News And Security – One Year On The Web

I’ve been doing this for a whole year!

What do you think of what I’ve done so far?

I started this in large part due to an incident of account hacking. I wanted to let everyone I know understand the risks and problems that this has caused me and many other gamers — as well as many non-gamers, for other online security breaches. But I also wanted a place to put the stuff I write about games for others to see. I have posted on game forums for a long time, for many games. I think my first serious review was for Sid Meier’s Civilization — the first one.

Writing a blog is a tradeoff to me. Much of what I write I would be happy to say and use in videos, as on Youtube. But my day job schedule just doesn’t give me the time for that. I like doing videos, and have a great appreciation for those who do good work putting together informative and entertaining things for me (and others of course) to watch. I feel I could reach a bigger audience that way. Writing takes time as well, but I can do it more easily on break times and other short downtimes, without needing the concentration and quiet needed to produce a good video. On the positive side, written information is easier to look at and analyze, much easier to grasp and review than a video stream. Something like symthic.com’s stat reports wouldn’t be nearly as useful as a video.

Should things change and give me the time to make videos, I will certainly go back and do that. But for now, my work is going to continue in the form of words and information on a web page. I hope that is still something worth doing for gamers.

On the security side, a very high profile case involving Apple and the FBI is in the news, and it is actually rather relevant to account security. I’d worry about this being a short term topical question, but I doubt that it will be decided in court anytime soon. I’ll go over that more in a moment, but first, let’s look at the connection between Smartphone security and game (and bank and credit and everything else) account security. One of the measures used to increase security on online accounts is the two-step verification process. That adds a second device or account as a check to verify access or changes to your primary account, for example Steam or Origin. In my case, as with many others, it is our cell phone. That makes the cell phone in essence a physical security key, used to protect many other accounts. For example, my bank and credit cards also use this method. It does mean I need to have my phone, powered and working, in order to make changes. But it also means that no one can hack into any of these accounts, including my gaming accounts, unless they have my phone. And are able to access it.

That’s where the big deal security issue comes in. Apple and Google (and other phone makers) have provided simple security measures to protect our phones from use by others. The quality of that security is pretty important, because as I mention above, it also acts as a key security measure for all sorts of other accounts. Why does this work? Because it is a physical device, and its security protocols can’t be defeated by accessing it remotely. You must have the actual phone in order to do so.

Apple has made it so there is no simple way to defeat the security system it has put in place, because the phone hardware limits the speed at which access attempts can be made, and can lock the phone entirely, so no one can access it at all. While this can be frustrating to those who lose or forget their passcodes, or who don’t pass it on to someone in case of emergencies (or if they die), it also means that criminals or terrorists can’t use it to hack into your accounts either.

The battle between hackers and security systems is, for the moment, decisively on the side of security. Because the security protocols are embedded in the hardware, and only the hardware maker has access to their creation, no outsider has any chance of ever getting through. At least, not via purely software based methods, especially remote attacks, including malware.

In Apple’s case, they want to keep that situation, and even strengthen it for the future. For that reason, they are not going to surrender to the US government their right to determine their products’ security. It also gives them an incentive to make future products and upgrades even more resistant to government demands. Right now, at least for the phone in question, there is a technical possibility that Apple could weaken their security measures, with the huge hazard that once done, there is no way to ensure that it won’t be used again, and not just by the government. But if the security protocols were all hard-coded/wired, then no update to the operating system could override them. There is a risk that Apple (and others) might find a fault which would require changing these, but the odds are small, and the ability to say that no one — not even Apple — could create a hack to get past them would definitely make personal privacy and security assured.

About Account Security

One other issue relates to account security — the length and type of the passcode. A 4 digit PIN isn’t very secure against brute force methods. With only 10000 combinations, even at a rate of one attempt per hour, you’d get through in less than a year. That is more than good enough for casual security, but not for anything really important. A longer code, with letters and symbols, quickly brings the combinations up to the point where brute force is no longer practical, as long as the cycle time between attempts is long enough.

In fact, the classic 4 digit PIN isn’t all that secure at all. Its use is a compromise, short enough to remember and easy to implement, especially when it first came out. The only way to consider it useful is when the effect of a random guess getting access isn’t a serious problem. Fraud protection makes the risk to the owner of an ATM or credit account minimal if the PIN is guessed by a lucky thief. For a phone, a large part of its security is keeping the actual phone safe in your possession. No need to worry about it being hacked, if the hacker can’t get at the phone.

The major issue is that for many people, the phone isn’t just a phone. That has been the case for a while, but smartphones do a whole lot more than just talk, text, access the web and play games. It is the primary verification device for two step security for many applications, including game accounts and banking. As a universal remote control, it manages much more than just TVs. You can control home lighting and security, open your garage, remote start and unlock your car, etc. And a very big thing is as a quick, easy replacement for your wallet. Not just in online shopping (note that your phone accesses online stores — the app stores if nothing else), but for many retailers as well. No need to carry credit or debit cards; one device (and sometimes account) replaces all of them, and is easier and smarter to use.

The key to making this utility secure is all about having good security hardware, software, and most importantly, a good passcode. We know that a 4 digit PIN isn’t very secure, so what else is needed?

Bigger is better. The most important factor in password security is the length of the pass phrase. Let’s run some short numbers as examples.

A 4 digit PIN has 10000 combos.
An 8 digit PIN gets 100 million.
A 12 digit PIN? 1 TRILLION. So for only three times the length, it provides 100 million times the protection of the simple 4 digit PIN.

While people can have a hard time remembering 12 digit numbers, a 12 letter word or phrase is pretty easy. Like “twelve letter,” for example. Which is why most online sites are happy to use words for the passcode. They usually impose a couple additional rules, like at least one capital letter, and a number or symbol.

What do those add? There are three basic methods to break a passcode. The first, and the one relevant to the Apple phone case, is brute force. That is the least efficient, most time consuming method. All you do is try every possible code until you hit the one that works. If your passcode has capital letters and numbers in it, as well as lower case letters, then that increases the number of codes to try by a lot. For example, a passcode of length 4 using that character set gets 14776336 combos — over a thousand times that of just using numbers — and this effect only increases with the length chosen.

The second method to get a passcode is the dictionary attack. This uses a list of words (and known popular passcodes), and tries them all until it hits one that works. This is smarter than the brute force method, obviously, and works very well to get passcodes which are made up only of common words. Modern computers are fast enough, though, to add variations like numbers after or between words, in order to get passcodes like “Apple1984”. Still, the longer the code and the more uncommon the words and placement of numbers and symbols, the longer it will take.

Using one or two (or more, if you can remember them) symbols other than letters and numbers greatly increases the difficulty of matching your code via a dictionary attack. This is just part of the larger defense measure: don’t use a passcode made up of only common words or numbers.

While length is good, it doesn’t help if the passcode you choose is a phrase likely to be selected in a dictionary attack. “Maytheforcebewithyoulukeskywalker” is strong on length, and will resist brute force well, but will fail quickly to an attack which includes popular movie quotes. You don’t have to reject memorable quotes entirely, as they do make it easier to remember long phrases. Just make sure to change part of it: adding one unusual word and some symbols (ideally both) will gain you the advantage of length and resistance to dictionary guesses.
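To put numbers on the keyspace figures above and on the dictionary-attack point, here is a small added example of my own (not code from the original post). It assumes a fixed rate limit of one attempt per hour, and uses a constructed five-entry stand-in for the phrase list a real dictionary attack would carry:

```python
import string

# Constructed stand-in for an attacker's list of common words, passcodes and
# popular quotes; stored lowercase with spaces removed. A real list is huge.
SAMPLE_DICTIONARY = {
    "maytheforcebewithyou",
    "maytheforcebewithyoulukeskywalker",
    "password",
    "apple",
    "letmein",
}

# Character classes and how many symbols each adds to the alphabet.
CLASS_SIZES = {
    "digits": (string.digits, 10),
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "symbols": (string.punctuation, len(string.punctuation)),  # 32
}


def keyspace(passcode: str) -> int:
    """Codes a brute-force search must cover: (alphabet size) ** length.
    The alphabet is the union of the classes actually used in the passcode."""
    alphabet = sum(size for chars, size in CLASS_SIZES.values()
                   if any(c in chars for c in passcode))
    return alphabet ** len(passcode)


def brute_force_hours(space: int, attempts_per_hour: float) -> tuple[float, float]:
    """(average, worst-case) hours to find a code at a fixed attempt rate,
    e.g. a phone that only allows one guess per hour after lockout."""
    return space / 2 / attempts_per_hour, space / attempts_per_hour


def dictionary_hit(passcode: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """Emulate the cheap mangling a dictionary attack tries: ignore case and
    spaces, and strip digits/symbols tacked on the ends ('Apple1984', 'letmein!')."""
    base = passcode.lower().replace(" ", "").strip(string.digits + string.punctuation)
    return base in dictionary


def assess(passcode: str, attempts_per_hour: float = 1.0) -> dict:
    """Combine both checks: a long phrase can have a huge keyspace yet still
    fall to a dictionary attack, which is the point made in the text."""
    space = keyspace(passcode)
    avg, worst = brute_force_hours(space, attempts_per_hour)
    return {"keyspace": space, "avg_hours": avg, "worst_hours": worst,
            "dictionary_hit": dictionary_hit(passcode)}
```

At one attempt per hour a 4 digit PIN falls on average after 5000 hours, about 208 days, while the 33 character quote has a 52^33 keyspace but is still flagged by the dictionary check.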

Unlike hacking in video games and movies, a partial match gives you no clues at all, for a properly designed security system. All you get is a “wrong passcode” message, forcing you to try again.

Now, your phone and online site portals will limit the speed and number of passcode attempts, which will generally stop both dictionary and brute force attacks. As long as the physical device or site server itself isn’t compromised, there is no way to get through simply by repeating codes until you find the one that works. That is why most passcode “hacking” doesn’t use either of the above technical methods.

Social engineering is a broad term, but pretty much comes down to tricking the passcode creator into revealing what their code is. Or simply guessing the code, based on personal information obtained about the target.

The classic movies Wargames and Ferris Bueller’s Day Off show these methods, multiple times. Ferris Bueller is able to access the school computer, because the frequently changed code is written down on a sheet of paper. In Wargames, knowing the name of the programmer of the system allows the hacker to look up his history and family information, and he guesses the backdoor passcode — the name of the programmer’s son. A lot of people use family and pet names in passcodes. That is a winning choice for beating dictionary attacks, if the names are not common words. But it presumes that a hacker won’t be able to find such personal information about you. In this world of Facebook, Twitter, and Instagram, that’s a bad presumption. Against a random outsider, no problem; but against a smart directed attack looking specifically to get into your data, you can’t afford to use information which can be picked up so easily.

A lot of celebrity hacks and con artist attacks happen just because of this sort of social engineering. Call it the high tech art of the con, if you will.

Compromised security is more technical and automatic than classical social engineering, but it still depends on the user making a mistake and revealing the information. This includes malware such as keyloggers and password hijackers, open wifi and unencrypted connections, and anything else which bypasses the designed security measures in place when you go online. On your own systems, make sure that your security software is up to date and working. If you suspect compromise, or any sign of malware, STOP USING IT.

On your own systems, you can easily just stop using the system until you can correct the problem. If you are using someone else’s system, you can report the problem, but the only thing you can do to keep your information safe is to stop using it online at all.

In my case with my Origin account, I may never know exactly what happened, but my best guess would be a compromised system that I used somewhere. I logged on to the Battlelog website on a public network or computer, and my ID and passcode were collected for use later. It is also possible that at some point in the past, I used the same email (Origin uses email address as ID, as well as user name) and a similar passcode, and someone got access to that user list (another sort of hack: access the servers directly and harvest data). Phishing sites, which fake the look of real ones (banks and Facebook are popular), also work, and these also work with compromised systems. Since no other account has shown any signs of security problems, it seems like my nightmare is over.