Bucket Guild | FUBU BH Forums

I Has a Bucket: Preventing bucket theft on Bleeding Hollow | FUBU: A better BH Forum
Post new topic Reply to topic  [ 55 posts ]  Go to page Previous  1, 2, 3, 4  Next
PostPosted: Thu Nov 04, 2010 2:24 pm
Kunckleheaded Knob

Weena wrote:
That's exactly how it works.

The number works for a longer duration than a second though.

The viruses that targeted the authenticators didn't actually target the authenticators; they'd just bullshit the part that asked for the number.

You'd type it in, thinking it was the game, but then that number would siphon off to whoever and it would tell you it didn't match (which you know isn't uncommon if you've used one).

They'd enter it legitimately and pluck off whatever while you sat there going ... wat?

Similar thing has been done to Steam login. People were getting fake log in windows.


Right but that seems like a logic flaw to me.
If the salt/hash is down to the second, then even if they took you to a false login screen, the only useful information they would get from you is the email and password.

If they received your number: 123456 (my luggage combo)
Then in the transmission time + latency, there is only a small chance they would be able to turn that around in the next 500 milliseconds to log in. Of course that would be beneficial but only one time.

A smarter play would be to collect a large database of auth codes which are timestamped when collected. Then the parameters for the encryption can be gleaned from that.

The only problem here is if someone were to submit an incorrect value from their authenticator: you would have ruined your solution set and would have to start over, since you would have no way to verify whether the code was valid.

This is just me overthinking the problem I am sure.

TL;DR
The amount of time it would take to actually replicate your authenticator process, far outweighs the value of your account.
 
PostPosted: Thu Nov 04, 2010 2:32 pm
Kunckleheaded Knob

Baneleaf wrote:
We thought of using these types of security devices with some of our equipment until we saw the prices involved, so we did a little bit of research but not every detail. A lot of this was in a blue post when they first had a report of the man-in-the-middle attacks.


The prices of some of these security devices are staggering.
It is infinitely easier to write it yourself, actually. The idea of RSA encryption is not difficult to understand or implement. The value comes in decrypting it being enormous factoring which no processor can handle. Notice that RSA will keep getting more complex because, as processor power increases, the ability to do those calculations increases. So encryption used 5 years ago that was deemed to take "10000 years to break!" takes 5 minutes now, maybe.

*I typed out a big opinion piece on security equipment and fear mongering in the industry but I will save that dissertation for another time*
 
PostPosted: Thu Nov 04, 2010 2:37 pm
Blathering Buffoon

Henq wrote:
Right but that seems like a logic flaw to me.
If the salt/hash is down to the second, then even if they took you to a false login screen, the only useful information they would get from you is the email and password.

If they received your number: 123456 (my luggage combo)
Then in the transmission time + latency, there is only a small chance they would be able to turn that around in the next 500 milliseconds to log in. Of course that would be beneficial but only one time.

A smarter play would be to collect a large database of auth codes which are timestamped when collected. Then the parameters for the encryption can be gleaned from that.

The only problem here is if someone were to submit an incorrect value from their authenticator: you would have ruined your solution set and would have to start over, since you would have no way to verify whether the code was valid.

This is just me overthinking the problem I am sure.

TL;DR
The amount of time it would take to actually replicate your authenticator process, far outweighs the value of your account.


I think you're greatly underestimating the amount of slack time there is to enter in the code from the moment you get it from the authenticator. It's probably closer to 20-30 seconds, not 1-5 seconds. It is definitely easier to do a middle-man attack than trying to decrypt their algorithm, especially since every serial# is going to have a different salt that you don't know.
 
PostPosted: Thu Nov 04, 2010 2:39 pm
Obtuse Oaf

Henq wrote:
Baneleaf wrote:
We thought of using these types of security devices with some of our equipment until we saw the prices involved, so we did a little bit of research but not every detail. A lot of this was in a blue post when they first had a report of the man-in-the-middle attacks.


The prices of some of these security devices are staggering.
It is infinitely easier to write it yourself, actually. The idea of RSA encryption is not difficult to understand or implement. The value comes in decrypting it being enormous factoring which no processor can handle. Notice that RSA will keep getting more complex because, as processor power increases, the ability to do those calculations increases. So encryption used 5 years ago that was deemed to take "10000 years to break!" takes 5 minutes now, maybe.

*I typed out a big opinion piece on security equipment and fear mongering in the industry but I will save that dissertation for another time*


My boss got the idea from seeing me and Kal use our authenticators one day at lunch. He asked if it would be possible for us to use them instead of having to change our passwords monthly. When we let him know that we did not misplace a decimal in the very basic pricing we had found, that project quickly died, lol.


9 level 90s and 10 85s, Damn I need another hobby.
 
PostPosted: Thu Nov 04, 2010 3:26 pm
Blathering Buffoon

game's crappy. you're better off.


Verily, I have often laughed at weaklings who thought themselves proud because they had no claws.
 
PostPosted: Thu Nov 04, 2010 4:56 pm
Querulous Quidnunc

Poor Man's Authenticator

you should be able to see this


Druid: Meowth
« Steam »« Xfire »
Glorious Death Metal Music
 
PostPosted: Thu Nov 04, 2010 6:42 pm
Kunckleheaded Knob

My company uses RSA devices. Occasionally the vendors come in with their tech guys, and I asked the "How does it work, man?" question; his reply was much of what Henq said, although the time doesn't mean nearly as much. Not to mention how minimal the bandwidth it would take to send a string of info like that would be; it could be stolen and sent in a matter of seconds. I tested the security of the Blizzard authenticators: I was able to use the previous code as much as 4 seconds after it changed, give or take some milliseconds. The servers have to have the time to do the calculation or go through the algorithm based on the account sending it and its authenticator serial.

The RSAs at my work also have an interface, in case they get lost, to set a static code.


85 Mage Bleeding Hollow Bored with game so I let sub expire......
85 LOLKnight Bleeding Hollow Bored with game so I let sub expire......
85 Shaman Bleeding Hollow Bored with game so I let sub expire......
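The slack the two posts above describe (a code accepted well after its 30-second step, and the previous code still accepted shortly after it changes) comes from the server checking neighbouring time steps, not just the current one. The following is an added Python example, not code from this thread or from any vendor's product: a TOTP generator and verifier in the RFC 6238 style (HMAC-SHA1, 30-second step, six digits) with a plus-or-minus one-step skew window, plus the one-time-use check RFC 6238 recommends, so that a code which has already been accepted cannot be accepted a second time even while it is still inside the window. That check is the defender-side answer to the fake-login-window scenario earlier in the thread: a captured code only buys one login, and only if it is used before the real user's own attempt. The secret is the RFC 4226/6238 test-vector key, and the timestamps are constructed values.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real key
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (at // step)."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side verifier with a skew window and one-time-use enforcement."""

    def __init__(self, secret: bytes, skew_steps: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.skew = skew_steps
        self.step = step
        self.last_accepted_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        counter_now = now // self.step
        # Try the current step and `skew` steps on either side (clock drift, entry delay).
        for c in range(counter_now - self.skew, counter_now + self.skew + 1):
            if c < 0 or c <= self.last_accepted_counter:
                # Replay protection (RFC 6238 sec. 5.2): never accept a step at or
                # below one that has already produced a successful login.
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_accepted_counter = c
                return True
        return False


def acceptance_window_seconds(skew_steps: int = 1, step: int = STEP_SECONDS) -> int:
    """Wall-clock span over which any single code can be accepted: (2*skew + 1) steps."""
    return (2 * skew_steps + 1) * step


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)            # code issued at t=59 (time step 1)
    print(code, v.verify(code, 89))         # still accepted at t=89 (step 2): True
    print(v.verify(code, 70))               # same code presented again: False (replay)
    print(acceptance_window_seconds())      # 90 seconds with skew of one step
```

The replay counter is the part most toy implementations leave out: without it, a code lifted from a fake login window stays usable for the whole window even after the legitimate user has logged in with it. With it, whichever party submits the code first wins and the other is refused, which at least makes the theft visible to the victim.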
 
PostPosted: Thu Nov 04, 2010 6:45 pm
Querulous Quidnunc

you'd be surprised what you gotta do to get your shit back.


 
PostPosted: Thu Nov 04, 2010 6:47 pm
Kunckleheaded Knob

To add I am sure companies do it differently and I don't see any of them giving all their secrets!


85 Mage Bleeding Hollow Bored with game so I let sub expire......
85 LOLKnight Bleeding Hollow Bored with game so I let sub expire......
85 Shaman Bleeding Hollow Bored with game so I let sub expire......
 
PostPosted: Thu Nov 04, 2010 6:58 pm
Kunckleheaded Knob

Aestu wrote:

Calling BS. All NSA work is top secret and it's very illegal to disclose


Oh hi wikileaks


85 Mage Bleeding Hollow Bored with game so I let sub expire......
85 LOLKnight Bleeding Hollow Bored with game so I let sub expire......
85 Shaman Bleeding Hollow Bored with game so I let sub expire......
 
PostPosted: Thu Nov 04, 2010 6:59 pm
Querulous Quidnunc

Meowth wrote:
Poor Man's Authenticator

you should be able to see this


Authenticators are what, $5? How poor we talking?

thegodslayer wrote:
Oh hi wikileaks


Hi Finland!


Aestu of Bleeding Hollow...

Nihilism is a copout.
 
PostPosted: Thu Nov 04, 2010 7:01 pm
MegaFaggot 5000

Usdk wrote:
you'd be surprised what you gotta do to get your shit back.

I just put in a ticket and everything was completely restored, but this was TBC. I wouldn't put it past Blizzard to throw unnecessary roadblocks in (EDIT: order) to make you buy that authenticator.


RETIRED.
[armory loc="US,Bleeding Hollow"]Mayonaise[/armory]
[armory loc="US,Bleeding Hollow"]Jerkonaise[/armory]
 
PostPosted: Thu Nov 04, 2010 7:25 pm
Attention Whore

Mns wrote:
Usdk wrote:
you'd be surprised what you gotta do to get your shit back.

I just put in a ticket and everything was completely restored, but this was TBC. I wouldn't put it past Blizzard to throw unnecessary roadblocks in (EDIT: order) to make you buy that authenticator.


I got hacked my 2nd week back from my break back in......the summer? Took a while, meh didn't ask for much.


Engi-nerd
 
PostPosted: Thu Nov 04, 2010 7:26 pm
Stupid Schlemiel

sending blizzard a DNA sample and a scan of my passport


 
PostPosted: Thu Nov 04, 2010 7:29 pm
Old Conservative Faggot

Aestu wrote:
Calling BS. All NSA work is top secret and it's very illegal to disclose even the existence of a contract, and they probably front their work through puppet companies.

Not all NSA work is top secret. I'd have to ask one of my old associates, but I don't think it's against the rules for him to say he works there...but it would probably be against the rules to say what he does. I only assume the "can't say what I do part," because he's hinted at me that I should fill out the 8 million forms necessary to come work with him, but won't tell me what he does.
I don't actually know which agency he's with, either, because he's not really said, but I know he works in or near Langley. He is, however, very discreet. Giving out unnecessary information about yourself is one of those things we had beaten out of us.

Aestu wrote:
Authenticators are self-contained. They can't be "disrupted" or "rendered useless". A hacker with a ton of time and processing power could get enough codes from packet sniffing to guess at the authenticator's cipher, but there would be no point in doing so unless someone can spend months and millions of dollars on hacking one account.

I don't think it's that complicated. The authenticator basically just provides a random second password. Once someone can determine how that works, they can mimic it and they're in. Like any technology people want to exploit, someone will eventually find a way to defeat it, then you'll have to have an authenticator for your authenticator. People have been beating encryption since the 40s before there were any computers involved, authenticators are just a new hurdle to jump.

Your Pal,
Jubber


AKA "The Gun"
AKA "ROFeraL"

World Renowned Mexican Forklift Artiste
 
All times are UTC - 5 hours