Iantiger Posted April 7, 2006 Share Posted April 7, 2006 Many a time we have all seen the posts on here: "I was hacked". 99% of these hackings were the fault of the player for downloading some third party program, or clicking an untrusted link, thus installing a keylogger or trojan on their computer. However once in a while, a person may be dead-set on denying that they did either of these things, claiming the hacking was done by "brute force", or in other words, there is nothing they could have done to prevent the hack. However, surely if brute force exists, Zezima, and other such highly recognised players would be the main target, and thus you would think Zezima would have been hacked countless times. What are your opinions/thoughts? ~Ian Retired Tip It Moderator | Zybez Radio DJ - Listen Here Link to comment Share on other sites More sharing options...
Punc Posted April 7, 2006 Share Posted April 7, 2006 I'm pretty sure there are people that can brute force hack, I so don't think they'll waste their time hacking RuneScape account when you can hack IRL bank account or something similar... Link to comment Share on other sites More sharing options...
Hypnotic_tapeworm Posted April 7, 2006 Share Posted April 7, 2006 well it is possable... but would be very hard to pull off, first off they would need to know the players i.p adress and jagex stores them (i think) so they would need to hack the jagex server or main computer or whatever they would use, then find a players i.p address and then hack them.... but as you said they would go for the more well known players accounts i cant go into much more detail as i dont know how the jagex system works. but it is possable just very unlikely more often its people who've just been stupid but are too stupid to admit it, i mean the ammount of people ive seen fall for the "look you cant type your password look *******" just makes me laugh Link to comment Share on other sites More sharing options...
Mordendravid Posted April 7, 2006 Share Posted April 7, 2006 Yes it's definitely possible. There's 2 widely recognised methods that could be employed: 1) Password generators - multiple login attempts under a single user name with a program entering either a pre-defined list, or generating a password on each attempt. The simple solution to this sort of access attempt is the "get your password wrong x times and account is locked" approach. I'm fairly sure that even if Jagex don't actively employ this restriction they will have monitors on their login servers looking for similar activity - it's fairly old school now. 2) Server side hacking - this would require accessing Jagex's servers, again probably the login servers would be targeted as account details will be stored there in order to validate login attempts. However, this sort of approach means attempting to go round security implemented by a team of experts - even if you get past the multiple firewalls and onto one of the servers you would still need to unencrypt the information held on there. Even default triple-des security is not easy to unencrypt without the access key, let alone any additional encryption algorithms that are undoubtedly used. All in all if someone's got these sorts of skills they're unlikely to target a MMORPG when there are so many real life targets that would get greater kudos and/or financial gain. Therefore my suspicions are that 99.999% of actual hacking is through keyloggers and trojans. Though even these examples are rare in comparison to people simply sharing their password with a friend/writing it down somewhere obvious or using a password which is ridiculously easy to guess. I would also suggest that (as per Jagex's rules) people avoid using any illegal 3rd party clients to access the game - you're providing all your details to someone that you've never met and risking a ban from the game to boot. Just my $0.02 EDIT: PS I have not listed a number of other potential hacking approaches simply 2 that are very well known. The reason for this should be obvious. Link to comment Share on other sites More sharing options...
Hypnotic_tapeworm Posted April 7, 2006 Share Posted April 7, 2006 All in all if someone's got these sorts of skills they're unlikely to target a MMORPG when there are so many real life targets that would get greater kudos and/or financial gain Exactly! Link to comment Share on other sites More sharing options...
Duke_Freedom Posted April 7, 2006 Share Posted April 7, 2006 2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters Let's say a password of 8 characters.. 62^8 ~ 2 * 10^14 Let's say one trial takes 1 second :lol:. 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. Nope, noone is getting brute force hacked in this game. Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;) However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary. The value of my bank at its height. Estimated value at the peak of the rares market: 250 billion+.Most likely the largest trade in RuneScape ever. Estimated value at the peak of the rares market: 70 billion+. Link to comment Share on other sites More sharing options...
Hypnotic_tapeworm Posted April 7, 2006 Share Posted April 7, 2006 However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary. or maybe they did download something without realising(sp) and dont run anti virus/spyware programs so dont realise they have a ton of key loggers or trojans lol Link to comment Share on other sites More sharing options...
swampjedi Posted April 7, 2006 Share Posted April 7, 2006 Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force. My Goals and Achievements Link to comment Share on other sites More sharing options...
Bubsa Posted April 7, 2006 Share Posted April 7, 2006 Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force. Beaten to it. I think this was what you were getting at Ian. This is how much you all raised for charity. Thank you. Link to comment Share on other sites More sharing options...
ixfd64 Posted April 7, 2006 Share Posted April 7, 2006 I don't think RuneScape passwords are case-sensitive, though. They should be, in my opinion. ARENAscape: Baratus [AS] max hit: 166 with Moon Battle Hammer ixfd64 [AS] max hit: 116 with (untitled spell #2) Link to comment Share on other sites More sharing options...
