I don't know how Steam does theirs, but FFXIV and I think maybe WoW have an app you can use instead of the physical authenticator. I think they normally have some code that is generated when it is linked to your account so that if your phone dies or whatever you can recover it.
TetraNitroCubane (edited October 2015)
Steam also has an app, but it appears to be just the actual Steam App itself, rather than an authenticator app like Blizzard or Google use. In other words, you have to log into the Steam app on your mobile device before you're given a one time use code, and then that code can be used with your credentials to log into your account on your computer. The issue being here that since you have to log into your account through your mobile before you get the code, someone can just compromise your phone and you're hosed (they'll get both your credentials and the code). The other Authenticators I've seen either send a code via SMS to a known number upon login from any point, or else have a constantly rotating code shown via an app that requires no credentials.
I realize that mobile malware isn't a huge concern to everyone, but it still feels fundamentally flawed as a single point of failure. Unless I'm completely misunderstanding how it works? I fully admit that I might be! I'm pretty keen on the extra layer of security that two factor authentication gives any account, but I'm less than enthusiastic about using a mobile device to log into my Steam account (as in, I'm not big on the idea of full account control and purchases being done via my phone).
Hmmm, as far as protecting your steam account on your PC, it's probably no worse than any other 2fa scheme. It probably does dick all to protect your account on your phone, unless it has a different scheme when you log in there.
Slightly diverting for this, but I was curious if anyone has any experience with the Steam 2-Factor authentication? Usually I get into 2-Factor Auth for anything I can, but for Steam it's not just an authentication app, but the actual mobile Steam app you have to use. That means that you're introducing a single point of failure, specifically your mobile device. Seems to really defeat the purpose of 2-Factor auth, but I might just be interpreting it incorrectly.
Is this different than steam guard? I have steam guard enabled, and it basically just sends me an email with an authorization code if I'm logging on from somewhere different.
TetraNitroCubane (edited October 2015)
It seems different, in that it's requiring you to have access to your mobile device as a second "key" in all situations. Theoretically if your main Steam running computer gets a keylogger, you're hosed even if you're running Steam Guard - because whoever's compromised your machine will have access to your email account as well as your Steam account at that point. With two-factor authentication, even if your Steam running computer was completely keylogged, and you logged in and had your password stolen, then the offender couldn't compromise your account or reset your password because they wouldn't have access to your mobile device. Whereas without two-factor auth in place, they could get into your account or reset your password via your email account (which they now also control).
That's sort of the source of my head-scratching on Steam's two factor auth, though. Because the same thing applies if you're putting your credentials into your mobile along with receiving your auth key there. Now if someone compromises just your phone, your account is lost. Whereas in other two factor auth schemes, it would require a simultaneous compromise of both devices.
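An added example, not from any poster and not Valve's or Blizzard's code, of the "constantly rotating code shown via an app that requires no credentials" scheme that the posts above contrast with Steam's app login. It is RFC 4226 HOTP / RFC 6238 TOTP: the phone holds only a shared secret, the server verifies the code with a small clock-drift window and refuses replays, and a one-time recovery code (hypothetical format, since the page does not describe FFXIV's or WoW's) covers the lost-phone case. The RFC test secret is used to show the code is correct.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP authenticator, server side and app side."""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

STEP = 30      # seconds each code is valid
DIGITS = 6
WINDOW = 1     # accept one step either side for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """What the authenticator app shows at time `at`: no password involved,
    only the shared secret and the clock."""
    return hotp(secret, int(at) // step, digits)


@dataclass
class Enrollment:
    """Server-side record. `last_counter` rejects a code that was already used."""
    secret: bytes
    recovery_code_hash: bytes
    last_counter: int = -1


def enroll() -> tuple[Enrollment, str, str]:
    """Create the shared secret and a one-time recovery code (hypothetical
    format). Returns the record, the base32 secret for the QR code, and the
    recovery code to show the user exactly once."""
    secret = secrets.token_bytes(20)
    recovery = secrets.token_hex(8)
    record = Enrollment(secret, hashlib.sha256(recovery.encode()).digest())
    return record, base64.b32encode(secret).decode(), recovery


def verify(record: Enrollment, code: str, at: float, window: int = WINDOW) -> bool:
    """Constant-time compare against the current step and `window` steps
    either side; never accept a counter at or below the last accepted one."""
    current = int(at) // STEP
    for candidate in range(current - window, current + window + 1):
        if candidate <= record.last_counter:
            continue
        if hmac.compare_digest(hotp(record.secret, candidate), code):
            record.last_counter = candidate
            return True
    return False


def redeem_recovery(record: Enrollment, recovery: str) -> bool:
    """Lost phone: prove possession of the recovery code from enrolment."""
    digest = hashlib.sha256(recovery.encode()).digest()
    return hmac.compare_digest(digest, record.recovery_code_hash)


RFC_SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test secret

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))          # 287082 (RFC 6238 vector, 6-digit truncation)
    rec, b32_secret, rcode = enroll()
    now = 1_700_000_000
    code = totp(rec.secret, now)
    print(verify(rec, code, now))        # True
    print(verify(rec, code, now))        # False: same code replayed
    print(redeem_recovery(rec, rcode))   # True
```

The point relative to the thread: compromising the phone yields the secret, which is one factor, but not the password; compromising the PC yields the password but not the secret. Steam's design, as the posts describe it, puts both on the phone.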
Fencingsax
This may be a stupid question, but I only need 1 anti-virus program, right?
Yes, anymore and they will cause conflicts with each other.
TetraNitroCubane (edited October 2015)
If you're talking about an active antivirus scanner that's always monitoring things, absolutely correct: You should never run more than one at a time.
You can run some malware scanners in conjunction with an antivirus if you want, like MBAM or Windows Defender, but you should never run, say AVG and Kaspersky at the same time - It will cause major conflicts and serious problems.
That being said, you absolutely should not assume antivirus is enough on its own. A layered approach is essential, because no antivirus will ever catch everything. But what I mean there, is running other programs or taking other measures to ensure that you're safe on TOP of the antivirus. So, antivirus plus scriptblocking in your browser, with a sandboxing program, with appropriate limited user accounts, etc.
You forgot nightly prayers that nobody with PII gets breached.
A password manager is another layer to consider. Because good passwords are not human-compatible. At least, not in the quantity we're expected to somehow have.
Can any of you fine folks recommend a VPN for gaming use? Unpaid ideally but paid not a dealbreaker. Not strictly a security thing, but my ISP is borking my gaming traffic management during prime time and I've been told by the support team for an affected game that a VPN can bypass the problem. This seemed to be the best place to ask! Thanks.
How worried should I be about this 000webhost hack? Any big sites use it that I should be changing my password to?
TetraNitroCubane
It looks mostly like the compromised accounts were those who registered with 000webhost to host a webpage or other content. As for other sites that were using 000webhost, I'm not sure if there were any big ones.
It also looks like the 000webhost hack dump has been added to Have I been pwned. I'm always uncertain how safe these registries are, but in recent years Have I been pwned has proved pretty legit. If you're concerned, you could check there.
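An added example, not from any poster and not HIBP's own code: if the password you gave 000webhost was reused anywhere, HIBP's Pwned Passwords range endpoint (added to the service after these posts) lets you check it without sending the password. The client SHA-1s the password, sends only the first five hex characters, and matches the remaining 35 locally against the returned list. The response body below is constructed; the real reply for that prefix runs to hundreds of lines.

```python
"""Client side of the Have I Been Pwned k-anonymity password range lookup."""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password (HIBP indexes on that) and split it 5/35.
    Only the prefix is ever sent; the suffix never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_for(password: str) -> tuple[str, str]:
    """The URL to GET and the suffix to look for in its response."""
    prefix, suffix = split_hash(password)
    return RANGE_URL.format(prefix=prefix), suffix


def parse_range_body(body: str) -> dict[str, int]:
    """Each response line is 'SUFFIX:COUNT' for one leaked hash sharing the prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def times_seen(suffix: str, body: str) -> int:
    """How often the full hash appears in the corpus; 0 means not found."""
    return parse_range_body(body).get(suffix.upper(), 0)


# Constructed stand-in for GET /range/5BAA6 (the prefix of SHA-1("password")).
# The middle suffix is the real remainder of that hash; the counts and the
# other two suffixes are made up for the example.
CONSTRUCTED_5BAA6_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2B6D6F1B3F3A9C0E3A8D1D5B9C7E2F0A1:1
"""

if __name__ == "__main__":
    url, suffix = request_for("password")
    print(url)                                           # .../range/5BAA6
    print(times_seen(suffix, CONSTRUCTED_5BAA6_BODY))    # 3861493
```

In live use, fetch `url` over HTTPS and pass the body to `times_seen`; a non-zero count means the password is in circulation and should be retired everywhere it was used.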
Lasbrook
So I did something stupid and my computer started acting weird, like intermittent periods where my network connection would be dead, pages wouldn't load at all and/or programs would hang including explorer. It would get like this but eventually return back to normal for a while until it did it again.
I haven't gotten hit by anything in like forever. So far I have gone into safe mode and run full scans with both MS Security Essentials, MBAM, some Kaspersky security scan thing I downloaded thinking it was an online scanner, and ESET's online scanner. Oh, and rkill too. MBAM picked up some things and I took care of them and haven't seen anything since (I've been lazily poking at this for days).
At some point during all this my MS Security Essentials started hanging during full scans but I dunno if that's something I caused or what.
My question is should I just take it at face value that I'm clear or just stick with being ultra paranoid and wipe and reformat?
I've got a strange thing that I don't know if I should go for a rebuild on my laptop or not (maybe finally go to Win 10). On Win 8.1, I randomly see the current window lose focus then regain focus (like someone de-selected it and then re-selected it) while the computer is idle. I was thinking maybe it's some kind of silent program running as a hidden window, but I'm not seeing any strange processes running as far as I can tell, MBAM and MS Security Essentials can't find anything, and I haven't installed anything new in a while.
I think MBAM's problem is more that they keep making the UI less useful as they simplify it, looking more and more like AV malware itself in the process.
If you don't trust it, I am also partial to the Kaspersky free scanner, though you'd need to actually purchase the software to remove anything it finds.
I'm really not a fan of KAV; its only redeeming quality is it can heuristically block Cryptowall, but it tends to break a lot of stuff. It also sucks at detecting adware.
My laptop does that quick unfocus/focus thing too.
I'm still not completely positive, but I think it has something to do with Windows and the Win10 update program (the one that downloads all the required stuff to patch) wanting to run. Still, not 100% verified but I've seen some weird stuff with that update.
You know, that actually makes a lot of sense. I did sign up for the upgrade but haven't taken it yet. And that dumb upgrader service thing is always running...
Get another scanner to be sure, MSE is pretty good at missing things now.
@Xeddicus true that. What scanners are good these days? I used to swear by MBAM but I've heard not so favorable things about it lately.
Give BitDefender free a whirl, it's pretty unobtrusive and far as I know doesn't miss much. Do need to sign up with them, but once you do it's automatic and you can pretty much ignore the entire thing. Scanning entire system is hidden behind right click context menu, only complaint I have.
TetraNitroCubane
Regarding the Win10 updating thing, if you currently do not want to have Windows nagging you to update, go to Windows Update and uninstall KB 3035583. After rebooting, go to Windows Update, find that same KB, right click it and hide it on the update list. This will remove it from your taskbar and halt the nagging.
At the very least you can try that and see if it resolves the loss of focus issue.
Also, nuts to that nagging update. It belongs in the garbage.
I swear they have been pushing that dumb KB 3035583 several times to Windows 7 machines.
TetraNitroCubane
They have been. Even if you decline the update and hide it, about once a month they auto-unhide it again and it gets rolled into all the other updates you need to install. I've had to uninstall it about three times now. Really has been frustrating to me.
I mean, I'm sure Windows 10 is very nice, but I've got security software running that's not going to play nice with it. I'd prefer the OS not brick itself without letting me know what's going on.
Orca
And I just object to not being in control of updates (as well as all the privacy invasion features).
A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.
Vickery contacted Salted Hash and Databreaches.net about the leaked data Saturday evening.
The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
That's a lot of data.
I'm struggling to come up with a pun or joke about the situation, given where the leak happened, but instead I'm just reminded that all the client-side security in the world doesn't mean a damn thing if the people you're entrusting with information are pants-on-head-backward about security.
At this point I think we just need the law to say anyone using anything short of salted hashes for password storage is liable for negligence. Having the courts start handing down big fines is about the only way to get companies to stop being so damned stupid about it.
I mean, the best practices for this are not hard to implement... and hell you've already paid for the database software. Hire a half-competent DBA and fix your shit.
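An added example, not from any poster and not Sanrio's code, of why the unsalted SHA-1 hashes in that dump (and MD5, which has the same property) fall to a precomputed lookup, and what the "salted hashes" the posts ask for actually change. The user table and wordlist are constructed; the replacement scheme is PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, a stand-in for whatever slow hash a real deployment picks.

```python
"""Unsalted SHA-1 versus a salted, iterated password hash."""
import hashlib
import hmac
import os

# Attacker's wordlist, constructed for the example.
WORDLIST = ["hellokitty", "123456", "password", "kitty2015", "qwerty", "sanrio"]


def sha1_unsalted(pw: str) -> str:
    """The storage scheme described for the sanriotown.com dump."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed user table in that style. Same password, same hash: a leaked
# table reveals shared passwords before any cracking even starts.
CONSTRUCTED_DUMP = {
    "alice": sha1_unsalted("hellokitty"),
    "bob":   sha1_unsalted("123456"),
    "carol": sha1_unsalted("hellokitty"),
    "dave":  sha1_unsalted("tr0ub4dor&3-not-in-list"),
}


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """One hash per candidate word, computed once, cracks every account that
    used that word no matter how many users there are. The table can be
    built before the breach and reused against every unsalted dump."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# Replacement: random per-user salt plus an iteration count the defender tunes.
ITERATIONS = 200_000


def hash_password(pw: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """No shared table is possible: each (user, word) pair is a separate
    PBKDF2 run at the stored cost. Returns cracked accounts and the number
    of runs it took, to compare with len(wordlist) for the unsalted case."""
    found: dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        for w in wordlist:
            work += 1
            if verify_password(w, record):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print(crack_unsalted(CONSTRUCTED_DUMP, WORDLIST))   # alice, bob, carol in one pass
    salted = {"alice": hash_password("hellokitty"), "carol": hash_password("hellokitty")}
    print(salted["alice"] != salted["carol"])           # True: same password, different records
    print(crack_salted(salted, WORDLIST))
```

Salting removes the shared table and the equal-hash leak; the iteration count is what makes each guess expensive. Weak passwords like the ones in the wordlist still fall to per-user guessing, which is the argument for the password manager raised earlier in the thread.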
TetraNitroCubane
The Holiday Steam Debacle is, of course, old news by now. But it was a security issue, and I did find this "Layman's" explanation video really interesting.
Once again, security winds up being compromised in a location where people weren't expecting it. No malicious intent, no intrusion. But still, lots of leaked data.
TetraNitroCubane (edited December 2015)
And now we get the Full Steam Story. No real surprises. Though it is rather unsettling how they dismiss the impact. Most of this information can't be used to do anything directly to an account, true, but there are loads of social engineering opportunities.
If they follow through on figuring out whose account info was shown, that will be a big step in the right direction by giving them some forewarning about the possibility. I have to say I'm a little annoyed by the utter lack of any kind of apology about it though.
Lastly... Really? Plaintext password storage? REALLY?
Anything short of salted hashes should really, but especially fucking plaintext storage.
Passwords hashed with MD5 should be punishable by a very large fine.
Storage of passwords or password recovery information in plaintext shall be punishable by public tarring and feathering.
And if your company ever sends a user their password in plaintext over email? The total contents of the company CEO's phone shall be made public.
Edit: Enforcement only kicks in starting 2018
https://www.youtube.com/watch?v=dkSslseq9Y8