Author Topic: Recent Hacking Attempt  (Read 10142 times)

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #15 on: March 21, 2017, 11:37:13 am »
Seriously though, I swear I knew that Steam's 2-factor authentication had a hole in it. I refused to use it, and told them I thought there was a gap, but they refused to believe me swearing that it was secure.

Jerks. Should have listened to me and this wouldn't have happened to Chris.
The 2FA itself did fine. Actually it was key in our being able to respond as quickly as we did.

But 2FA is only one piece of steam's login security.

Yep, indeed.  I don't want to say more than that, because otherwise it will give sneaky people ideas.  Not anyone here, but this is public on the anonymous internet for anyone to find in google, after all.

But yes -- I'm not a bot.  Beep boop.

...I think I'd like to be called... Barbara...
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Cinth

  • Core Member Mark II
  • *****
  • Posts: 2,527
  • Resident Zombie
Re: Recent Hacking Attempt
« Reply #16 on: March 21, 2017, 11:56:25 am »
...I think I'd like to be called... Barbara...

Are you sure about that?
Quote from: keith.lamothe
Opened your save. My computer wept. Switched to the ST planet and ship icons filled my screen, so I zoomed out. Game told me that it _was_ totally zoomed out. You could seriously walk from one end of the inner grav well to the other without getting your feet cold.

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #17 on: March 21, 2017, 12:24:03 pm »
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Cinth

  • Core Member Mark II
  • *****
  • Posts: 2,527
  • Resident Zombie
Re: Recent Hacking Attempt
« Reply #18 on: March 21, 2017, 12:49:18 pm »
Quote from: keith.lamothe
Opened your save. My computer wept. Switched to the ST planet and ship icons filled my screen, so I zoomed out. Game told me that it _was_ totally zoomed out. You could seriously walk from one end of the inner grav well to the other without getting your feet cold.

Offline BadgerBadger

  • Arcen Volunteer
  • Hero Member Mark III
  • *****
  • Posts: 1,229
  • BadgerBadgerBadgerBadger
Re: Recent Hacking Attempt
« Reply #19 on: March 21, 2017, 12:50:49 pm »
So my headcanon is now that Chris is an android and Cinth is really a zombie. This only makes the game more entertaining!

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #20 on: March 21, 2017, 12:56:49 pm »
What am I?
A saint?

No miracles yet, and I'm told it takes 3 as well as being dead for a while.

So my headcanon is now that Chris is an android and Cinth is really a zombie. This only makes the game more entertaining!

It may not come as much of a surprise, but as a kid I was really into the Not Quite Human books, where the main character is an android trying to blend in to high school.  Cinth is more of a phoenix than a zombie -- he spent some time in the ol' Neinzul Regeneration Chamber, at least.
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Cinth

  • Core Member Mark II
  • *****
  • Posts: 2,527
  • Resident Zombie
Re: Recent Hacking Attempt
« Reply #21 on: March 21, 2017, 02:33:49 pm »
No miracles yet, and I'm told it takes 3 as well as being dead for a while.

I'm pretty sure I can count 3 just with me ;)

Cinth is more of a phoenix than a zombie
That's a better analogy than Lazarus, though rising from the ashes hurts like a ****************.

Quote from: keith.lamothe
Opened your save. My computer wept. Switched to the ST planet and ship icons filled my screen, so I zoomed out. Game told me that it _was_ totally zoomed out. You could seriously walk from one end of the inner grav well to the other without getting your feet cold.

Offline Chthon

  • Sr. Member Mark II
  • ****
  • Posts: 398
Re: Recent Hacking Attempt
« Reply #22 on: March 22, 2017, 12:11:30 am »
Seriously though, I swear I knew that Steam's 2-factor authentication had a hole in it. I refused to use it, and told them I thought there was a gap, but they refused to believe me swearing that it was secure.

Jerks. Should have listened to me and this wouldn't have happened to Chris.
The 2FA itself did fine. Actually it was key in our being able to respond as quickly as we did.

But 2FA is only one piece of steam's login security.

No, actually there is a hole in the 2FA as well, and for similar reasons as Chris stated, I don't really go into that here. If the 2FA had actually worked right, this would have been more difficult for the hack.