Duke_Freedom Posted April 7, 2006 Share Posted April 7, 2006 Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force. Beaten to it. I think this was what you were getting at Ian. Still, if you get hacked as a result of a dictionary attack (which will still take a significant time period, but more realistic then brute-force, unless Jagex has a system in place which blocks ip's after x wrong passwords) that just means you were too careless in making a secure password in the first place... But since it are usually not extremely high leveled players / rich who got 'hacked', I don't think they were a victim of dictionary attacks either. I don't think RuneScape passwords are case-sensitive, though. They should be, in my opinion. Hm your right - and yeah they should be, was surprised to see they aren't.. :? The value of my bank at its height. Estimated value at the peak of the rares market: 250 billion+.Most likely the largest trade in RuneScape ever. Estimated value at the peak of the rares market: 70 billion+. Link to comment Share on other sites More sharing options...
Bubsa Posted April 7, 2006 Share Posted April 7, 2006 Sure brute forcing exists, but not here. Dictionary attacks sure, but not brute force. Beaten to it. I think this was what you were getting at Ian. Still, if you get hacked as a result of a dictionary attack (which will still take a significant time period, but more realistic then brute-force, unless Jagex has a system in place which blocks ip's after x wrong passwords) that just means you were too careless in making a secure password in the first place... I agree wholeheartedly. I think that highlights the importance of alpha-numeric passwords. This is how much you all raised for charity. Thank you. Link to comment Share on other sites More sharing options...
petey Posted April 7, 2006 Share Posted April 7, 2006 Let's say one trial takes 1 second 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :? Which Final Fantasy Character Are You?Final Fantasy Currently Listening To ~ Hotel California / The Eagles Link to comment Share on other sites More sharing options...
lankyman1 Posted April 8, 2006 Share Posted April 8, 2006 yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid.. it can be done in days and brute force hacking is possible. But why would you want to hack a game where you get pixels.. lol. i'm sure those hackers have better things to get.. like adult website passwords.. stuff that has a use. Link to comment Share on other sites More sharing options...
Duke_Freedom Posted April 8, 2006 Share Posted April 8, 2006 yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid.. I'm glad you have no idea what you are talking about and prove that by calling me stupid.. Thanks. usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke Well if you try filling in your username and a wrong password and then check how long it takes before you get a reply from the server that says that the password is incorrect, you'll see that it takes much longer then a second. But if you use a bit more advanced techniques you're right that you may be able to circumvent that though, no idea about that. It doesn't really matter that much anyway... If it takes 5-12 thousand variations a second brute-forcing is still not feasible. The value of my bank at its height. Estimated value at the peak of the rares market: 250 billion+.Most likely the largest trade in RuneScape ever. Estimated value at the peak of the rares market: 70 billion+. Link to comment Share on other sites More sharing options...
nvw08 Posted April 8, 2006 Share Posted April 8, 2006 yeh that guy is right lol.. it doesnt take 1.6 million years haha thats just stupid.. it can be done in days and brute force hacking is possible. But why would you want to hack a game where you get pixels.. lol. i'm sure those hackers have better things to get.. like adult website passwords.. stuff that has a use. Since your so uber smart can you tell me how you can brute force attack someone in days? If your talking about dictionary attacks that's different... I personally believe Duke Freedom seeing as he has probably been playing a lot longer then you as well as being very knowledgeable about the game so untill you can tell me how to do it in a few days I'm goin with 1.6 million years as the leingth for a standard brute force attack :wink: Droolman's item Guide | My RuneScape pictures | My barrows videos, with download link!Free Image Hosting! | Free File Hosting! Link to comment Share on other sites More sharing options...
Ball_of_Pain_Reborn Posted April 8, 2006 Share Posted April 8, 2006 Let's say one trial takes 1 second 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :? Hmm, I was thinking about that and I doupt it would be possible 'cus the runescape login isn't standard because you cannot simply tab your way into the field and press enter. You would have to set up an auto clicker to move between the 2 thingys and that would be pretty hard. Link to comment Share on other sites More sharing options...
dwarfie76 Posted April 9, 2006 Share Posted April 9, 2006 But if you use a bit more advanced techniques you're right that you may be able to circumvent that though, no idea about that. It doesn't really matter that much anyway... If it takes 5-12 thousand variations a second brute-forcing is still not feasible. The way a lot of people are getting compromised is using the same password ingame that they use on forum sites like this one. It's a reasonably trivial exercise to extract a user's password hash from a phpBB forum using SQL injection techniques. Once you have that you can crack the hash at your leisure. There are 32 digits in an MD5 algorithm meaning that for each character there are only 512 possible guesses. Tackling the MD5 one character at a time is far more efficient than trying to brute force the password. Once you have the MD5 key you can then crack any password hash you manage to get your hands on pretty easily. Link to comment Share on other sites More sharing options...
