Topic: AUTH server news (Read 21669 times)
Daemon
« on: September 30, 2014, 08:56:41 pm »

Hello.

As you probably know, a few days ago there was a rather large-scale incident involving ingame accounts being abused by a hacker who obtained access to their passwords. In order to minimize the effects and to give us time to find out what vulnerability was exploited by this Nolifer, we had to shut down the authentication server. Therefore, there are no ingame icons and no clan operations can be performed.

We've investigated pretty much every lead we had and tested every theory floating around: from the newly disclosed Shellshock exploit to DB injection, from simply guessing passwords to the hypothesis that a Newerth admin with a grudge went berserk and used his access level to wreak havoc. Sadly, there's no hard evidence to support this theory at this time.

What we did find is that plenty of players who registered on various clan forums use the same password for their ingame accounts. Stupid, right? Because not all forum software stores encrypted passwords. I bet it's the same password they use for their credit card security or their Yahoo accounts! Not that hashed passwords would be foolproof, but we have strong indications that the eXp clan forums store user passwords in a human-readable plaintext format. Plenty of leads point to this forum, or others just like it, as the most likely means for the Nolifer to gain access to the ingame accounts. It might not be with the forum owners' consent, but it also came to our attention that some of those who were first to cry over hijacked accounts were actually playing the same tricks themselves before. Sorry to see your accounts go!

So we're going to fire up auth in a read-only mode as far as clans are concerned. That will prevent clans being wiped out or getting random players invited. In the meantime, a bunch of devs took the bull by the horns and are working on completing and securing Mohican's new Python authentication server with state-of-the-art encryption algorithms and multi-layer protection. It's hard to tell when this undertaking will be completed but hopefully, it will be before lunch.

Thank you.
« Last Edit: September 30, 2014, 10:28:04 pm by Daemon »

Haika
« Reply #1 on: September 30, 2014, 09:02:40 pm »

I challenged someone 2 years ago or something to hack my password, because I thought the game was old and that it would be an easy task for anyone with a bit of knowledge.

He told me my pass within the minute. Luckily I'm not stupid enough to use my pass on anything other than the forum. Hopefully this applies to everyone else.

But thanks for caring and taking action.
Oldman
« Reply #2 on: October 01, 2014, 03:49:22 pm »

Hi guys!

Thanks for the warning. But I know a few people (for example Indi) who used one password for their ingame account and another (different!) password for clan forums. And his account was hacked. As far as I know, some players voted messages with ingame accounts and passwords. Do you check and validate their IPs? Maybe publish the results of the check?
« Last Edit: October 01, 2014, 06:10:14 pm by Oldman »

valli
« Reply #3 on: October 02, 2014, 09:05:46 am »

In the case of the WW forum intrusion, the intruder was smart enough to hide the IP.

drk
« Reply #4 on: October 02, 2014, 04:05:02 pm »

> Because not all forum software stores encrypted passwords.

That is the most stupid thing ever done by admins (except not making backups). Is it so hard to store passwords as md5 or md5(md5), etc.?
Sad story.

Stringer
« Reply #5 on: October 02, 2014, 05:43:34 pm »

> Is that so hard to store passwords in md5 or md5(md5)

MD5 is bruteforceable in reasonable time on modern hardware, and using md5(md5) will make no difference.
Everyone should use SHA.
Just to clarify.

jazzking
« Reply #6 on: October 02, 2014, 07:00:49 pm »

I imagine the point of md5(md5) is that the hacker is less likely to find a rainbow table for md5(md5). They will also waste time bruteforcing pure md5 the first time around.

I'm reading about this now and it also appears that the use of a salt is important, even with a better algorithm like SHA.

Daemon
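To illustrate the salt point raised in the post above, here is an added Python example (not code from this thread or from the Newerth auth server): unsalted md5(md5) and plain SHA-256 give every account with the same password the same stored value, while a per-user random salt and a deliberately slow PBKDF2 make each record unique. The password and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample value: two different accounts that happen to share this password.
SAMPLE_PASSWORD = "savage123"


def md5_md5(password: str) -> str:
    """The md5(md5(...)) scheme from the thread: deterministic and unsalted, so
    every account with this password stores the very same 32-hex-char value."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256: a stronger digest than MD5, but still deterministic and
    unsalted, so a single precomputed table still covers every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256 digest.
    The iteration count is a constructed example value, not one from the thread."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])


if __name__ == "__main__":
    # Unsalted schemes: identical stored values for identical passwords.
    print("md5(md5) same for both accounts:", md5_md5(SAMPLE_PASSWORD) == md5_md5(SAMPLE_PASSWORD))
    print("sha256 same for both accounts:", unsalted_sha256(SAMPLE_PASSWORD) == unsalted_sha256(SAMPLE_PASSWORD))
    # Salted scheme: each account gets a unique record, yet both still verify.
    rec_a, rec_b = make_record(SAMPLE_PASSWORD), make_record(SAMPLE_PASSWORD)
    print("salted digests same:", rec_a["digest"] == rec_b["digest"])
    print("verify correct:", verify(rec_a, SAMPLE_PASSWORD), "verify wrong:", verify(rec_a, "wrongpass"))
```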
« Reply #7 on: October 02, 2014, 07:08:18 pm »

We got that covered. Even I know a shitload about encryption now thanks to Gridfon, Clemens and valli's efforts. The problem is how much the Nolifer already has.

drk
« Reply #8 on: October 02, 2014, 07:12:50 pm »

> MD5 is bruteforceable in reasonable time on modern hardware, and using md5(md5) will make no difference.
> Everyone should use SHA.

At least something instead of the plain text.

Daemon
« Reply #9 on: October 02, 2014, 07:46:13 pm »

> MD5 is bruteforceable in reasonable time on modern hardware, and using md5(md5) will make no difference.
> Everyone should use SHA.
> At least something instead of the plain text.

Drk, are you talking about Newerth? Because I wasn't. The plain-text passwords part is about eXp and OTHER forums. We do have encrypted passwords. Which sucks if you forgot your password. Gotta switch to ROT13!

drk
« Reply #10 on: October 02, 2014, 07:53:29 pm »

> Drk, are you talking about Newerth? Because I wasn't. The plain-text passwords part is about eXp and OTHER forums. We do have encrypted passwords. Which sucks if you forgot your password. Gotta switch to ROT13!

I didn't say a word about Newerth.
Just generally about different forums and their DBs (for example eXp, if you say they are using passwords without any encryption).

Hakugei
« Reply #11 on: October 02, 2014, 07:56:55 pm »

It gets even worse when said sites have access to the plain text passwords themselves.

Thollmigul
« Reply #12 on: October 02, 2014, 08:43:45 pm »

You can update shit all you want, come up with any encryption -- no difference,
because passwords are in the public domain thanks to a very, very stupid, selfish admin with alt phobia who got demoted (and his accomplice).

Jmz

To explain more: JmZ (and probably Groentjuh with him) made it possible for simple USERS to query people's IPs, passwords, etc.
Did he make it on purpose or not? You decide...

Disclaimer: I'm not Thollmigul, I didn't change his password.
« Last Edit: October 02, 2014, 09:19:11 pm by Thollmigul »

blame!
« Reply #13 on: October 02, 2014, 09:32:59 pm »


FORTOCHKA(ua)
« Reply #14 on: October 02, 2014, 10:05:51 pm »

Oh no! It's terrible! Jmz, how do you explain it?