A little education: Hacking vs Compromising

General Discussion
I think it is time someone steps in and tries to clear the air a little, doing so through education. It is getting fairly old having to filter through the garbage on this forum to find the constructive threads. As of late this garbage has been that of someone screaming the sky is falling and that they were "Hacked". It has gotten to the point that everyone and their grandmother, according to the people doing the yelling, has been hacked. That, of course, it wasn't their system that was hacked, but the multi-billion dollar company who has spent more on security than most will see in five lifetimes. The lack of accountability would be astonishing, except the mentality in today's world is that of "It isn't my fault, but his/her/it".

Now the problem is that most of the people throwing around the term have absolutely no idea what it actually means. So for everyone that is screaming "I was hacked!", please keep reading, you are about to be told of the difference between hacking and compromising.

Hacking is generally accepted to be the act of intentional and malicious attempts to breach layers of security to gain access to a system or systems you are not authorized to access. This is further defined as the act of altering hardware and/or software in order to accomplish the previously mentioned task. Often people refer to this as a "Brute Force" attack, where those on the offensive directly attack the system. This is typically not the way it is done today, as it is very noticeable, especially on a closely monitored and secured system.

It isn't to say that it can't be done in today's world; it just isn't that common because it is so announced. It is akin to the person trying to rob your house making an attempt to kick in the front door: if someone is watching or at home, it doesn't go unnoticed.

So to be clear: hacking is generally defined as an attempt to gain access to systems the person isn't authorized for, involving the altering of hardware and/or software. This is typically extremely difficult to do on major systems, and only a very small and select group of people have the skills and resources.

Compromising is entirely different; it is often referred to as phishing. It involves the aggressor bringing to light, or exposing, information about the victim. This can be accomplished in many different ways, usually involving social engineering. The key aspect of this is that the victim often doesn't know they are the victim. Even further, the victim is often compromised for a long period of time before noticing something is "off".

The most obvious form of this is the horribly written e-mails we have all received that claim they are someone, or something, they obviously aren't. What goes unnoticed are the very well written ones, the ones that go as far as to duplicate well-known websites down to every detail, even providing a confirmation message once you enter data. In these cases, about the only way to tell they are fake is to look at the header information within the e-mail, or other behind-the-scenes data. Luckily for the aggressor, however, the majority of the targets do not even know how to do this.

The above example is given as it is the most easily relatable; after all, everyone with an e-mail has won the National Zimbabwe Lottery, or helped a crowned prince transfer money for a car.

The lesser known ways of compromising an account are actually the easiest. First in line is simply guessing the password to an e-mail account. Not using a brute force attack with a dictionary, but simply guessing it. This is usually done because the password is extremely weak, or by answering the "Secret Question", typically the "What is your favorite food" and the answer of "Pizza". You might be surprised as to how common this example is. Another great example I have seen was the question of "Who is the third one?"; the answer was the person's third child's first name.

Now, having mentioned the e-mail above, this is typically the weak link to it all. Most people use the same password for everything, so once they have the e-mail password it is typically easy to get into any account that uses the e-mail password. But which accounts use it? Just search the e-mail inbox for that answer. Someone smart enough to not use the same passwords? Well, simple enough: they have the e-mail address to the account they actually want. They simply use the handy "Forgot Password" function and there you have it. A key aspect of this is that you have no idea it is happening. They aren't changing passwords, they aren't changing usernames. They are simply viewing the data they need and sitting on it, until you have what they want.

This is being compromised. Information you don't want others to have is brought to light, either by unknowingly telling someone or by not using proper security: things like weak passwords and easy-to-guess "Secret Questions".

Again, to be clear on compromising: it is simply the act of bringing to light information that is private or sensitive in nature, often obtained directly from the victim without their knowledge or by using readily available information about the victim to extract further information.

So now that we understand hacking is the altering of software and/or hardware to obtain access to a system, and that compromising is simply obtaining information from the victim, we can understand what is really going on. In most cases people were compromised long ago, not in the last 10 days, and they have been watched for a while. Only when people obtain certain gold levels and items do things go missing. Now why would this be happening? Because there is a market for it. There are enough people that want to buy gold and items that the black-market sellers have turned to compromising accounts. We all know they can't farm gold and items fast enough to sell them, so they have to steal it. That is the only way for them to meet supply, period.

So how are they doing this? Very easily, considering the amount of information they are given by the victim. Anecdotally, I have yet to meet a single person that has used gold selling services that hasn't been compromised. The reason for this is that in order to use their service you need to pay them via debit/credit card. In order to do this you have to give them: name, address, billing phone number, credit card information, e-mail address, in-game account name, and in some cases date of birth. You are better off just giving them the keys to the castle at that point.

Others' e-mail addresses are obtained, and further compromised, through the purchasing of spam lists, or by the friend that used their service and was nice enough to give them a "Referral" for a few extra in-game gold.

Finally, there is a reason why people with authenticators haven't been compromised. It is called Multi-factor Authentication. While not convenient, it is far more secure than the standard username/password that is seen.

Being compromised is not being hacked, there is a difference!
05/28/2012 06:54 PM Posted by PostalTwinki
That of course it wasn't their system that was hacked, but the multi-billion dollar company who has spent more on security than most will see in five lifetimes. The lack of accountability would be astonishing, except the mentality in today's world is that of "It isn't my fault, but his/her/it".


See "Rift"... at least they manned up and admitted it.


I could also point at Sony. In both the case of Sony and Trion it was a lapse in security, rather obvious ones to be exact. Further to the point, both groups that perpetrated the attacks went after personal information, such as credit cards.

The legal side of this is that Trion and Sony both had to acknowledge the breaches and what information was taken. Had they not done so they would have been liable for losses incurred by their customers by keeping it in-house. This also affected tens of millions of players, not a small handful of people on the forum.

So let me recap...

Sony/Trion customers' financial data was compromised, making the respective companies legally bound to notify the customers. This affected tens of millions of players.

With Blizzard there has been no notification, and the affected number is extremely small. Further, people with authenticators have not been victims. Why? Because this isn't a breach on the end of Blizzard, which would nullify an Authenticator.
They spent a lot of money so it is unhackable! Sorry but no system is ever completely safe. There is still a chance that username/password list was stolen server side.

Edit: Also, just because the authenticator still works it doesn't mean they have been breached. Faulty logic.
Now class, would somebody like to explain to the OP the difference between hacking and cracking :P
They spent a lot of money so it is unhackable! Sorry but no system is ever completely safe. There is still a chance that username/password list was stolen server side.

Edit: Also, just because the authenticator still works it doesn't mean they have been breached. Faulty logic.


Of course no system is completely safe. But using your own "faulty logic" statement, what is more likely? Blizzard was breached, or the people complaining of hacking were compromised through one of many methods? Again this falls back on the mentality of "It isn't my fault, but the other person's."

Except the part where not a single person with an Authenticator, mobile or key chain, has had their account impacted by loss of gold/items.

05/28/2012 07:17 PM Posted by Abirn
Now class, would somebody like to explain to the OP the difference between hacking and cracking :P


Cracking would fall under hacking, as it is the altering of software to obtain access. Though in more recent years it has spun off into its own little world. Typically filled by the people that couldn't hack it at hacking, so they turned to easier targets.
They spent a lot of money so it is unhackable! Sorry but no system is ever completely safe. There is still a chance that username/password list was stolen server side.

Edit: Also, just because the authenticator still works it doesn't mean they have been breached. Faulty logic.


That chance is so small as to be not worth noting. It's about the same chance that a comet will crash into the moon, altering its orbit and sending it on a death-ride towards the Earth.
05/28/2012 07:16 PM Posted by Zeal
Please.. tell me how this post is going to help people from not being "compromised"?


Because it tells people how it happens, and what NOT to do. It's like telling people that robbers get in easier when you don't lock your door at night.
05/28/2012 07:20 PM Posted by Kelthar
Please.. tell me how this post is going to help people from not being "compromised"?


Because it tells people how it happens, and what NOT to do. It's like telling people that robbers get in easier when you don't lock your door at night.


I believe that point went over his head....
They spent a lot of money so it is unhackable! Sorry but no system is ever completely safe. There is still a chance that username/password list was stolen server side.

Edit: Also, just because the authenticator still works it doesn't mean they have been breached. Faulty logic.


Of course no system is completely safe. But using your own "faulty logic" statement, what is more likely? Blizzard was breached, or the people complaining of hacking were compromised through one of many methods? Again this falls back on the mentality of "It isn't my fault, but the other person's."

Except the part where not a single person with an Authenticator, mobile or key chain, has had their account impacted by loss of gold/items.


You still don't get it: a hacker grabbing a user name/hashed password list has nothing to do with the authenticator. You talk about which is more likely, but probability is not proof of anything.

Guess what other game companies had their tables compromised in the past year or two: EA, Bioware, Bethesda, Nintendo, Epic, Sony, Steam and Sega. Those are the ones I can name off the top of my head, so it might be a little more likely than you think. Prior to Sony, most companies would never release info that they were compromised. Happens quite often.
05/28/2012 07:13 PM Posted by PostalTwinki


See "Rift"... at least they manned up and admitted it.


I could also point at Sony. In both the case of Sony and Trion it was a lapse in security, rather obvious ones to be exact. Further to the point, both groups that perpetrated the attacks went after personal information, such as credit cards.

The legal side of this is that Trion and Sony both had to acknowledge the breaches and what information was taken. Had they not done so they would have been liable for losses incurred by their customers by keeping it in-house. This also affected tens of millions of players, not a small handful of people on the forum.

So let me recap...

Sony/Trion customers' financial data was compromised, making the respective companies legally bound to notify the customers. This affected tens of millions of players.

With Blizzard there has been no notification, and the affected number is extremely small. Further, people with authenticators have not been victims. Why? Because this isn't a breach on the end of Blizzard, which would nullify an Authenticator.


10/10


Of course no system is completely safe. But using your own "faulty logic" statement, what is more likely? Blizzard was breached, or the people complaining of hacking were compromised through one of many methods? Again this falls back on the mentality of "It isn't my fault, but the other person's."

Except the part where not a single person with an Authenticator, mobile or key chain, has had their account impacted by loss of gold/items.


You still don't get it: a hacker grabbing a user name/hashed password list has nothing to do with the authenticator. You talk about which is more likely, but probability is not proof of anything.

Guess what other game companies had their tables compromised in the past year or two: EA, Bioware, Bethesda, Nintendo, Epic, Sony, Steam and Sega. Those are the ones I can name off the top of my head, so it might be a little more likely than you think. Prior to Sony, most companies would never release info that they were compromised. Happens quite often.


What you aren't understanding is that even if someone hacking obtained said list, it wouldn't do them any good if the list itself was secured properly. Read: encrypted, strongly encrypted. Unlike in the case of Sony, where the data was stored in plain text.

As for your statement of companies not releasing when they are compromised: well, they don't legally have to unless user data was compromised. At that point they are bound, by law, to release the information, lest they become liable for any damages...
Hacking is generally accepted to be the act of intentional and malicious attempts to breach layers of security to gain access to a system or systems you are not authorized to access.


No, it's not. That's cracking.

Hacking is any modification of something to do something it wasn't designed to do.


You still don't get it: a hacker grabbing a user name/hashed password list has nothing to do with the authenticator. You talk about which is more likely, but probability is not proof of anything.

Guess what other game companies had their tables compromised in the past year or two: EA, Bioware, Bethesda, Nintendo, Epic, Sony, Steam and Sega. Those are the ones I can name off the top of my head, so it might be a little more likely than you think. Prior to Sony, most companies would never release info that they were compromised. Happens quite often.


What you aren't understanding is that even if someone hacking obtained said list, it wouldn't do them any good if the list itself was secured properly. Read: encrypted, strongly encrypted. Unlike in the case of Sony, where the data was stored in plain text.

As for your statement of companies not releasing when they are compromised: well, they don't legally have to unless user data was compromised. At that point they are bound, by law, to release the information, lest they become liable for any damages...


Sony did not have them stored in plain text. They were hashed, like they pretty much always are. Also, read up on how easy it is to break the hash with GPGPU. A few minutes for one (edit: I mean one GPU) if they are about 8 characters long with letters and numbers. Blizzard might have salted them to help a bit, but salting only helps so much.

Also, companies are supposed to release information, but they will and do try to cover it up. Sometimes they release the information weeks later (my bank did this).
05/28/2012 07:31 PM Posted by Masquerade
Hacking is generally accepted to be the act of intentional and malicious attempts to breach layers of security to gain access to a system or systems you are not authorized to access.


No, it's not. That's cracking.

Hacking is any modification of something to do something it wasn't designed to do.


Hacking describes the activity of writing code, e.g., programming. It is commonly misused in place of cracking, as you said.
Sony did not have them stored in plain text. They were hashed, like they pretty much always are. Also, read up on how easy it is to break the hash with GPGPU. A few minutes for one (edit: I mean one GPU) if they are about 8 characters long with letters and numbers. Blizzard might have salted them to help a bit, but salting only helps so much.

Also, companies are supposed to release information, but they will and do try to cover it up. Sometimes they release the information weeks later (my bank did this).


One does not break a hash. They are one-way, irreversible. A technique for "reversing" hashes would be to use a rainbow table, which is a mapping of hashes and the corresponding values that produce that hash. This is what salting combats. A salted hash is pretty much useless to an intruder.

You could try to generate a hash that collides with the hash in question (e.g., two different values that produce the same hash value), but this is very unlikely and depends on the hashing algorithm.
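As an added illustration of the salting point made in the reply above (example code written for this page, not posted by anyone in the thread): the same password always produces the same unsalted digest, so one precomputed table covers every user, whereas a per-user random salt plus a slow derivation (PBKDF2 here, an assumption; the thread names no algorithm) makes every stored digest unique and each guess expensive. The passwords and table below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; not real credentials.
SAMPLE_PASSWORD = "Pizza1234"
ITERATIONS = 200_000  # work factor: makes each guess cost real time


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical input always gives the identical
    digest, which is exactly why a precomputed table (rainbow table) works."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt. The salt makes every user's digest
    unique even for identical passwords; the iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> dict:
    """What a defender persists: random salt, iteration count and derived key."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "hash": salted_hash(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]),
                            record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(candidates) -> dict:
    """Toy stand-in for a rainbow table: unsalted digest -> password, built once."""
    return {unsalted_hash(p): p for p in candidates}


def table_hits_unsalted(password: str, table: dict) -> bool:
    """An unsalted digest of a listed password is found immediately."""
    return unsalted_hash(password) in table


def table_hits_salted(record: dict, table: dict) -> bool:
    """A salted digest never appears in a table built without that user's salt."""
    return record["hash"] in table


def same_password_same_digest(password: str, salted: bool) -> bool:
    """Two users with the same password: identical digests only when unsalted."""
    if salted:
        return store_password(password)["hash"] == store_password(password)["hash"]
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    table = precomputed_table(["password", "Pizza1234", "letmein"])
    rec = store_password(SAMPLE_PASSWORD)
    print("unsalted digest in table:", table_hits_unsalted(SAMPLE_PASSWORD, table))
    print("salted digest in table:  ", table_hits_salted(rec, table))
    print("login with right password:", verify_password(SAMPLE_PASSWORD, rec))
```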
Given the fact some people complaining they are hacked fake their identities as some IT guy, or some pro, or legend of IT in their own mind, etc., etc.

Given how stupid they are, not to know who they are themselves... no one can save them.

Probably why they got compromised/hacked/duped in the first place.
Sony did not have them stored in plain text. They were hashed, like they pretty much always are. Also, read up on how easy it is to break the hash with GPGPU. A few minutes for one (edit: I mean one GPU) if they are about 8 characters long with letters and numbers. Blizzard might have salted them to help a bit, but salting only helps so much.

Also, companies are supposed to release information, but they will and do try to cover it up. Sometimes they release the information weeks later (my bank did this).


One does not break a hash. They are one-way, irreversible. A technique for "reversing" hashes would be to use a rainbow table, which is a mapping of hashes and the corresponding values that produce that hash. This is what salting combats. A salted hash is pretty much useless to an intruder.

You could try to generate a hash that collides with the hash in question (e.g., two different values that produce the same hash value), but this is very unlikely and depends on the hashing algorithm.


Depends on the hashing algorithm. I was catching up on this stuff a few months back. Here, enjoy some white papers. I am in no way claiming that Blizzard is using MD5 or something similar, but just pointing out that it is definitely possible. http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other%20Hash%20Functions.pdf


What you aren't understanding is that even if someone hacking obtained said list, it wouldn't do them any good if the list itself was secured properly. Read: encrypted, strongly encrypted. Unlike in the case of Sony, where the data was stored in plain text.

As for your statement of companies not releasing when they are compromised: well, they don't legally have to unless user data was compromised. At that point they are bound, by law, to release the information, lest they become liable for any damages...


Sony did not have them stored in plain text. They were hashed, like they pretty much always are. Also, read up on how easy it is to break the hash with GPGPU. A few minutes for one (edit: I mean one GPU) if they are about 8 characters long with letters and numbers. Blizzard might have salted them to help a bit, but salting only helps so much.

Also, companies are supposed to release information, but they will and do try to cover it up. Sometimes they release the information weeks later (my bank did this).


The fact that you honestly believe a properly hashed file can be broken in a few minutes completely nullifies anything you have said or are going to say. It further shows your inexperience in the topic and computer security in general.
