Sunday, September 19, 2010

Guild Ranks To Include Authenticators

Image courtesy of WoW Insider

The latest news from the Cataclysm beta program, via WoW Insider, is that guild masters have the option tp set guild ranks to require the player to have an authenticator on their account.

The obvious use for this is to have the guild master set this on any guild rank that has guild bank access. This will help reduce the chance of the guild bank being stripped in the event of an account compromise.

However, guild masters can go further by mandating that all of their raiders, and even all of their members, have an authenticator.  Too often we see raiding disrupted when key players have had their accounts hacked.  Just imagine the inconvenience when a progression raid gets cancelled because the main tank is waiting for his/her account to be restored after a hack.

This is a great initiative by Blizzard and will surely give people one less excuse for players to adopt this technology.

Some of the more common excuses for people not having an authenticator include:
  1. "I don't have a credit card" or "They don't deliver to my country" - download the free authenticator app for your mobile phone or ask a guild mate to purchase one for you and mail it to you
  2. "I am too smart/cautious to get hacked" or "I have never been hacked" - Vulnerabilities in your operating system and applications can very easily result in you downloading a keylogger by simply visiting a legitimate web site that may have been compromised.  For well-written exploits, no user interaction is required to become infected - you just need to visit a compromised web site.  Your game login and password is then shipped off to the bad guys.  See the recent Adobe example. Additionally, common passwords can be attacked by automated processes - you don't even need a keylogger on your system to fall victim.
  3. "I own a Mac" - Yes, you are less likely to pick up a keylogger since most are written for Windows however, owning a Mac won't stop you falling for phishing attacks.
  4. "I pay for this service, authenticators should be free" - I doubt that Blizzard are making any real revenue on a product that sells for $6.50 - they are just aiming to recover costs.  Think of the amount of money you have paid for your subscription to date, and then ask yourself if it is worth the extra $6.50 to reduce the chance of all your hard work being compromised.
  5. "It is inconvenient to type in the code" - the extra ten seconds required to login is a small price to pay for the extra security that it provides.
  6. "Authenticators have been hacked" - well, it was not the authenticator that was hacked, it was more that a keylogger picked up the authenticator code and, in real time, shipped it off to the bad guys.  This was a fairly sophisticated attack and required people power to do the real time processing.  Keep in mind that security is never 100% and that the authenticator is just making it more difficult for the bad guys to get into your account.  An authenticator is still a very effective tool in your security arsenal.
  7. "I don't care, Blizzard can restore my account after a few days" - if you are in a raiding guild then the delay in reporting and restoring your account may mean you miss out on raiding, potentially impacting your entire raid group.  This may even put your guild membership at risk if this happens regularly.
Check out Ten Easy Steps to Securing WoW for more security tips.

Thursday, September 16, 2010

Adobe Announces New Flash Vulnerability

Adobe Systems has recently disclosed a vulnerability in their Flash Player 10.1.82.76 for Windows, Mac, Linux and Solaris. The vulnerability allows the execution of code from a specially crafted PDF or Flash file. Adobe mention that they have seen this being actively exploited.

Put simply, this type of vulnerability could see you become infected with a keylogger simply by browsing a web site that has been compromised. We have seen WoW keyloggers installed via this type of Adobe vulnerability before in June and February.

Adobe has not released a patch for this as yet, but plan to have something available during the week of September 27.

You can reduce the chance of becoming subject to this attack by patching your flash player as soon as a patch is released and by running a PDF/flash blocker such as noscript in the meantime.

You can find more information on this at the Adobe Security Advisory site.