Comments on: Blizzard is taking your computer security into their own hands http://www.restokin.com/2009/09/blizzard-is-taking-your-computer-security-into-their-own-hands/ Lissanna's blog about druids Sat, 13 Mar 2010 18:23:28 -0500 http://wordpress.org/?v=2.9.2 hourly 1 By: Lissanna http://www.restokin.com/2009/09/blizzard-is-taking-your-computer-security-into-their-own-hands/comment-page-1/#comment-1691 Lissanna Tue, 08 Sep 2009 20:44:08 +0000 http://www.restokin.com/?p=2366#comment-1691 The authenticators they use are the same types that get sold to banks and such for security. Blizzard sells the keyring version basically at a loss, since it saves them money in the long run compared to the man hours it takes to recover compromised accounts. Hackers aren't going to be able to devote the amount of time needed to bypass an authenticator, and those type of people are just more likely to move onto easier pray (ie. an account without one). http://www.vasco.com/ The authenticators they use are the same types that get sold to banks and such for security. Blizzard sells the keyring version basically at a loss, since it saves them money in the long run compared to the man hours it takes to recover compromised accounts. Hackers aren’t going to be able to devote the amount of time needed to bypass an authenticator, and those type of people are just more likely to move onto easier pray (ie. an account without one).

http://www.vasco.com/

]]> By: MuShU http://www.restokin.com/2009/09/blizzard-is-taking-your-computer-security-into-their-own-hands/comment-page-1/#comment-1690 MuShU Tue, 08 Sep 2009 20:31:37 +0000 http://www.restokin.com/?p=2366#comment-1690 1. it's trivial to bypass the WoW "Warden" scanner and I don't know why trojans/keyloggers/viruses haven't figured that out yet? I won't say how just in case :) 2. the authenticator is a rather poor example of security, as anyone knowledgeable of such things understands that "security by obscurity is no security". There is no way Blizz can sell satelite fobs at this price that have a receiver inside. Thus (without having taken one apart) I assume it is a RNG with a hash based on some aspect of your account info plus the fob unique serial#. This is why you had to log in to their website and attach that fob to your account. Thus their server would know which hash to use and would come up with the same RNG when you log in to play. This means it is a static algorithm, and being a Turing machine, can be reverse-engineered (or hacked). 3. it will be a never-ending game of cat-n-mouse for Blizz to attempt to keep updating Warden to detect the latest "Zer0-dAy" exploits and the bad guys will always have the upper hand. Unless they invest tons in implementing a heuristic detection method that ascertains what a particular chunk of software code is actually going to DO, the best direction to go is to "whitelist" the types of known good code and allow the user to block or allow any unknown code. This again puts the onus squarely in the hands of the platyer...which, as we know, is a "lolwut?" moment since "fail n00b is fail." 1. it’s trivial to bypass the WoW “Warden” scanner and I don’t know why trojans/keyloggers/viruses haven’t figured that out yet? I won’t say how just in case :)

2. the authenticator is a rather poor example of security, as anyone knowledgeable of such things understands that “security by obscurity is no security”. There is no way Blizz can sell satelite fobs at this price that have a receiver inside. Thus (without having taken one apart) I assume it is a RNG with a hash based on some aspect of your account info plus the fob unique serial#. This is why you had to log in to their website and attach that fob to your account. Thus their server would know which hash to use and would come up with the same RNG when you log in to play. This means it is a static algorithm, and being a Turing machine, can be reverse-engineered (or hacked).

3. it will be a never-ending game of cat-n-mouse for Blizz to attempt to keep updating Warden to detect the latest “Zer0-dAy” exploits and the bad guys will always have the upper hand. Unless they invest tons in implementing a heuristic detection method that ascertains what a particular chunk of software code is actually going to DO, the best direction to go is to “whitelist” the types of known good code and allow the user to block or allow any unknown code. This again puts the onus squarely in the hands of the platyer…which, as we know, is a “lolwut?” moment since “fail n00b is fail.”

]]>