Post by Feralan on Jul 30, 2009 9:30:40 GMT 1
Everyone knows the horror stories of people having their accounts stolen and stripped to the bone. I think we should have a thread on security measures to help people prevent further incidents.
I saw this post today which really sums it up well:
www.stabilizedeffortscope.com/?p=888
Quoted below with all credit due Rilgon of the Stabilized Effort Scope site:
1: Get a non-fail web browser.
This primarily means Mozilla Firefox, available from the Mozilla Group here. Why Firefox and not Chrome, Safari, Opera, or its other open-source competition? That’s number 2.
2: Get extensions for Firefox to secure your ass.
Primarily, this means NoScript and AdBlock Plus. Combined, these powerful addons to Firefox will keep out 99% of bad stuff that you don’t want in. NoScript has a learning curve – in its default state, it blocks ALL JavaScript, ActiveX, Silverlight, Flash, and other non-HTML includes in ALL websites. You will need to re-evaluate your browsing habits and begin whitelisting select domains to allow through your gate of safety – remember, the more you let in, the more “vibrant” the web is, but the less secure you are! Only let in what you need for your websites to work. NoScript also allows for temporary permissions, so you can test and see what you need to let in for good for your websites to work. AdBlock Plus, on the other hand, will prevent most ads on the internet from showing up – this can save you if a site like Curse, WoW.com, or the like gets an infected ad on their website. But these “infected” ads take advantage of vulnerabilities in non-updated systems, which leads me to number 3.
3: Patch your operating system REGULARLY.
Please, for the love of the Naaru, make sure Windows Update or whatever you Mac floozies use is on. These vulnerabilities that OS patches resolve are often zero-day exploits – that is, code to exploit them has been discovered by the black hats (the bad guys) and IS IN USE IN THE WILD. This will prevent “bad ads” from nailing you.
4: Use a SMART password. A powerful password.
Another IT best practice here, folks – use a good password. My definition of a “good password” is – 8 characters long or more, at least three of: capital letters, lowercase letters, numbers, non-alphanumeric characters (like parentheses, periods, commas, etc.), and rotated MONTHLY. Yes, change your password monthly. But even changing your password won’t help you if you get keylogged, which brings me to numbers 5 and 6.
5: Use smart browsing habits.
Your World of Warcraft/Battle.NET login credentials should NEVER, EVER BE ENTERED INTO ANY WEBSITE WHOSE DOMAIN IS NOT battle.net OR worldofwarcraft.com. EVER! Don’t EVER DO IT EVER. If the URL says www.stabilizedeffortscope.com/cgi-bin/worldofwarcraft.com/account/ – that is someone (i.e. me, in this case) TRYING TO STEAL YOUR ACCOUNT. Be aware of the REAL URL that you’re at – don’t just look at the end and go “oh, it’s the wow account login page, that’s fine” – if some other domain is before it, you’re done. GG! And furthermore, be aware of where you’re going. All browsers show you the URL of a hotlink if you mouse over it and look at the bottom of the screen. Don’t go somewhere that looks suspicious. .cn (Chinese) domains are especially bad. I know it sounds racist, but since they run the gold selling companies, they’re the ones that want your gold for their profit…
6: Clean your system well!
I don’t care what some people say about not needing an anti-virus if you’re intelligent – you need one. Yes, they’re mostly right, but everyone makes mistakes, even me. You do NOT want to be unprotected if and WHEN it happens. You need an anti-virus – there’s plenty of good, free ones like AVG Antivirus or ClamWin (the Windows port of the majorly powerful ClamAV server antivirus for Linux). You need an anti-spyware – Spybot Search and Destroy is the best for this. You need anti-malware – MalwareBytes is THE single best software for malware (this includes keyloggers!). Get them. Clean your system, then change your password. Then keep your system clean!
7: Stay vigilant!
Even once you get your system pristine and secure, you have to keep it that way. Remember, the bad guys are CONSTANTLY trying to find new ways to steal your stuff – be it a “OMG LOG IN HERE TO BUY A SPECTRAL TIGER MOUNT” (who wants that stupid ugly piece of crap, anyways) to new keylogger posts on the WoW official forums. You have to be aware and attentive – one mistake can cost you your whole account and cause you weeks of headache dealing with Blizzard’s support. Don’t treat security trivially!
End quote.
One of the comments includes a password-related suggestion that I have been using for a long time, too:
"What I always tell people is to think of a sentence and use the first letter of each word to make the actual password. Then add numeric and special characters in where you can."
Also, don't share your password. A spiteful ex or a drunken friend can run haywire with your stuff, I have seen both happen. Happy married couples like our lovely Finnish duo are an exception of course, but generally caution is best.
Never follow a link from the official WoW forums, especially if it promises free stuff, sex pictures or a funny video. These are always keyloggers posted from accounts that are already compromised. Usually it's very blatant, but some are tricky. Many keyloggers have .cn as part of their URL so your alarm bells should go off loudly when you see that.
Watch out for in-game scams as well. I need not mention gold selling or powerlevelling advertisement spammers, those scum are well known and should be instantly reported (SpamSentry is a good addon for that). Another popular trick is to pretend to be the new alt of a friend or guild officer (especially with a name like, say, Féralan or Ferabanker if they lied about being me) and to ask to be invited to one's guild. Then, the scammer will ask for a high enough rank to access the guild bank -- and clean it out immediately, mail everything away and then run off, having "ruined" a guild in a matter of minutes. We are less at risk of that of course, since we're a little fringe RP guild with mainly silly old junk in the bank, and not a big bunch of raiders with super-expensive purples and materials. But still, it is a dirty trick to be aware of, especially if you also have a character in a raid guild, or friends who do. A "new alt" should always be confirmed and named by one of the player's known, trusted characters before being invited.
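Editor's added example (not part of Feralan's post or Rilgon's blog): the two checks the quoted guide describes in words, written out as code so the reasoning is concrete. Item 5 says to look at the REAL domain of a URL rather than the tail of the path; `real_host()` below extracts the hostname the browser would actually connect to, so the guide's own decoy URL resolves to `www.stabilizedeffortscope.com`, and `is_official_login_page()` accepts only `battle.net` / `worldofwarcraft.com` and their subdomains. Item 4 and the commenter's "first letter of each word" method are covered by `character_classes()`, `meets_policy()` and `from_sentence()`. The hostnames `phish.example` and `worldofwarcraft.com.phish.example` are constructed decoys for illustration, and the sample sentence is made up; the function names are the editor's own.

```python
from urllib.parse import urlsplit
import string

# The only domains the quoted guide says credentials may be entered into.
OFFICIAL_LOGIN_DOMAINS = ("battle.net", "worldofwarcraft.com")

# Character classes from item 4: upper, lower, digits, non-alphanumeric.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def real_host(url: str) -> str:
    """Return the lower-cased hostname the browser would actually connect to.

    Anything after the host in the path (e.g. '/worldofwarcraft.com/account/')
    and anything before an '@' (user-info tricks) is ignored, exactly as the
    browser ignores it when deciding which server to talk to.
    """
    if "://" not in url:
        url = "http://" + url      # bare 'www.example.com/...' as typed in a forum post
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_official_login_page(url: str) -> bool:
    """True only if the real host is an official domain or a subdomain of one."""
    host = real_host(url)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_LOGIN_DOMAINS)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(1 for cls in CLASSES if any(ch in cls for ch in password))


def meets_policy(password: str) -> bool:
    """Item 4's rule: 8+ characters and at least three of the four classes."""
    return len(password) >= 8 and character_classes(password) >= 3


def from_sentence(sentence: str) -> str:
    """The commenter's method: first letter of every word, keeping any
    punctuation or digits attached to the words so the result gains extra
    character classes for free."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


if __name__ == "__main__":
    decoy = "www.stabilizedeffortscope.com/cgi-bin/worldofwarcraft.com/account/"
    print(real_host(decoy), is_official_login_page(decoy))        # www.stabilizedeffortscope.com False
    print(is_official_login_page("https://eu.battle.net/account/"))  # True
    pw = from_sentence("For the love of the Naaru, patch Windows Update every month!")
    print(pw, character_classes(pw), meets_policy(pw))            # FtlotN,pWUem! 3 True
```

The `endswith("." + d)` comparison matters: a plain substring test would accept `worldofwarcraft.com.phish.example`, while the subdomain test rejects it because the registrable part of that name is `phish.example`.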