@AiurFlux said:
@enthalpy said:
@AiurFlux said:
August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzard's main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify its customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.
I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.
I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.
I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.
It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.
Here is what happens in a typical security incident protocol:
- The system is locked off from the outside, accounts and sessions are killed, etc...
- An assessment of the means of entry is done and any security holes closed, while
- a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
- Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
- An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
- Appropriate law enforcement is contacted, based on the initial compromise assessment
- If any regulated data is found, the appropriate regulatory agencies are contacted
- After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
- Communication to affected parties happens
What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasible to crack. Here is what can happen now:
Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.
Also, this was an impressively fast response from such a huge company.
Bullshit. It occurred 5 days ago. That's 5 days of having information at risk, including financial information given the real money auction house in Diablo 3. That's 5 days that some asshole could have free rein. That's 5 days too many. When my information is at risk, when my finances are at risk, I should be informed of it right then and there. Not a work week after the fact.
You're right in saying that divulging that information could inform other people of a vulnerability, but the simple act of hacking it has exposed that vulnerability. If you don't think that these people communicate with one another you're out of your mind. Typically it's not just one person doing it anymore but rather a group of people that each delegate part of the operation. Furthermore if they're REALLY concerned with security then maybe they should make a public notice and shut down their shit system for those 5 days until they sort it out instead of leaving it online and forcing people to find out about this through a media site like Giant-fucking-Bomb.
It's irresponsible. It's lazy. It's ignorant. And it needs to fucking change. These companies need to be held accountable and MAYBE just maybe the traditional way of doing things isn't enough anymore. How many hacks have occurred within the past year? It's unacceptable, especially in the game industry where everything is going digital and everything has extra costs tacked on.
And the response wasn't fast at all. Sony had a similar response and they got bashed for it, but because it's Blizzard people hold them up like Christ on the Cross and say "THEY'RE TEH BEST EVAR!". You sound like a PR guy when you say shit like that. The investigation might have been started fast but the whole informing the public thing, the people that give them money and put their trust in them, wasn't good.
I'm not trying to defend Blizzard per se--I'm trying to assess the breach in terms of its security implications for its users and also wanted to provide some information about how a typical incident response procedure works. I may have been too flippant with my first sentence or so, for which I apologize, and I've certainly changed my battle.net password to be on the safe side. But treating all compromises the same is not helpful to the gaming community who needs good information to assess their risk posture, nor is it particularly fair to the firms involved.
Given the timeline and types of data that they handle, I think that Blizzard informed pretty quickly. I also think that there is not a ton here that causes huge additional risk to users because, unlike many other large compromises, this compromise did not include any directly actionable data (CCNs, passwords, etc...).
Is this bad? Yes. The ability of people to phish off of the email addresses is a concern, and the decision to handle secret questions in the way that they are just looks dumb. But unlike a number of the firms who have been recently compromised, the data was stored in a sensible way, i.e. hashed (hopefully salted) phone numbers and with a complex protection mechanism on the passwords.
I also think that it's best for this information to go through public sites. How do you want Blizzard to notify the community, assuming that their communication path (email) is the same as the one that the hackers now have access to? Because if this was an extremely well-planned hack, the attackers could have phished the "your account has been compromised" emails to land at the same time that Blizzard's did. And if they were even close to competent phish writers, a huge number of people would have lost their passwords to this phish.
I'm really not looking for this to be a contentious conversation--I understand your concern and anger regarding compromises, because a lot of companies are not doing what they need to do in order to keep their customers safe, and they do need to be held accountable. Like you, I hope that more facts come out of this breach and that there are clear steps taken to further tighten security around Blizzard.
Hope everyone has a pleasant weekend.
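Two points in the thread deserve a concrete illustration: the earlier claim that email address plus secret answer only gets an attacker a reset email, not the account, and the later point that secret-question handling should be no weaker than the salted, slow hashing used for passwords. The code below is an added example, not part of the thread and not Blizzard's actual implementation: it stores both the password and the secret answer with a per-user random salt under PBKDF2, and its reset flow only ever emails a single-use, short-lived token, so the answer alone never changes a password. The account store, the in-memory "outbox" standing in for email delivery, the 15-minute token lifetime and the 5-attempt lockout are all assumptions of the example.

```python
"""Credential storage and password-reset flow (added example, not Blizzard's
code).  Passwords and secret-question answers are hashed with a per-user
random salt and a slow KDF; a reset needs a single-use token delivered out
of band (email), never the secret answer alone.  The store, outbox, token
lifetime and lockout threshold are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
import time

KDF_ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 rounds; raise for production
TOKEN_TTL_SECONDS = 900    # assumed 15-minute reset window
MAX_ANSWER_FAILURES = 5    # assumed lockout on secret-answer guessing


def normalize_answer(answer: str) -> str:
    """Trim, case-fold and collapse spaces so 'Fido ' and 'fido' compare equal."""
    return " ".join(answer.strip().lower().split())


def hash_secret(secret: str, salt: bytes = None):
    """Return (salt, digest).  A fresh 16-byte salt per secret means two users
    with the same password (or pet name) get unrelated hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class AccountStore:
    def __init__(self):
        self.users = {}
        self.reset_tokens = {}   # sha256(token) -> (email, expiry)
        self.outbox = []         # constructed stand-in for email delivery

    def register(self, email: str, password: str, answer: str) -> None:
        self.users[email] = {
            "pw": hash_secret(password),
            "answer": hash_secret(normalize_answer(answer)),
            "fails": 0,
        }

    def login(self, email: str, password: str) -> bool:
        u = self.users.get(email)
        return bool(u) and verify_secret(password, *u["pw"])

    def request_reset(self, email: str, answer: str, now: float = None) -> None:
        """Step 1: email + correct answer only *sends* a token.  The caller gets
        the same (empty) response whether the email exists, the answer is wrong,
        or the account is locked, so nothing is leaked."""
        now = now if now is not None else time.time()
        u = self.users.get(email)
        if u is None:
            return
        if u["fails"] >= MAX_ANSWER_FAILURES or not verify_secret(normalize_answer(answer), *u["answer"]):
            u["fails"] += 1
            return
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked token table is useless on its own
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (email, now + TOKEN_TTL_SECONDS)
        self.outbox.append((email, token))

    def complete_reset(self, token: str, new_password: str, now: float = None) -> bool:
        """Step 2: the token from the mailbox is single-use and short-lived."""
        now = now if now is not None else time.time()
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop => single use
        if entry is None or entry[1] < now:
            return False
        email, _ = entry
        self.users[email]["pw"] = hash_secret(new_password)
        self.users[email]["fails"] = 0
        return True
```

Notice what an attacker holding a dump of this store has: salted PBKDF2 digests of passwords and answers, and hashes of any outstanding tokens. Knowing the email address and the answer lets them trigger a reset email, exactly as the earlier post says, and nothing more unless they also control the mailbox; a fast unsalted hash on the secret answers would instead hand them the answers outright.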