Security Update Discussion


RepossessedSoul

Junior Member

08-20-2013

While it is nice of them to inform us that their servers have been hacked, it would be even nicer if they would let those accounts whose records were stolen know that their information has been stolen.

The other thing that is of concern is that this is only what they see, and more often an attacker that goes after something this large will take time and precautions to cover their tracks. So, with that being said, the main thing to worry about is what else may have been retrieved and/or is still being retrieved.

Now, I understand that the security people at Riot may not want to publicly state what encryption program they use, or that they are still searching for the entry path of the exploit, but nonetheless people need to know that not only has the entry point been secured but an in-depth analysis is being done in an attempt to identify other potential exploits. I know that you can never fully protect something, let alone a game server that is accessed by millions (and in RIOT's case potentially billions) every hour, but letting people know that they are upgrading their authentication system, their password system, and securing easily identified vulnerabilities is a must, simply because this game and the company that owns it does an obscene amount of business every day.

Congrats RIOT, welcome to the deep end of the industrial cybercrime pool, where people that make a lot of money finding ways to break into your stuff to steal your money, or worse your client base's information, reside. Please don't let a repeat of the last hack, which ended with minor damages, happen now, because I can assure you that the people that are going to target you from here on out aren't going to make their hacks obvious or easily countered. If anything, the scale of damages will only escalate.

I make the comment that it is a best-case scenario where they only steal money from you (RIOT). This is best explained in metaphor: which is worse for the farmer? A fire that destroys 1.) his house, 2.) his feed stores, or 3.) all his livestock? (Please, sweet baby Jesus, don't get into a goddamn sidebar argument about farming subtypes and all that nonsense; it's a goddamn analogy to try and make a point.)

If a farmer's house (in your case your program, or your company's network and computer setup) is burnt, that's not good, but you can rebuild and in some cases, if you have the ability, upgrade, so that rules out #1 for the answer. While it does suck, you can recover; in the long term it's not that debilitating and can be recovered from.

If a farmer's feed stores (in your case your financial accounts/assets) are burnt to the ground and lost, things suck, but they could be worse. You will still have the house (one of your means for managing your daily life and working towards making back the money and surviving till you recover), and you still have your livestock, which is how you make your money. Also, it's very hard to move large amounts of money in any form nowadays over the internet (don't believe me? Check out the anti-money-laundering departments of almost any bank and look at what they do; if a bank has money moved through it, it can be held liable to pay back the money to the party that had money stolen from them, and banks don't like giving up money to anyone). So this too does suck rather hard in the short term, but it is recoverable and you can still go on and continue business as normal, ruling out #2.

So finally, the hardest answer to really prove is the worst for business, but it most definitely is the downright worst by almost all intents and purposes: #3. This is true for several reasons. First, the damage to user faith. If you are responsible for a large amount of user personal information getting stolen and then abused, the faith of the people who pay you for your game, and that you make your money off of, will be irreparably damaged and, more often than not, shattered. No person wants to give someone their financial information after knowing that the requesting party has been hacked twice and has not given solid proof that they are doing more to solve the issue of their computer security, at least no sane person. The other main reason is one that is of greater concern, IMHO, than even that: CLASS ACTION LAWSUITS.

To me these can destroy companies way more effectively and way more assuredly than either of the first two answers or even the destruction of player faith. I'm not saying that RIOT hasn't tried to protect themselves from these krakens of the legislative world, but no ship is fully capable of withstanding the wrath of a beast of legend and sailing straight afterwards. Lawsuits, in general, are ugly things that are used in an ever-increasing move by anyone that thinks they can be successful with whatever they are suing for; case in point, Prenda Law. Prenda sent thousands (probably millions) of letters out to people threatening to sue them for illegally downloading something that it has now been proven they themselves uploaded; they were successful for years and made millions. That's just an example of a bunch of lawyers cooking up some halfway-true set of actions, and they made millions and ruined a bunch of people's lives. What could a competitor that has a decent legal team do? Well, let's ask Apple, Microsoft, Samsung, and Sony. They seem to have all sorts of experience with that.

So while the destruction of your livestock won't immediately render your business defunct, it will sow the seeds for worse things to happen than having your servers shut down, leaderboards changed around, and names reset. It will pave the way for open legal warfare that will last years and cost sums of money that I really can't even begin to comprehend, lawyers being expensive and all, while never really moving that fast for anyone, and that's assuming that you win and don't have to pay out some massive fine or settlement.

So, in short, what would be really good on RIOT's part is for them to reveal that they are upgrading their encryption protocols, hopefully to bcrypt, scrypt, or some other encryption protocol that takes forever to manufacture guesses for, and that they are updating all their authentication protocols. This is needed because, in order for the attackers to have gotten into the system in the first place, they needed to authenticate in a way that could get them the access they wanted. Those are just the big two things that need to be updated and changed, not just secured. If you keep them the way they were and just update them, it's the same as updating a POS car with a new engine; just because it has a new engine doesn't mean the thing won't lose a wheel when going down the highway.

Through all the negative stuff that has been thrown around so far, there needs to be one thing made clear: people will not complain about something being bad if they can't see the potential for it to be good.

PLEASE RIOT TAKE THIS TO HEART AS A TIME TO STEP UP TO THE PLATE AND BE TRANSPARENT WITH YOUR PLAYERBASE

I was not aware that the hack had been going on for so long and now understand why the client was not acting as should be expected. With that being said, I can understand a small window of time while you get to understand what is going on, but not 2 weeks; that's just terrible PR on your part and terrible operations on the part of your NOC. If your NOC isn't able to fully diagnose an issue within days of it occurring, then you need to fire all of them and rehire from the ground up, preferably from GOOGLE (they hold contests to see who can hack their systems and networks and actually make an active attempt to reward people that come forward finding vulnerabilities, whether they work for them or are outsiders).

The final thing I have to say to the company personnel that will (hopefully) read this is this: I hope to God that you guys adopt a better mindset for dealing with issues; you are only going to get attacked more and more as time goes on. This attack is not the first, and it is showing that it is still, relatively, easy to get data that can be turned into substantial reward. You either change this now and bring the hammer down on the offenders, or you label yourselves as pushovers and will suffer the consequences of that.

To those that have no idea what password security is or how to make a secure password, or even how a salted password really is not a secure method of encryption, I HIGHLY RECOMMEND that you take a trip to ARSTECHNICA and read their series of articles on password security and how easy it is for a modern hacker to break most of the common industrial encryption schemes.

Here's a link to their site: http://arstechnica.com/

Hope everyone that is involved in this learns something. I personally am never giving out CC info to any game ever again, not that I have lately.

Anyone that wants to pay for something online should take a trip to Walmart or to Visa's website and get a prepaid card that they can put money into for online purchases; it's one of the safer ways to pay for things. Get the prepaid card from, preferably, a physical store, and, preferably, refill it only at that store in person with a card, preferably cash, that you monitor. I understand that what I have just outlined is a bit much for most, but just getting a separate CC that you don't have affiliated with any of your major bank accounts is one of the safest things you can do in the current era of online thievery and cyber insecurity.

-REPO



Geonde

Senior Member

08-20-2013

It only took you 4 years and multiple compromises to FINALLY put the simplest of security features in play.

Really?



Faethis Immortem

Junior Member

08-20-2013

TL;DR of what RepossessedSoul posted:
Riot screwed up, and probably didn't use very strong password encryption (MD5 and SHA1 are NOT very strong). A good article as to why "BandGeek2014" is a terrible password can be found by reading this long, but very interesting, article on Ars Technica: http://arstechnica.com/security/2013...our-passwords/

The bottom line is that if you used your LoL password for anything important (like, say, your email or PayPal account), go ****ing change it. NAO.
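RepossessedSoul asks for "bcrypt, scrypt or some other encryption protocol that takes forever to manufacture guesses for", and Faethis Immortem's TL;DR notes that MD5 and SHA1 are not strong. Strictly, bcrypt and scrypt are password hashing functions rather than encryption, and the property both posters are pointing at is that a single guess should be expensive for the attacker while still being cheap enough for one login. The block below is an added example written for this page, not code from Riot or from either poster. It puts the "salted hash" scheme criticised in the thread (one SHA-1 pass over salt and password) next to a deliberately slow, tunable hash, and measures how many guesses per second each allows on one CPU core, which is exactly the loop a cracker runs over a wordlist. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt/scrypt, because it is available without third-party packages; the iteration count, the sample passwords and the guess counts are assumptions chosen for the demonstration, not values from the thread.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demonstration (not real data).
SAMPLE_PASSWORD = "BandGeek2014"   # the example password from the Ars Technica piece
WRONG_PASSWORD = "BandGeek2013"

# Assumed cost parameter. The whole point of a slow hash is that this number is
# tunable: raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def hash_salted_sha1(password: str, salt: bytes) -> bytes:
    """The 'salted hash' scheme the thread warns about: one SHA-1 pass over salt||password.

    The salt defeats precomputed (rainbow) tables, but one guess still costs one
    hash, so a GPU cracker tests billions of candidates per second.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A deliberately slow password hash (PBKDF2-HMAC-SHA256, standard library).

    bcrypt, scrypt and Argon2 are the same idea with an adjustable work factor and,
    for scrypt/Argon2, memory hardness on top.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Store a per-user random salt, the cost parameter and the slow hash; never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": hash_pbkdf2(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hash_pbkdf2(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def guesses_per_second(hash_fn, salt: bytes, guesses: int) -> float:
    """How many candidate passwords one core can test per second with hash_fn.

    This is the attacker's inner loop: hash a wordlist entry, compare, move on.
    """
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}", salt)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return guesses / elapsed


def slowdown_factor(sha1_guesses: int = 20_000, pbkdf2_guesses: int = 5) -> float:
    """Ratio of the salted-SHA-1 guess rate to the PBKDF2 guess rate on this machine."""
    salt = os.urandom(16)
    fast = guesses_per_second(hash_salted_sha1, salt, sha1_guesses)
    slow = guesses_per_second(hash_pbkdf2, salt, pbkdf2_guesses)
    return fast / slow


if __name__ == "__main__":
    rec = make_record(SAMPLE_PASSWORD)
    print("correct password verifies:", verify(rec, SAMPLE_PASSWORD))
    print("wrong password verifies:  ", verify(rec, WRONG_PASSWORD))
    print(f"salted SHA-1 allows roughly {slowdown_factor():.0f}x more guesses/second than PBKDF2")
```

Running it shows the asymmetry the posters are after: the site pays the slow hash once per login, the attacker pays it once per guess per account, and the per-user salt means a leaked table cannot be attacked with one precomputed list. A salt alone, with a fast hash, buys none of the second property.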



Vesh

Game Designer

08-20-2013

Quote:
Originally Posted by Jiggybuns View Post
This is false information. See attached image. Vamp's compromised account contained purchase history from 2012.
Some clarification here: the transaction IDs are randomly generated GUIDs and do not contain any information about credit cards or other billing info.

This is entirely separate from the hashed cards that were used for a specific payment system in 2011. These transaction IDs do not reveal anything about your billing or payment information; they are basically equivalent to receipt numbers.



FrozenXylaphone


Senior Member

08-20-2013

Quote:
Originally Posted by RepossessedSoul View Post
While it is nice of them to inform us that their servers have been hacked, it would be even nicer if they would let those accounts whose records were stolen know that their information has been stolen.

dat wall



Gum Cuzzlin

Member

08-20-2013

Riot... I am a California Citizen and I want an email discussing what personal information of mine was jeopardized.

Here is the law:

http://www.dmv.ca.gov/pubs/vctop/app...civ1798_82.htm



Goldosmith


Junior Member

08-20-2013

Same as Gum Cuzzlin: I too demand an email discussing the security breach of my personal information, as I am also a California citizen.



Shiister


Senior Member

08-20-2013

Quote:
Originally Posted by Gum Cuzzlin View Post
Riot... I am a California Citizen and I want an email discussing what personal information of mine was jeopardized.

Here is the law:

http://www.dmv.ca.gov/pubs/vctop/app...civ1798_82.htm
From the Department of Motor Vehicles? Um...



MandyMemory


Senior Member

08-20-2013

Why do 30 character passwords still require a number? Why is a special character not valid to use instead of a number?



Layla


Senior Member

08-20-2013

People have been complaining about the lack of security features here for years and you're just now getting to work on that? You hear about security compromises in the news all the time and it didn't occur to you not to make the same mistakes those companies made? No better than those idiots who speed, get caught, and end up wasting more time than if they'd driven at the speed limit.