
ghostcannon (Rank 5, joined 18 Jun 2009, 3838 posts, Ghostown, United States) posted Apr 16, 2013 11:34 am
Zimmey17 wrote:
ghostcannon wrote:

@Zimmey17: The difference between those companies being compromised and Aeria Games is that Aeria is responsible enough in Security Awareness and informing the community to be cautious. Those companies that get compromised lack these awareness skills.

Oh really? I always found those warnings to be more self-serving, an ego boost to the security prowess of Aeria. Disingenuous intent, quick to point out others' failures. Etc., etc.



You will have to understand what "Information Security Awareness" means, especially regarding hacking (by the use of the Trojans mentioned above). The following are measures that Aeria Games is trying to communicate to its entire community, based on the security awareness they have been announcing, contrary to what you think:


 
1. First, set expectations. End users may be scared to report an incident; the last thing anyone wants to admit is that they have been hacked. Be sure your employees understand that bad guys are very persistent and very good, and sooner or later it can happen to all of us. Make sure they understand there will be no retribution; in fact, by reporting they are helping both the organization and themselves.

2. Second, tell them what to look for: what are indications of a compromise that an end user can detect? Some ideas include

  • Their browser is taking them to websites they do not want to go to.
  • Their anti-virus reports an infected file.
  • There are suspicious or unauthorized accounts added to the system.
  • There are suspicious or unauthorized programs added to the system.
  • Passwords no longer work or they are locked out of their account.

3. Finally, be sure to tell them how to report it, such as a website or email address. One thing I recommend is to have this contact information on every communication you send out on awareness, such as on every email, newsletter, poster, screensaver, video, or presentation. You want to make your contact information as consistent and simple as possible. Be sure the contact information is not a person's name but an alias. You do not want to be changing the contact information every six months.

What are some of the most effective ways you have seen using end users as part of your detection mechanisms? How can we get end users to report incidents?


You may report any suspicious threats via Contact Us. It is clear as water.

Credit to [GS]Abso for the Siggy

fairys_cloud (Rank 1, joined 11 Aug 2012, 265 posts, California, Philippines) posted Apr 16, 2013 3:02 pm
thanks for the heads-up superman :) btw, how are u one city away from me :O and here i was thinking that the SF servers were based on the East Coast cause of the East's lower ping ._. is there really an aeria office in the Bay too :O

[edit] nvm, just found the link for open positions in santa clara! idk if i qualify for any of those tho x3

Mystic155 (Rank 1, joined 07 Jan 2012, 266 posts, Boston, United States) posted Apr 16, 2013 5:13 pm
Well, one thing you can do to boost account security is:

1. Email Change Verification (as in, in order for you to change your email, you have to verify it first on the original email that you are planning to change).

Because if we do a password change, it would probably have to be done through email. But if they change your email and then try to do a password change through email, they would have access to it. Does this make sense?

xF:mystic155|IjjI Forums:Metro20000 lMinerva Will Rise Once Again-2009

ghostcannon (Rank 5, joined 18 Jun 2009, 3838 posts, Ghostown, United States) posted Apr 17, 2013 9:57 am
Mystic155 wrote:
Well, one thing you can do to boost account security is:

1. Email Change Verification (as in, in order for you to change your email, you have to verify it first on the original email that you are planning to change).

Because if we do a password change, it would probably have to be done through email. But if they change your email and then try to do a password change through email, they would have access to it. Does this make sense?


It does not make sense. I do not get exactly what you are trying to say. To clarify your confusion, Aeria Games always requires that everyone who creates an account use a legitimate e-mail account, exactly for the purpose of receiving notification e-mails. Also, Aeria Games encourages players to use different passwords from those they use elsewhere (such as their e-mail address). It would be dumb for someone to use the same password for his Aeria account and for his e-mail account. If you have faced a situation where you have lost access to your account, then you should use the Account Recovery Process or file a Ban Appeal. Good luck, and I hope this has cleared up some of your confusion. At all times, use strong passwords for all the accounts you have out there and don't use the same password on each of those accounts; always use a different one and change it regularly.


triti (Rank 3, joined 11 Dec 2008, 1101 posts, In the world of dreams, Iceland) posted Apr 17, 2013 10:34 am

Re: Industry Security Challenges

Superman0X wrote:
We have seen an increase in compromised accounts over the last few months. It is clear that this is more than just a coincidence. We are continuing to push for security enhancements, but here is some information about similar situations:

http://massively.joystiq.com/2013/04/12/hacking-ring-infiltrates-trion-nexon-and-neowiz-game-servers/

http://usa.kaspersky.com/about-us/press-center/press-releases/kaspersky-lab-analyzes-active-cyberespionage-campaign-targeting

http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game  


I hope you do realize that Nexon is your Shaiya dev.

And that there have been quite a few players reporting the Shaiya exe as malware.

...Just saying

ghostcannon (Rank 5, joined 18 Jun 2009, 3838 posts, Ghostown, United States) posted Apr 17, 2013 11:57 am
Zimmey17 wrote:
Mystic155 wrote:
Well, one thing you can do to boost account security is:

1. Email Change Verification (as in, in order for you to change your email, you have to verify it first on the original email that you are planning to change).

Because if we do a password change, it would probably have to be done through email. But if they change your email and then try to do a password change through email, they would have access to it. Does this make sense?


I get what you are saying, Mystic. Before you can change your password, you would like to see a token system in which an email is sent to the said email address before changes could be made to the password. The only problem with that is, if a hacker could get to the point where they could attempt to change your password, it's too late.

If Aeria was serious about security they would implement security in layers. If you post in the forums, Aeria has already given half of your security features to the hackers. As it stands now, your password is your only real protection.

Adding stuff like secret visual pictures or mouse click codes would greatly enhance Aeria's security. Even having a different game user id than your forum user id would greatly increase your security.


Thank you for clarifying Mystic's point. Your suggestion at the end would make sense as a security authentication practice, but before an authentication tool or control is implemented in a company or organization, there are many things behind the scenes that should be evaluated for its effectiveness and efficiency, and these are:

  • Cost. This includes the total cost of ownership (e.g., procurement, installation, implementation, training, replacement, and maintenance costs).
  • Awareness and resistance. Awareness refers to the proper training of staff on the tool's proper use, while resistance refers to the system's ability to withstand malicious attacks, including spyware, keylogging, Trojan, denial-of-service, and virus attacks.
  • Strategic fit. This refers to the authentication method's ease of use; its ability to address the needs of different users and support existing operating systems, platforms, and applications; its roll-out period; centralized administration capabilities; and availability of customer support.
  • The effectiveness of the authentication process. This refers to the authentication system's level of confidence. For instance, have user and customer confidence levels increased after the authentication mechanism's implementation?
  • Scalability. This is the solution's ability to cater to existing and future users and business needs without changing the hardware's or the network's architecture, and its capacity to address e-mail security and physical access to a particular system.
  • Reliability. This refers to the algorithm's and technology's strength, the authentication tool's adequacy in protecting confidential information, its ability to address regulatory requirements, and its overall safety.
  • Management support. This refers to senior management's support of the authentication mechanism in use. One way management can show support is by establishing the proper tone at the top and ensuring that employees have the right technical competencies to use the authentication tool effectively.


The best authentication controls that Aeria should adopt are the following (in my opinion, as I work in the IT Security field):


  • Challenge response. This activity consists of a question-answer dialog where the user responds to a set of pre-recorded questions, such as the mother's maiden name, or a token device that generates passwords or responses based on a pre-determined algorithm. When using a token device, the authentication system displays a challenge in the form of a code or a password phrase. The user then enters the challenge into the token device, which provides a response containing the code or password phrase the user must reenter into the system for authentication.
  • Out-of-band authentication. Under this method, the authentication device accepts the person's credentials and sends a secret password to the user through an out-of-band medium, such as an e-mail, short message service, or phone call. The password is then valid for a one-time use only.



The best thing we all can do for now is use strong passwords and secure our accounts by not sharing them with anyone and not accessing them from any place that is not completely in a secured network. Good luck, all!

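The e-mail-change verification Mystic155 proposes earlier in the thread and the out-of-band one-time code ghostcannon lists above both come down to the same mechanism: a secret delivered to a channel the current account owner controls, accepted once and only within a time window. The Python sketch below is an added example written for this page, not code from the thread or from Aeria Games; the AccountService, PendingCode and Account names, the ten-minute code lifetime and the sample addresses are all constructed. It shows why the order of operations matters: because the confirmation goes to the address already on record, someone holding only a live session cannot redirect the account's mail and then reset the password through it.

```python
"""Added example (not code from the thread, Aeria Games or any vendor): a toy
account service showing Mystic155's e-mail-change verification (the new address
takes effect only after a single-use, time-limited code sent to the CURRENT
address is entered) and ghostcannon's out-of-band one-time code (the password
reset code goes to the address on record, expires and is valid once). All names
are hypothetical; a plain list stands in for the mail gateway so this runs offline."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 600  # constructed value: codes live for ten minutes

@dataclass
class PendingCode:
    purpose: str        # "email_change" or "password_reset"
    code: str
    expires_at: float
    payload: str = ""   # proposed new address for an e-mail change

@dataclass
class Account:
    username: str
    email: str
    password: str       # plain text only to keep the example short
    pending: Optional[PendingCode] = None

class AccountService:
    def __init__(self, outbox, clock=time.time):
        self.outbox, self.clock = outbox, clock   # outbox: list of (recipient, message)
        self.accounts = {}

    def _issue(self, acct, purpose, payload=""):
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit one-time code
        acct.pending = PendingCode(purpose, code, self.clock() + CODE_TTL_SECONDS, payload)
        return code

    def _consume(self, acct, purpose, code):
        p = acct.pending
        ok = (p is not None and p.purpose == purpose and self.clock() <= p.expires_at
              and hmac.compare_digest(p.code, code))
        acct.pending = None   # single use: right or wrong, the code is spent
        return ok, p

    # Control 1: the confirmation goes to the address already on record, so a
    # stolen session alone cannot move the account to another mailbox.
    def request_email_change(self, username, new_email):
        acct = self.accounts[username]
        code = self._issue(acct, "email_change", payload=new_email)
        self.outbox.append((acct.email, f"Confirm changing your e-mail to {new_email} with code {code}"))

    def confirm_email_change(self, username, code):
        acct = self.accounts[username]
        ok, p = self._consume(acct, "email_change", code)
        if ok:
            acct.email = p.payload
        return ok

    # Control 2: the reset code is delivered out of band, never to the session.
    def request_password_reset(self, username):
        acct = self.accounts[username]
        code = self._issue(acct, "password_reset")
        self.outbox.append((acct.email, f"Your one-time password reset code is {code}"))

    def reset_password(self, username, code, new_password):
        acct = self.accounts[username]
        ok, _ = self._consume(acct, "password_reset", code)
        if ok:
            acct.password = new_password
        return ok

def last_code(outbox):
    # The code is the last token of the newest message in the (owner's) inbox.
    return outbox[-1][1].split()[-1]

def demo():
    """Owner's legitimate flow next to the hijack Mystic155 describes; returns a dict."""
    now = [1_700_000_000.0]                       # constructed fake clock
    outbox = []
    svc = AccountService(outbox, clock=lambda: now[0])
    svc.accounts["player1"] = Account("player1", "owner@example.com", "correct horse battery")
    r = {}
    # A stolen session asks to move the account elsewhere; the code lands in the owner's inbox.
    svc.request_email_change("player1", "attacker@example.net")
    r["code_went_to"] = outbox[-1][0]
    wrong = "000000" if last_code(outbox) != "000000" else "111111"   # guaranteed wrong guess
    r["guess_accepted"] = svc.confirm_email_change("player1", wrong)
    r["email_after_guess"] = svc.accounts["player1"].email
    # The owner changes the address for real; replaying the spent code fails.
    svc.request_email_change("player1", "new-owner@example.com")
    code = last_code(outbox)
    r["owner_confirmed"] = svc.confirm_email_change("player1", code)
    r["replay_accepted"] = svc.confirm_email_change("player1", code)
    r["email_after_owner"] = svc.accounts["player1"].email
    # Password reset: the code goes to the address on record and expires.
    svc.request_password_reset("player1")
    r["reset_went_to"] = outbox[-1][0]
    stale = last_code(outbox)
    now[0] += CODE_TTL_SECONDS + 1
    r["expired_accepted"] = svc.reset_password("player1", stale, "hunter2")
    svc.request_password_reset("player1")
    r["fresh_accepted"] = svc.reset_password("player1", last_code(outbox), "hunter2")
    return r
```

Calling demo() returns the observations: the change request's code lands in the owner's mailbox rather than in the session, a guessed code is rejected and voids the pending request, a spent code cannot be replayed, and an expired reset code is refused while a fresh one works. A real deployment would additionally store only a hash of each code, rate-limit confirmation attempts, and log every rejected confirmation, since a burst of failed confirmations on one account is itself a signal worth investigating.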

zakuzato (Rank 0, joined 28 Jan 2008, 1 post, Chicago, United States) posted Apr 17, 2013 6:11 pm

yup

hi

Superman0X (GameMaster: USA, joined 11 Jun 2007, 12163 posts, San Jose, United States) posted Apr 19, 2013 9:29 am
OP Updated with WoT info.

boldpaste2 (Rank 4, joined 11 Apr 2009, 2893 posts, United States) posted Apr 19, 2013 9:46 am
AznMaggot wrote:
Proud to say that I was one of those compromised accounts :3  


yup, my nexon was compromised. glad all my passwords are random 256 bit keys xD

xybolt (Rank 5.2, joined 10 Sep 2008, 15073 posts, Balegem, Flemish Region, Belgium) posted Apr 21, 2013 6:22 am
ghostcannon wrote:
The best authentication controls that Aeria should adopt are the following (in my opinion, as I work in the IT Security field):


  1. Challenge response
  2. Out-of-band authentication
 


-1-) Since the popularity of Facebook and other social networks, this "additional" security feature is very ancient now. It's not safe to implement such auth controls. Those questions are based on simple answers which you can find on social networks. Not to mention that we tend to forget such questions if they are selectable. It's not so high on a human's priority to remember them. I have forgotten the questions I selected for my MS account ...


-2-) This requires money or more "administrative" tasks at the user's end. It's a solid tool, true, but people tend to be impatient about most things, even when authorizing their account on an online game >.>




Supe has also posted threads like this one in the past, to warn us. That's a good job, but I know that the account database on AGE got compromised before. Ironically enough, there are no reports of it. Maybe they are good at cover-ups?
