How did they do it? (Hacked)

Anything not relating to the X-Universe games (general tech talk, other games...) belongs here. Please read the rules before posting.

Moderator: Moderators for English X Forum

jlehtone
Posts: 21801
Joined: Sat, 23. Apr 05, 21:42
x4

Re: How did they do it? (Hacked)

Post by jlehtone » Mon, 4. May 20, 10:33

Mightysword wrote:
Mon, 4. May 20, 03:20
And as noted, even with the most expensive defensive in place and a dedicate IT team to keep track of thing, it often just takes one gullible user to compromise the whole thing.
The size of dedicated, expert IT team in home LAN is probably 0. The amount of gullible users in home LAN ... can it be 100%?

apogee
Posts: 2115
Joined: Thu, 22. Jul 04, 13:35
x3tc

Re: How did they do it? (Hacked)

Post by apogee » Fri, 8. May 20, 12:49

From the op, Did you get the info about location from netflix site? And ever used the netflix app on your phone?

I had locations listed in Scotland and London both places i've not been recently for android, i use android netflix app.

If you have location switched off, and you connected via mobile data its likely the location comes from where your mobile provider connects to the internet, this could be several places depending on where the mobile data is routed in their mobile network.

I did change passwords recently when 2 items appeared in 'mylist' that I'm sure i never added.

Gavrushka
Posts: 8072
Joined: Fri, 26. Mar 04, 19:28
x4

Re: How did they do it? (Hacked)

Post by Gavrushka » Mon, 11. May 20, 16:23

apogee wrote:
Fri, 8. May 20, 12:49
From the op, Did you get the info about location from netflix site? And ever used the netflix app on your phone?

I had locations listed in Scotland and London both places i've not been recently for android, i use android netflix app.

If you have location switched off, and you connected via mobile data its likely the location comes from where your mobile provider connects to the internet, this could be several places depending on where the mobile data is routed in their mobile network.

I did change passwords recently when 2 items appeared in 'mylist' that I'm sure i never added.
Ah, yeah, I do have it on two phones, both Android, and location is switched off. - Thing is, I'd not used either phone for Netflix for a very, very long time, *BUT* one of the phones had been on charge at the time, and I believe the Netflix app updated. - There's a more than reasonable chance it was this that caused it, especially considering just how ridiculously obscure (and long) all my passwords are.
“Man, my poor head is battered,” Ed said.

“That explains its unusual shape,” Styanar said, grinning openly now. “Although it does little to illuminate just why your jowls are so flaccid or why you have quite so many chins.”

“I…” Had she just called him fat? “I am just a different species, that’s all.”

“Well nature sure does have a sense of humour then,” Styanar said. “Shall we go inside? It’d not be a good idea for me to be spotted by others.”

Gavrushka
Posts: 8072
Joined: Fri, 26. Mar 04, 19:28
x4

Re: How did they do it? (Hacked)

Post by Gavrushka » Mon, 11. May 20, 16:32

Terre wrote:
Tue, 28. Apr 20, 19:33
I would still suggest a scan with Malwarebytes, just incase there is a miscreant onboard.
Malwarebytes was brilliant. Very easy to use, and ever so quick. Today I tried upgrading to premium, but when I went to the payment screen, the amount they were trying to charge my card was 30% higher than the one stated on the link I'd just clicked (within the antivirus software itself.) Obviously I did the rational thing and raged at the screen, claiming they were all liars and cheats, before uninstalling the software and rebooting. - As a parting Malwarebytes gift, this had the effect of deleting every damned password off my computer, and I had to manually reenter a number of ridiculously long convoluted strings of symbols, letters and numbers. I invented many new expletives, each directed at malwareshytes, with each errant keyclick.

So, as I said, Malwarebytes is the pits. :gruebel:
“Man, my poor head is battered,” Ed said.

“That explains its unusual shape,” Styanar said, grinning openly now. “Although it does little to illuminate just why your jowls are so flaccid or why you have quite so many chins.”

“I…” Had she just called him fat? “I am just a different species, that’s all.”

“Well nature sure does have a sense of humour then,” Styanar said. “Shall we go inside? It’d not be a good idea for me to be spotted by others.”

g04tn4d0
Posts: 2040
Joined: Mon, 26. Apr 04, 12:58
x4

Re: How did they do it? (Hacked)

Post by g04tn4d0 » Tue, 7. Jul 20, 00:05

Gavrushka wrote:
Tue, 28. Apr 20, 17:50
I have the most exquisitely complex passwords imaginable, and yet someone just logged into my Netflix account from a phone... - I don't even get how such a thing is possible. - It'd be impossible to guess it (a VERY long series of upper and lower case letters, numbers AND symbols) and I don't manually type it in anywhere, so key presses can't have been logged, and I've antivirus (and all related malware /ransomware bla bla) on the computer.

