDmvyMwoEl/u+UHcLhHczU=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 xt07.verada.ru 53F8F74E4C5
DomainKey-Signature: a=rsa-sha1; s=default; d=verada.ru; c=simple; q=dns; b=T3sVw6BWLbarybK55vzYegZua7dDKofchvgcC6Ois+9GSvplRc3NFWe1DLp2npcy5 FetkBiooKtB434G2P0fwA==
Date: Mon, 20 Dec 2010 18:02:00 +0000
From: This sender is DomainKeys verified verada.ru <welcome-Fgrirajnlargubznf=lnubb.pbz-4aacf@postmaster.verada.ru> Add sender to Contacts
Reply-To: noreply@postmaster.verada.ru
To: Stevenwaynethomas@yahoo.com
Message-Id: <4d0f9a18527d4_1b6b5e34aa46079@mx007.verada.ru.tmail>
Subject: Suspention of account, StevenWThomas!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4d0f9a185322b_1b6b5e34aa460852
X-Campaignid: welcome20100914phx
Errors-To: va <noreply@postmaster.verada.ru>
Bounces-To: va <noreply@postmaster.veradaru>
.
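The mismatch this post points at, a visible From: domain that differs from the domain SPF and DKIM actually vouched for, can be checked mechanically. The following is an added example, not part of the original thread; the message is constructed, and the domains, `alignment_report`, `org_domain` and `trusted_mta` are illustrative names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the header layout quoted in the post above;
# brand.example, bulkmailer.example and recipient.example are placeholders.
SAMPLE = (
    "Return-Path: <bounce@bulkmailer.example>\n"
    "Authentication-Results: mx.recipient.example; spf=pass "
    "smtp.mailfrom=bounce@bulkmailer.example; dkim=pass header.d=bulkmailer.example\n"
    'From: "Brand Account Security" <security@brand.example>\n'
    "To: player@recipient.example\n"
    "Subject: Suspension of account\n"
    "\n"
    "body\n"
)

AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)")


def org_domain(host):
    # Assumption: the last two labels approximate the organisational domain.
    # Production DMARC evaluators use the Public Suffix List instead.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def alignment_report(raw, trusted_mta="mx.recipient.example"):
    """Compare the visible From: domain with the domains SPF/DKIM vouched for."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    checks = []
    for header in msg.get_all("Authentication-Results", []):
        authserv = header.split(";", 1)[0].split()
        # Only believe results stamped by our own receiving MTA; anything else
        # could have been inserted by the sender.
        if not authserv or authserv[0].lower() != trusted_mta:
            continue
        for method, result, ident in AUTH_RE.findall(header):
            dom = ident.rpartition("@")[2].lower()
            aligned = result == "pass" and org_domain(dom) == org_domain(from_dom)
            checks.append((method, result, dom, aligned))
    if any(c[3] for c in checks):
        verdict = "aligned"
    elif any(c[1] == "pass" for c in checks):
        verdict = "pass-but-unaligned"  # authenticated, but not as the From: domain
    else:
        verdict = "unauthenticated"
    return {"from": from_dom, "checks": checks, "verdict": verdict}


if __name__ == "__main__":
    print(alignment_report(SAMPLE))
```

A "pass" for SPF or DKIM only says the sending domain authorised the message; the verdict that matters for phishing triage is whether that domain matches the one shown in From:.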

Ravcharas
GREY COUNCIL
Nulli Secunda
Posted - 2011.01.21 00:16:00 - [14]
 

Quote:
The reason these things exist RMT, Phishing, Forum Hacking for account harvesting, Bots, etc... is to squeeze money out of you and into the hands of a third party.

And remember kids, squeezing money out of you is CCP's job!

No no. I jest. Good read.

One aspect of botting and RMT is that it's kind of interesting that some people would rather not have to deal with ratting in Eve. They would, in fact, rather give their credit card number to some guy in Latvia than have to deal with it. I'm not trying to be mean here, my point is that one aspect of it is a game design thing. Wormholes and incursions are actually a step in the right direction here. Moving away from a repetitive and boring activity that is easily outsourced to a bot application into something else not only hurts botters, it also makes Eve more enjoyable for people with, you know, a pulse. In fact, implementing something like the wormhole ai for old school rats or simply having them scram you more often seems like a very cost effective way of dealing with botting. Anyway, I digress.

Looking forward to the next installments.

Sarinat Talen
Celestial Arms Manufacturing and Operations
New Eden Research.
Posted - 2011.01.21 00:22:00 - [15]
 

Edited by: Sarinat Talen on 21/01/2011 00:22:34
Good work CCP, and thanks for your efforts. As someone who has gotten one of these phishing emails I really appreciate the upcoming countermeasures.

Caiman Graystock
Caldari
Cornelius Starship and Computer Design
Posted - 2011.01.21 00:27:00 - [16]
 

You guys are doing a really great job and it is much appreciated.

Xituqtra
Posted - 2011.01.21 00:42:00 - [17]
 

nice blog and great information in there and you even made me check my browser settings

And for that I will give you much love <3 <3 <3

Daedalus II
Helios Research
Posted - 2011.01.21 00:49:00 - [18]
 

I got a great idea!

You CCP guys should know your game pretty well, right? So you could build a kick-ass bot that is better than any other bot right? So you do this, and distribute it through some fishy channels. It works just as it's supposed to and outperforms all other bots, except that when the user isn't looking it's sending a mail to a specific CCP character identifying itself. After a moderate time you ban the sender on grounds of botting. If the timing is right they don't suspect the program, and use it again if they continue, and that way you can ban them again and again Very Happy

Essentially it's a honey-pot I guess.

Estel Arador
Posted - 2011.01.21 00:50:00 - [19]
 

Edited by: Estel Arador on 21/01/2011 00:50:41
Can we get authenticators and the option to whitelist IP addresses?

Vilgan Mazran
Aperture Harmonics
K162
Posted - 2011.01.21 01:03:00 - [20]
 

SPF records have been pretty mandatory for ages. How has CCP not been getting emails rejected essentially saying "your SPF records are nonexistent or not specific enough, contact your postmaster"? Like wtf :P

CCP Sreegs

Posted - 2011.01.21 01:07:00 - [21]
 

Edited by: CCP Sreegs on 21/01/2011 01:09:30
Originally by: Vilgan Mazran
SPF records have been pretty mandatory for ages. How has CCP not been getting emails rejected essentially saying "your SPF records are nonexistent or not specific enough, contact your postmaster"? Like wtf :P


The SPF records exist, they just need to be tweaked a bit. If there weren't SPF records set, a giant pile of you wouldn't be receiving our emails.

:edit: Which is pretty much what you just said it would seem, heh

PC l0adletter
Posted - 2011.01.21 01:15:00 - [22]
 

Authenticators, please.

Originally by: CCP Sreegs

Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.



I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.

Ravcharas
GREY COUNCIL
Nulli Secunda
Posted - 2011.01.21 01:25:00 - [23]
 

Originally by: PC l0adletter
Authenticators, please.

Originally by: CCP Sreegs

Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.



I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.

I was wondering how long it would take for someone to quote that.

Anyway, the subject of the devblog isn't quite what I'd call specific in nature. So leave Sreegney alone.

CCP Sreegs

Posted - 2011.01.21 01:26:00 - [24]
 

Originally by: PC l0adletter
Authenticators, please.

Originally by: CCP Sreegs

Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.



I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.


This blog was presented to the CSM prior to that post being made and they were told at the time that it would be given to the playerbase in the form of a dev blog. I tried after that post to make it clear that the question was academic in nature, as I can make changes to my messaging based on what you (players) tell me you'd like to know. I guess you could call it an apparently clumsy attempt to get around specific detail requests and get to the nature of the question.

To expand a bit, a lot of security-related questions tend to focus on specific solutions or cookie cutter types of individual requests and to really solve a lot of problems you need to look at bigger pictures. As you can see in this blog at least I don't consider any one thing to be a magic solution. There's a lot of different moving pieces of vulnerability that each need to be addressed individually. My hope was that by framing the question a particular way I could get some thought flowing and get some interesting responses, which did happen.

Sorry if that left the impression that I was on some super secret need to know CIA spy kick or something as I really tend towards the opposite philosophically and I don't believe in any way that people are best served by being left in the dark, though there are and will be cases where full disclosure just doesn't benefit anyone.

PC l0adletter
Posted - 2011.01.21 02:21:00 - [25]
 

Originally by: CCP Sreegs
Originally by: PC l0adletter
Authenticators, please.

Originally by: CCP Sreegs

Just out of honest curiosity, what positive outcome do you think would come from detailing specific counter-hacking/botting methodologies? What would you gain from this knowledge personally? I understand that you WANT to know things, but I'm having a hard time wrapping my head around how some knowledge being public information would be to anyone's benefit and I'd like to hear an alternative viewpoint.



I'm gonna go ahead and hope that this devblog is evidence that you've reconsidered. Reckless, I know.


This blog was presented to the CSM prior to that post being made and they were told at the time that it would be given to the playerbase in the form of a dev blog. I tried after that post to make it clear that the question was academic in nature, as I can make changes to my messaging based on what you (players) tell me you'd like to know. I guess you could call it an apparently clumsy attempt to get around specific detail requests and get to the nature of the question.

To expand a bit, a lot of security-related questions tend to focus on specific solutions or cookie cutter types of individual requests and to really solve a lot of problems you need to look at bigger pictures. As you can see in this blog at least I don't consider any one thing to be a magic solution. There's a lot of different moving pieces of vulnerability that each need to be addressed individually. My hope was that by framing the question a particular way I could get some thought flowing and get some interesting responses, which did happen.

Sorry if that left the impression that I was on some super secret need to know CIA spy kick or something as I really tend towards the opposite philosophically and I don't believe in any way that people are best served by being left in the dark, though there are and will be cases where full disclosure just doesn't benefit anyone.


Well, at least I only got my hopes up for a minute....

There are a lot of botters out there. Have you looked at the thread in general discussion where they ask for questions about incarna? 20% of the questions are about botting. Players take the fairness and integrity of the gameplay environment seriously, and we see a lot of really blatant botting going on. Personally, I don't care if you blurgh about it or not, so long as it stops.

Nye Jaran
Posted - 2011.01.21 03:15:00 - [26]
 

Say it with me... auth-en-tic-a-tor.

Frug
Omega Wing
Snatch Victory
Posted - 2011.01.21 03:30:00 - [27]
 

While I can understand the reasoning for your fighting phishing attacks, I am in need of many different forms of male enhancement due to a condition I have which requires me to take a multi-pronged approach to enlargement options. If you continue to combat the providers of my enhancement services which offer both cheap pills and payment options that are incredibly easy to use and bill me automatically without all the effort of most sites, I may have to cancel my subscription.

Noun Verber
Gallente
Posted - 2011.01.21 03:38:00 - [28]
 

Originally by: Nye Jaran
Say it with me... auth-en-tic-a-tor.

still hack-a-ble

Mielono
Caldari
SWARTA
Posted - 2011.01.21 04:30:00 - [29]
 

Originally by: Noun Verber
Originally by: Nye Jaran
Say it with me... auth-en-tic-a-tor.

still hack-a-ble


and bulletproof vests don't always work, but for some reason people still wear them

Bhattran
Posted - 2011.01.21 04:45:00 - [30]
 

Edited by: Bhattran on 21/01/2011 04:46:35
This is promising, both in what is done and talked about, I eagerly await moar information.

I still wonder what the fate of locking a character or account so the character(s) cannot be transferred ever, or only after a set time period has passed, i.e. a month, 3 months, a year, is. The 'worst' situation for a player besides having their account hacked/compromised and/or having stuff sold off, isk transferred is losing the irreplaceable, the characters.

Certainly curtailing situations where people put themselves in jeopardy is great, protecting our communications etc but how about letting us stop someone from abusing the system CCP created for character sales? *I* don't ever want to sell my character but because CCP allows it, presumably to stop ebay sales of accounts as well as to make some money from people wanting and willing to do it, I am 'vulnerable' to losing my character should my account get compromised, we all are.



