Heightened Security on the Windows PlayOnline Viewer

[Feba]

Originally Posted by curewhore

I was recently hacked

That's nice. It's not SE's fault, and frankly they have better things to add to their software than something which makes people like yourself feel like you're even more secure when you're still just as at risk. They're doing you a disservice, if anything. If they have to assist people, spend the money they put into having their programmers implement this crap into hiring on some customer service reps to help people get their account backs. At least then you're actually doing something about stopping the abuse (getting the accounts out of their hands quicker, and back to your users with fewer problems) and not just stopping it for a month or two.

[Phanex]

Well there is a bit of difference between the players who used a 3rd party tool vs. someone who just went to a common website and DL the virus/worm/w/ever to their pc.

We all know that somepage was one of the few websites believed to be behind some of the earlier attacks, and we all know, if I remember correctly, that Somepage was hacked, and SE got in touch with them telling them what happened. I read all this on here, and I’m too busy to go back and look it all up.

So blaming the players cause they went to somepage, like they always did, is kinda foolish. If it were something an anti-spy/virus program could detect, then it wouldn’t have gone on as long as it did. In fact, SE customer service simply says there is NO way to remove/detect it as of yet, short of formatting your hard drive. And since it is a keylogger, and since not everyone can format their pc’s due to lack of cd’s or w/ever the case may be, this new security measure will help those folks out.

And didn’t the Flash player also have a security risk that SE told ppl to go update it as soon as possible? The hackers are using all the weakness of the Window’s system and other programs it uses to gain access to the player’s information. At least from what I can gather.

Will this solve future problems, I don’t know, but it might. I find it sad that some people go around saying, it’s the user’s fault cause they didn’t do this, the user should do that, yet them same people wont’ tell anyone where to go, what to do, which page to view, etc. Be part of the solution, not part of the problem.

And I don’t see McAfee or Windows spending their research money trying to solve this little keylogger program, at least until whoever made it starts using it to steal credit card info or making a bigger presence outside of the FFXI community.

And yes, there are the few ppl out there do “leave their car unlocked”, but don’t criticizes everyone else that’s in the same boat as they are.

[Mhurron]

Originally Posted by Phanex

So blaming the players cause they went to somepage, like they always did, is kinda foolish.

If you were up-to-date on your patches, you wouldn't have had a problem. The exploits that both of these waves used were fixed weeks or months before they were exploited.

Honestly, users have no one but themselves to blame.

[Phanex]

Please inlighten us what these "exploits" were and what update fixed them? Because people are still getting hacked to this day, and they need help.

I never got hacked, but my room mate did, and yes his auto update for windows is on, and always was. And he got hacked last year, around Dec 1. He's not the newer ones.

[Taskmage]

Originally Posted by Mhurron

If you were up-to-date on your patches, you wouldn't have had a problem. The exploits that both of these waves used were fixed weeks or months before they were exploited. Honestly, users have no one but themselves to blame.

Heck, in the second round of hackings, somepage got infected with the exact same RealPlayer exploit as before. The same site with the same exploit ... and even though there was mass panic about it the first time it happened there were still tons of people who never bothered to figure out what they could do to protect themselves and kept using the site. SE spoke with the site owners and that made everything ok I guess. It's like Dr Square came in and said "We've talked one of your sexual partners and they've agreed to seek treatment for their syphillus," and the userbase went "Great! Now I can go back to having unprotected sex with them and four other people!"

Which is exactly what's wrong with this update, or rather the reaction to it. SE has done something, a thing, so people are going to assume that they're safe when they're still very much not and continue to visit frequently compromised sites with unsecure browsers and a bunch of useless software on their system with year old security loopholes. Some of them won't even use the virtual keyboard, I bet, and when they get hacked they're going to say SE should have done more.
_______________

And now I'm officially a security snob like Mhurron and Feba.

[Mhurron]

Recent - FLASH: Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability DATE:Apr 08 2008 PATCHED: Apr 8 2008 EXPLOITED: Two weeks ago

Last year - REAL PLAYER/IE:https://forums.symantec.com/syment/b...age.uid=305543 DATE: Oct 19 2007 PATCHED: Oct 22 2007 EXPLOITED: Late November/Early December

Honestly Taskmage, people already assumed they were safe. Everyone always does until it bites them in the ass. Then they go around crying that someone should have done something about it.

