10K+ sites infected - SE response - RESTORATION, K?

[spooky]

I bet one of the questions Bercus sent was about hacking. >.>

[Olo401]

Yes, late, but still good. They better apply it retroactively though.

QFMFT.

[Lexa]

It seems that SE, like they've done in the past, is trying to make us believe they're doing good. A lot of times, though, nothing worth mentioning has come out of it, and a lot of the users are still left with nothing at all. A friend of mine recently got hacked, got his account back, but had nothing left, and they couldn't do anything about it. He had some pretty rare sellables, and every day now he's passing by a mule that suspiciously suddenly is selling every single item that he had on his character... Finding mules that bazaar these things aren't rare - finding a mule that's bazaaring all of these things at once?

I hope that this new policy or whatever will apply retroactively, and that good things will come out of this, but frankly, I'm not holding my breath.

[Bardicrune]

Off Topic and nitpicky:

I'm virtually certain they have regular tape backups of everything FFXI-related (it's common sense in the IT industry)

Generally tape backup's are not used in the larger IT industry anymore, mostly data is backed up and warehoused offsite on Network Attached Storage servers or they just use redundant offsite mirrored servers.

[Arkanna]

Off Topic and nitpicky:

I'm virtually certain they have regular tape backups of everything FFXI-related (it's common sense in the IT industry)

Generally tape backup's are not used in the larger IT industry anymore, mostly data is backed up and warehoused offsite on Network Attached Storage servers or they just use redundant offsite mirrored servers.

Point stands, regardless.

[Akucaen]

I like how it took ABC and another major news carrier for them to 'notice' and present better measures to restore characters than the bull they have in place now. Place on top of that abysmal lack-of measure in place to avoid hacking, like questions just to ALLOW you to change your password.

Eugh. Way to fail SE.

[Spekkio]

I like how it took ABC and another major news carrier for them to 'notice' and present better measures to restore characters than the bull they have in place now. Place on top of that abysmal lack-of measure in place to avoid hacking, like questions just to ALLOW you to change your password.

Eugh. Way to fail SE.

when we complain, management tells us to stuff ourselves and it dies there. when ABC prints it, shareholders hear about it and the negative impact it's having on their stock and this generates a fire i'd imagine.

[friend]

Interesting, Maybe I'll get Spookiness back eventually, rather than SE just telling me I'm Screwed.

[EagleCeres]

lolSE

The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites.

McAfee isn't sure how so many sites have been hacked, but "given how quickly some of these attacks have come on, it does seem like some automation has gone on," said Craig Schmugar, a researcher with McAfee's Avert Labs. In the past, attackers have used search engines to scour the Internet for vulnerable Web sites and then written automated tools to flood them with attacks, which ultimately let criminals use legitimate sites to serve up their malicious code.

The infected Web sites look no different than before, but the attackers have added a small bit of JavaScript code that redirects visitors' browsers to an invisible attack launched from the China-based servers. This same technique was used a year ago, when attackers infected the Web sites of the Miami Dolphins and Dolphins Stadium just prior to the 2007 Super Bowl XLI football game.

If the code is successful, it then installs a password-stealing program on the victim's computer that looks for passwords for a number of online games, including the Lord of the Rings Online.

These online game passwords are a popular hacker target, in part because many online gaming resources can be stolen and then sold for cash.

so... after getting a formal wake up call by two Media Companies and official research by an Anti Virus Conglomerate, they finally accept to work on something their own customerbase have been kicking/screaming/threatening to sue about for the last what, 6 months? jeez...

I love the game, dont get me wrong... I just hate how the people in charge of making the decisions go about making said decisions. Not necessarilly Too Little-Too Late, but i cant help to feel that they could be taking a more (pro)active approach once they started getting spammed by US, their loyal and paying customers... isntead of waiting until our drama became public.

[Kenji]

Curious. The reports say online gaming, and not FFXI officially. If this hacking wave is targetting other games, how effective has it been on those other games? What are the other companies doing? I'd be interested in a comparison of responses.

WoW's been having issues with keylogged accounts being used to spam RMT advertisement via whispers lately, actually. Gets around the "newbie barrier" Blizzard put up to prevent trial accounts and such from being used as adbots.

Interesting. I assume people are getting their characters stripped as well. How is Blizzard handling it? Are people who lost accounts getting them back, and all their items? How long does it take? What's involved?