So how is it possible? Eliminating the possibility of someone guessing (it would be over a trillion to one against,) I can only imagine there's been an oops away from my computer. (And the email was a genuine Netflix one, not a phishing attempt.)

*EDIT* only recent change to my computer was to download and install Shogun 2, Total War, which was free on Steam. - Hack report arrived a few minutes afterwards.
Have you ever logged into Netflix while on public wifi? A lot of easy hacks revolve around man-in-the-middle.

User avatar
felter
Posts: 6961
Joined: Sat, 9. Nov 02, 18:13
xr

Re: How did they do it? (Hacked)

Post by felter » Tue, 7. Jul 20, 02:03

Can I just say it doesn't matter if you type in a password or copy and paste a password, they are still both sent the same way and if you have a key logger on your computer, it will still pick up the password as it is sent.
Florida Man Makes Announcement.
We live in a crazy world where winter heating has become a luxury item.

pjknibbs
Posts: 41359
Joined: Wed, 6. Nov 02, 20:31
x4

Re: How did they do it? (Hacked)

Post by pjknibbs » Tue, 7. Jul 20, 08:51

felter wrote:
Tue, 7. Jul 20, 02:03
Can I just say it doesn't matter if you type in a password or copy and paste a password, they are still both sent the same way and if you have a key logger on your computer, it will still pick up the password as it is sent.
If you have a keylogger on your computer then you're SOL no matter what, but that's nothing to do how the password is "sent". In point of fact, any halfway decent login system should never actually send the password in plain text, but should send a hash of it instead, precisely to avoid a sniffer along the network route picking the password out.

BrasatoAlBarolo
Posts: 1404
Joined: Sat, 1. Dec 18, 14:26
x4

Re: How did they do it? (Hacked)

Post by BrasatoAlBarolo » Tue, 7. Jul 20, 09:03

It's never about how "strong" is a password. You can put there three pages of the Comedy or a simple "1234", if it's sent in a bad way, it can be read and used in malicious ways.
Honestly though, playing with random people passwords is actually uncommon: the easiest way to get some password is phishing; just send an email to any executive telling him the security failed and he's required to login to your random page and he is 90% of times complying.

User avatar
red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Re: How did they do it? (Hacked)

Post by red assassin » Tue, 7. Jul 20, 11:42

pjknibbs wrote:
Tue, 7. Jul 20, 08:51
If you have a keylogger on your computer then you're SOL no matter what, but that's nothing to do how the password is "sent". In point of fact, any halfway decent login system should never actually send the password in plain text, but should send a hash of it instead, precisely to avoid a sniffer along the network route picking the password out.
If you send a hashed password over the network to log in and somebody manages to intercept that hashed password, then that hash is what they need to send to log in, not the original password the user entered, so this doesn't meaningfully increase security. Hashing is done server side to make it harder for an attacker who dumps the password database to get the password needed to log in.

You can do some form of challenge/response authentication where the server sends a challenge and the client hashes that with the password and sends that back, but the server needs to have the plaintext password to verify that, which means it needs to at least be transferred at registration and password change time.

You can use asymmetric cryptography to establish identity, but practical user-side implementations of this have generally proven difficult because of challenges issuing or verifying users' keys and usability issues. (We use it to verify server identity, of course, with a few issues, but TLS client certificates, PGP email, etc have never really taken off except in a few very specific circumstances.) Alternatively you can just use asymmetric cryptography to establish a secure channel to send the password over, at which point you're probably just using TLS, which is the way the vast majority of implementations of authentication systems actually work. Since it became common practice, especially with additional mitigations such as HSTS, the threat from compromised WiFi has almost evaporated.

One-time passwords for two factor authentication - Google Authenticator, Yubikeys, and the like - are an additional mitigation against password compromises via keyloggers, phishing, etc, and should be used wherever possible. (Yubikeys are the best if available - they use a cryptographic handshake which means they can't be phished, which a Google Authenticator type code can be.)
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

pjknibbs
Posts: 41359
Joined: Wed, 6. Nov 02, 20:31
x4

Re: How did they do it? (Hacked)

Post by pjknibbs » Tue, 7. Jul 20, 12:49

red assassin wrote:
Tue, 7. Jul 20, 11:42
If you send a hashed password over the network to log in and somebody manages to intercept that hashed password, then that hash is what they need to send to log in, not the original password the user entered, so this doesn't meaningfully increase security.
Disagree strongly. We know that people re-use passwords--in an ideal world that wouldn't happen, but we know it *does*. Therefore, if you send a password in a form that's readable and someone intercepts it, they can potentially use the same password on other websites to do some real damage. If you hash it in a way that can't be trivially reversed, the intercepted hash will only allow the attacker to log in on the one site where you've done that--it won't allow you to log in anywhere else they've used the same password.

