By now most gamers have heard about the NSA watching games like WoW and SecondLife for dangerous individuals. If you’re also watching out for potential impacts from the NSA’s activities exposed recently, you’re probably now saturated with odd and scary stories.
A meandering thought or two is below.
Frankly the entire concept reads like fiction to me, and is scary enough that I’m seriously considering changing a huge amount of what tools I use and what I do online.
By way of really dreadful example – please consider these revelations about what is plausible for surveillance. It is a video explanation of the methods recently exposed: actual hardware hacks, device exploits, and all other manner of “hacks and hijacks”.
Yesterday Blizzard issued an account security alert, not the first and not the last for a game company. In short – their systems were significantly compromised sometime around Aug 4 2012, and while no credit card information, billing addresses, or real names were exposed, the basic message is that everyone needs to change their passwords and account information. Details here.
Honestly I think that this is a mess, and a mess that demonstrates a few points worth noting for organisations which have either a vocal population or sensitive information (yes, everyone):
- Anyone is vulnerable to a hack, even the monolithic software devs. Consider that the larger the company, the larger the revenue, and the larger the honeypot of information that could be obtained. That makes Blizzard an exceedingly juicy target.
- Good tools and development principles can assist in protecting customers. The authenticator makes a big difference. The password storage mechanism inside the system/DB makes a huge difference.
- Telling customers the open truth will garner the best reaction. Following up with extra news and responses to questions will save the share price.
- Telling customers quickly is critical. If a customer finds out late then the vendor is on the hook for every poor experience in the customer’s mind from that point forward, however illogical they are.
- Always provide a plan of what to do next, and what is happening next.
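To illustrate the point about password storage above, here is an added Python example (not Blizzard’s code and not from the original post) using a constructed user table and a constructed attacker wordlist: with a fast unsalted hash, one precomputed table recovers every matching account from a breached database at once, while a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256) removes that shortcut.

```python
import hashlib
import hmac
import os

# Constructed sample users; alice and bob happen to share a weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist (a few entries stand in for millions).
WORDLIST = ["123456", "password", "password1", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for real deployments


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Identical passwords collide."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Stronger scheme: random 16-byte salt per user plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(db: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Hash each wordlist entry once, then look up every leaked hash in one pass."""
    table = {store_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def demo() -> tuple[dict[str, str], bool, bool, bool]:
    """Returns (cracked accounts, unsalted collision?, salted collision?, login ok?)."""
    unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store_salted(p) for u, p in USERS.items()}
    cracked = crack_unsalted(unsalted_db, WORDLIST)
    unsalted_collide = unsalted_db["alice"] == unsalted_db["bob"]
    salted_collide = salted_db["alice"][1] == salted_db["bob"][1]
    login_ok = verify_salted("password1", *salted_db["alice"])
    return cracked, unsalted_collide, salted_collide, login_ok


if __name__ == "__main__":
    print(demo())
```

Against the salted table the attacker must run the full KDF once per user per guess, which is the cost difference the bullet above is pointing at.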
It is not only that companies need good security (they do); they also need excellent protocols for security events. A gaffe in dealing with a breach will hurt long after the actual systems are restored. The public has a long memory.
This means that while trying to patch the issue Blizzard are also considering the PR damage control. It appears from my first review that Blizzard took the honest path – they spoke clearly about what happened. I think I read elsewhere that they have also involved external consultants to help. Even bloody better. Nothing makes a systems or a dev person stand up like having another techie review how you do things. In spite of the hack, it’s good to see.
So go update your passwords. I’m not sharing a “password reset” link, as I distrust any links like this that I don’t type out myself.
What the hackers want your account for
After two more guildmates got hacked last week, I decided to check and change my account security. I’ve used an authenticator since shortly after they were released, which I think is 90% of the protection that can be applied.
The other 10% is a combination of obvious email addresses, spyware, and repeated passwords for different purposes.
If for whatever reason you don’t have an authenticator then please get one. I really believe that if the hackers find an account with an authenticator then they’ll think about an easier target. Even if only 5% of players don’t have them (only Blizzard knows, I guess), that is still 550,000 of 11 million accounts. Would you rather be in the group that are easy targets, or the group that are significantly harder to hack?
Like most folks, I picked which email address to use before RealID and the BattleNet integration were around, and my Warcraft account name was not too crazy, but still within the bounds of something I could remember. When we all changed to using our email addresses to log in I kept the default one I’d used for sign-up.
This is a bad idea, and needed to be changed.
Another of those emails trying to get into our WoW accounts arrived today, but this one was a direct copy of the real Blizzard email. I’m not re-posting the screenshot as it’s a pretty standard block of text with little value.
Account phishing scams are poor form, but par for the course now. Using an exact duplicate of the Blizzard change-of-account-preferences email is a much better approach for the hackers, as Gmail won’t filter it automatically and it raises the question in your mind of whether somebody else has opened your account. It could also be seen as legit if you did just change something on your account. So kudos, you filthy hackers, for evolving from pond scum.
The old advice still stands: Never click a link in an email.
Seeing the email quality rise to something legible, instead of the Janglish junk that normally gets spammed, is perhaps a sign that spam filters are actually helping us. I know that I couldn’t live without one. I’m more worried now about somebody getting my Gmail password than my WoW account.