Welcome to duststar theory
- random, casual, stray thoughts -
"Only a life lived for others is a life worth while." - Albert Einstein
Asiasoftt.net demystified
Author duststar | 08.01.2010 | Category Cyber Security, MapleSEA
Introduction
Chrisloup at the Asiasoft MapleSEA Forum alerted users that a phishing site using the domain “asiasoftt.net” was being spammed in the Free Market.
Demystifying the phish site
1. WHOIS Details
Domain Name: asiasoftt.net
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Whois Server: grs.hichina.com
Referral URL: http://www.net.cn
Status: OK
Expiration Date: 2011-01-06
Creation Date: 2010-01-06
Last Update Date: 2010-01-06
Registrant ID: hc397045121-cn
Registrant Name: asaaf fsafd
Registrant Organization: huangjuntan
Registrant Address: fdsfsdfs
Registrant City: xiamenshi
Registrant Province/State: fujian
Registrant Postal Code: 361000
Registrant Country Code: CN
Registrant Phone Number: +86.05926286282
Registrant Fax: +86.05926286282
Registrant Email: 53474113@qq.com
The domain was registered with incomplete, junk details: notice that the “Registrant Name” and “Registrant Address” are random keyboard strings. However, the registrant was not very smart, as “he” left a traceable e-mail address and a real-looking “Registrant Organization”.
2. DNS Records
asiasoftt.net A 1 hour 76.73.42.94
asiasoftt.net MX 1 hour 10 mail.asiasoftt.net
asiasoftt.net NS 1 hour dns17.hichina.com
asiasoftt.net NS 1 hour dns18.hichina.com
asiasoftt.net SOA 1 hour dns17.hichina.com. hostmaster.hichina.com. 2010010624 10800 2000 691200 50000
mail.asiasoftt.net A 1 hour 76.73.42.94
www.asiasoftt.net A 1 hour 76.73.42.94
IP: 76.73.42.94
Website Status: active
Server Type: Microsoft-IIS/6.0
Browsing directly to http://76.73.42.94 redirects you to http://www.free258.com. Therefore, asiasoftt.net was hosted on a “free webspace” account.
3. Who is the owner of the domain?
Tracing 53474113@qq.com led us to establish certain facts:
a. This e-mail address was used on a Chinese forum to look for potential partners for an MMO game currency trading business (in short: selling game currency for real-world profit).
b. This e-mail address was also used in a job advertisement.
The owner’s real name is 黄俊坦 (Huang Jun Tan; remember the “Registrant Organization” = “huangjuntan” earlier?). He is the General Manager of 厦门旺佳游网络有限公司 (51 to 100 employees). The company is located in China at 厦门市湖滨南路811号1204室.
The job advertisement above offers 4,000 Chinese Yuan per month for a web developer. That is roughly 820 Singapore Dollars. I think it makes sense for them to phish maplers, empty out their items, sell the items for mesos, then sell the mesos for Singapore Dollars. Every 8 billion mesos they sell can feed a web developer for 1 month.
.duststar
Maplestory Cyber Security Series – Part 3 of 4
Author duststar | 07.01.2010 | Category Cyber Security, MapleSEA
Continuing from this post.
Part 3 – Protecting your accounts
1. E-mail Accounts
a. Protect the data between you and the e-mail servers
i. For web-based e-mail, use a secure “HTTPS” connection rather than an insecure “HTTP” connection.
ii. For e-mail client applications, use at least “SSL/TLS” over POP3 or IMAP.
b. Prevent getting key logged
i. Use an “On-Screen Keyboard” to key in your password. In Windows XP, it can be found by clicking the “START” button, then “All Programs”, “Accessories”, “Accessibility”.
c. Set your “Security Question” (Pick something only you will know)
2. Asiasoft Passport Account
a. Ensure that the passport website is secured by SSL (Check for “HTTPS”)
b. Verify that the SSL certificate is authentic (the issuer should be “GlobalSign Domain Validation CA” and the subject should match the domain name “passport.asiasoft.net”)
c. Pick a login ID that is different from your forum ID, game account IDs, e-mail ID etc (So that people cannot easily guess it)
d. Prevent getting key logged
i. Use an “On-Screen Keyboard” to key in your password. In Windows XP, it can be found by clicking the “START” button, then “All Programs”, “Accessories”, “Accessibility”.
3. Maplestory Game Accounts
a. Prevent getting key logged (Use the in-game on-screen keyboard provided)
b. Pick a login ID that is different from your other game account IDs, e-mail ID, passport ID, forum ID etc (So that people cannot easily guess it)
4. 2-Factor Authentication (2FA)
a. If Asiasoft were to release the 2FA security token for MapleSEA, you should consider getting it.
b. Below is my submission for the “Vasco System Q&A Event”.
1. Do you know what Two-factor authentication (OTP Token) is?
Two-factor authentication (2FA) requires the use of 2 different pieces of information or processes to authenticate the identity of a person. For Asiasoft’s implementation, basically this means the 1st factor looks at “something you know”, e.g. ID, password, soft-keyboard PIN, and the 2nd factor looks at “something you have”, e.g. the OTP (One-Time Password) security token.
The OTP token in this case, when activated or pressed, generates a random password based on a secret process, e.g. an RSA algorithm, known between the security hardware device (token) and the security server (token authentication server). Usually, the generated random password is only valid for a short period of time; therefore, even when one’s OTP is compromised, the account is still safe to a certain extent (please see the answer to question 2).
2. Do you know that Two-factor authentication provides 99.8% protection?
Yes. Basically the other 0.2% comes from a 3rd-factor mechanism, “something you are”, e.g. a biometric fingerprint or iris scan. However, the cost of implementing 3FA would probably be too high (to achieve that 0.2% of extra user confidence) and unrealistic for the gaming industry (even local Singapore banks are not using it, yet).
3. How do you think Two-factor authentication can contribute to securing game accounts?
It adds an additional layer of defence against account compromise, which is good because this is exactly what the “defence-in-depth” strategy means. Attackers will need to spend more time and effort to defeat 2FA.
Technically, when a player logs on to his account using 2FA, attackers cannot access the account unless the player logs out. Even if the player logs out, once the OTP session has expired (e.g. after 1 min), the attacker is still denied access to the account.
4. Will you be interested to use it, rate it 1 – 10? (1 – Not at all, 10 – I am very interested)
10.
5. Rate the Two-factor authentication. (1 – lousiest, 10 – Best)
10.
6. When do you want this to be implemented?
As soon as possible. However, players ought to be informed of the costs involved, if any, for token purchase, replacement and any other support. Also, another concern of mine is the younger population and how to educate them on 2FA.
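As an added illustration of the OTP token mechanism described in the answers above (example code written for this page, not the post’s own material and not Asiasoft’s or Vasco’s actual token algorithm): a time-based OTP following RFC 6238, built on HOTP from RFC 4226, with a server-side check that accepts a code only inside its short validity window and never twice. The shared secret, timestamp and 30-second window are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between token and server (not a real key).
SHARED_SECRET = b"constructed-demo-secret-not-real"
STEP_SECONDS = 30   # how long one generated password stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is derived from the clock."""
    return hotp(secret, int(at_time // step))


class TokenServer:
    """Authentication-server side: checks a submitted OTP and refuses replays."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift        # tolerate +/- this many steps of clock skew
        self.last_counter = -1    # highest counter already used for a login

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue          # already used: a captured OTP cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False              # wrong, expired or replayed


def demo() -> dict:
    """The scenario from the post: a login, a replay, and an expired code."""
    server = TokenServer(SHARED_SECRET)
    t0 = 1262563200.0                      # constructed timestamp (2010-01-04 UTC)
    code = totp(SHARED_SECRET, t0)         # player presses the token
    return {
        "first": server.verify(code, t0),              # legitimate login
        "replay": server.verify(code, t0 + 5),         # same code, seconds later
        "expired": server.verify(code, t0 + 120),      # same code, after the window
        "fresh": server.verify(totp(SHARED_SECRET, t0 + 120), t0 + 120),
    }
```

`demo()` returns first and fresh logins as accepted and the replayed and expired codes as refused, which is the “safe to a certain extent” property the answers describe.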
5. Choose a Strong Password
a. Use at least 12 characters, with letters, numbers and symbols if possible, e.g. m@pl3s+-0ry (with symbols), mapl3st0ry (alphanumeric).
6. Recognise and Prevent Phishing Attacks
a. Avoid using “links” given by others. Always type in the web address yourself or use a bookmark.
b. When in doubt, e.g. a GM asking you to divulge your account ID/password or personal information, always clarify the matter through i-Box.
7. Apply Common Sense
a. Do not log in to any of the above accounts from anywhere other than your own system. There is always a chance that software or hardware keyloggers have been installed without your knowledge.
b. Keep your password to yourself. It is supposed to be your secret. Surely you don’t share secrets around, right?
.duststar
Maplestory Cyber Security Series – Part 2 of 4
Author duststar | 06.01.2010 | Category Cyber Security, MapleSEA
Continuing from this post.
Part 2 - Protecting your system
1. Defence-in-depth
a. Lockdown your system
When we lock down our system, we gain finer control over how we want it to work. For example, we restrict the use of the “Administrator” account and instead use a “User” account with the least privileges. This way we minimise the damage caused by the installation of malware: if you run the malware accidentally, it runs with the least privileges.
However, Maplestory (and many other MMORPGs) requires us to run the game with full “Administrator” privileges. Do you know why? This is because they probably use 3rd-party security protection software such as GameGuard, HackShield, X-Trap etc., which requires kernel-level access.
So, ironically, it gets more troublesome to play Maplestory securely. To achieve a decent system lockdown while still playing Maplestory, create 2 user accounts on your system: one with “Administrator” access and one with “User” access. When you play Maplestory, switch to the “Administrator” account. When you surf the net, check e-mail, use MSN or do anything else, switch to the “User” account. Consider the following scenario: somehow you were tricked into running a malicious file that installs a keylogger on your computer. Depending on how well the keylogger was coded, it might not install at all because it does not have full “Administrator” privileges, or it might install and affect only the “User” account. Nice! So our Maplestory login ID, 1st password and 2nd password are safe? Well, not really. A skilled hacker can still use a “local privilege escalation attack” to obtain “Administrator” privileges and install the keylogger.
b. Patch your system
Operating systems such as Windows XP, Vista and 7, and software applications such as Internet Explorer, Mozilla Firefox, Adobe Reader and Flash Player, are often found to have vulnerabilities or bugs that need to be patched; otherwise they may be used as a vector to introduce malware into your system. Therefore, always patch Windows (http://windowsupdate.microsoft.com) and update your software applications to the latest version.
c. Anti-virus
There is no such thing as “XXX anti-virus is the best!”. No single anti-virus solution is capable of detecting 100% of malware. From the AV-Comparatives summary report for 2009, we can see that some products are good at detecting known malware, some at removing malware, some at detecting new or unknown malware, and so on. Therefore, I am not recommending any anti-virus here. What I suggest is to get one that is within your budget, or consider using the free ones. Do not install more than 1 anti-virus on your system without checking for compatibility issues; more often than not you get zero protection rather than double protection.
Having an anti-virus installed and working properly is the first step. Ensuring your anti-virus signatures are updated when new signatures are released is the second step, and this should be done on a daily basis. Lastly, scan all files before copying them to your system, and perform a full system scan periodically.
Relating to Maplestory, sometimes the game files or the game security files such as HackShield get detected as malware and deleted, which results in the game being unable to start properly. What you can do is inform iBox and wait for your anti-virus company to release corrected signatures, then apply them to your anti-virus.
d. Firewall
Put simply, a firewall controls what goes out to the Internet and what comes in from the Internet. The Windows firewall by default allows anything to go out to the Internet and nothing to come in. Huh? Then how can Maplestory still connect to the game servers? This is because the connection request was initiated by the Maplestory.exe process on your system, which the firewall accepts since by default it allows anything to go out. Other commercial or open-source firewalls work the same way but allow finer-grained network access control. For example, you can decide which application may go out to the Internet rather than just “anything”.
It is really not easy for a normal user to configure his/her firewall correctly, especially the firewall rules for Maplestory, as there are so many IP addresses and ports to configure. Maplestory’s “Helpdesk Support” will probably tell you to disable your firewall.
e. Other less important yet must-do things
i. Disable Autorun and Autoplay (that is how removable-media malware spreads).
ii. Disable your router’s wifi access if not in use, or secure it.
At minimum, ensure that you use WPA2 with a strong passphrase (most useful). If possible, enable MAC filtering to allow only your own devices. Lastly, disable SSID broadcasting (least useful).
Best of all is still not to use wifi, and use wired connections instead.
iii. Handle untrusted files with extra caution before running them
One way is to scan them through multiple AV and behavioural analysis engines online before deciding whether to run them.
2. Security through system isolation, or virtualisation
By isolation, we mean performing different functions independently: function A is isolated from function B, so when function A fails, function B is not affected, and vice versa. How does this apply to cyber security, and how is it related to virtualisation? With virtualisation, it is possible to run multiple operating systems on a single physical system, thereby achieving virtualised system isolation. We have talked about the importance of having layer upon layer of cyber security protections and defences; system isolation acts as another layer.
A real example of a secure Maplestory setup is as follows. We have a physical system installed with Windows XP (the host system). On top of it, we create 2 additional virtualised systems: one for trusted activities running Linux, and one for untrusted activities running Windows XP. Trusted activities include personal e-mail, internet banking, stock broking etc. Untrusted activities include downloading and running files from the Internet, checking a separate e-mail account used for communicating with untrusted sources, running your instant messenger etc. We use the trusted system for accessing Asiasoft Passport’s functions and the untrusted system for accessing the Playpark.net forum. Finally, we install the Maplestory client on the host system and play from there. If we do not use the host system for anything except playing Maplestory, the risk of being infected by a trojan or keylogger is greatly reduced (nothing is 100% secure). Every time before we use the trusted system, we revert it to the original system snapshot. This way, even if it was infected with a trojan or keylogger at any point, the malware will not survive the revert operation.
If time permits, I would probably create a project and technical guide to create and manage this setup.
.duststar
Maplestory Cyber Security Series – Part 1 of 4
Author duststar | 05.01.2010 | Category Cyber Security, MapleSEA
In this 4-part series, I will be covering cyber security issues on Maplestory and explore ways which you can protect yourself against hackers.
Part 1 – What is your data backup and recovery plan?
Or do you not have one? I think most people only realise the problem of losing data when their hard disk dies, gets corrupted, or the OS crashes beyond recovery. Thus, it is important for us to have a data backup and recovery plan before we look at how to protect our system, accounts and identity.
1. Backup
The cheapest solution would be to burn your critical data onto write-once DVD-Rs and archive them away. Depending on your needs, you can do this daily, weekly, monthly etc. Having multiple snapshots of data allows you to fall back to older snapshots should the current ones fail. Furthermore, once written, the data cannot be destroyed by any file system operation such as “delete” or “format”.
Alternatively, you can use a large-capacity thumb drive to keep a “hot” copy of your critical data, and keep the periodic snapshots on another external hard drive. This way, you still have 2 good copies on different storage media to fall back to when you need them.
For security-conscious users who often carry these media on the go and are afraid of losing them in transit, it is worth looking at a full-disk-encryption solution, e.g. TrueCrypt (free), to protect your data. Also, always scan your data for malware and clean it before backing up. This ensures that you do not get re-infected when you recover your data.
2. Recovery
Before recovering your data, you will need to re-apply all the security configurations you made previously, and run a full system anti-virus scan with the latest downloaded anti-virus signatures to ensure that the recovered system is malware-free.
.duststar
Cross-Site Scripting (XSS) Vulnerability on Playpark.net
Author duststar | 04.01.2010 | Category Cyber Security, MapleSEA
This vulnerability was reported 6 months ago to Asiasoft via the then Q-Box. A few months down the road they “removed” the vulnerable splash page, or did they? Currently, the vulnerable page is still accessible.
Background
When I entered http://www.maplesea.com, I was directed to the event splash page:
http://freestyle.playpark.net/eventSplash/index.aspx?return=http://maple.asiasoftsea.net/en/
After 10 seconds, I was automatically redirected to http://maple.asiasoftsea.net/en/.
XSS Vulnerability
The ‘return’ variable in the event splash page’s URL is vulnerable to an XSS attack.
For example, we can replace the return value ‘http://maple.asiasoftsea.net/en/’ with ‘http://www.google.com.sg’:
http://freestyle.playpark.net/eventSplash/index.aspx?return=http://www.google.com.sg
After 10 seconds, we will be automatically redirected to Google’s website.
A malicious hacker may point the variable at his own phishing or malicious site (imagine a replica of Asiasoft’s Passport login page) and send the modified full URL to his targeted victims in a phishing e-mail or through Instant Messaging.
The victims, thinking that a web link originating from the playpark.net domain should be safe, may click on the link and get redirected to the hacker’s phishing or malicious site.
Solution
The ‘return’ variable should be validated by the server-side script (e.g. ASPX) and restricted to a list of pre-defined URLs.
As a best practice, ALL variables (inputs) should be validated.
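One way to implement the pre-defined-list check recommended above, written in Python for this page rather than in the splash page’s own ASPX, and not part of the original post or of Playpark.net’s code. The allow-list holds the one return URL seen on the page plus a constructed second entry; the sample inputs are constructed and show why a loose substring check on the brand domain is not the same as an allow-list.

```python
from urllib.parse import urlsplit, urlunsplit

# Pre-defined return destinations. The first is the one the splash page uses
# on the original page; the second is a constructed example of another entry.
ALLOWED_RETURN_URLS = {
    "http://maple.asiasoftsea.net/en/",
    "https://passport.asiasoft.net/",
}
DEFAULT_RETURN = "http://maple.asiasoftsea.net/en/"


def canonical(url: str):
    """Normalise a URL for comparison; return None for anything unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None                  # rejects javascript:, data:, "//other.host"
    if parts.username is not None or parts.password is not None:
        return None                  # rejects "http://good.host@other.host/"
    if not parts.hostname:
        return None
    try:
        port = parts.port            # ValueError on a non-numeric/out-of-range port
    except ValueError:
        return None
    host = parts.hostname.lower()
    netloc = host if port is None else f"{host}:{port}"
    # Query and fragment are dropped: the allow-list names whole destinations.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", "", ""))


def safe_return_url(candidate: str) -> str:
    """Server-side check for the ``return`` parameter: allow-list or fall back."""
    normalised = canonical(candidate)
    if normalised in ALLOWED_RETURN_URLS:
        return normalised
    return DEFAULT_RETURN


def naive_contains_check(candidate: str) -> bool:
    """The kind of check that is NOT enough: a substring match on the brand domain."""
    return "asiasoftsea.net" in candidate.lower()


# Constructed inputs: the page's two example values plus inputs the validator must refuse.
SAMPLES = [
    "http://maple.asiasoftsea.net/en/",                 # legitimate
    "http://www.google.com.sg",                         # the post's demonstration
    "http://maple.asiasoftsea.net.attacker.example/",   # look-alike host name
    "http://maple.asiasoftsea.net@attacker.example/",   # brand name in the userinfo part
    "//attacker.example/",                              # scheme-relative
]


def compare() -> list:
    """(input, passes the naive check, where the allow-list check sends you)."""
    return [(s, naive_contains_check(s), safe_return_url(s)) for s in SAMPLES]
```

Every input that is not exactly on the list, including the third and fourth samples that the substring check waves through, is sent to `DEFAULT_RETURN`.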
.duststar
