Strength in Numbers of Quel'Thalas

Author Topic: Security Primer  (Read 2282 times)

Tig

  • Administrator
Security Primer
« on: 15 January, 2009, 12:58 »

Yet again someone has been account hacked, err, twice.

So it's about time to start being secure I think. To do this there are a few considerations.

1) Ultimately, your account is wanted by another *cough* human being *sigh* which means you need to start thinking about things as they would/might. So you need to start thinking how they might conjure ways of trying to get your account details.

They understand that, for almost all users, all of the time, you type your details in. Because of this, they created key logging software to collect what you type.

They also understand that you are most likely to have anti-virus/spyware/hacking measures on your system that will eventually be able to detect and remove this software, so in addition to finding ways of hiding their software, they also find ways of quickly auto-updating it to new versions to keep avoiding detection.

Being "only human" themselves, they realise that these days we have myriad accounts and understand the simplicity behind only having one, or two passwords to protect this data (which when you think about it, isn't quite so protective now is it.)

They know that, for most of you, that one email account (probably protected by that same password) is where password updates/forgotten password requests and even emails with personal details might be found/sent to.

The list is endless, scary shit huh?

So it's about time to tackle as many of these problems as possible;

First, we need to stop rogue software from being installed/run on your computer. We need to think about how this software reaches us in the first place. Now, I could drone on about email but that is an unlikely place for WoW related rogue software to enter your system. So how about some likely ways;

1) Any software that is WoW related but doesn't come from Blizzard Entertainment is an obvious risk. This can include (but is not limited to) addons with executables, addon updaters, private server related software, software claiming to automate game play (bot software, hacks, etc)

There are only two non-Blizzard bits of software I trust; Curse Client and Uni Uploader. This doesn't mean you should trust them but I do and I'm willing to take that risk because I personally trust those who maintain and release them and I rely on their functionality.

I fail to see why any addon should need an executable to work and quite frankly would never trust one that needed to have an executable component. Many addons that need to upload xml data to/from a website have been adapted to use Uni Uploader or just require you to manually upload the file, it isn't that hard really.

Software used to automate or hack is just stupid anyway - If you can't play the game, don't pay for it and that's the simple solution. Not only is it totally against the Terms of Service, it doesn't make sense and is only begging for you to get banned or account hacked.

Private servers - Again, a perm-ban offence but if you really, really must do it, use a different machine. The server software itself is closed source and therefore risky as hell. The private servers are usually a patch level or two behind and offer to let you download an older version of the software, which is an obvious risk. However, part of the 'security' of the WoW client is to download an updated 'warden' binary that checks for known rogue software before launching the game. So what is to stop a private server from releasing their own warden software to keylog your system?

An additional note about private servers: Given these servers need you to register with them, meaning select your own account name and password, if you are stupid enough to use the same account name and password as your real wow account, then you really do deserve to be hacked!

That is enough about WoW specific attacks.

2) Limewire, Bit Torrent etc etc - If you really, really, really must download software from these places, be smart and don't run stuff that was released yesterday, at least wait until possible viruses contained in them might have been discovered and had anti-virus scanner updates made for them! If you are downloading anything other than software (movies, music etc) be smart and don't run straight from the client, download it, virus scan it and be careful that you don't get tricked into running an executable file (especially if you have "known filename extensions hidden" as this means you won't see .exe at the end of a file and as executable files embed their own icons, they can appear to be, for example, an mp3 file - Of course, if you DO have hidden extensions, then xyz.mp3 would just appear as xyz because the mp3 would be hidden ;-)

If you MUST download stuff, pay for a news server account and get something like News Leecher.

Better yet, just buy your stuff!
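The hidden-extension trick in point 2 is easy to check for mechanically. The script below is an added example (not part of the post) that simulates what Windows Explorer displays with "Hide extensions for known file types" switched on, then flags names whose real, final extension is executable while the name the user sees ends in a media or document extension. The extension sets and the download listing are constructed for the example.

```python
import os

# Extensions Windows runs as programs or scripts (constructed subset for
# this example, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}

# Extensions a user expects on harmless media/documents (constructed subset).
MEDIA_EXTS = {".mp3", ".avi", ".mp4", ".mkv", ".jpg", ".png", ".pdf", ".doc", ".txt"}

KNOWN_EXTS = EXECUTABLE_EXTS | MEDIA_EXTS


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Return the name as Explorer shows it when known extensions are hidden:
    only the final, known extension is dropped, so 'song.mp3.exe' becomes
    'song.mp3' and 'xyz.mp3' becomes 'xyz'."""
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (final) extension is executable but the name the
    user would see ends in a media/document extension."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in MEDIA_EXTS


def scan(filenames):
    """Return the subset of filenames that look like disguised executables."""
    return [name for name in filenames if is_disguised_executable(name)]


# Constructed sample download listing.
SAMPLE_DOWNLOADS = [
    "Great Song.mp3",
    "Great Song.mp3.exe",
    "holiday.jpg.scr",
    "setup.exe",
    "notes.txt",
    "trailer.avi.EXE",
]

if __name__ == "__main__":
    for name in SAMPLE_DOWNLOADS:
        flag = "DISGUISED" if is_disguised_executable(name) else "ok"
        print(f"{name!r:24} shown as {displayed_name(name)!r:20} {flag}")
```

Run against a download folder listing, the scan returns only the double-extension names; a plain `setup.exe` is not flagged because, once its extension is hidden, it does not pretend to be anything else. Case is normalised so `trailer.avi.EXE` is caught as well.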

3) System Security is a must; Personally I use the following software and to date haven't had a security compromise.

Windows Vista (but XP before that)

Automatic Operating System updates turned on and check for optional updates at least twice a month.
Windows built-in firewall has been good enough for me as I also have a Broadband router with built-in firewall, preventing in-bound attacks - Windows firewall is a bit crap for protecting software on your system from getting outside your network.
Windows Defender isn't too bad either so I keep it on and updated
Avast Free (personal) with update as required enabled (the default)

4) Passwords - As I said earlier, as we tend to have lots of different accounts these days, it's all too easy to just use one password and pray. However, not having an amazing memory doesn't mean you don't need to be a bit smarter about passwords.

Earlier I pointed out how important your email account is, given that most things are registered to send forgotten password requests to it, that you may have confirmation emails about accounts you open (some are even dumb enough to remind you of your secret questions/answers for future reference - A dumb thing, given these are supposed to be memorable question and answer challenges for the very reasons of security.)

So, given how there are many different free email solutions out there (google mail is the one I love most) I'd suggest you have at least two email accounts, one for really private stuff like family/work email, bank account/utility bills/credit cards etc to be registered with. Then a second for stuff like website/forum registrations, game registrations etc.

Don't use the same password for your email account as you do for the accounts that know about that email address. eg: If your game email account has password: dog, then don't have any of your game accounts passwords set to dog (or even cat, to save lateral thinking hacking)

Being unique with passwords isn't actually that hard if you think about a formula. How about a simple formula password and what data you can use:

Your initials, nickname, year of birth (not date or date as those are too risky to expose), what the password is used for. The list is endless but these details alone can be useful.

Now lets think of a few things we need to protect.

Private Email
Account: me@private.com
Game Email
Account: me@havingfun.com
Forums
Account: mynick
WoW
Account: myname

Now how about a formula that is obvious to us but, without extra knowledge, seems a bit random to others.

My initials: M Y N (Mike Yani Name)
My Nickname: mynick
Year of Birth: 1980
First part of postcode: BS
private email: pma (Private eMAil)
game email: gil (Game emaIL)
forums: ru (foRUms)
WoW: of (world OF warcraft)

So how about: type (email/forums/WoW) initials birth year (last two digits) postcode first part

Private Email
 Account: me@private.com
 Pass: mamyn80bs
Game Email
 Account: me@havingfun.com
 Pass: gilmyn80bs
Forums
 Account: mynick
 Pass: rumyn80bs
WoW
 Account: myname
 Pass: ofmyn80bs

Of course, you could be a bit smarter and decide that emails don't use initials but use first full part of the postcode, or instead of year, use the last three digits of your telephone number.

When you break down the formula like that, it's actually much less to remember, fairly safe to write down (as you don't need to write down your initials, postcode, birth year, telephone number etc, only the formula and some special stuff like the digits for private email/game email/forums etc) but when you know one account, it isn't so easy to figure the others. Especially when most software/hackers try the known password against other known accounts and it fails, they usually give up!

One final note: Blizzard Authentication Keys are really cheap and guarantee that, without having physical possession of the key, you can't login - That said, if someone needs to login for you (eg: Me, when I'm in hospital) they need the key, so not great if that other person is an hour away and can't call to find out what the current code is ;-)

All the best,
Tig
Rage

  • Administrator
Re: Security Primer
« Reply #1 on: 15 January, 2009, 16:06 »

Some very nice tips there Tig ty m8  :)

sweetfa

  • Administrator
Re: Security Primer
« Reply #2 on: 15 January, 2009, 18:40 »

Thank goodness you do it all for me Tig :)
always treat others as you wish to be treated

Brontofobic

  • Guild Officers
Re: Security Primer
« Reply #3 on: 16 January, 2009, 00:26 »

Tnxs for the tips m8 :), 2 bad i got no credit card to buy such token device :(