User avatar
felter
Posts: 6961
Joined: Sat, 9. Nov 02, 18:13
xr

Re: How did they do it? (Hacked)

Post by felter » Tue, 7. Jul 20, 14:40

My bad, me using the word sent was as misleading as using the word keylogger. I wasn't actually meaning sent over the internet, I was meaning more along the lines of when you press a key on a keyboard the data representing that key press is sent to where ever it is intended to go, whether that be a text document, a filename, a password box or whatever, that keystroke is sent in binary. The thing is if you cut and paste a word instead of typing said word, the exact same binary data is sent the exact same way and a keylogger picks this up, it doesn't actually just collect the data of a key being pressed, hence it is s little bit misleading calling it a keylogger.

The hashed business happens after this has happened, as a hash is only created after the data has been entered not as it is being entered. The hash is between two entities this can be over the internet, over your wifi, between two devices on your network or even two apps on a single computer but before that data is turned into encrypted data is in a state of plain binary data, being sent from keyboard, mouse click to the CPU, Memory, Hard Drive and SSD, I flies around as 1's and 0's and that is what the keylogger gathers up. As you enter digits into that password box by keyboard or cut and paste, they are sent to that password box unencrypted and remain unencrypted until you click on that enter button for it to be sent over the internet and it is up till then that a keylogger does it's job catching the text being sent to that password box.

I suppose the word keylogger probably comes from the original ones as some of them just gathered what was being sent form a keyboard but modern keyloggers don't just gather keyboard data they gather all text. I have one around here somewhere, it's benign as it doesn't send the data anywhere it just gathers it up and shoves it into a text file for later reading, but it wouldn't be too hard to turn it into something that could send gathered data. If you were to use cut and paste it would grab that data just like a keyboard keystroke and send it to a text file. It can still be used as a keylogger, if I was to put it onto someone else's computer as I could just collect the data file at a later date, it just can't be remotely accessed. And no I wont give anyone a copy.

So like I said, cut and paste does not fool a keylogger.
Florida Man Makes Announcement.
We live in a crazy world where winter heating has become a luxury item.

User avatar
red assassin
Posts: 4613
Joined: Sun, 15. Feb 04, 15:11
x3

Re: How did they do it? (Hacked)

Post by red assassin » Tue, 7. Jul 20, 20:17

pjknibbs wrote:
Tue, 7. Jul 20, 12:49
Disagree strongly. We know that people re-use passwords--in an ideal world that wouldn't happen, but we know it *does*. Therefore, if you send a password in a form that's readable and someone intercepts it, they can potentially use the same password on other websites to do some real damage. If you hash it in a way that can't be trivially reversed, the intercepted hash will only allow the attacker to log in on the one site where you've done that--it won't allow you to log in anywhere else they've used the same password.
Okay, fair enough, strictly speaking, hashing passwords in transit would provide some additional degree of protection against password replay attacks against other services. But you're defending against a threat that doesn't really exist, and implementation is difficult (you'd have to use some sort of JavaScript pre-transit password hashing to do it on the web, for example, and what happens if people have JS turned off?). TLS has pretty much solved the problem of on-the-wire interception of sensitive data, and it works for a much wider range of types of sensitive data than passwords. People's passwords get compromised by (in descending order) phishing, server-side compromises and user device compromises.

felter wrote:
Tue, 7. Jul 20, 14:40
The thing is if you cut and paste a word instead of typing said word, the exact same binary data is sent the exact same way and a keylogger picks this up, it doesn't actually just collect the data of a key being pressed, hence it is s little bit misleading calling it a keylogger.
You might be interested to learn this isn't quite true. Your conclusion is correct - chances are pretty good that anything doing keyboard input hooking will just listen to the clipboard as well - but they're quite different APIs. You can read about how the clipboard works in win32 in MSDN's ever-helpful docs, for example. This is relevant because on some OSes it's a much less privileged operation to read the clipboard than it is raw keystrokes. For example, Apple recently updated iOS to notify when apps read the clipboard, and it turns out a lot of apps have been doing it for slightly unclear reasons, TikTok being a main offender. https://www.independent.co.uk/life-styl ... 03461.html
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way

Post Reply

Return to “Off Topic English”