[setzor]

Curious. The reports say online gaming, and not FFXI officially. If this hacking wave is targetting other games, how effective has it been on those other games? What are the other companies doing? I'd be interested in a comparison of responses.

WoW's been having issues with keylogged accounts being used to spam RMT advertisement via whispers lately, actually. Gets around the "newbie barrier" Blizzard put up to prevent trial accounts and such from being used as adbots.

Interesting. I assume people are getting their characters stripped as well. How is Blizzard handling it? Are people who lost accounts getting them back, and all their items? How long does it take? What's involved?

blizzard has a FAST turn-around on getting characters back, you get a majority if not all your items back... they don't fuck around when it comes to customer service it seems, they don't fuck around giving the banhammer to obvious RMT's or blatant system hackers either. and they serve up at least 20 times the number of active players as ffxi...last i checked.

every time SE says "investigating" replace the word with "taking our sweet fucking time because we don't really give a shit about"

Yes, we're still "investigating" your account.
Thanks for your RMT report, we'll be "investigating" that issue.

[Nyuneko]

Gonna lawl when the next "GM told me to get TFO when I reported my account got hacked" thread pops.

[ronin sparthos]

Curious. The reports say online gaming, and not FFXI officially. If this hacking wave is targetting other games, how effective has it been on those other games? What are the other companies doing? I'd be interested in a comparison of responses.

WoW's been having issues with keylogged accounts being used to spam RMT advertisement via whispers lately, actually. Gets around the "newbie barrier" Blizzard put up to prevent trial accounts and such from being used as adbots.

Interesting. I assume people are getting their characters stripped as well. How is Blizzard handling it? Are people who lost accounts getting them back, and all their items? How long does it take? What's involved?

blizzard has a FAST turn-around on getting characters back, you get a majority if not all your items back... they don't fuck around when it comes to customer service it seems, they don't fuck around giving the banhammer to obvious RMT's or blatant system hackers either. and they serve up at least 20 times the number of active players as ffxi...last i checked.

every time SE says "investigating" replace the word with "taking our sweet fucking time because we don't really give a shit about"

Yes, we're still "investigating" your account.
Thanks for your RMT report, we'll be "investigating" that issue.

Blizzard has alot more representatives (or perhaps they outsource) handling the issue, the SE information center has like 10 people manning the phones and 2 managers tops - SE is simply undermanned big time. I assume the people investigating hacked accounts are probably 2 people in tandem with a manager.

It comes down to also how the companies view issues as well.

[OctavoGilgamesh]

I guarantee this is just SE's way of showing that other games are affected by these hackings, not just ffxi. So not really day late dollar short, just their idea of player relations.

and the obligatory

OMGMYACCOUNTWASHACKEDFUCKINGSEYOUBASTARDSLOSTMYRAI NBOWCAPE

[Spekkio]

i get the feeling that the blizzard devs have a lot more of a hands on approach to their userbase than say the ffxi devs. consider for a second the "need or greed" system in WoW a friend of mine explained to me a while back.

as best i understand in WoW, a large chunk of the gold (gil in ffxi) comes from accruing drops in instanced zones and selling, often to NPC. this would cause players to lot things they couldn't wear or otherwise use but wished to have to NPC for gold. in order to enable players who would actually put the gear to use for more than vendor trash, prior to lotting, players would declare if they wished to lot it for "need" or "greed" IE, they want to wear it or NPC it respectively. if no player declared need, players who declared greed could lot it and the top lot got a couple of shinies. if anyone declared need, all players declaring greed would pass for those who declared need. this was a convoluted system though, akin to our shouting out for people who want to burn points on items with a limited time before it plunks into someone's inventory. blizzard responded after a bit by adding instead of 1 universal lot button a "need" button and a "greed" button, effectively automating the process. any player clicking need negated any greed lots, so all players needed to do was hit the right button and let the game as well as lady luck decide who was walking home with the item. blizzard saw a system players had implemented, albeit inefficiently managed by hand and automated the system. meanwhile, we can't bludgeon SE into forcing our coinage and af in dynamis out in a timely fashion.

while this may not be the world's best example, it does indicate the dogmatic differences between blizzard and SE. blizzard takes a more aggressive stance towards what the playerbase wants while SE seems to take the attitude of "we will tell you what you want. your concerns are pity and boring." it's depressing to watch such blatant mismanagement continue. customers of other large scale products, from relatively cheap products such as office suites to software solutions costing in the tens to hundreds of thousands of dollars, are the guiding force behind requirements specifications and feature additions, but SE seems to have forgone this tried and true model for one that more resembles "SE knows best." not until SE is made to look a fool will anyone step up and actively attempt to solve the problem in such a stagnant environment.

