URGENT! LL security exploit
Eata Kitty
Registered User
Join date: 21 Jan 2005
Posts: 387
09-08-2006 10:49
The website seems to be dying hard and despite knowing what my security question SHOULD be it doesn't actually seem to be it, so this is going to take forever.
Blues Stilman
Registered User
Join date: 19 Feb 2006
Posts: 15
Grawr
09-08-2006 10:50
GRAWR
I NEVER fill in something I would remember in that stupid password question form. How am I supposed to change my password now? This is RIDICULOUS. I am pretty much locked out of my own account forever.
Xplorer Cannoli
Cache Cleaner
Join date: 18 Sep 2005
Posts: 1,131
09-08-2006 10:52
I think this issue will be haunting LL for weeks...maybe months to come. Seeing the posts already come in droves about alts being lost and so forth. This means the active number of SL members will be plummeting.
Kimberly Casanova
Meh.
Join date: 24 May 2004
Posts: 787
09-08-2006 10:53
Lordy. Dramafest '06, Part 2. ACTION!
_____________________
Kimmers
http://www.kimberly-casanova.blogspot.com/
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
09-08-2006 10:54
Way to go Linden Lab... it's posted as the login message of the day. How are you going to read that message if you can't actually log in? Keyboard error. Press F1 to continue.
_____________________
A man without religion is like a fish without a bicycle.
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
09-08-2006 10:55
Just to remind everyone, the passwords were encrypted, this is a security precaution to prevent any further security/account issues.
_____________________
"The opportunity to participate in the creation of a new world is really a rare one, and so I hope you cherish it."
- Mitch Kapor on Second Life at the 2006 SLCC
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
09-08-2006 10:55
I originally was going to say: "Lucky for you that yours is a short one, Josh." but I tried to show a bit of restraint. I'm classy that way.
_____________________
hush
Aces Spade
Raise you One♠
Join date: 22 Sep 2003
Posts: 2,774
09-08-2006 10:55
i just gave them a call and got a nice recorded message saying you can't change your password over the phone FUCK! Ya i heard that too.. waits for e-mail
_____________________
Posted by ZsuZsanna Raven: So where is the "i don't give a shit'' option?
Aces Spade
Raise you One♠
Join date: 22 Sep 2003
Posts: 2,774
09-08-2006 10:56
Posted by Jeska Linden: Just to remind everyone, the passwords were encrypted, this is a security precaution to prevent any further security/account issues.
I would like someone at LL to reply to my e-mail asap, this is BS
_____________________
Posted by ZsuZsanna Raven: So where is the "i don't give a shit'' option?
0mega Pixel
Registered User
Join date: 28 Jan 2006
Posts: 47
Wtf
09-08-2006 10:57
the support line doesn't even give you a choice to talk to a person just a recording that says there has been a security incident you must change your password at https://secondlife.com/password you can not change your password over the phone, goodbye
WTF WTF WTF WTF WTF WTF WTF WTF WTF WTF WTF WTF WTF YEA THATS SUPPORT ALL RIGHT LL SOMEONE GET ME PHILLIP'S CELL PHONE NUMBER!
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-08-2006 10:59
Monumental blunders aren't unknown in the world of online gaming, such as that which happened at Horizons: Empire of Istaria.
Artifact Entertainment developed Horizons: Empire of Istaria and eventually filed for Chapter 11 bankruptcy. In an extremely controversial deal, Artifact Entertainment's assets (including Horizons: Empire of Istaria) were sold to Tulga Games. Tulga Games was then privately funded. When the individual privately funding the project decided that it was time to pull out he sold Horizons: Empire of Istaria to EI Interactive (a week ago). EI Interactive changed the billing system for Horizons on August 1st.
Here's where the blunder of epic proportions comes in... Their new billing system was a site without an SSL certificate. On top of that it's running on an Apache server which is known to have a number of remote control vulnerabilities.
It gets worse... When a client updated their billing information it was saved to a TEXT FILE in a PUBLIC DIRECTORY! If you read the source code of the form on the HTML page you knew exactly where the text file was being saved. When you opened up the directory you got a listing of ALL the TEXT files containing account information, personal addresses, and billing information - all unencrypted.
EI took the billing site down, but within hours put it back up without applying any new security! They did, however, add a new payment option: send your credit card information BY MAIL!
Lewis
_____________________
Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!
Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services
Dale Glass
Evil Scripter
Join date: 12 Feb 2006
Posts: 252
09-08-2006 10:59
Nah, The passwords are hashed and salted - so a dictionary attack is just about impossible (read: extremely impractical, but not mathematically impossible.) I think LL is doing this just as a precaution, which is probably the right thing to do, even given that they are still likely secure.
Er, no, it's perfectly possible. LL has half a million accounts right now. Lots of those are going to have really stupid passwords, like "password", "secret", their own name or birth date (which was in the same table), a word found in a dictionary... At school I cracked most of the password database as a demonstration. In a couple of hours I had 90% of the passwords. Some of them were found almost instantly. The admin's password took just a couple minutes. I hope the Lindens have good passwords.
Mocc Spatula
Death to all fanatics!
Join date: 6 Apr 2006
Posts: 303
09-08-2006 11:00
Conspiracy theory du jour. Could it just be, maybe possibly kinda couldbe, that the whole p'word 'sploit thing is ackshully a sneaky way to kill orf a shedload of alts?
If you're the kinda punter who used a disposable email account to set up yer alt, what's the chances you'll remember the email account password and stuff? Nah. That would be just too evil...
_____________________
Help! My sig is umop apisdn.
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
09-08-2006 11:00
Are you fucking kidding me, LL?
It just took me a half an hour with the site timing out to change my password, thank christ I remembered my security question. My two alts... jesus, I guess I'll find out later. One I use to shop with and just last night gave her money. Sheeet. Yes, it must be hell in SF right now, but it's their own damn fault.
Billybob Goodliffe
NINJA WIZARDS!
Join date: 22 Dec 2005
Posts: 4,036
09-08-2006 11:00
Posted by 0mega Pixel: SOMEONE GET ME PHILLIP'S CELL PHONE NUMBER!
1-800-867-5309
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:03
The passwords are hashed and salted - so a dictionary attack is just about impossible (read: extremely impractical, but not mathematically impossible.)
That is patently false. The efficiency of a dictionary attack on a salted list increases with the square of the number of accounts due to salt collisions. The square of 630,000 is a big number. They don't need to crack all the passwords. Cracking any passwords is a victory, and the law of large numbers is on the side of the attacker. They use MySQL for backend storage so their password formats, if encrypted at all, are almost certainly MD5 or SHA1 based. Unless they used the MySQL PASSWORD() function, which the MySQL documentation advises against in the strongest possible terms, and which may or may not have a salt. Both MD5 and SHA1 are designed for speed, unlike the original Unix crypt() function, which is still blisteringly fast on today's hardware. That's assuming the passwords are encrypted, which in the absence of evidence to that effect, is a risky assumption.
I think LL is doing this just as a precaution, which is probably the right thing to do, even given that they are still likely secure.
If the passwords are likely secure, then it's an utterly bogus thing to do, since the (apparently immutable) security question and answer are far more likely to be vulnerable to a leak of this nature.
Summary quiz to see if you're paying attention: Given that your SL name, your real name and your home (or billing) address are compromised (which is actually factually confirmed by the blog), and assuming in the most favorable case that that's ALL that was compromised, which is more viable for an attacker to recover? A) Your mother's maiden name. B) A string of cryptographically strong random letters and numbers. The answer, in case you're not following along closely, is A. And that's the best case scenario.
Sure, I used cryptographically strong gibberish to answer my security question, and I stored the gibberish in an encrypted file, so I had no problem resetting my password. However, if my security Q & A were also compromised, I'm not measurably more secure than I was an hour ago. (In case you're wondering how to exploit the security Q & A, you wait a few months for the furor to die down, then pick the account you want, call up support and tell them that your email address doesn't work but you need to get back onto SL but you can't reset your password. Could they please help? Why yes, you sure do know your security answer....)
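The storage-side points argued in Dale Glass's and Tuach Noh's posts above (hashing is one-way while encryption is reversible, a fast unsalted hash lets one guess test every account at once, and accounts that share a salt collapse back into that situation) can be made concrete from the defender's side. The following is an added example written for this thread; it is not Linden Lab's code and says nothing about how their table was actually stored. The weak `store_unsalted_md5` scheme sits beside a hardened `store_salted` form with a per-account random salt and a deliberately slow key-derivation function, plus an `audit_salts` check a defender could run over a (username, salt) table to find reused salts. The iteration count and the three-account sample table are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed iteration count for the slow hash; the thread gives no figure.
PBKDF2_ITERATIONS = 100_000


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: a fast built-in hash with no salt.
    Two users with the same password get the same digest, and one
    evaluation of a guess tests it against every account at once.
    The digest is always 32 hex characters, so nothing about the
    password's length leaks (that is the hashed-vs-encrypted point)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hardened scheme: a fresh 16-byte random salt per account plus a
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA256).
    The salt is stored next to the digest; it is not a secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Hashing is one-way: nothing here recovers the password from stored_hex."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()
    return hmac.compare_digest(candidate, stored_hex)


def audit_salts(table: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Defender's check over a (username, salt) table: how many distinct
    salts are in use and how large the biggest group sharing one is.
    Accounts that share a salt are the 'salt collisions' Tuach Noh
    describes: a guess evaluated once tests all of them."""
    counts = Counter(salt for _, salt in table)
    return {
        "accounts": len(table),
        "distinct_salts": len(counts),
        "largest_group": max(counts.values(), default=0),
    }


def guess_cost(distinct_salts: int, dictionary_size: int) -> int:
    """Hash evaluations needed to test a whole dictionary against a table:
    one per (salt, word) pair.  With a unique salt per account this grows
    with the number of accounts; with one shared salt (or none) it does not."""
    return distinct_salts * dictionary_size


# Constructed sample table: three accounts, two of which reuse a salt.
SAMPLE_TABLE = [
    ("alice", b"\x01" * 16),
    ("bob", b"\x01" * 16),
    ("carol", b"\x02" * 16),
]

if __name__ == "__main__":
    print("unsalted md5 of 'password':", store_unsalted_md5("password"))
    salt, stored = store_salted("correct horse battery staple")
    print("verify ok:", verify_salted("correct horse battery staple", salt, stored))
    report = audit_salts(SAMPLE_TABLE)
    print("audit:", report)
    print("cost for a 1000-word dictionary:", guess_cost(report["distinct_salts"], 1000))
```

The audit result for the sample table reports two distinct salts across three accounts, so a 1000-word dictionary costs 2000 evaluations instead of the 3000 that unique salts would force; the slow KDF is what makes each of those evaluations expensive, which is the property MD5 and SHA1 were never designed to have.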
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 11:04
Posted by Jeska Linden: Just to remind everyone, the passwords were encrypted, this is a security precaution to prevent any further security/account issues.
By "encrypted" I suppose you mean they were hashed somehow. Thank god. Otherwise I would have quit SL that very second. I am fucking tired of companies that do bone-headed shit like store passwords plaintext in their flatfile database.
_____________________
----
---- ----
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 11:07
I can't access.
I can't remember my security question. I'VE SPENT FUCKING OVER A HUNDRED DOLLARS ON THIS GAME. If they don't reply to my email soon... isn't me being HERE ENOUGH PROOF THAT I OWN THE ACCOUNT?
Crissaegrim Clutterbuck
Dancing Martian Warlord
Join date: 9 Apr 2006
Posts: 277
09-08-2006 11:07
Earlier, I posted this:
Could we have one last fucking inexcusable grid-crash, just to celebrate The End?
Not quite what I had in mind, but I guess Shiva the Destroyer was listening.
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
09-08-2006 11:08
Posted by Aces Spade: I would like someone at LL to reply to my e-mail asap, this is BS
Get in line.
Yiffy Yaffle
Purple SpiritWolf Mystic
Join date: 22 Oct 2004
Posts: 2,802
09-08-2006 11:08
Posted by Jeska Linden: Just to remind everyone, the passwords were encrypted, this is a security precaution to prevent any further security/account issues.
I suppose there's no chance at reinstating the passwords of users who don't know the email they used? I have a bunch of unverified alts I cannot use anymore. Thank goodness none of them were given any money or important stuff.. except for 1 who owns a Luskwood fox avatar... Another one of the alts had a name I really wanted to use, that I used when I played EverQuest. :/ I was hoping to bring my Iksar SK to SL.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:11
Posted by Jeska Linden: Just to remind everyone, the passwords were encrypted,
That's something, anyway, assuming you actually mean hashed (a one-way function resulting in a fixed-length representation) and not encrypted (meaning they can be decrypted and may also be leaking information about their length).
Posted by Jeska Linden: this is a security precaution to prevent any further security/account issues.
That's a complete non-sequitur, but anyway...
0mega Pixel
Registered User
Join date: 28 Jan 2006
Posts: 47
09-08-2006 11:12
Posted by Billybob Goodliffe: 1-800-867-5309
is that actually his number? how did you get it? if it is, let's all give him a call or three
Phooie Feng
Registered User
Join date: 17 Jul 2006
Posts: 10
09-08-2006 11:15
my those lindens sure have a sense of humor.
and I'm pretty sure my security question answer was something like "adasdasdfasdfasdfasdfsdf"
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 11:16
Oh, another set of questions:
Can we get an exact list of what was stolen? Also, as Tuach pointed out, hashing isn't 100% foolproof. Sure, it's unlikely someone will use the same salting/hashing methods as LL, but I've seen companies do really braindead things before. (Such as rely upon built-in hashing functions and not salting at all, for example.) After all, ROT13 is "encryption" of a very simple substitution sort...
_____________________
----
---- ----