Posts Tagged ‘security’

Blizzard Authenticator Warning: Only One Per Account

Just a quick heads-up here. I’ve now read on four separate sites that some people are ordering more than one Blizzard Authenticator for themselves, e.g. because they play on a desktop computer and a laptop.

It doesn’t work that way, I’m afraid. You can use one single Authenticator for several accounts, but not the other way around. Multiboxing? One Authenticator for all your boxes is enough. WoW, StarCraft II on Battle.net and the future Diablo 3 accounts can all be protected with the same Authenticator. But you can’t have two Authenticators protecting the same account.

From the Authenticator FAQ:

Can I apply my Blizzard Authenticator to more than one account?

Yes! You’re welcome to associate a single Blizzard Authenticator to as many accounts as you like. Please remember that you must have that Authenticator with you to log in to any of these accounts afterwards.

Can I keep one Blizzard Authenticator at home and another at work, and have both associated to the same account?

No. Each account can have only one Blizzard Authenticator linked to it at a time, so you would need to carry the Authenticator with you to log in from different computers.

Hope that clarifies it.

On Similar Matters

Blizzard Authenticator on EU Store – Sold Out?

At the time of this writing, the Blizzard Authenticator is marked as sold out on the EU store. It isn’t entirely clear whether I missed the window to buy it this morning (and they went like hot cakes) or whether they haven’t actually been put up for sale yet.

If it’s the latter, Blizzard needs to take preorders ASAP. If they have indeed sold out already, it is quite clear that everyone feels, like me, that it has instantly become a mandatory tool for account security.

EDIT: Looks like I’m not alone with this disappointment. Siha at Banana Shoulders echoes the sentiment.


Why the Optional Blizzard Authenticator will Become Quite Mandatory

Blizzard announced a new tool in the arsenal of measures to combat account theft, their authenticator. In short, you buy the authenticator for a small sum of money, tie it to one or more Blizzard game accounts, and from then on, whenever you want to log in, you will be prompted to type in not just your username and password, but also a short authentication code.

The authenticator should be a little RSA-like token which displays a new code every minute or so, akin to what many banks provide for e-banking. The code isn’t random: it is computed from a secret seed inside the device and the current time, so the server can compute the same value and check it. This makes a keylogger’s haul nearly worthless: the code will be long expired by the time the information it captured gets used. Nearly, because a one-time code only defeats replay; malware that relays your code to the thief while it is still valid, or hijacks your already-authenticated session, still gets through. The thief has to act within the minute rather than at leisure, though, which is a big step up.
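To make the one-time-code point concrete, here is an added example (my own illustration, not code from Blizzard or from the device vendor): an RFC 6238-style time-based code, the scheme bank tokens of this kind typically use. That the Blizzard device works exactly this way, and the 30-second step, are assumptions. The scenario at the end shows a genuine login succeeding and the same captured code being refused both seconds later and ten minutes later.

```python
# Added example (not from the original post): an RFC 6238-style time-based
# one-time code, to show why a code captured by a keylogger is useless once
# it has been used or its time step has passed. Whether the Blizzard device
# uses exactly this scheme is an assumption; the principle (secret seed plus
# clock, never a "random" code) is the same.
import hashlib
import hmac
import struct

STEP = 30          # seconds per code (assumed); the post says "every minute or so"
DIGITS = 6         # length of the displayed code
SEED = b"constructed-seed-shared-between-device-and-server"  # constructed


def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the current time step, dynamically truncated (RFC 4226/6238)."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Server:
    """Verifies codes and refuses to accept the same time step twice."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window      # tolerate one step of clock drift either way
        self.last_counter = -1    # highest step already consumed by a login

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue          # replay of a step that already logged someone in
            expected = totp(self.seed, c * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


def keylogger_scenario() -> dict:
    """Constructed timeline: the victim logs in at t=1000 while a keylogger
    records the code; the thief tries it 5 seconds and 10 minutes later."""
    server = Server(SEED)
    t_login = 1000
    captured = totp(SEED, t_login)                            # what the keylogger saw
    victim_ok = server.verify(captured, t_login)              # genuine login succeeds
    immediate_replay = server.verify(captured, t_login + 5)   # same step, already used
    late_replay = server.verify(captured, t_login + 600)      # step long gone
    return {
        "victim_ok": victim_ok,
        "immediate_replay": immediate_replay,
        "late_replay": late_replay,
    }


if __name__ == "__main__":
    print(keylogger_scenario())
```

What this cannot show, because no one-time code can, is malware that relays the freshly typed code to the thief within the same time step, or that rides your already-authenticated session. That is the residual risk the device leaves you with.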

That doesn’t make WoW accounts hack-proof, by the way. It just raises the difficulty by several notches. Considering that at the same time, due among other things to the new dailies, WoW gold prices are dropping faster than ever, what we have here is a concerted approach by Blizzard to make the cost of cracking an account far too high compared to the profit it could generate.

But let’s not fool ourselves. By that same measure, as soon as the “optional” authenticator starts spreading, the pressure on the accounts not using it will intensify big time. As the pool of easy targets shrinks, attempts at account theft on the ones that remain will multiply.

If you value your accounts at all, and I know you do, you’ll be well advised to buy the authenticator as soon as possible. If that’s not immediately possible, here’s a practical recommendation to limit your exposure a bit.

Go and download Ubuntu 8.x

You can now either burn it to CD and boot from it, or mount the ISO with Daemon Tools, run it under Windows and launch the “lite” installation. In the latter case it won’t repartition your hard drives; it installs like a normal Windows application and shows up as a boot option when you restart (you can later uninstall it from the Windows Control Panel’s Add/Remove Programs). Either way, check the ISO against its published checksum before you use it: an installer downloaded on a PC you suspect is already keylogged is only as trustworthy as that PC.

In either case, boot into Ubuntu, launch Firefox and change your password from there, and only from there, never from your Windows session. Do it regularly. Very regularly. Weekly.

Yes, I’m saying that you should download a full 700 MB ISO of a perfectly good operating system just for the sole purpose of changing your password weekly. Why Ubuntu? Because it’s so simple that even a half-wit like me can use it. And if I can do it, you all can.

Too much of a hassle? Fork out the money for the Blizzard authenticator. It’s only optional until it launches.


Misplaced Fearmongering by WoWInsider’s so-called Security Expert

In his latest column, the pretend computer security “expert” John Eldridge again raises FUD (Fear, Uncertainty and Doubt) around Warden, regurgitating the following urban legend:

“It (Warden) reads the text in the title bar of every window you have open including that really embarrassing Furry fan site you don’t want your friends to know about. Yes Nekudotayim, Bliz knows about your pr0nz!”

Yet in the very next sentence, John contradicts himself (and actually gives technically correct information):

“The Warden then creates a hash code (think fingerprint) of each window title and compares the results to a list of ‘banning hashes’ for potential matches and subsequent divine retribution.”

The rest of the post is full of the same ambivalence, alternating between factually correct information and fearmongering (comparing Warden to Spyware, insisting Blizzard knows about your browsing habits).

The key distinction John fails to make is that while Warden “sees” what is on your box, it does so without recognizing or understanding any of it, and all Blizzard learns is whether something matched.

What exactly is a hash code? It’s quite simple. You take a word or sentence (in the present case a browser window title), apply a one-way cryptographic hash function (a building block of modern cryptography, though not encryption: nothing is ever meant to be decrypted) and you get a short, fixed-length alphanumeric code back: your hash code. The function is not reversible; in other words, from a given hash code you cannot compute the original word or sentence. The one thing you can do is hash a guess and see whether it produces the same code, which is precisely how the comparison below works.

Blizzard takes a certain number of known cheat programs and sites and runs their names through the hashing function. This gives them a dictionary of sorts, a list of suspect hash codes. Every 15 seconds, Warden hashes every running process name and the titles of open windows and browser pages, and compares each hash code to that dictionary (or sends it back to Blizzard and the comparison is made there; it isn’t entirely clear where the action takes place). If any of those Warden-generated hash codes matches an entry in the dictionary, Blizzard’s processes against cheating are set in motion. The rest of the hash codes generated from your box are useless to them. There’s no way for Blizzard to determine (nor any reason for it to want to) that a specific code hashed by Warden on your computer is actually you looking at www.steamingtaurenaction.cw, short of having already guessed that exact title and put its hash on the list, which is just another way of saying the title matched.

Again, let me stress that point: Blizzard cannot identify any application, process or data gathered on your box which doesn’t match its list of potential cheating software.
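Here is the scheme above in code, as an added example that is not Warden’s actual code: constructed cheat names get hashed into a list, a constructed desktop snapshot gets hashed and compared, and the only way to turn a fingerprint back into a title is to guess it. Which hash function Warden uses is unknown to me; SHA-256 stands in for it.

```python
# Added example, not Warden's code: the hash-and-compare scheme the post
# describes, with constructed cheat names and window titles.
import hashlib
from typing import Iterable, List, Optional, Set, Tuple


def fingerprint(text: str) -> str:
    """One-way fingerprint of a process name or window title. SHA-256 is an
    assumption; the post does not say which function Warden uses."""
    return hashlib.sha256(text.strip().lower().encode("utf-8")).hexdigest()


# Constructed names standing in for known cheat programs and sites.
KNOWN_CHEATS = ["example-bot-v2.exe", "Example Hack Forum - Latest Release"]

# What the checker works from: fingerprints only, never the names themselves.
BLOCKLIST: Set[str] = {fingerprint(name) for name in KNOWN_CHEATS}


def scan(titles: Iterable[str], blocklist: Set[str] = BLOCKLIST) -> Tuple[List[str], List[str]]:
    """Fingerprint everything seen on the box and split the fingerprints into
    (matching, non-matching). Only the first list means anything to the checker."""
    hits, rest = [], []
    for title in titles:
        fp = fingerprint(title)
        (hits if fp in blocklist else rest).append(fp)
    return hits, rest


def recover(fp: str, guesses: Iterable[str]) -> Optional[str]:
    """The only way to get a title back out of a fingerprint: hash guesses and
    compare. A title nobody thought to guess stays opaque."""
    for guess in guesses:
        if fingerprint(guess) == fp:
            return guess
    return None


# Constructed snapshot of one player's desktop.
DESKTOP = [
    "World of Warcraft",
    "Mozilla Firefox - My Bank Account Overview",
    "household-budget.xls - Excel",
    "example-bot-v2.exe",
]


def sample_scan() -> dict:
    """Run the scan over the constructed desktop and try to name what came back."""
    hits, rest = scan(DESKTOP)
    return {
        "hits": [recover(fp, KNOWN_CHEATS) for fp in hits],               # names already on the list
        "unknown_count": len(rest),
        "unknown_recovered": [recover(fp, KNOWN_CHEATS) for fp in rest],  # all None
    }


if __name__ == "__main__":
    print(sample_scan())
```

The last function in the block also shows the caveat: a window title is a low-entropy input, so anyone who bothers to guess the exact title and hash it can confirm the guess. That is exactly the blocklist match, and nothing more: it tells the checker nothing about titles it never guessed.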

Beyond that, my point made when patch 2.3 was launched still stands:

“As all the other reasonable commentators keep pointing out, if you do not trust Blizzard with your privacy, there’s only one solution, uninstall the game and quit now. What Warden does is totally irrelevant in that context, and focusing your ire on it at the exclusion of the rest of WoW basically just shows that what you’re really after is posturing on message boards.

Plus, face it, it’s not as if your private data was interesting anyway. Nobody cares about your secret pr0n stash on your home computer, least of all Blizzard. If it’s professional data, even simpler, you shouldn’t play WoW on a work computer no matter how lax your employer might be about that. The only thing Blizzard may want is your credit card number, and chances are, you gave it to them already.”

Face it, unless you’re cheating, your private information is not interesting to Blizzard (or anyone else). You’re not a special snowflake. Your draenei tentacle pr0n stash is boring. Your domestic accounting spreadsheet doesn’t matter to anyone but yourself. You disclose more information about yourself and your habits whenever you pay for your food with a credit or debit card.

WoWInsider has a long-standing bad habit of stirring up controversy and fanning flames in lieu of relevant discussion, starting at the very top with Mike Shramm himself. Computer security is, however, a grave enough subject that playing the same bait-and-switch posting game, representative of the worst the site has to offer, is irresponsible and foolhardy. If you call yourself a computer security expert, feeding paranoia with false representations for the sake of generating comments and traffic is something your work ethic should forbid, at all costs.


Safely Changing your WoW Password

In the wake of another round of account hacking – Emeritus blogging tank HonorsHammer is one of the latest prominent victims – let me restate one important element of my advice regarding account security.

Change your password often, but don’t do it from your normal browser. Go visit the LiveCD list, pick one distribution (I recently tried Damn Small Linux and Ubuntu, both do the trick but the latter is also WiFi-friendly), download it and burn your Live CD. When you change your password, boot from it and use its browser to do your account management. There’s no way a keylogger installed in your Windows system can follow you onto that CD. It won’t protect you from a hardware keylogger plugged in between keyboard and PC, though, so check the address bar and the HTTPS padlock before you type anything.


How to Improve your Account Security

As you will have noticed, there’s widespread account hacking going on at the moment, and many people, me included, aren’t exactly happy about the customer service options currently provided by Blizzard.

However, to be perfectly clear about one thing, keeping your PC secure is nobody’s business but your own. And as this story from BRK’s guild shows, when you’re an officer with guild bank access, you are a particularly fat goose to pluck, and just changing the account password without cleaning up your computer first leaves the door wide open for the thief to come back and start over.

We aren’t computer security experts, though, and some of this may look daunting and complex. Further, there’s little to no way to stop a really determined cracker from getting in. There are, however, a few measures which will ensure that casual fishing expeditions come up empty, and they involve both tools and behaviour.

So without further ado, here are a couple of recommendations to tighten up your (windows-based, sorry Mac and Linux users) PC:

1. Get a decent personal firewall. The default Microsoft one is pretty much worthless for our purpose: by default it only blocks incoming connections and will never ask you about something on your PC phoning home. If you don’t know where to start, I recommend either ZoneAlarm or Comodo Personal Firewall, both free for private use. Or check out various tests and reviews and pick whatever gets the best mix of usability and security. If you’re reading independent reviews, also look at the feedback they got from the various firewall vendors, and steer clear of those whose vendor blames the testing methodology.

2. Get antivirus software. This should be as natural as protecting yourself during a certain type of real-world encounter, but if you have no antivirus installed, go and get the free AVG antivirus from Grisoft. Install it, update it, then run a full scan.

3. If you haven’t done so already, switch away from Internet Explorer and use Firefox, for instance. If you pick Firefox, also get the NoScript add-on.

4. Get a spyware / adware cleaner, and run that one too. I’m personally partial to Ad-Aware but there are plenty of decent ones out there.

You should have a pretty clean slate at this stage. Regarding the firewall, make sure you set it to ask before authorizing an application to reach the internet, and be wise about what you let out. If you’re not sharing a printer between several computers, for instance, the Microsoft Print Spooler doesn’t need internet access. The default Windows Explorer (not the browser)? Why does this even want to access the internet? Use caution. If something with a strange name requests access, google it before deciding.

5. Now we switch to user behaviour. Keyloggers are the most widespread tool used to gain control of your account. If you don’t type your username when you log onto WoW, the only thing a keylogger can capture is your password. So remember to check the option to have the logon screen remember your username from now on. Bear in mind this is only a speed bump: the saved name sits in plain text in your WoW settings files, so malware which reads files rather than keystrokes still gets it.

6. If more than one player uses WoW on the same box, the best way to keep your accounts separate is, first, to give each of you a separate Windows user account (a limited one, not an administrator, or the separation buys you nothing against malware running with admin rights), and second, to create separate WoW installation folders. Yes, it’s a disk space hog, but that’s the safest way to ensure that if the worst comes to the worst, only one account is compromised.

7. The simplest way for a cracker to get you to download a keylogger or other malware is through AddOns. Here you should be extremely cautious about what you get and from where. Always run a virus check on any package you download before you install it. Don’t hesitate to look inside the addon folder either: normally the legit files will be limited to .lua, .toc, .xml and some graphics files. Anything else (executables, .dll, .bat, screensavers) is fishy. Learn who maintains your most popular addons, read the comments from other users on the addon download site, and fundamentally distrust a new major version popping up out of the blue from someone you’ve never heard of. Read the patch and release notes: if you’ve been using Titan Panel 2.x for a year and suddenly Titan 3 gets released by someone other than the previous maintainer, there should be enough changes in there that there’s actually a difference. If you want to go further, open the new package and compare the .lua files with the previous version’s. If basically only the .toc got changed while the main addonname.lua file is identical (compare contents or hashes, not just sizes: a file can be altered without changing its size), something is fishy.

In general, err on the side of paranoia.
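Here is the addon check from item 7 done mechanically, as an added example that isn’t from the original post: it flags files with extensions an addon has no business shipping, and compares two versions of a package by content hash rather than size. The allowed extension list (the .tga/.blp textures in particular) and the two sample packages, built in a temp directory, are my assumptions.

```python
# Added example (not from the original post): the two checks item 7 asks for,
# mechanised. The allowed extensions and the sample addon directories are
# constructed; adjust ALLOWED to what your own addons actually ship.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# .lua/.toc/.xml come from the post; .tga/.blp/.txt are assumed texture and readme formats.
ALLOWED = {".lua", ".toc", ".xml", ".tga", ".blp", ".txt"}


def suspicious_files(addon_dir: Path) -> List[str]:
    """Files whose extension an addon has no business shipping (.exe, .dll, .bat, ...)."""
    return sorted(str(p.relative_to(addon_dir)) for p in addon_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() not in ALLOWED)


def _digests(root: Path) -> Dict[str, str]:
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_packages(old_dir: Path, new_dir: Path) -> Dict[str, List[str]]:
    """Hash every file in both versions and report what changed. Size alone is
    not enough: a file can be rewritten to the same length."""
    old, new = _digests(old_dir), _digests(new_dir)
    return {
        "changed": sorted(f for f in old.keys() & new.keys() if old[f] != new[f]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def looks_fishy(report: Dict[str, List[str]]) -> bool:
    """A 'major release' that only touches the .toc, or that brings in files
    outside ALLOWED, deserves a hard look before it goes anywhere near WoW."""
    touched = report["changed"] + report["added"]
    only_toc = bool(touched) and all(f.endswith(".toc") for f in touched)
    bad_ext = any(Path(f).suffix.lower() not in ALLOWED for f in touched)
    return only_toc or bad_ext


def build_samples() -> Tuple[Path, Path]:
    """Constructed: a 2.0 package and a '3.0' that only bumps the .toc and adds an .exe."""
    root = Path(tempfile.mkdtemp(prefix="addoncheck-"))
    old, new = root / "old" / "ExampleAddon", root / "new" / "ExampleAddon"
    for d in (old, new):
        d.mkdir(parents=True)
        (d / "ExampleAddon.lua").write_text("local f = CreateFrame('Frame')\n")
        (d / "ExampleAddon.xml").write_text("<Ui/>\n")
    (old / "ExampleAddon.toc").write_text("## Interface: 20400\n## Version: 2.0\n")
    (new / "ExampleAddon.toc").write_text("## Interface: 20400\n## Version: 3.0\n")
    (new / "Updater.exe").write_bytes(b"MZ\x90\x00 constructed, not a real binary")
    return old, new


if __name__ == "__main__":
    old, new = build_samples()
    print("suspicious in new:", suspicious_files(new))
    report = compare_packages(old, new)
    print(report, "fishy" if looks_fishy(report) else "plausible")
```

Point the two functions at the unpacked previous version and the new download; a real upgrade changes .lua files and adds nothing outside the allowed set.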

Now if you have been hacked, once your account has been locked, before you do anything else, do the following:

  • Get a Linux Live CD image and burn it to a CD. Yes, I know, you’re on Windows and that’s complicated stuff. Just do it; Knoppix, for instance, does the trick.
  • Boot from the Live CD and locate the browser (it’s called Konqueror on Knoppix, for instance).
  • Do all your WoW account administration from there, in particular the password changes.
  • Once you reboot into Windows, redo a full virus and spyware scan. If the scanners find nothing at all, don’t assume you’re clean: something let the thief in, and the scanners simply missed it. Reinstalling the OS may be painful, but it’s your fastest option.
  • Only when you are positive your PC is clean should you return to the game.

Yes, it’s complicated and it isn’t fun, but get used to it or get used to being hacked (and distrusted with guild bank access). That’s, unfortunately, pretty much the price of safety.

Other basic security rules: make sure you have a unique and reasonably complicated password for WoW. If you use the same username and password as for everything else, then not only your WoW account but potentially also your blog, your guild web site and your forums get compromised along with it. Did I say err on the side of paranoia?

For Guild Masters, make sure there’s a procedure in place to remove guild bank access from a hacked member even when you’re not around. If it’s a top officer nobody but you can demote in your absence, make it clear that you only promote people mature enough to /gquit once they return in game and get reinvited at a lower rank without bank access for a “security period” of two to four weeks.


Blizzard, Please fix Customer Service Response Times on Account Hacking

In case you haven’t noticed yet:

Breana (of Gun Lovin’ Dwarf Chick) has posted a frightening retelling of what happened when one of her guildmates got his account hacked. Basically, the whole guild had to watch, powerless, while their friend’s account and the guild bank got stripped bare over several hours.

When a GM finally reacted (2 hours wait time on a Friday night; come on, hire more people anyway), he simply said there was nothing to do until the player could get in touch with Account Administration… during business hours only.

This post joins Kirk’s CALL TO ARMS on this issue!

Blizzard is hereby requested to put a solution in place which will:

  • Lock all characters out of the game as soon as a password change is made, until the change has been confirmed back through the account holder’s e-mail.
  • Expand account / password retrieval in the same way: once it is triggered, the characters are frozen until re-activation is confirmed through a link e-mailed to the account holder’s address, or any similar method.
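To spell out what those two requests amount to, here is an added example (mine, not Blizzard’s code) of the flow as a small state machine: a password change freezes the account on the spot, and only a single-use token sent to the holder’s e-mail thaws it; wrong or expired tokens fail closed and leave the old password in place. The token lifetime and the stand-in for actually sending mail are assumptions.

```python
# Added example (not Blizzard's system): the freeze-until-confirmed flow the
# two requests above describe. The TTL and the "e-mail" (a returned token
# standing in for the link) are assumptions.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed)


class Account:
    def __init__(self, email: str, password: str, clock: Callable[[], float] = time.time):
        self.email = email
        self._salt = secrets.token_bytes(16)
        self._pw = self._pw_hash(password)
        self._clock = clock            # injectable so expiry can be tested
        self.frozen = False
        # (sha256(token), pbkdf2(new password), expiry) while a change awaits confirmation
        self._pending: Optional[Tuple[bytes, bytes, float]] = None

    def _pw_hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _token_hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def login(self, password: str) -> bool:
        """Characters stay locked out while a change is unconfirmed, whatever the password."""
        if self.frozen:
            return False
        return hmac.compare_digest(self._pw, self._pw_hash(password))

    def request_password_change(self, new_password: str) -> str:
        """Freeze the account immediately and 'e-mail' a single-use token to the holder."""
        token = secrets.token_urlsafe(32)
        self._pending = (self._token_hash(token), self._pw_hash(new_password),
                         self._clock() + TOKEN_TTL)
        self.frozen = True
        return token  # stands in for the link sent to self.email

    def confirm(self, token: str) -> bool:
        """Only whoever reads the holder's mailbox can thaw the account. Wrong or
        expired tokens fail closed: still frozen, old password still in force."""
        if self._pending is None:
            return False
        token_hash, new_pw, expiry = self._pending
        if self._clock() > expiry:
            return False
        if not hmac.compare_digest(token_hash, self._token_hash(token)):
            return False
        self._pw, self._pending, self.frozen = new_pw, None, False
        return True

    def cancel(self) -> None:
        """The holder (through support, after proving identity) discards a change
        they never asked for; the old password remains."""
        self._pending, self.frozen = None, False
```

Run the thief’s scenario through it: a thief who has the password and changes it freezes the account, which locks the thief out as well as the owner, and nothing moves until someone with the owner’s mailbox confirms or the owner has support cancel it. That is the whole point of the request.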

Blizzard, please err on the side of caution. You know the success of WoW makes your customers particularly juicy targets.

If you aren’t able to post your voice on the US forums, please blog about it and / or (if you have no blog) contact WoWAccountAdmin@Blizzard.com to make your voice heard.

This Call to Arms has, to my knowledge, already been followed by:


World of Warcraft™ and Blizzard Entertainment® are all trademarks or registered trademarks of Blizzard Entertainment in the United States and/or other countries. These terms and all related materials, logos, and images are copyright © Blizzard Entertainment. This site is in no way associated with Blizzard Entertainment®