[Ayato]

Curious. The reports say online gaming, and not FFXI officially. If this hacking wave is targetting other games, how effective has it been on those other games? What are the other companies doing? I'd be interested in a comparison of responses.

WoW's been having issues with keylogged accounts being used to spam RMT advertisement via whispers lately, actually. Gets around the "newbie barrier" Blizzard put up to prevent trial accounts and such from being used as adbots.

Interesting. I assume people are getting their characters stripped as well. How is Blizzard handling it? Are people who lost accounts getting them back, and all their items? How long does it take? What's involved?

Friend lost all his chars and items on Wow, he simply made a new char, called GM and told him what happened, GM asked him to logout, he did and found all his chars and everything restored, so its instantly

[Septimus]

OK, maybe I am oversimplifying things here or maybe giving their system too much credit.

How about they put in a tracking system where if an account appears with a new IP address (especially one that originates in China) and attempts to change password, that a huge red flag pops up for investigation? Or that several different accounts that had completely different IP addresses have their passwords changed from the same IP address, that a huge red flag pops up for investigation? Or how about you have to input your whole credit card number before you can change the password?

Or how about all of the above? Seriously, how can I get this to the dev team?

[ismarc]

OK, maybe I am oversimplifying things here or maybe giving their system too much credit.

How about they put in a tracking system where if an account appears with a new IP address (especially one that originates in China) and attempts to change password, that a huge red flag pops up for investigation? Or that several different accounts that had completely different IP addresses have their passwords changed from the same IP address, that a huge red flag pops up for investigation? Or how about you have to input your whole credit card number before you can change the password?

Or how about all of the above? Seriously, how can I get this to the dev team?

They would have to do this based on IP Blocks owned by providers and the password being changed from outside that block. I myself have 6 unique public IPs at home, 4 of which could be used at any given time to sign into FFXI. And this isn't counting when I'm over at a friends house, or working seriously late at night at work and have it running on a laptop while I fish or campaign.

However, I would recommend a two-pronged approach to increasing the security of the accounts.
1) As others have suggested, a security question/answer required to change the password. This will prevent those not easily guessed from being able to completely remove access to the account.

2) Have an option to generate a security hash. The security hash would be an option located under the account management section of POL and nowhere else. You click a single button and the hash is generated (method can be completely random, it doesn't matter so long as it's long/complicated enough to not be guessed). The hash is displayed to the user and is stored in POL/SE's databases. Each time you do this, it adds another entry. There is no method of seeing past security hashes, only the one you just generated. This security hash can then be used as initial verification of ownership of the account so that alternate characters can request a lock to the account from a GM or can be used by the user for verification with callcenter personnel to lock the account. ANY security hash can be used to lock the account. Once locked, the user has to go through the process of contacting the callcenter to re-gain access to the account. While this would require users to proactively prepare for security issues, it guarantees they will be able to stop access the instant they discover unauthorized access has occurred.

[Spekkio]

OK, maybe I am oversimplifying things here or maybe giving their system too much credit.

How about they put in a tracking system where if an account appears with a new IP address (especially one that originates in China) and attempts to change password, that a huge red flag pops up for investigation? Or that several different accounts that had completely different IP addresses have their passwords changed from the same IP address, that a huge red flag pops up for investigation? Or how about you have to input your whole credit card number before you can change the password?

Or how about all of the above? Seriously, how can I get this to the dev team?

i ran that idea, but unfortunately it fails.
evolutionary step 1: SE bars IP addresses from china outright (ignoring the chinese players who actually play)
evolutionary response 1: CGF begin using open US proxies to reroute traffic and avoid IP block ban.

evolutionary step 2: SE bars IP address changes from any IP addresses that has not been the only address to access the account for at least 24 hrs.
evolutionary response 2: CGF will loot the chars even if they can't change the password. CGF will develop new keyloggers that not only steal passwords but change the password via the local machine, bypassing all IP checks.