Unrealist Posted April 9, 2006 Share Posted April 9, 2006 Let's say one trial takes 1 second 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. usually a dictionary attack uses about 5-12 thousand variations a second...sorry to correct you duke :? Hmm, I was thinking about that and I doupt it would be possible 'cus the runescape login isn't standard because you cannot simply tab your way into the field and press enter. You would have to set up an auto clicker to move between the 2 thingys and that would be pretty hard. Actually, pressing the enter button can move you between username and password. Mine can, at any rate. Link to comment Share on other sites More sharing options...
Taito2004 Posted April 9, 2006 Share Posted April 9, 2006 It wouldn't happen on Jagex's side.. Jagex is a multi million buisness whhich could be shut down in an instant if they allowed someone to get hacked. The data protection act states that all infomation stored about someone must be kept safe under penalty of law, and if someone were to hack their servers this makes this infomation no longer safe.. the company would be either fined millions (thus probable putting them outta business) or shut down completly. 92/99 Fishing | 119/120 Combat | 92/99 Firemaking | 94/99 Fletching | 1878/1900 Total | 85/85 Slayer | 80/80 Prayer Link to comment Share on other sites More sharing options...
X-Arcade-X Posted April 9, 2006 Share Posted April 9, 2006 I guess I'm the first one to state that the applet won't let you log-in for 60 seconds after 7 invalid attempts. :lol: It's all about what you call "brute-forcing". I can go and enter Username: Zezima Password: tweedledumtweedledee And if that doesn't work, Username: Zezima Password: tweedledumtweedledoo And if that doesn't work, I'll give up. But hey, it could. Would you call 2 tries a brute-force or a random attempt? RsN: Arcade Link to comment Share on other sites More sharing options...
lakiisdebest Posted April 9, 2006 Share Posted April 9, 2006 well u coud instal keyloggers on library computers or on school. just to get an rs/hotmail/habbo (nvm) or so. and yea... i have lost my rs acc becouse my comp was broken and there was an drop party and well i wanted to go just for fun (first drop and then go pking) and so i have lost my lvl 98 member acc (witch i later saw back at one of the acc being banned ^^) the bird will always get the early wormbut the mouse will always get the cheesei am the jedi JOVLA PIAMS of the planet insulin! Link to comment Share on other sites More sharing options...
dwarfie76 Posted April 9, 2006 Share Posted April 9, 2006 I guess I'm the first one to state that the applet won't let you log-in for 60 seconds after 7 invalid attempts. :lol: Although if you were to attempt a brute force attack, you wouldn't use the applet, rather write a script which mimics the HTTP request that the applet sends to the server. Link to comment Share on other sites More sharing options...
zaquierming Posted April 9, 2006 Share Posted April 9, 2006 2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters Let's say a password of 8 characters.. 62^8 ~ 2 * 10^14 Let's say one trial takes 1 second :lol:. 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. Nope, noone is getting brute force hacked in this game. Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;) However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary. Even then, They would need to have the same password for, 6 years. Two roads diverged in a wood, and I-I took the one less traveled by,And that has made all the difference. Link to comment Share on other sites More sharing options...
gotsol Posted April 10, 2006 Share Posted April 10, 2006 2 * 26 (alphabet capital + lower case) + 10 (0..9) = 62 characters Let's say a password of 8 characters.. 62^8 ~ 2 * 10^14 Let's say one trial takes 1 second :lol:. 2*10^14 / (3600 * 24 * 365) = 1.6 million years on average. Nope, noone is getting brute force hacked in this game. Fine, you use only 5 characters?! Still takes over 6 years on average to brute-force hack you then, and that is if we could try once every second(!), which we obviously cannot... The stuff that simple mathematics can enlighten us about is just incredible. ;) However, what may cause people to get hacked while "they didn't install anything" (sorry, but I honestly doubt 99% of those cases) is that they have a too predictable password or a word in the dictionary. true but lets say the person has mmmm idk 10 computers much faster, but yes very rare RSN: 1 day late | Private chat: On | 60 ATTACK | 81 STRENGTH | 72 HITPOINTS | | 80 MAGIC | 13 PRAYER | 1 DEFENSE | 65 COMBAT | Link to comment Share on other sites More sharing options...
Recommended Posts