This isn't all that far away from Hollywood's retelling I'm sure…

It was really only a matter of time before another story of hackers gaining unauthorized access to a game company’s servers came to light, and this time Blizzard Entertainment has taken the hit. But is all as it seems? When the news broke yesterday that Blizzard Entertainment had suffered a “hack”, I grew suspicious… as a man who’s seen the Blizzard Campus for himself and seen behind the scenes of the gaming juggernaut, I had honestly believed that intrusion into their servers (after a hardware upgrade years ago) was largely impossible. Then again, nothing exists that is entirely unhackable, but to say the task of breaking into an electronic fortress is daunting would be an understatement. I decided to take a closer look…

Yesterday a release was sent out by Mike Morhaime through Blizzard’s main website stating that they had discovered unauthorized access to their network, and that a list of e-mail addresses (of players outside of China), the security questions for those e-mails, and authenticator information pertaining to those addresses had been accessed. In addition, a list of heavily encrypted passwords was also accessed; these are protected using the Secure Remote Password protocol (SRP), which makes it essentially “more difficult than it’s worth” to crack a listing of passwords. Morhaime went on to say that there was no evidence to suggest that financial information had been accessed, but that they would be asking players to update their security question and password via an automated process in short order.

Since the story broke I’ve seen numerous stories suggesting that Battle.net had been hacked, or even people suggesting that your financial information had been accessed (but Blizzard just doesn’t want you to know about it!)… I did a little investigating myself in order to discover if I did truly need to start changing passwords and cancelling credit cards, and what I found was troubling and comforting all at once.


From my investigation, and from personal knowledge gained through previous experience and conversations with Blizzard employees, security is taken immensely seriously on the Blizzard Campus and in the company in general. There is a reason that leaks on the company’s projects either never appear or appear only a day or two before they were due to be publicly announced in the first place. Access cards are required, custom-written software and physical security exist on the Campus, and staff are monitored heavily, including their own executives. At Blizzcon once it was light-heartedly said that even Mike Morhaime has someone hired to watch him and file reports to the board. I can say for certain that’s not far from the truth.

So if Blizzard takes security so seriously, if Project Titan (their unannounced MMO project) is kept in a security lockdown building all its own and sensitive information requires layers of security access to get to, how does some hacker online slip through Battle.net’s security and retrieve our sensitive data? The answer is simple… they didn’t.

Even from another look at Morhaime’s letter to their customers, it becomes obvious that Blizzard’s online gaming network wasn’t compromised, but their local private network was. Battle.net is primarily an external entity with server farms at several points across the world all tied together. And while it makes it possible for gamers around the world to play together, it does not directly link back into Blizzard’s internal network, but rather to another server all its own… the dreaded “Authentication Server”, which if it goes down (as many current players of the always-online-DRM Diablo 3 know all too well) makes it impossible to start up an (official) Blizzard game.

Now, none of that provides access to the information listed above… but their internal network, which is on-site at the Blizzard Campus, does. In fact, a little digging brought up a worrisome fact: an internal-network breach at a place like Blizzard all too likely means something had to be done to open their network to the outside. To say they take all matters of on-site security seriously is an understatement, so to have someone just run a few scripts and miraculously find themselves a wealth of information is practically impossible. What is possible, however, is an on-site breach of electronic security in the form of, say, a USB drive slipped into a Customer Service agent’s computer that opened an OS exploit that was thought to have been patched.


Considering the information accessed, it doesn’t take a Blizzard Insider to see it was most likely the customer service department which suffered the breach. Financial (“Billing”) information is stored in an entirely different server rack and area of the Campus than “Customer Information”. A customer service agent doesn’t need passwords to access customer accounts, though they obviously do require a password all their own. A password easily accessed via a keylogger or other monitoring program installed… which when the customer service account was accessed outside of that staff member’s scheduled hours, could easily alert Blizzard’s in-place security.
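The off-hours alert described above can be sketched as detection logic over authentication logs. This is an added example, not Blizzard's tooling or code from the original post; the account names, shift schedule, log format and 30-minute grace period are all constructed assumptions, and timestamps are taken to be local time.

```python
from datetime import datetime, time, timedelta

# Constructed schedule (assumption): account -> (weekdays, start, end), local time.
# Weekdays follow datetime.weekday(): Monday=0 ... Sunday=6.
SHIFTS = {
    "cs_agent_01": ({0, 1, 2, 3, 4}, time(9, 0), time(17, 30)),
    "cs_agent_02": ({4, 5, 6}, time(22, 0), time(6, 0)),  # overnight shift
}
GRACE = timedelta(minutes=30)  # tolerate early arrival / late departure

# Constructed sample log: timestamp, account, workstation, result.
SAMPLE_LOG = """\
2012-08-03T10:15:00 cs_agent_01 ws-114 success
2012-08-04T03:12:00 cs_agent_01 ws-114 success
2012-08-04T02:40:00 cs_agent_02 ws-207 success
2012-08-06T05:45:00 cs_agent_02 ws-207 success
2012-08-06T17:50:00 cs_agent_01 ws-114 success
2012-08-06T23:05:00 cs_agent_01 ws-114 failure
2012-08-07T02:40:00 cs_agent_02 ws-207 success
2012-08-07T12:00:00 cs_temp_09 ws-300 success
"""

def in_shift(ts, days, start, end):
    """True if ts is inside a scheduled shift, including shifts that cross midnight."""
    # A shift belongs to the day it starts on, so test today's and yesterday's.
    for anchor in (ts.date(), ts.date() - timedelta(days=1)):
        if anchor.weekday() not in days:
            continue
        begin = datetime.combine(anchor, start)
        finish = datetime.combine(anchor, end)
        if end <= start:  # overnight: the shift ends on the following day
            finish += timedelta(days=1)
        if begin - GRACE <= ts <= finish + GRACE:
            return True
    return False

def off_hours_logins(log_text, shifts=SHIFTS):
    """Return (timestamp, account, host, reason) for each suspicious successful login."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "success":
            continue  # malformed line or failed attempt: out of scope here
        stamp, account, host = parts[:3]
        if account not in shifts:
            alerts.append((stamp, account, host, "no schedule on file"))
        elif not in_shift(datetime.fromisoformat(stamp), *shifts[account]):
            alerts.append((stamp, account, host, "outside scheduled hours"))
    return alerts
```

Calling `off_hours_logins(SAMPLE_LOG)` flags the 03:12 Saturday login for the weekday agent, the Tuesday login for the weekend overnight agent, and the account with no schedule, while the Monday 05:45 login that belongs to a shift started on Sunday night passes.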

So what does all this mean in the end? Well, it means it’s unlikely you yourself will be affected (as a former or current player of Blizzard games), but that it wouldn’t hurt you to change your password occasionally, with now being a mighty good time to do so. But beyond that, this wasn’t “Just another video game company getting hacked” as many have been reporting; it’s actually something much more worrisome, and I can assure you things are getting turned upside-down at the Blizzard Campus at the moment. Blizzard Entertainment suffered an immense breach of security that is being downplayed, but it wasn’t so much online security that was breached as local network security, perhaps even physical security…

Customer service agents only have access to limited information (the aforementioned Authenticators, e-mails and encrypted passwords) and use custom-designed proprietary software to interact with their databases… but if hackers are now going to slip past all the electronic and software protections by physical means just to get access to information already largely available by other means, it shows a certain level of intimacy with the company.


If hackers want the account information and financials of Blizzard customers, it’s far easier to do and has been done before on a mass scale. Years ago, in an effort to hack the accounts of hundreds of thousands of Blizzard’s customers, a hacker created a flash-game based around teaching World of Warcraft players the mechanic of a certain part of the game by simulating a specific interface and button layout and allowing players to practice before throwing themselves into the situation. This flash-game, however, contained an unknown Flash exploit which allowed the hacker to place keyloggers on countless computers across North America, resulting in one of the largest streaks of compromised accounts in the game’s history, which soon after saw the introduction of Authenticators as a result.

So what does this all mean really? Well it does of course hint that we’re all too comfortable on the internet and that game companies are still a vulnerable part of our industry… and that no matter how much protection a company seems to have, they aren’t completely immune to getting hacked or intruded upon. It’s immensely troubling that hackers are now going to the levels of physically compromising electronic security to do what they wish, but in the end not unexpected given the circumstances the industry has been rushing to put in place since the first onset of game-company-hacks of the last few years.

What can we do? Well not a whole hell of a lot… change your passwords and hold onto your butts. I doubt the trend of hacked video-game companies is going to come to an end anytime soon.


Nobunaga

An eccentric millionaire bent on world domination, or at least trying to find happiness and ponder the existentialism-… oh who are we kidding he's just an evil eccentric who wants to take over the world while having an amazing time playing whatever games strike his fancy. Known amongst the Blizzard community as "The Dreadmist Man".


  1. August 11, 2012 at 03:22pm
    In response to Article

    Ah yes, Nobunaga furiously slurping on Blizzard again. Of course, Blizzard is hack-proof. I mean, even the US Military network isn’t 100% secure, but Blizzard’s is impenetrable. And all those reports of people’s accounts being hacked, me being one of those lucky people who logged on one day to see their characters stripped bare 1 day after reactivating my account, on a brand new, clean computer, and being forced to convert to a battle.net account after 4 years of not so much as a phishing email being received on that address, totally fabricated. As always, blame the victim.

  2. August 11, 2012 at 04:53am
    In response to Article

    Sorry but I don’t agree.
    I and many people I know had our accounts hacked, some people even twice, and all of them are careful people who never give away their password and do not use third-party software, and all of us have lost ONLY THIS PASSWORD. So if our systems had been violated, why not take the Steam account, PayPal, bank, other games, forum, mail and the tons of other passwords and accounts we use that have much more value?

    The reply of Blizzard? It’s impossible, you are lying, you have given the password to someone. When I told them the contact history of my account, that someone had connected and joined a game with a fake account (random name player with a level 1 character)… they banned me for giving the player name of another player on the forum. Banned for giving the number of an account hacker, because account hackers do not exist.

    So all that “it’s impossible” through fanboys or official channels is bullshit.

    The big amount of accounts emptied is a reality and they don’t give an explanation other than “all are lying, this is not happening”. For me, after this, Blizzard is dead.

    • August 11, 2012 at 02:47pm
      In response to GhostFS

      Agreed. Using a username and password COMPLETELY UNIQUE TO EVERYTHING ELSE, as well as NOT LOGGING IN FOR OVER 6 MONTHS, I had my account hacked.

      I don’t reply to phishing e-mails. I didn’t use the same username, password, OR EVEN E-MAIL. I NEVER used addons, even official ones.

      And yet, my INACTIVE WoW ACCOUNT WAS HACKED.

      That was the final straw, and I called Blizzard up and had them remove ALL personal data from their systems, ALL OF THEM, and I have refused to purchase, OR EVEN RENT a blizzard game, because I DID NOT COMPROMISE THE ACCOUNT. THEY DID AND DENIED IT.

      And this was 2 years ago.

      It’s not impossible. WoW has hacked servers. This is fact. BattleNet is most likely hacked. They have security holes that are still exploited every day.

    • August 11, 2012 at 10:52pm
      In response to GhostFS

      You’ll probably find that somewhere down that road you and your friend, along with millions of other people, clicked a link in a Blizzard email one day that took you to a WoW website or even the battle.net login screen and proceeded to log in. Having done this, it usually takes you to said login account page like all is sweet, but in reality that login screen was a fraud and your account email/name and password are in the hands of said unnamed gold farming agency hacking away at your now barren account.

  3. August 11, 2012 at 12:17am
    In response to Article

    OHHHH holy crap. I’ll bet I know what you’re referring to at the end there. I’ll bet that was the flash simulator for the ghost part of the Teron Gorefiend encounter. I remember back when I joined up with my guild back in Burning Crusade they had me mess around with a flash that basically simulated the special mechanics of that encounter. Now that I think about it, it was some time after that that I got hacked. That is starting to make a LOT of sense now. Wow.

  4. August 10, 2012 at 07:24pm
    In response to Article

    very well written. And thanks for actually looking up shit before going all crazy with the news :P
