Tobold's Blog
Friday, June 10, 2011
Codemasters hacked

These sorts of mails are getting depressingly common in my mailbox:
Dear valued Codemasters customer,

On Friday 3rd June, unauthorised entry was gained to our website.
We believe the following have been compromised: Customer names and addresses, email addresses, telephone numbers, encrypted passwords and order history. Please note that no personal payment information was stored with Codemasters as we use external payment providers, meaning your payment details were not at risk from this intrusion.

Members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags are all believed to have been compromised.
This pretty much answers my question whether Sony had unusually bad protection, or whether they had protection according to insufficient "industry standards", and any determined hacker could in fact get data from pretty much any game company he wants. On how many game sites is YOUR personal information stored? And for how many of them do you use the same combination of UserID and password?
As for usernames and passwords, I suggest the use of Keepass. I won't go into detail here. But this program is not only much safer than trying to remember passwords, it also makes handling passwords more convenient.

For example, if I log in to google, I just press a hotkey-combination and the program puts in the 35-char password for me. It does so in a way that is even quite safe against keyloggers.
The program is open-source, of course.
Sadly I have just had to make a very similar post on my own blog. I don't know how worried to be about this but it does make one a bit less enthusiastic about this wonderful new connected online world we live in.

By the way, I strongly endorse Nils' recommendation of Keepass.
...and in other news, they just nabbed three Spanish guys suspected for involvement in the PSN attack. Win some, lose some? :)
Regarding breaches of internet security; it's not a matter of if you will get attacked, but when.

Given enough resources any site is vulnerable. Sites that haven't been hacked yet, are just sites that haven't been focused on yet.
After spending some time trying to figure out why I even have a codemasters account, I think I figured out what the hackers were after.

They just want to get a copy of Jumpgate Evolution.
Yeah, it wasn't just Sony. Computer security is extremely lax in far too many places. It's just that when it comes to a big company like Sony I think a lot of us feel like they should have the resources to do security properly. No security system is foolproof, but theirs was apparently astoundingly vulnerable.
I never use the same combination of username/password, except for sites (=forums 99% of the time) I don't give a damn about. Even there, with Firefox being able to remember passwords, I can just type in random stuff and be happy.

Where the problem starts is when real money gets involved, since you need to provide true data at that time. Even if using pre-paid cards for payment, any place which must send you stuff will need your name and address (and phone number if they need to arrange for a delivery).
At times I'd like to be able NOT to create an account and just re-provide all my data every time, with zero data being stored on their servers. This is rarely possible, since sellers really want to be able to keep pestering you (not to mention sell your data to advertising agencies).

For Codemasters, since I was VIP for a few months, the bad guys definitely have all my data... well, at least with the lotro migration I had to change all my logins (and I also used the occasion to change the passwords).

I'm not sure I would trust keepass (or any other program running on the same hardware), if your machine is compromised, everything will be accessible, end of story. But at least it allows you to easily have different id/password combinations, so that your data on one site is unusable on all others.

BTW a 35-char password is vast overkill. A random (really random) 8-char password is already very very hard to brute-force.
There is no way for some external entity to gain access to a network and manage to steal data from, supposedly, a database without staggering amounts of incompetence.

Although not impossible, it's more likely that a disgruntled IT employee stole the data and gave the files to the "hackers".
"and any determined hacker could in fact get data from pretty much any game company he wants. "

This assertion is in error...

Has Xbox 360 had any issues? Exactly.

Quality companies with Quality revenue streams that can afford to hire quality IT management and security are worth the money. Another downside to Free to Play perhaps hmmmm?

And please don't listen to anyone touting a password escrow service... Please... It's like trusting the fox to correctly count your chickens, really.

Quick reality check... how much do you pay for said service? Is the value of the accounts you link to them GREATER to a hacker/key site than the value of your "payment"..... Hmmm...

Oh and of course you:

Researched their domain name for registration to a good place with cyber laws.

Have contractual assurance that they use only personnel from said place with good cyber laws.

Have checked that any encryption they use is up to standards ISO/NIST.

Have checked that their personnel's backgrounds have no connection with cyber criminals.

No of course you and all the nimrods that tout "go to site x to solve security problem y" are just going from the Chinese hacking community to the Russian hacking community. Great job.
Password help that does seem to work reasonably well.

Use a standard "salt" in all your password combinations. This can be something like the following:

Phrase you can remember (like a song) say this:
I'd like to buy the world a Coke

becomes, after using the 1st letter of each of the above words:

Notice the quotes used as special characters and notice the capitals.

This now becomes your base passcode to build site specific passwords.

Say you want to use the last 2 letters before the domain name to prepend to your final password


and append a number, either the year OR, if you want to get real fancy, you can count the letters: Blizzard = 8

So voila, your final passcode, which does not depend on you remembering anything beyond a phrase and your method to make it website-specific, IS


So if Blizzard gets hacked... only your Blizzard password is compromised.

Game Angry my friends
Game Angry
Helistar, Keepass's databases are quite safe. Much safer than Firefox's ;)
Of course, if someone has 100% access to your computer you're in trouble. But even then it is not easy to get these passwords.

Also, 35-char randomized passwords are, of course, overkill. But for me it doesn't make a difference whether it is 8 or 35 chars. The only password I need to care about is the master password and the key file. And by forcing myself every morning to type that master password in, I can have a really long one without running the danger of forgetting it.
Angry Gamer's password salting is a really smart idea. However, the problem is every site seems to have different restrictions. Some limit the length. Some only allow alpha-numeric. Some are "pin numbers" only, rather than passwords. There is no standard.

In the earlier days of Internet security, this was to be expected, but even now, after all these years of security being a popular topic, it amazes me that there are still limitations to passwords. Enforce strong passwords, sure, but don't limit HOW strong they can be, please!

Until that happens, most people will continue to use the same password between accounts, or they will use a password broker.

For the record, password brokers are definitely a better alternative, as long as you are smart about securing your local database of accounts.
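The site-specific scheme Angry Gamer describes above, together with the per-site restrictions Talarian mentions, worked through as an added Python example (not code from the post or from any commenter). Two details are my reading of the description, not stated in it: the apostrophe in "I'd" is carried over as the quote "special character", and the prefix is the last two letters of the registrable site name (blizzard.com gives "rd").

```python
from typing import List, Optional

# Constructed sample input; the phrase is the one used in the comment above.
PHRASE = "I'd like to buy the world a Coke"

def base_passcode(phrase: str) -> str:
    """First letter of each word, case preserved. Quote characters inside a
    word (the apostrophe in "I'd") are carried over as the special characters
    the comment refers to (assumption about the intended scheme)."""
    pieces = []
    for word in phrase.split():
        quotes = "".join(ch for ch in word if ch in "'\"")
        pieces.append(word[0] + quotes)
    return "".join(pieces)

def site_name(host: str) -> str:
    """Registrable label of a hostname: 'www.blizzard.com' -> 'blizzard'."""
    labels = host.lower().strip().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def derive(phrase: str, host: str, suffix: str = "count",
           year: Optional[int] = None) -> str:
    """Prepend the last two letters of the site name, append either the
    letter count of the site name ('Blizzard = 8') or a chosen year."""
    name = site_name(host)
    tail = str(len(name)) if suffix == "count" else str(year)
    return name[-2:] + base_passcode(phrase) + tail

def policy_violations(password: str, max_len: Optional[int] = None,
                      alnum_only: bool = False) -> List[str]:
    """Check a derived password against the kinds of site rules Talarian
    lists (length caps, alphanumeric only); empty list means accepted."""
    problems = []
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if alnum_only and not password.isalnum():
        problems.append("non-alphanumeric characters not allowed")
    return problems

if __name__ == "__main__":
    pw = derive(PHRASE, "www.blizzard.com")
    print(pw)  # rdI'ltbtwaC8
    # A site that only allows 10 alphanumeric characters rejects it twice over.
    print(policy_violations(pw, max_len=10, alnum_only=True))
```

Because the prefix and suffix come from the public hostname, a password recovered in plaintext from one site exposes the shared base passcode for every other site; a manager generating unrelated passwords per site, as Nils describes, does not have that linkage.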