evolutionary step 3: SE bans password changes and cc changes without the last 4 digits of the most recent credit card on file.
evolutionary response 3: CGF will loot the char stealing and NPCing anything they can take. the account will be protected but will be largely unusable due to losing virtually anything of value.

the problem with most of these solutions is that they all hinge on trusting the computer to be secure, which is always violated when an account is stolen. rsbo.exe was the tip of the iceberg. having not looked at it, but guessing based on the accounts i've heard, it's not all that sophisticated. it's easily identified, removed, and offers almost no self-defense tools against anti-malware products or the like beyond simply sufficient obscurity to avoid detection. it was only effective due to the CGF playing the first strike card. knowing that we would be slow to react to such a new threat, even a simple tool would be enough to harvest hundreds of accounts. still, this is only the opening salvo in the war.

as our reactionary countermeasures increase, so too will the offensive measures that the CGF take. rootkits will be implemented. more complex and automated tools will be used to steal the account and change the passwords. these attacks are in their infancy and will only increase in scope and capacity. from IP policies to security tokens, no solution is foolproof. just look at the violation of the chip and pin system used for credit cards and bank cards in europe. not only have methods been developed to violate the security of it, but due to the supposed impregnability of the system, cardholders who have been ripped off are treated as criminals filing false testimony and not victims when they report it. both solid upfront security and solutions to solve inevitable breeches when they occur are necessary to ensure a viable working environment.

btw, i do like the idea of a security hash or a "locking password." if the account is compromised at any point, go to SE's website and key in the account name and the locking password. this freezes the account until such time as a phone call is placed to SE (note, BYPASSING THE COMPUTER which is known to be infected!) and the account is unlocked. a very clever trick.

[ronin sparthos]

the problem with most of these solutions is that they all hinge on trusting the computer to be secure, which is always violated when an account is stolen. rsbo.exe was the tip of the iceberg. having not looked at it, but guessing based on the accounts i've heard, it's not all that sophisticated. it's easily identified, removed, and offers almost no self-defense tools against anti-malware products or the like beyond simply sufficient obscurity to avoid detection. it was only effective due to the CGF playing the first strike card. knowing that we would be slow to react to such a new threat, even a simple tool would be enough to harvest hundreds of accounts. still, this is only the opening salvo in the war.

as our reactionary countermeasures increase, so too will the offensive measures that the CGF take. rootkits will be implemented. more complex and automated tools will be used to steal the account and change the passwords. these attacks are in their infancy and will only increase in scope and capacity. from IP policies to security tokens, no solution is foolproof. just look at the violation of the chip and pin system used for credit cards and bank cards in europe. not only have methods been developed to violate the security of it, but due to the supposed impregnability of the system, cardholders who have been ripped off are treated as criminals filing false testimony and not victims when they report it. both solid upfront security and solutions to solve inevitable breeches when they occur are necessary to ensure a viable working environment.

btw, i do like the idea of a security hash or a "locking password." if the account is compromised at any point, go to SE's website and key in the account name and the locking password. this freezes the account until such time as a phone call is placed to SE (note, BYPASSING THE COMPUTER which is known to be infected!) and the account is unlocked. a very clever trick.

This is why SE needs to be 100% on its toes ready to accept that this was only the start of a long an protracted battle that ALL MMOs fight constantly. FFXI was lucky in the sense it took nearly 4years for hacking to go mainstream but now its happened the typical SE response speed (4months-1year) to resolve issues is not going to cut it especially when CGF are only going to keep picking at this option for making money especially as the STF starts to shut them down on the ingame front.

SE is quick to point out that many players have unsecure computers and they are completely right - some people arent running the most secure stuff HOWEVER SE has some major flaws of there own as well. Currently if CGF breech you while the information center is closed: your fucked - 24/7 customer service is too hard to ask for? Even if it means calling the EU center during NA centers downtime and vice-versa? This is a huge flaw and CGF are more than happy to wait until the centers down/weekends to gank and be completely free to do whatever until monday. Is paying workers minimum wage too hard to ask for 2more days on top of the usual?

Blocking IPs and trying to keep the RMT out is a massive undertaking: giving the users more ways to secure themselves within POL and within the Square-Enix umbrella of influence is much more simple to mainstream. You can deter the RMT into a situation where it isnt as feasible and so salivating to try to keylog and hack people. Quicker response to people affected by hacking is only the start, no reason why it should take 3-4months to respond to an issue.