How to not be "hacked"
Post by TheReal
READ BLIZZARD'S TIP SITE: http://us.battle.net/security/
Automated account recovery: https://us.battle.net/account/support/account-recovery.html
I have been playing WoW for about 3 years now and have never had my account hijacked (what some people call "hacked," which most of the time is incorrect anyway). I have been studying IT security for the past two years and have learned a thing or two about information security. I'd like to share with you how to protect your WoW account and computer from all those evil baddies out there on the cloud. For starters, read this and this. We can categorize threats to our accounts in the following ways:
Voluntary Release of Account Information
Most of the time an account is compromised because its owner was tricked into providing the account name and password to a malevolent third party. I will call the following passage The Golden Rule. Repeat this until you know it and would willingly give up your eyes if you forgot it:
My account name and password should only be entered on the game's log-in screen and on the official site. There are no other cases in which I am to consider entering this information anywhere else.
Emails appearing to be from Blizzard sometimes ask you to provide account information because of suspected activity that goes against the game's ToS. Ask yourself this: Why would a Blizzard employee with access to my account information need me to give out the information? Trust me, if a Blizzard employee needs it, he or she will check your file. Just delete that email.
Another piece of information important to those who hijack accounts is the answer to your secret question. What's your secret question and answer? Don't know? You'd better find out and then become HIGHLY suspicious of anyone who wants to know anything that has to do with that question. Someone with access to only your account name and secret answer can hijack your account without your password. Be very protective of the answer and anticipate all the questions that could be asked of you to cause an accidental slip.
Oh, and never purchase powerleveling services. The powerleveler needs your account information to fill the order. Refer to the Golden Rule above.
Involuntary Release of Account Information
Here's where we get into the deep stuff. All manner of malware is capable of directly or indirectly stealing your account information. The most common form of malware that hijackers use is a keylogger. Keyloggers record your every keystroke and then email the log to a remote destination. The log of your key presses could very well contain your WoW account information. You can get your own keylogger by visiting a website that runs a script, exploits an unpatched vulnerability in your web browser, and installs the nasty bugger without your knowledge. Do not fret! Some free protections do exist against keyloggers, and we'll look at those in the next section.
Brute Force Attack
This kind of attack on your account is the rarest of the rare. Basically a hijacker learns an account name or guesses it, then tries every conceivable password he can think of. There are even programs out there that will try every word in a dictionary and every positive and negative number for 15 digits, then mix them together, then throw in special characters...basically, everyone's password can be cracked. All that's required is time.
Gryphon Ninja-Edited me! = )
Post by TheReal
Protecting your Account
In light of the recent mandatory change to Battlenet, use an email address for your account that you do not use anywhere else. Create one if you have to. Yahoo, Hotmail, and Gmail (among others) are all free. Gmail can even be configured to forward mail to your usual email address.
Use the little box on the sign-in screen that's labeled "remember account name." If you don't have to type it in, some keyloggers cannot see it.
Choose a complex password for your account. "Password" is not a strong password. "tqbfjotld" is a little stronger but needs some numbers and/or special characters. Is it too hard to remember though? No. The quick brown fox jumped over the lazy dog; just using the first letters of each word in a common phrase provides better security than something like "qwerty." Go for a mix. "Ph560Yy!" is not entirely difficult and mixes things up nicely to help prevent brute-force attacks.
Change your password every so often. At the very least, change it every 60-90 days. The more often you change your password, the safer you'll be.
Use a password safe like KeePass to store your website passwords. Oh, you only use one password for all 50 sites you visit? Naughty naughty. With KeePass, you can use a different, randomly-generated password on each of those 50 sites and only have to remember the one password to open your password list. And yeah, it's free also. This keeps you from writing down your passwords too, which is also a big security no-no.
Be sure your antivirus and antispyware programs are fully up to date and perform regular scans at LEAST once a week and whenever you're done on the pr0n sites. Two of the best free antimalware programs, which I run, are Malwarebytes' Antimalware and Spybot S&D.
Install the latest version of any browser that you use. Internet Explorer is the most popular browser, so malware is more often written to target its vulnerabilities. Choosing another browser can be helpful as well. Mozilla Firefox or Chrome can emulate IE (using an add-on) for when you need to visit Internet Explorer-specific websites.
Install the Mozilla Firefox add-ons Web of Trust, Noscript and AdBlock Plus. Web of Trust puts a color-coded icon representing a site's trustworthiness beside search engine results, Noscript takes care of those web sites that install keyloggers without your knowledge, and AdBlock Plus keeps spyware from loading too.
If you're using Windows XP, install SnoopFree Privacy Shield. This one is the most important because even if you do get a keylogger, telling SnoopFree to block ALL attempts to hook your keyboard renders keyloggers completely useless. Sure you may have 20 of them, but none of them can read your keystrokes.
I keep my password stored in a .txt file with about 50 more lines of garbage and simply ctrl-c to copy it and ctrl-v to paste the correct password into my log-in screen. I keep this file buried in subdirectories nowhere near my WoW directory and did not name it "WoW Password." Some keyloggers can read your clipboard, but many are too simple to have that functionality. It's just one more precaution.
Upload any suspicious file and every new add-on to VirusTotal. They'll scan it using 39 different virus scanning products and let you know with almost absolute certainty if the file is clean or not.
Contributed by Strandvaskeren - Only log into your WoW account from a computer you trust is clean. Logging on from an Internet cafe or a friend's computer can expose you to any malware risk previous users may have left behind, either intentionally or unintentionally.
Logging into your account over an unencrypted wireless connection is also risky. Packet sniffers can recover information sent over the network. Even though it's nice for Starbucks to offer a free wireless hotspot, don't use it for WoW.
Secunia PSI helps you keep software vulnerabilities patched up. Did you know when Java updates it does not remove the old version? You can bet Java isn't the only program like this.
Contributed by Wowhead user lolstorm: Consider setting up the parental controls through your account management page. Make it so that you can only play when you'd normally play. By taking this measure, you can basically lock everyone out of your account while you're away on vacation or even while you sleep. The password to configure the parental controls is different from the regular account password, so this seems to be a very effective, additional layer of security.
The Blizzard Authenticator is an excellent tool that will help you maintain some degree of account security if you should choose to ignore the above bulleted points. Called a One Time Password Generator (OTP), the authenticator creates a second password that users need to log into World of Warcraft. The password generated will only be good for about 15 seconds. The authenticator is less than $10 and is easily linked to your WoW account.
One may think that the authenticator is good enough to protect an account, but please see my response to Crimor below. There is also an interesting article here. The third principle in information security is defense in layers, and the ideal is influenced by the first principle: there is no such thing as absolute security. Even steel walls ten inches thick cannot keep a thief out of a safe full of valuables forever. My advice is to pile on the security mechanisms but never get too comfortable.
Recent Development: emcor.dll is a man-in-the-middle type virus that was created to foil the authenticator. Read about it here.
Post by Crimor
Get an auth dongle thingy, problem solved, /thread.
It's even free if you have an iPhone (and soon any smartphone).
Post by TheReal
> Get an auth dongle thingy, problem solved, /thread.
> It's even free if you have an iPhone (and soon any smartphone).
Until an account hijacker claims he is you and lost the authenticator, produces your account information from his keylog of your computer, and hijacks your account. It has happened.
Edit: It may not have happened, as I've discovered, but the possibility exists because the only thing that keeps this from happening is a human following a security policy. Humans, as we know, are prone to errors in judgment as a result of social engineering.
Post by 317554
This post was from a user who has deleted their account.
Post by 338181
This post was from a user who has deleted their account.
Post by Kailhun
If you install Firefox etc., make sure you just use Firefox. It won't help if you keep using Explorer.
I'm not sure a hijacker can get all the info he needs from his keylog. The authenticator has a number on the back you use to link and unlink it to your account. If the authenticator breaks I would assume that Blizzard won't unlink until you give the number. The number (hopefully) isn't stored on your computer and only exists in the Blizzard archive and on the back of the authenticator (and perhaps your paper notebook). If you claim to have lost the authenticator I don't know what info they might ask. But it may be info you only gave when making an account.
In both cases it's info the hijacker can't easily get at unless you store it on your computer or he breaks in (your house or the Blizzard archives).
Besides, the point of the authenticator is not to make it impossible to hijack the account, but to make it easier to hijack an account which doesn't have the authenticator. It's like a bicycle: you only have to put more or better locks on than there are on the next bike.
Post by 292411
This post was from a user who has deleted their account.
Post by 334295
This post was from a user who has deleted their account.
Post by TheReal
> I think you need to add: only log on from a system you trust. I only log on to WoW from my own computer. Never at a friend's house, the net cafe or any other place.
Done. Great call.
> What free antivirus do you recommend? I've been using Spybot S&D but it has missed a few things and I'd like something that runs active scans as I receive files.
Avast is a very good, free antivirus program (added because of aptana's suggestion). Avira is pretty well respected and it's been proven to be the best at both detecting viruses and making false positives. AVG is another option, but I personally wouldn't buy any stock in it. The problem is that antivirus programs integrate with your OS shell quite tightly, so you can really only use one reliably. What you say about brute force getting through a difficult password is true, though there is a freak chance a brute force program could happen upon the correct password abnormally early. The point is that it COULD happen, not that it's likely to happen.
When scanning your computer for viruses, the best way to nail one WoW-related is to start your computer in safe mode WITHOUT networking (press F8 at startup), launch WoW through launcher.exe (without entering account details), then alt-tab out and start your virus scan. Some malware is sophisticated enough to only start after WoW.exe is started.
Post by 292411
This post was from a user who has deleted their account.
Post by 187668
This post was from a user who has deleted their account.
Post by NeoBlackheart
WHY IS THERE NO REQUEST STICKY BUTTON!1!
On another note, I have had my account hacked and it was by none of the above.
Be careful of your email: if anyone can get into your email they can do a "forgot password", have it sent to the email, then make it so they were never even there. Except mine forgot to delete the Trash folder items, so I got lucky on that.
Post by 133454
This post was from a user who has deleted their account.
Post by yawgmoth
dongle heheheheheheheheheheheeeee.
*cough* erhm. <.<;;
Post by TheReal
> Just an extra thought. Maybe you could type half your password, throw in a string of random gibberish, then highlight said string and backspace.
> e.g. password = spaceballs: type in spa[fens]ceba[fes]lls and highlight-backspace the bracketed parts.
> That should also stop keyloggers from tattling on what your password is, right?
That may fool some simpler keyloggers, but the more advanced ones report all input like cursor position and such. I do suppose the extra precaution can't hurt, but it's quite the cumbersome precaution don't you think?
Post by 267241
This post was from a user who has deleted their account.
Post by 303016
This post was from a user who has deleted their account.
Post by twsX
Great! We really needed something like this. *votes for sticky*
A few notes:
> Keyloggers can be loaded into your computer without your knowledge because you visit a web site that runs some Javascript to put it there.
Javascript can't save anything on your system, let alone execute it. Yes, sometimes there are buffer overflow vulnerabilities related to JS, but this is usually not how people get viruses. Usually, it's either poor poor IE users who get infected through a malicious ActiveX applet, Java applet or simple .exe file download (i.e. INSTALL DIS IT WILL SPEED UP YER PC!1)
> Choose a complex password for your account. "Password" is not a strong password. "tqbfjotld" is a little stronger but needs some numbers and/or special characters. Is it too hard to remember though? No. The quick brown fox jumped over the lazy dog; just using the first letters of each word in a common phrase provides better security than something like "qwerty." Go for a mix. "Ph560Yy!" is not entirely difficult and mixes things up nicely to help prevent brute-force attacks.
I recommend remembering a sentence and using the first letters, including all special characters. Example:
I usually eat 5 hamburgers a day! = Iue5had!
This will get you a password with lower- and upper-case characters, numbers, and special characters.
> Install Mozilla Firefox
Although Firefox is obviously a huge security upgrade for an IE user, it's not exactly the safest browser either. This may not be as comfortable and "simple" as you want, but if security is your primary goal, you should go with Opera or Google Chrome.
> I keep my password stored in a .txt file and simply ctrl-c to copy it and ctrl-v to paste it into my log-in screen. Some keyloggers can read your clipboard, but many are too simple to have that functionality. It's just one more precaution.
I seriously recommend you do NOT do that. This is close to as careless as giving your password to a friend of yours.
Edit: Oh, and a paragraph with a short explanation why people should stop presuming they were hacked would be awesome.
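The sentence-initials trick above, and the brute-force "all that's required is time" argument from the opening post, put into code as an added example that is not from any poster: `initials()` derives the password the way twsX describes, and `search_space_bits()` estimates the size of an exhaustive search for the passwords discussed in the thread ("qwerty", "tqbfjotld", "Ph560Yy!"); the guess rate is an assumed, constructed figure.

```python
import math
import string

# Alphabet size contributed by each character class a password draws from,
# for a pure try-everything estimate of the kind the opening post describes.
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}


def initials(sentence: str) -> str:
    """Password from a memorable sentence: the first character of each word,
    plus every punctuation mark kept in place (digit words stay as they are)."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    return sum(size for chars, size in CLASS_SIZES.values()
               if any(ch in chars for ch in password))


def search_space_bits(password: str) -> float:
    """log2 of the candidates an exhaustive search must cover. Caveat: a famous
    phrase (the quick brown fox...) or a dictionary word is guessed far sooner
    than this figure implies; it only holds if the attacker must treat the
    password as random characters, which is why a private sentence is better."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst case for the attacker (every candidate tried) at an assumed rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("qwerty", "tqbfjotld", "Ph560Yy!", initials("I usually eat 5 hamburgers a day!")):
        print(f"{pw:12} {search_space_bits(pw):5.1f} bits  {years_to_exhaust(pw):.3g} years")
```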
Post by 410279
This post was from a user who has deleted their account.