URGENT! LL security exploit
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
09-08-2006 11:59
> i entered the correct info and it's still telling me it's wrong, and I've read some others are having the same problem prolly due to the servers catching on fire

I am sorry to hear that. Obviously situations like that are not what I am talking about.
_____________________
RCE Universe - bridging virtual worlds...
0mega Pixel
Registered User
Join date: 28 Jan 2006
Posts: 47
09-08-2006 12:01
Also I just tried creating a new alt to be able to at least log in, and it's telling me to change my password even though I just created it today. I go to change the password and it can't even find the damn account. I hope LL is shitting themselves right about now.
Allana Dion
Registered User
Join date: 12 Jul 2005
Posts: 1,230
09-08-2006 12:03
I noticed the comments being off, too. Good thing, otherwise that page would quickly fill with screaming and blaming, burying otherwise useful information. What I am wondering: what is going to happen to the people whose email accounts with which they signed up no longer exist? 'Cause you KNOW there are going to be lots.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 12:04
> How would a social engineer have my credit card number, billing address, real name, access to my email, and knowledge of exactly where I have my land, how much I pay per month, etc... How?

With the exception of the credit card number and access to your email, they already have it all: real name and billing address via the exploit and any in-world information they could possibly need via an easily-written landroid. The pretext for the call is that you've lost access to your email. (Otherwise, you'd just use their online system.) The social engineer is more experienced at dealing with the situation and generally much more polite than you, because they aren't all pissed off and confrontational. You can hope that Linden wouldn't reset anything without being provided your credit card number, but you certainly can't guarantee it. Linden Lab lost your information. That's their fault. You didn't store your bogus security answer. That's your fault.
Belaya Statosky
Information Retrieval
Join date: 3 Jun 2004
Posts: 552
09-08-2006 12:05
> How would a social engineer have my credit card number, billing address, real name, access to my email, and knowledge of exactly where I have my land, how much I pay per month, etc... How?

You don't need to. You only have to get the employee to break policy or otherwise feel sorry for you in a way they'll try to 'make things right'. That's the real goal and people fall for it all the time by dancing around those very tidbits of information.
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 12:06
> Okay. So did I. It's a good idea. Now, whose fault is it that you didn't make a copy of that random stuff you entered and treat it with the same care as your password?

So you think a system with human customers should have no space at all for human error?
Jamie David
Registered User
Join date: 8 Jun 2006
Posts: 123
09-08-2006 12:10
This is a VERY VERY concerning issue. My credit card information as well as personal information is on their computers. There is no way that they encrypted my mother's maiden name or my street address. That data needs to be retrieved quickly.

What has not been mentioned is any involvement of the FBI or other police services in solving this crime. I hope that someone has alerted the local bureau to ensure that a proper investigation is done and the culprit caught and the data secured. This is beyond the control of LindenLabs and should be in the hands of the FBI. Why is there no statement that the law services are assisting? Can someone in Clif call the local FBI and find out if they are aware of this breach of security?
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 12:10
> Is she really a good time?

I don't know. I tried to call, but I lost my nerve.
Mechageo Dannunzio
Registered User
Join date: 26 Mar 2006
Posts: 6
09-08-2006 12:12
I, myself, have already learned this lesson, and thus was able to avoid it by keeping my password information clear and easy for me to remember.

When I first found Second Life, it was from a MMO search engine back in 2003. I thought it looked interesting, and it was free to try, so why not? I created an account, to which I still have the name, with a completely fake e-mail address that I created on the spot with yahoo.com. I made up a completely random password that I'm convinced had something to do with 'bombastic, legos, and candy' all mixed into some horrific word. Pretty tight password. Too tight. It didn't help that I was almost 100 years old according to my birthdate, that my name was that of a fictional character and that my current residence was on "the moon". I then tried the game, and deciding that the controls weren't tight enough and that the learning curve was too high, I quit for another MMO you might recognize named Shadowbane.

Three years later, I had been jumping from MMO to MMO until eventually I became totally bored with MMORPG and MMOFPS games in general due to their repeated objectives and lack of any real, tangible result in the end. If I got a character up to level 60 in Everquest and then quit, what was I left with? I quit all of my MMO games and moved on to other things. That's when I saw the Newsweek. That's right, the one with Anshe Chung on it. Thinking of using some skills I picked up from a couple of months with 3DsMax, I jumped right back in. Unfortunately, my first account was so completely riddled with false information and passwords that were made up on-the-spot and then quickly forgotten that I had to register a new account. The new account had its passwords and answers backed up.
Inigo Chamerberlin
Registered User
Join date: 13 May 2006
Posts: 448
09-08-2006 12:16
Coming as it does, so soon after a particularly nasty asset server database 'issue', one that could be seen looming all week (15 mins to load inventory, anyone?), I'm having serious doubts about Linden Labs' competence to run SL - never mind hold my personal information including CC number.

I've dealt with a few online organisations over the years, but none yet has demonstrated such a ludicrous level of ineptness. With an island to run, and I WAS contemplating a second, needing considerable funding in the CC that LL have details of, I'm very seriously considering the wisdom of continuing with SL. The continuing presence of serious issues affecting SL's highest paying customers is bad enough, but coupled with a demonstrated inability to maintain a stable system, or secure customers' confidential and financial data, one wonders what on earth is going on. The CEO burbles constantly about SL as a 'platform' - a platform for what? Commercial suicide? Does he seriously expect any half sensible RL business to get involved in THIS shambles? As for the investors... well, I know what my reaction would be if I had serious investment in SL and found out about this. Fuck it! I'm going to have a drink and think about this. My gut feeling is that things have really gone too far this time.
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
09-08-2006 12:17
> That is patently false. The efficiency of a dictionary attack on a salted list increases with the square of the number of accounts due to salt collisions. The square of 630,000 is a big number. They don't need to crack all the passwords. Cracking any passwords is a victory, and the law of large numbers is on the side of the attacker.

This depends exclusively on the randomness and length of the salt; it doesn't take too much effort to make the salt of a length significant enough to avoid any collisions.

Edit: The attack on the security question relies on having control of the account's email address, since you do not get to pick where the password reset goes to. It is FAR easier, given the attacker had a SQL injection, to simply update the password and salt of an account to something the attacker already knows the solution for.
Dragon Keen
Registered User
Join date: 24 Apr 2006
Posts: 245
09-08-2006 12:17
wtf...

If a hacker DOES have the database, what good does the security question do? It's stored in the same database, so they'd have that too, and STILL have it - potentially making it even EASIER to change your SL password. What's easier to crack: an MD5 password, or taking a guess with your current address and using that as your security question, or just entering the security question if it's stored as plaintext? This doesn't fix anything.
Takuan Daikon
choppy choppy!
Join date: 22 Jun 2006
Posts: 305
09-08-2006 12:22
> Just to remind everyone, the passwords were encrypted, this is a security precaution to prevent any further security/account issues.

Well, the intent seems to be correct, but the implementation is also causing problems. Most of the friends and family I've convinced to create SL premium accounts are locked out till Monday at the very earliest (WTF?!?!?!), and if it remains true that the only way to reset a password is to reply to an email, then I've permanently lost an account I created, because I supplied a fake email because I noticed that *the very day* that I signed up for my first SL account I started getting *15* times the spam and didn't wanna make it 30x. Yay!!! Nobody can get into our accounts now!!! WTF!!! We can't get into our accounts now!!!
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 12:22
> So you think a system with human customers should have no space at all for human error?

Capacity to absorb human error is linearly proportional to vulnerability to human exploit. So while it should exist, it should be absolutely minimal. But at least you're admitting you made an error. In all likelihood, on Monday, you'll be able to call them up, read them your credit card number, and get your account reset, hopefully via a process that includes verification through your existing email address. The three-day wait is the consequence you get for screwing up your security answer. Suck it up, it's not the end of the world. If your password, security answer, and email address were all simultaneously screwed up and I were in charge, you would be able to look forward to mailing in notarized copies of the front of your credit card and your driver's license and paying some kind of fee. If you're outside the US and unable to do those things, then you'd probably be completely out of luck. But I take security seriously, and would not have seen the value in pointlessly invalidating your password in the first place. I'm not saying not to be mad at Linden. I'm just saying don't be mad at them without also being mad at yourself. You both had to screw up in order for you to be locked out right now.
Scarlett Signals
Registered User
Join date: 8 Aug 2006
Posts: 2
09-08-2006 12:24
I too am locked out of my account. When I provide the answer for my security code, the Second Life website says that information is incorrect. I don't know how that can be since I wouldn't have forgotten where I was born.

What I don't understand is why I can access my account to leave a message but I can't reset my password? Obviously I have access to the email account I used to register myself with Second Life... shouldn't that count as proof of my identity? Why isn't Linden helping people solve this problem today instead of waiting until Monday? Very confusing. I was looking forward to playing this weekend and now this happens.
CrazyMonkey Feaver
Monkey Guy
Join date: 1 Jul 2003
Posts: 201
09-08-2006 12:25
> wtf... If a hacker DOES have the database, what good does the security question do? It's stored in the same database, so they'd have that too, and STILL have it - potentially making it even EASIER to change your SL password. What's easier to crack: an MD5 password, or taking a guess with your current address and using that as your security question, or just entering the security question if it's stored as plaintext? This doesn't fix anything.

You would be right, except it sends the password change request to the user's e-mail. But you're right, it doesn't ask you to change your hint question. Also I don't think it's a precaution to make us change passwords. If they use encryption something like Windows, you can break an encrypted password in seconds using rainbow tables or some other time-memory attack. What I'm upset about is that they store personal information unencrypted. Lucky me, I'm moving tomorrow, so the address is invalid; sucks for the rest of yas though, lol.
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 12:28
> Capacity to absorb human error is linearly proportional to vulnerability to human exploit. So while it should exist, it should be absolutely minimal. But at least you're admitting you made an error. In all likelihood, on Monday, you'll be able to call them up, read them your credit card number, and get your account reset, hopefully via a process that includes verification through your existing email address. The three-day wait is the consequence you get for screwing up your security answer. Suck it up, it's not the end of the world. If your password, security answer, and email address were all simultaneously screwed up and I were in charge, you would be able to look forward to mailing in notarized copies of the front of your credit card and your driver's license and paying some kind of fee. If you're outside the US and unable to do those things, then you'd probably be completely out of luck. But I take security seriously, and would not have seen the value in pointlessly invalidating your password in the first place. I'm not saying not to be mad at Linden. I'm just saying don't be mad at them without also being mad at yourself. You both had to screw up in order for you to be locked out right now.

My email wasn't even wrong. I just can't answer the security question. There's the margin for human error I want. If I enter a false email, fine... but if my memory fails me and I don't remember a question (but can still access my email)? That said, I'm perfectly willing to give my CC number for the support to fix this. But no, they abandon support.
Dragon Keen
Registered User
Join date: 24 Apr 2006
Posts: 245
09-08-2006 12:28
> You would be right, except it sends the password change request to the user's e-mail. But you're right, it doesn't ask you to change your hint question. Also I don't think it's a precaution to make us change passwords. If they use encryption something like Windows, you can break an encrypted password in seconds using rainbow tables or some other time-memory attack. What I'm upset about is that they store personal information unencrypted. Lucky me, I'm moving tomorrow, so the address is invalid; sucks for the rest of yas though, lol.

A diligent hacker would have the tools to hijack the email account already as well, more than likely.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 12:34
> This depends exclusively on the randomness and length of the salt; it doesn't take too much effort to make the salt of a length significant enough to avoid any collisions.

Too bad you didn't quote the part of the message where I said exactly that. But we don't know if there's a salt, how big it is, or what collision avoidance measures exist. And even 100% unique doesn't stop a dictionary attack, just slows it way, way down. If I've got, say, a botnet full of zombie PCs, I'm still in good shape. The measure of a good hash algorithm is the ability to post the source code right here in front of us without diminishing its validity. But I seriously doubt that'll be happening, as much reassurance as it would provide.

> The attack on the security question relies on having control of the account's email address, since you do not get to pick where the password reset goes to. It is FAR easier, given the attacker had a SQL injection, to simply update the password and salt of an account to something the attacker already knows the solution for.

What? Where was a SQL injection discussed? This sounds like speculation on your part. If the attacker had update capability, all bets are off.

> Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.

A detail I missed before... they got the "encrypted payment information" as well as the "encrypted account passwords." Payment information isn't useful unless it's decrypted, which means it's not stored in a hashed form. This also casts some doubt on whether the passwords are hashed as we supposed or actually encrypted. But forget cracking the passwords, put the botnet on decrypting the payment information. Crack one key, get a lot of high-limit credit card numbers.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 12:39
> Why isn't Linden helping people solve this problem today instead of waiting until Monday?

Hopefully because they are thinking very carefully and very hard about what step to take next before they do something rash and make things worse. Resetting the passwords, for example, was a rash action that wasn't thought all the way through. (At least, not if it was based on the information we've been given.) And it made things worse. So yeah, let's have them stop, think about it, take their time, and come up with a measured, appropriate response that actually makes things better.
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 12:42
> Hopefully because they are thinking very carefully and very hard about what step to take next before they do something rash and make things worse. Resetting the passwords, for example, was a rash action that wasn't thought all the way through. (At least, not if it was based on the information we've been given.) And it made things worse. So yeah, let's have them stop, think about it, take their time, and come up with a measured, appropriate response that actually makes things better.

I seriously hope they do that. But I can't help but imagine everyone happily going home and having milk and cookies like nothing happened.
Taco Rubio
also quite creepy
Join date: 15 Feb 2004
Posts: 3,349
09-08-2006 12:43
> I don't know. I tried to call, but I lost my nerve.

I don't know you but you make me so happy
_____________________
We can't be clear enough, ever, in our communication.
Dale Glass
Evil Scripter
Join date: 12 Feb 2006
Posts: 252
09-08-2006 12:47
> What I'm upset about is that they store personal information unencrypted. Lucky me, I'm moving tomorrow, so the address is invalid; sucks for the rest of yas though, lol.

That's pretty hard to pull off. Sure they can encrypt it, but with what key? If they just encrypt it all with the same key, it would have to be known to the webserver anyway so that it can display your own details, for instance. So it'd be useless; the attacker would get it with the rest of the stuff. Alternatively, they could use your own password to encrypt your data. That would work, but it'd now require them to keep your unencrypted password somewhere. That has nasty security issues attached though: either the password would be in cleartext right there, or in some other database in a safer place. But the second case means they'd have to update your password in that other database, and that'd mean opening a way that might be used to penetrate deeper into LL's network.
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
09-08-2006 12:47
> Too bad you didn't quote the part of the message where I said exactly that. But we don't know if there's a salt, how big it is, or what collision avoidance measures exist. And even 100% unique doesn't stop a dictionary attack, just slows it way, way down. If I've got, say, a botnet full of zombie PCs, I'm still in good shape. The measure of a good hash algorithm is the ability to post the source code right here in front of us without diminishing its validity. But I seriously doubt that'll be happening, as much reassurance as it would provide.

> What? Where was a SQL injection discussed? This sounds like speculation on your part. If the attacker had update capability, all bets are off.

> A detail I missed before... they got the "encrypted payment information" as well as the "encrypted account passwords." Payment information isn't useful unless it's decrypted, which means it's not stored in a hashed form. This also casts some doubt on whether the passwords are hashed as we supposed or actually encrypted. But forget cracking the passwords, put the botnet on decrypting the payment information. Crack one key, get a lot of high-limit credit card numbers.

From what I understand, the attack was an SQL injection via the web servers which weren't secured properly. But even with a botnet you aren't in fantastic form if, say, the salt is a UUID. LL does use MD5 for the hashes on the passwords, but I don't know the length of the salt (which seems to be a critical unknown here). A dictionary attack is also slightly weaker here since (and having dealt with this doing login for libsecondlife) the login server receives a MD5sum of the original password, which is then MD5'd again with the salt and compared against the stored entry. The extra MD5sum adds to the computing time required to generate a collision. Payment info's on a separate database which wasn't touched apparently. My bet is the attackers probably just got off with the `avatars` table, and even that seems to be unknown.
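To make the salt argument in the two posts above concrete, here is an added Python model of the double-MD5 login scheme Adam describes (client sends MD5(password), server stores MD5(client digest + salt)); it is illustration written for this page, not code from the thread, from Linden Lab or from libsecondlife. It assumes hex digests, plain string concatenation and a UUID4 string as the salt, none of which the thread confirms, and it counts how much hashing one guessed password costs against a whole table with unique versus shared salts.

```python
import hashlib
import hmac
import uuid
from typing import Dict, List, Optional

# Illustrative model of the scheme described in the post above (added here,
# not Linden Lab's or libsecondlife's code). Assumptions: hex digests, plain
# string concatenation of digest + salt, and a UUID4 string as the salt.
# MD5 appears only because the post says that is what was in use in 2006.


def client_md5(password: str) -> str:
    """Digest the client sends in place of the cleartext password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def stored_md5(client_digest: str, salt: str) -> str:
    """Second MD5 over the client digest plus the account's salt."""
    return hashlib.md5((client_digest + salt).encode("utf-8")).hexdigest()


def enroll(password: str, salt: Optional[str] = None) -> Dict[str, str]:
    """Build the stored record; a fresh UUID4 salt unless one is supplied."""
    salt = str(uuid.uuid4()) if salt is None else salt
    return {"salt": salt, "hash": stored_md5(client_md5(password), salt)}


def verify(record: Dict[str, str], password: str) -> bool:
    """Recompute for the record's salt and compare in constant time."""
    candidate = stored_md5(client_md5(password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def hashes_per_guess(records: List[Dict[str, str]]) -> int:
    """Distinct second-stage MD5 evaluations needed to test ONE candidate
    password against every record: one per distinct salt value. Unique
    salts make this equal to the number of accounts; a shared or empty
    salt collapses it to 1, which is the 'salt collision' concern above."""
    return len({r["salt"] for r in records})


def salt_collisions(records: List[Dict[str, str]]) -> int:
    """How many records share their salt with at least one other record."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["salt"]] = counts.get(r["salt"], 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample: five accounts reusing the same weak password.
    unique = [enroll("password1") for _ in range(5)]
    shared = [enroll("password1", salt="") for _ in range(5)]  # no real salt
    print("login ok:", verify(unique[0], "password1"))
    print("wrong pw:", verify(unique[0], "Password1"))
    print("hashes per guess, unique salts:", hashes_per_guess(unique))
    print("hashes per guess, no salt:", hashes_per_guess(shared))
    print("distinct stored hashes:", len({r["hash"] for r in unique}),
          len({r["hash"] for r in shared}))
```

With unique salts the five identical passwords produce five different stored hashes and a guess must be rehashed once per account; with a shared (or missing) salt all five records collapse to one hash and one evaluation tests them all.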
Jamie David
Registered User
Join date: 8 Jun 2006
Posts: 123
09-08-2006 13:00
> Payment information isn't useful unless it's decrypted, which means it's not stored in a hashed form. This also casts some doubt on whether the passwords are hashed as we supposed or actually encrypted. But forget cracking the passwords, put the botnet on decrypting the payment information. Crack one key, get a lot of high-limit credit card numbers.

The more I think about this the more questions I come up with. I am no computer genius, but the way I see it is this: they store my credit card number in an encrypted form. But they need to read this number to tell the credit card company when they bill me. I can also see the beginning of my credit card when I look at my account. If they can do it, why can't the hacker, given time? Once they crack one then they've got them all, no? Just because they are encrypted, isn't it a matter of time before they are cracked as the system was?