Bethesda hacked, user accounts info compromised

TheWesDude said:
elven.... a "salt" is something you add to the data to be hashed to further hide what's being hashed.

and nobody uses md5 for anything actually requiring any kind of security.

and using md5 to hash passwords is actually considered a security vulnerability at this point.

you should be using a 256 or 512 hash.

and using a salt for a forum board msg for anything that is "common knowledge" makes using a salt irrelevant.

and md5 is considered fully compromised nowadays.

You are correct, sir. I believe md5 takes about 10-15 minutes to crack these days. 256 or 512 hash is good.

And all passwords should be encrypted at all times, hash-matching only. I highly doubt this is the last of these attacks you'll see, so the gaming industry needs to get its shit together quick.

NMA up-to-date on their stuff? Not like we have anything to take, right?
 
Nowadays it's not black hats, no, they now use Guy Fawkes masks while their asthmatic breath laughs at their own written memes.... some people find "anonymous" interesting, I find it just hilarious in the bad way.
 
100LBSofDogmeat said:
NMA up-to-date on their stuff? Not like we have anything to take, right?

I don't believe this forum is up-to-date but it's hard to tell because it's been heavily modified. If I had to guess I would say it's 2.0.5? With the most recent (and deprecated) version of phpbb2 being 2.0.23. It may well be the latest already.

I wouldn't think it's a cause for concern unless LulzSec feels the need to bring their hammer of wrath down on NMA for its hatred of Bethesda. Then again, this forum could have been hacked numerous times already if it is out-of-date. If you've ever hosted any kind of internet facing forum software before it's not unusual to see botted SQL injection requests in your server logs.
 
brfritos said:
sea said:
A couple other forums I have accounts on, like Gearbox's, ended up getting hacked recently as well. Wonder if it's related?

Also, Bethesda... if you guys get hacked and there is any risk of user data being compromised, could you at least send out a fucking e-mail? No? Not at all? I have to read your stupid blog to find out?

COMMUNITY. MANAGEMENT. And these assholes get paid to be outright bad at their jobs.

I'm not defending Bethesda, but...

Incoming mail: your bank account was hacked, we from "insert bank name here" urge you to click on this link and reset your password.

Sounds familiar? :roll:

Of course, that's not what a legit mail would say. It doesn't ask you to click any links, and, in the case of Codemasters (who got hacked just last week), explicitly says that no information regarding credit cards or payment were at risk.

It only informs you that user names, e-mail addresses, IP addresses and encrypted password information are believed to have been compromised, which is probably something you are pretty interested in. At least you should be.
 
Ah ffs. I don't even remember all the sites where I use my passwords/emails/nicks. Wish there was some sort of reset button.
 
korindabar said:
TheWesDude said:
and nobody uses md5 for anything actually requiring any kind of security.

You would be surprised. This forum uses md5 hashed passwords. As did most of the compromised Sony websites. Md5 is probably the most common password storing method around. The mistake is that people know it's not reversible but there are extensive databases of the pre-hashed values and their md5 equivalents kicking around.

md5 is considered fully compromised. anyone who uses it anywhere is basically making their "password" publicly known at this point. md5 used to be worth something, but now it's quite worthless. if this forum is using md5, then using a password is more of "security by trust" rather than any kind of honest security.

also, as there are only 128 bits used, that means that it's not too hard to even brute force in today's world of broadband.

and yes, there are tools out there where you can put in the md5 hash and it will tell you the "value" within a few seconds.

and what you are talking about is called a "rainbow table" i believe.
 
Codemasters got the same thing too, just read about it.

Apparently alongside Sony, Nintendo, Eidos and Codemasters, now there's Beth too.
 
simdude said:
Codemasters got the same thing too, just read about it.

Apparently alongside Sony, Nintendo, Eidos and Codemasters, now there's Beth too.
And Mojang, and CCP, and the Escapist... They just hit all those within the past hour or so.
 
Looks like they take up folks totally random now. That's getting really annoying.
 
Yeah, you can just suggest targets now and they'll take em. Stuck-up idiot kids who should really be taught actions have consequences. Hopefully they will be.

Not that Anon's attack on Sony and other targets, widely victimizing consumers, was much better, but at least it had some rationalization.
 
For all their talk about being harbingers for social change or whatever bullshit they claim, attacking something as trivial and unimportant as gaming communities is especially retarded. They are no better than petty vandals, spray painting an anarchy symbol on a road sign.
 
I get the thing, they hacked almost everyone. Some had it coming. My question is, did they do anything besides breaking into the system?
Like leaks of games or stealing money which was basically stolen anyway...
 
They haven't made any claims to say that they have. They're just compromising sites for the sake of compromising them.
 
If EVE Online was off longer, then I suppose there might have been retaliation from the neckbeard Eastern Europeans that play that game.
 
So they have been able to hack into major players around the world, and it's their fault because these guys don't spend money to update the system?
It's not easy to hack so many in so little time. I'm not defending the act but come on, why do they cry when they have money to update themselves against it. This is like those statements on piracy conspiracies.
 
Yeah, they were totally asking for it, dressing up like sluts.

Blaming the victims is the most asinine attitude imaginable. No, LinkPain, they were not "just asking for it", don't be an idiot.
 
It's a question of risk reduction. You wouldn't leave your home without locking the door. You wouldn't leave a wad of money sitting on the dash of your car in a dangerous neighbourhood.

To be honest, their attacks should be a real eye opener to both the end-user and the companies with which they trust their personal information. It's tantamount to putting your money in a bank under the assumption that it's safe because, hey, it's a bank. But they're really just stuffing it in a pillow case.

This is a symptom of a wider problem, which is that the people who run these companies don't prioritize security (due to a lack of understanding or any number of reasons) and the people who understand the problems can't get any traction on fixing them. Too many companies treat security concerns as something they should react to rather than be proactive about.
 
TheWesDude said:
elven.... a "salt" is something you add to the data to be hashed to further hide what's being hashed.

and nobody uses md5 for anything actually requiring any kind of security.

and using md5 to hash passwords is actually considered a security vulnerability at this point.

you should be using a 256 or 512 hash.

and using a salt for a forum board msg for anything that is "common knowledge" makes using a salt irrelevant.

and md5 is considered fully compromised nowadays.

Thanks for the clarification, I've mostly worked with MD5 in the past but SALT is something I'm trying to transition to.
 
Brother None said:
No, LinkPain, they were not "just asking for it", don't be an idiot.

Then why is today almost everything provided via online checking, like when you buy a game and have to always check it to enable it to work. I buy a shovel and have to check online with a pass-code to use it every time. It's a faulty system made to break one way or another since Internet as free as it is, is not safe too much. And it's not multiplayer I'm talking about. Of course there would be major hacking attempts, they happen everyday in WoW and god knows where more. At least here people can change their passwords in time, which they SHOULD do regularly (and not make some like grass2free passwords...). I'm not blaming the victims, but I'm not blaming the hackers too. This was bound to happen one day at least. Heck, I would do it just for fun's sake, but I would not know what to do with the user accounts from Bethesda or Sony. Well I wouldn't do anything because I broke the goddamn system, that one is enough.
 
eleven, again... you seem to be mis-using the idea of salt.

if i take data and hash it, i get a value.

if i take data and add a pre-defined "padded" data and add it to the information before i hash it, and then hash it and use that new hash to verify the data, i can be sure of the source.

a "salt" is pre-determined data that will be ADDED to the original data BEFORE it gets hashed.

it is much less useful when hashing smaller volumes of data and much more useful when hashing larger volumes of data.

plus there is the consideration of how do you "share" the salt before you hash said data, as if it is shared in a way that is in and of itself unsecured, it becomes a vulnerability to use that "salt".


and if they are breaking into all these sites, my question is, are they using md5 or something bigger? do these sites they are breaking into have methods of detecting people attempting to brute force their servers?

if you don't have some methods of detecting and stopping someone from brute forcing your servers, then anyone can break into your server. it seems like lots of places have forgotten or stopped using basic and core security considerations in favor of usability.
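Added example, not part of the thread and not any forum's own code: it contrasts the unsalted MD5 storage discussed above with a per-user random salt fed into a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), which goes beyond the plain "256 or 512 hash" the posts mention. The function names, the `scheme$iterations$salt$hash` record format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def md5_unsalted(password: str) -> str:
    """Legacy scheme from the thread: same password always gives the same hash."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a fresh random salt next to the derived key; the salt is not secret."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)


def shared_hashes(table: dict) -> list:
    """Audit helper: groups of users whose stored hash is identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts: two users picked the same password.
    users = {"alice": "grass2free", "bob": "grass2free", "carol": "other-pass"}
    legacy = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    print("unsalted MD5, users sharing a hash:", shared_hashes(legacy))
    print("salted PBKDF2, users sharing a hash:", shared_hashes(salted))
    print("alice verifies:", verify_password("grass2free", salted["alice"]))
```

Because each record carries its own salt, a precomputed lookup table of hash values no longer applies across accounts, and the iteration count sets the cost of every guess.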
 