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #23 on: March 22, 2017, 10:39:47 am »
I believe you that there's a hole -- didn't mean to imply otherwise.  The main thing is that this particular hole wasn't used here, to my knowledge.  The vector this attacker took seems... well, again, I won't go into that here.  But I think this is a second thing rather than whatever you found.  If you want me to raise the issue with some of the higher-up Valve chaps regarding the 2FA hole, feel free to email me at chrispark7 at gmail.  I wouldn't PM that on the forums, just in case.  It's up to you, I'm not really wanting to get caught up in their security stuff.
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Professor Paul1290

  • Sr. Member Mark II
  • ****
  • Posts: 395
Re: Recent Hacking Attempt
« Reply #24 on: March 24, 2017, 03:58:50 pm »
I smell [redacted, sorry -- Chris]

If it did then OH C'MON REALLY VALVE?! *grumpy noises*
« Last Edit: March 24, 2017, 04:28:11 pm by x4000 »

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #25 on: March 24, 2017, 04:29:03 pm »
Redacted your comment, sorry about that.  ;)

*whistling*

In fairness, while that was a component, the method for duping it was super slick.
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline Professor Paul1290

  • Sr. Member Mark II
  • ****
  • Posts: 395
Re: Recent Hacking Attempt
« Reply #26 on: March 24, 2017, 05:24:42 pm »
Redacted your comment, sorry about that.  ;)

*whistling*

In fairness, while that was a component, the method for duping it was super slick.

Oh dammit, I was hoping to be wrong about that one for once.  ::)

Seriously, 2FA definitely helps but it's not going to stand up to targeted attack if they don't take care of issues with [redacted].
I mean, at the very least they Steam should provide a more secure form of [redacted] for important accounts like developers and such.

Unfortunately, Steam is far from alone in having security issues with [redacted].


EDIT:

All that said for anyone reading this you should definitely still use 2FA whenever practical because it does improve things a lot over just having a password, even in Steam's case.

I guess that's obvious, but I feel like I need to clarify that because more often than not when I complain about security issues I feel like someone might take it out of context and end up not doing something that would actually improve security for them because I'm complaining about it.  :P
« Last Edit: March 24, 2017, 07:30:46 pm by Professor Paul1290 »

Offline Chthon

  • Sr. Member Mark II
  • ****
  • Posts: 398
Re: Recent Hacking Attempt
« Reply #27 on: March 24, 2017, 11:32:24 pm »
I would use the 2FA if it weren't an app. There is a specific security flaw in making it an app. This is why Twitter, Google, and many others instead now send text messages instead.

Offline Cyborg

  • Master Member Mark III
  • *****
  • Posts: 1,957
Re: Recent Hacking Attempt
« Reply #28 on: March 24, 2017, 11:49:30 pm »
Yeah, Chris, I use 2FA, but it would be great if you could ask your valve contacts to get things independent of the app. It's annoying to use.
Kahuna strategy guide:
http://www.arcengames.com/forums/index.php/topic,13369.0.html

Suggestions, bugs? Don't be lazy, give back:
http://www.arcengames.com/mantisbt/

Planetcracker. Believe it.

The stigma of hunger. http://wayw.re/Vi12BK

Offline Professor Paul1290

  • Sr. Member Mark II
  • ****
  • Posts: 395
Re: Recent Hacking Attempt
« Reply #29 on: March 25, 2017, 01:05:55 am »
I would use the 2FA if it weren't an app. There is a specific security flaw in making it an app. This is why Twitter, Google, and many others instead now send text messages instead.

You are misunderstanding how 2FA works.

Getting 2-Step Authentication codes via SMS is NOT proper 2-Factor Authentication. It is not second factor because it is not "something you have". You have to be sent the code by the site in order for that to work and SMS can and has been re-directed for the purposes of account takeover.

Proper 2-Factor Authentication requires either an app (such as Authy, FreeOTP, or Google Authenticator) or a device (such as a Yubikey) because a proper 2FA involves running an algorithm, usually a TOTP algorithm.
2FA using TOTP does not require the service to send you anything (aside from maybe a message telling the app to generate a code for you for convenience), because the code is generated on both sides using a combination of the current time and a shared secret key that created when the 2FA was first set up.
Simply intercepting the generated codes is more difficult because they only need to be sent one-way and even if you can intercept them they would only work for individual login sessions. It's not practical to find the secret key using the generated codes because the algorithm used to generate codes from the secret key is very efficient going forward but requires an impractical amount of computing power and time to reverse.
In order to generate a valid code you need the secret key, which stays on the user's device and never needs to be sent over the network and because of that it can serve as an actual "something you have" second factor.
It even works offline provided device has its clock set correctly (try using a 2FA app without a network connection, it still works).

Technically Steam is doing 2FA correctly by using an app.

What Steam is doing wrong with 2FA, at least in my opinion, is that they've insisted on only using their own app rather than using an already established standard used by other 2FA apps.
If Steam did not stubbornly insist on using their app then users could choose whatever 2FA app they wanted (like Authy, FreeOTP, or Google Authenticator) and it would be much more convenient, especially for those of us who use 2FA regularly and already have already chosen an app we prefer.


Also, if anyone was wondering, account takeover via [redacted] does not involve 2FA in any way as it's taking over the account using a completely different mechanism that Steam and other sites really need to better secure.
In fact, part of the reason [redacted] has recently become a more common method of account takeover in some cases is because proper 2FA works so well that it's easier to find another way in rather than to try to attack the 2FA directly.
« Last Edit: March 25, 2017, 01:18:58 am by Professor Paul1290 »