So let me start off this post by saying that I’m a huge Blizzard nerd. I’ve been playing their products since Warcraft: Orcs & Humans. Most of their games defined my teenage years, spent shut up in my friend’s house with a bunch of other nerds playing Starcraft till the sun came out, drinking Bawls like crack addicts. I’m also a fan of their security. I was highly disappointed in the rumors floating around when Diablo 3 launched about how their login system truncated complicated passwords. During that whole situation, it came out that Blizzard doesn’t really allow capital letters in their passwords; they just let you think it does. It all ended up being a hoax: the story was reused because this happened with Rift a few years back, and it must have been a slow news day. Also, a really awesome dude has been reverse engineering their login system since day one and wrote an awesome post: http://www.skullsecurity.org/blog/2012/battle-net-authentication-misconceptions. On top of that, he’s also pretty well known for passwords; Skull Security is the go-to place for password lists (for now).
So, being a player of Blizzard franchises, I can say with confidence that their recent attack means almost nothing. If we assume the worst, here is what was taken:
- password hashes
- username information
- authenticator data*
- secret questions
What’s being speculated right now is that with the authenticator data being stolen, your authenticator can be removed. Here’s the problem though: it’s harder to reset my Blizzard account than it is my own bank account. I believe the number of accounts that can be compromised via this theft is minimal. Having played Blizzard franchises for years, I actually have experience in these matters. I’ve had to reset information on more than one occasion after rage quitting World of Warcraft… Here are a couple of scenarios, from worst to best:
- You have a weak password and no authenticator: you fucked up. You are likely to be part of the few that lose their account temporarily. With how Blizzard responded to the incident, though, it’s likely your account won’t have a chance to get stolen. The hashing algorithm Blizzard used to hash the passwords is fairly strong, and cracking it will take some time, unless you have a really stupid password like hunter2. Blizzard has reacted in a timely manner and you will have to reset your password anyway, so this also minimizes the chance of your account getting hijacked.
- You have a strong password and no authenticator. Yeah, I wish the attackers the very best of luck getting those cracked in time… or at all.
- Say you have a weak password, but you have an authenticator. You can’t access your account without it, and to call up Blizzard customer support, you have to provide a lot more details than just your password. These kinds of attacks go for the most bang for the buck, so it’ll be difficult to actually obtain these accounts. I read unsubstantiated rumors that with the data stolen, they can remove the authenticator without having the password, which is pants-on-head stupid. Really, Reddit?
- You have a strong password and an authenticator. Go you, you win.
I’m no crypto wizard; in fact it’s probably one of my weaker points. Blizzard claims to use SRP for authentication, which seems like a strong framework for authentication. There is an interesting thread on /r/netsec discussing the pros and cons (actually it’s destroying an article claiming that SRP won’t help Blizzard in this case). A lot of people smarter than I am are in there discussing how good it is as a tool, and the consensus seems to be that it’s a good protocol.
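To make the "SRP helps, but only so far" point concrete, here is an added example (my own illustration, not Blizzard's code and not from the Skull Security post) of an SRP-6a exchange in the style of RFC 5054 with SHA-256. It assumes the 1024-bit MODP prime from RFC 2409 (group 2, g = 2), transcribed here and worth checking against the RFC before reuse; Battle.net's actual group, hash construction and padding are not reproduced, and the account name "g3k" and the wordlist are constructed. It shows three things: the server stores only a salt and a verifier, never the password; someone holding a stolen (salt, verifier) pair still cannot pass the client proof, because that needs the secret exponent x derived from the password; and the verifier is nevertheless an offline guessing target, which is why "hunter2" falls to a wordlist and a strong password does not.

```python
import hashlib
import secrets

# Added example, not Blizzard's implementation. Group: the 1024-bit MODP prime
# from RFC 2409 (group 2), g = 2 (assumption: transcription checked by the reader).
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenation of the parts; ints are padded to |N| bytes."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_x(salt, identity, password):
    """x = H(salt, H(identity ':' password)); only the client can compute this."""
    inner = hashlib.sha256(identity.encode() + b":" + password.encode()).digest()
    return H(salt, inner)


def register(identity, password):
    """What the server keeps: (salt, verifier v = g^x). The password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def server_challenge(v, b=None):
    """Server ephemeral: B = k*v + g^b (mod N)."""
    b = b or secrets.randbelow(N)
    return b, (k * v + pow(g, b, N)) % N


def client_login(identity, password, salt, B, a=None):
    """Client side, which knows the password: returns (A, proof M1, session key)."""
    a = a or secrets.randbelow(N)
    A = pow(g, a, N)
    u = H(A, B)
    x = private_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    return A, H(A, B, K), K


def server_verify(v, b, A, B, M1):
    """Server side, which knows only the verifier: recomputes S = (A * v^u)^b."""
    u = H(A, B)
    K = H(pow(A * pow(v, u, N) % N, b, N))
    return H(A, B, K) == M1, K


def login_succeeds(identity, password, salt, v):
    b, B = server_challenge(v)
    A, M1, K_client = client_login(identity, password, salt, B)
    ok, K_server = server_verify(v, b, A, B, M1)
    return ok and K_client == K_server


def impersonate_with_verifier(v, B, a=None):
    """Attacker with the stolen (salt, v) but no password. It can form A, but S needs
    g^(b*u*x); it only has g^b and g^(u*x), so the best it can do is wrong."""
    a = a or secrets.randbelow(N)
    A = pow(g, a, N)
    u = H(A, B)
    S_guess = pow((B - k * v) % N, a, N) * pow(v, u, N) % N  # g^(ab) * g^(ux), not g^(ab+bux)
    return A, H(A, B, H(S_guess))


def crack_verifier(identity, salt, v, wordlist):
    """Offline guessing against a leaked (salt, v): one modular exponentiation per
    guess, no interaction with the server. Weak passwords fall; strong ones don't."""
    for guess in wordlist:
        if pow(g, private_x(salt, identity, guess), N) == v:
            return guess
    return None


if __name__ == "__main__":
    salt, v = register("g3k", "hunter2")  # constructed account
    print("legit login:", login_succeeds("g3k", "hunter2", salt, v))
    b, B = server_challenge(v)
    A, M1 = impersonate_with_verifier(v, B)
    print("verifier-only impersonation accepted:", server_verify(v, b, A, B, M1)[0])
    print("offline crack:", crack_verifier("g3k", salt, v, ["password", "123456", "hunter2"]))
```

The two attacker functions are the whole argument in miniature: `impersonate_with_verifier` never verifies, so a dumped verifier table is not a "log in as anyone" table the way a plaintext or reversible store would be, while `crack_verifier` runs at roughly one modular exponentiation per guess, which is slow compared to a raw hash but nowhere near slow enough to save a password on a common wordlist.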
The secret questions thing is probably the only concerning thing here. They were taken. This could lead to more compromises than I predict; however, Blizzard is in the process of setting up a way to quickly change them. I have heard rumors that it is not possible to change your questions, but having gone through that process, I can tell you it’s possible; it just makes you want to shoot yourself in the face (3+ hours on hold with customer support). Authenticator removal used to be the same process, but now there is a form you can fill out, and providing your driver’s license can bypass this annoying process (it takes a long time; it took me 2 weeks), but as an attacker this avenue is improbable.
What could they have done better? Well, for starters, not get breached, but in this day and age, with so many companies getting breached, it’s only a matter of time. They could also have gone into a bit more detail on what happened, but I understand they are still in incident response mode right now, and I hope they release more information as time goes on. Making it easier to reset your security questions would be cool, but not 100% necessary. I wish more companies would make their passwords expire over a period of time, like most corporations do. People hate this practice, and since Blizzard is so user oriented, I don’t see this happening. It’s the security vs. usability argument.
Hopefully, like me, you can see that this is almost a non-issue. I’m looking forward to a good post-mortem breakdown of what actually happened, but I still believe Blizzard is the top dog in user security. Yeah, they got breached, but who doesn’t these days? I don’t think this will really mean anything. For the first time in a long time, a company had safeguards in place to protect their data in case of a breach, and I personally applaud them. Blizzard is the model on which the standard should be set.
If you have any feedback on this post, or if you find any glaringly obvious problems, feel free to leave a comment or email me: g3k AT disillusion DOT us
*Writer’s note: it was pointed out to me by a friend that they only got the salts for the authenticator apps for mobile phones. So this narrows the attack surface from all authenticators to just the mobile apps. I’m not sure of the percentage of users that actually use this service vs. the key fob, but it’s free vs. having to pay some money plus shipping. Again, this really limits the attack surface, AND there’s the added bonus of being able to change your authenticator on the fly if you have access to your account. Good luck, attackers.