[WishMaster3K]

I just, generally, stay away from both IE and Realplayer.

[Aksannyi]

Want to know what I learned today?

I learned that POL doesn't accept any of these !@#$%^&*() characters in passwords. You see, I changed my password last night on my laptop, and it contained a * when I typed it. I do this with passwords becaues it makes them harder to figure out.

Well I tried to log in today on the PC, and obviously my new password hadn't been saved on the PC yet, so I knew I'd have to put it in and re-set it. Only I kept getting an "incorrect password" message. Um ... what? I tried it with the CAPS on, just in case I was retrarded enough to change my PW with it on. No dice.

So I close POL on the PC and open it on the laptop, just to make sure that I can actually log into my account. And I can, so (whew) I wasn't hacked. So I figured I'd go into the password menu to maybe see what I could find out, and the soft keyboard thing pops up, with ... you guessed it ... no !@#$%^&*() on it.

Sure enough, I counted the characters of the password I'd saved and it was exactly one less than I thought. Tried it without the * on the PC and I'm in game.

So, this is interesting and pretty stupid. If I want an * or a % in my password, why can't I have one? That makes our passwords stronger, doesn't it? So I went out of my way to make a password that contiained numbers, lowercase, uppercase, and special characters but SE wouldn't allow it. WUT?

Also I cussed out my computer for a solid 3 minutes over this.

[Mhurron]

Originally Posted by Aksannyi

If I want an * or a % in my password, why can't I have one? That makes our passwords stronger, doesn't it? So I went out of my way to make a password that contiained numbers, lowercase, uppercase, and special characters but SE wouldn't allow it. WUT?

Input it once when you know it's clean and let it save the password.

Then use this feature:

Quote:

- Security Settings We introduced "Security Settings" to manage PlayOnline passwords with even further heightened security. Because passwords entered on the PlayOnline Viewer are encrypted and saved to the hard drive to prevent other computers from decrypting them, even if the corresponding file is stolen, no password information will be accessible. To advance our security technology even further in dealing with spyware, we have made the encryption key for each computer randomly generated and saved to a destination folder the user designates in "Security Settings." For example, if the user saves the key file to an external device such as a USB memory card and disconnects the device when it is not needed, security will be considerably strengthened. "Security Settings" has been added to the PlayOnline Viewer's Login menu. After selecting it and designating a destination folder for the encryption key, a file name composed of random alphanumeric characters will be created in that folder.

If you're the only user of your system, don't bother with the software keyboard. Let it save the password so you don't have to enter it anyway. You'll only need to enter it then for doing other account related activities, which for most people are relatively rare.

[Aksannyi]

I did save the password. It saved it without the *. And I actually typed it in, I just never realized that it didn't accept the asterisk. But that made the password incorrect when I entered it on the PC.

[Feba]

Originally Posted by Taskmage

It's like Dr Square came in and said "We've talked one of your sexual partners and they've agreed to seek treatment for their syphillus," and the userbase went "Great! Now I can go back to having unprotected sex with them and four other people!"

Quite possibly the best analogy I've ever heard.

For as much porn as there is on the internet, it's sad people don't realize how close it can be to sex sometimes.

Aksannyi, Mhurron was saying "Don't worry about that, just do this, it's even MORE secure than adding one little character to your password".

[Mhurron]

I always keep all my passwords 1234, the same a my luggage. It's just easier that way.

[Feba]

Oh?

I thought your password was "ManIAmFuckingAwesome".



I assumed you just had your luggage custom made.

[Aksannyi]

Originally Posted by Feba

Aksannyi, Mhurron was saying "Don't worry about that, just do this, it's even MORE secure than adding one little character to your password".

Ahh, okay. I mis-read him then.

[Phanex]

Quote:

Last year - REAL PLAYER/IE:https://forums.symantec.com/syment/b...age.uid=305543 DATE: Oct 19 2007 PATCHED: Oct 22 2007 EXPLOITED: Late November/Early December

LOL as Feba would say, That's nice. But he didnt' have real player on his PC, he only used Window's media player.