Hotcakes: Valve Fails The Community Yet Again On Reviews


Marks reviews off topic that are not.


FYI: Rose Online Has Already Been Hacked


Usernames and partial passwords leaked.


PSA: Denuvo Anti-Cheat In Doom Eternal Is Kernel-Level Driver


Thought you ought to know.


Epic Games Will Periodically Require 2FA For Free Games


Starting now.


Riot Games Offers Statement On Valorant’s Anti-Cheat


Anti-cheat runs at root level and always launches at boot until uninstalled.


PSA: Update Windows 10 Right Now, NSA Posts Critical Vulnerability


You know a security issue is going to be a big problem when the National Security Agency is posting an APB for people to update their computers as soon as possible.

The United States Department of Defense has issued a critical security warning advising users of Windows 10 to ensure that their operating systems are up to date. The NSA identified a vulnerability that will allow malicious software to be installed on a machine by fooling Windows into thinking that it is an official update. The most up to date versions of Windows have allegedly patched this bug, and the department warns that it expects exploits to start cropping up in the very near future.

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

Source: NSA

Bungie’s Statement in Regards to Destiny 2 Bans


Bungie has released a statement regarding the Destiny 2 bans that MMO Fallout reported on last night. For the sake of clarity, we are posting the statement in its entirety.

We have seen lots of questions about bans being issued in the PC version of Destiny 2. To provide some information, we would like to share some facts.
The following is true:
  • Destiny 2 cannot automatically ban you, only Bungie can ban a player after a manual investigation
  • Yesterday, we banned approximately 400 players on PC
  • Bans were applied to players who were using tools that pose a threat to the shared ecosystem of the game
  • We did not (and will not) issue any bans for the use of overlays or performance tools, including Discord, Xsplit, OBS, RTSS, etc.
  • Information on using third-party applications can be found here: https://www.bungie.net/en/Help/Article/46101 
  • We are overturning 4 of the bans that were issued during the PC Beta
We are committed to providing an experience that is fun and fair for the millions of players who have joined us in this community.

Necessary Security Features



Security is a constant back and forth on the internet, a never-ending battle between business, thieves, and customers, and while customers have an obligation to do more to secure their accounts, the onus also falls on businesses to keep their back end safe. Securing accounts has become more and more of a legal issue in this day and age, with businesses facing heavy ramifications in the form of civil lawsuits and criminal penalties for not keeping their customers’ data safe. With that in mind, we’ve compiled a list of security features that should be utilized by all services, but for some reason may not be.

  1. Lockout timers: Brute force attacks should be the easiest method of account theft to deter, but for some reason they are still an issue. Many games that carry lockout timers on their website do not offer the same protection inside the game client, and if you can figure out someone’s password by brute forcing a client then the entire feature is pointless.
  2. Notification: This goes hand in hand with the lockout timer. If someone tries to get into my account and fails, I want to know. If someone logs in with the correct password but can’t get past the two factor authentication, I want to know because it means someone has my password and there might be a virus on my computer. Businesses have the ability to detect suspicious activity, and they have an obligation to inform the user if something strange is going on.
  3. Case sensitive passwords: I shouldn’t even have to add this to the list, but here it is. In 2014, RuneScape still does not use case-sensitive passwords. Blizzard apparently does not use case-sensitive passwords on their website. Couple this with #1 and you make brute forcing an account a very time-consuming endeavor.
  4. Two-factor authentication: There are so many ways that two-factor authentication can be utilized that it isn’t funny. By text, by phone call, smartphone apps, tablet apps, point-and-click PIN tools, physical dongles, desktop-based authenticators like Google Auth, and more. There are no more excuses as to why developers would not have some form of two-factor authentication.
  5. One-click purchases: RuneScape will not allow me to buy/sell anything in-game if I don’t enter my PIN first, nor will they allow me to use the Grand Exchange on the companion app if I don’t have two-factor authentication enabled on my account. I won’t deny businesses the power of impulse-buying that one-click purchases allow for, but you should not afford your customers this pleasure unless they have two-factor authentication enabled. Cleaning out an account is one thing, those items can be restored by customer support, but allowing someone to go hog-wild and start racking up credit card charges? You’re asking for a lawsuit, and you deserve one.
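
For items 1 and 2, the failure counter has to live behind every login path, keyed on the account, and each failure has to reach the owner. The sketch below is an added example, not code from any game mentioned here; `LoginGuard`, the policy constants, the channel names and the sample credentials are all assumptions made up for illustration.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 900  # assumed policy values

class LoginGuard:
    """Failure counter keyed on the account, shared by every login channel."""
    def __init__(self, check_password, check_code, notify, clock=time.time):
        self.check_password, self.check_code = check_password, check_code
        self.notify, self.clock = notify, clock
        self.failures = defaultdict(list)  # account -> recent failure timestamps
        self.locked_until = {}             # account -> unlock time

    def _fail(self, account, channel, reason):
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS] + [now]
        self.failures[account] = recent
        self.notify(account, reason, channel)      # item 2: tell the owner
        if len(recent) >= MAX_FAILURES:            # item 1: web and client share one count
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
            self.notify(account, "locked", channel)

    def login(self, account, password, code, channel):
        if self.locked_until.get(account, 0) > self.clock():
            return "locked"                        # even a correct password waits
        if not self.check_password(account, password):
            self._fail(account, channel, "bad_password")
            return "denied"
        if not self.check_code(account, code):
            # Right password, wrong code: someone else knows the password.
            self._fail(account, channel, "password_ok_code_failed")
            return "denied"
        self.failures.pop(account, None)
        return "ok"

def demo():
    """Constructed run: 3 bad web logins, then 2 through the game client."""
    events = []
    guard = LoginGuard(
        check_password=lambda a, p: hmac.compare_digest(p, "Correct-Horse-1"),
        check_code=lambda a, c: hmac.compare_digest(c, "492817"),
        notify=lambda a, reason, ch: events.append((reason, ch)),
        clock=lambda: 1000.0)
    results = [guard.login("alice", "guess", "", ch)
               for ch in ["web"] * 3 + ["client"] * 2]
    results.append(guard.login("alice", "Correct-Horse-1", "492817", "client"))
    return results, events
```

In the constructed run, the fifth failure arrives through the game client and still trips the lock, because the three website failures counted against the same account.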

And of course, our list for consumers:

  1. Passwords: Never use the same password twice, and especially don’t reuse your passwords on fan sites, which could be compromised and not even know it. Avoid passwords.
  2. Make it up: One way people can get into your accounts is by figuring out your personal details and simply getting it through customer support. Use fake birth dates, addresses, and the like and keep them written down so you don’t forget. Remember back in the day when you’d use a fake birth date to get into websites? Same concept, different reason.
  3. Updates: Keep your computer up to date, and that means all of your software. Plugins like Java regularly update to patch security holes; do not allow yourself to fall behind.
  4. Anti-virus: Have an anti-virus, a good one. Norton and McAfee are not good anti-virus programs; utilize tools like Avast and Windows Defender. Recognize that this isn’t 100% foolproof.
  5. Operating System: Don’t use a pirated copy of Windows, for crying out loud. I know you don’t want to pay the cost of the OS, but these are very often filled with backdoors at an OS level that even anti-virus programs won’t detect.
  6. Take Security Seriously: Keep up to date on security news.

It will likely never be possible to 100% secure an account; it is impossible, but we can do a hell of a lot more to protect customer data.

Trion Worlds Denies Security Breach



If you’ve been following ArcheAge discussion, you’re likely aware of a surge in player claims that their accounts were being subjected to unauthorized attempts to purchase the ArcheAge founders pack. Community Manager Scapes has responded to the allegations by stating that Trion Worlds has not been breached and the purchase attempts are a symptom of the same old account theft that goes on every day.

What happened in the last few hours is sadly nothing new: Every day, bots obtain user credentials from various unprotected sites around the Internet, build lists of login and passwords, and try them on Trion’s servers (along with many other sites). If players consistently use simple or repeated passwords across different online services, these bots may get access to their accounts. Because of the current momentum around ArcheAge, hundreds of millions of such attempts were made from well over a million different IP addresses in the last few weeks, only a fraction of which ended up being successful today.

All players affected by fraudulent charges will be refunded by Trion Worlds, and the Glyph client is being boosted with additional security features.

(Source: ArcheAge forums)

FFXIV Accounts Being Stolen Via 3rd Party Websites



Gold farmers often make use of accounts stolen from their previous customers or by breaching security at third party websites and matching lists of usernames and passwords, and as with any big MMO launch, Final Fantasy XIV is already seeing a surge in stolen accounts. In a post on the FFXIV forums, Square has confirmed that a third party source is using a list of stolen accounts from an outside website in order to break into player accounts and use them for gold farming and chat spam.

Currently, we have confirmed that a third party is using account names and passwords, thought to be obtained from security breaches of other companies’ online services, in attempts to gain unauthorized access to Square Enix accounts. If you are using the same account name or password as your Square Enix account on other online services, there is a much greater chance that a security breach at any of the other online services could potentially lead to your Square Enix account being compromised.

Accounts suspected of being stolen will be restricted until the user can verify their ownership.

(Source: FFXIV)