Pink Poogle Toy Forum

Well, out of curiosity, and I admit a little paranoia, I went ahead and checked my system for hack0r warez last night. I discovered L0phtCrack 2.5 on my system and was a little surprised to be honest. I can't say for sure if it was from a cookie-grabber, but I am not ruling it out just yet.

More information can be found here and here.

It cracks Windows passwords (of all types, apparently even in cookies) via the Windows Registry. In short, it uses an English dictionary and can crack a password with letters and numbers in about 10 days or less. So 'efficient' that the makers of the software pulled the plug on the project.

Suffice to say I went ahead and picked a foreign language translator and changed my password to a combination of non-English words for once.

I am suggesting this as an additional security measure to take just in case.

Oh, and anyone else might want to search for L0phtCrack on their system. Spelled with a number zero rather than the letter "O." Somehow if no one else finds this on their system, I probably will worry less actually.

I ran a search for anything named "L0phtCrack" on my computer and came up empty. I'm going to put the system through SpyBot and AdAware later today, though.

That's really scary, anjuna. I hope your computer's all right.

I came up empty also. I ran Spybot and Adaware and nothing came up in those, either.

Oh thanks for the reassurance. My computer is fine and dandy actually. I rarely get any malware, a bi-yearly virus or so if I am really unlucky, and only been hacked once (well before I played Neopets) by a defense attorney of all people during the time when I had a workers compensation case. That was very different and involved a different program (dtSearch).

I think the non-English password is a good idea, glad I thought to do that.

I also tend to go around Neopets now with ActiveX, Scripts, Flash and Applets disabled. I admit it speeds up the page loading 1,000%. I only have to remember for certain pages and games to turn them back on.

Has anyone that HAS been hacked lurking and willing to search their computer for that L0phtCrack, if they haven't already thoroughly sterilized their computer yet? (By the way, DO use Windows Search, I found it in Program Files in two different folders (one with a file containing a password hack attempt, another with a supposed password saved in it but with an error message after, in which I can only hope the app failed. Anti-Spyware programs will not likely find this. I ran several and they did not.)

Non-english password as in the foreign characters themself or english-alphabetical spelling?.

For instance... "Sakura" is the english-alphabetical spelling of the Japanese word referring to Cherry Blossom Tree. The japanese kanji is 桜.

Just wondering -- your idea is a good one!.

Foreign language is a good idea, but couldn't someone just input another dictionary file into that program? Still better than plain English, though.

If you have kids, or anyone else that uses your computer, L0phtCrack was probably installed by them. It's not a transmitted program, virus, or anything like that. It's a tool used by script kiddies to try and break windows passwords.

Neopets could easily solve the "cookie grabber" problem if they wanted.

Here's just four solutions:
1) Limit the HTML allowed
script tags, object tags, embed tags, etc... could be banned

2) Either don't use MD5 to hash transmitted passwords, or if MD5 must be used, at least salt the passwords beforehand.

3) Use random data to authenticate sessions that changes with each page hit
Such random data could even be tacked onto a password before its hashed to prevent session hijacking. Allowing only one log-in at a time would limit the amount that a session hi-jacker could do as well (because when someone logs back in after being logged out, they knock off the hi-jacker who would then have to re-run the attack to gain access, in the case of a cookie grabber this would mean the victim would have to hit the same script AGAIN, unlikely at best).

4) Use numbers to index users in cookies
Plain and simple, two things are needed to log into just about any system -- a user name and a password. If a number was associated with the user name ONLY for use in the cookies, it would prevent a grabbed cookie from exposing enough information to allow an attacker to log-in.

Cookies bound to an IP address would not necessarily help, because the cookies already contain too much information (user name/MD5 hashed password). If a cookie could be read by an intermediate source, your account is already compromised.

There really is no excuse for such a vulnerability to exist, I attribute it to laziness and lack of imagination.

As far as why I know about this stuff, I'm an internet security researcher. I developed xice encryption: http://en.wikipedia.org/wiki/Xice

@spudge:
Perhaps you could send that information and your suggestions to one of Neopets' email?. I really hope staff members happen to lurk this board -- so many opinions but no results yet. ):

Unfortunately I must've browsed just about 20 different shops since this first happened, and so far I'm okay.

Most non-character languages share most of the English alphabet letters. I would think Japanese "English" (if there is such a thing) OR phonetic translations would be fine. I am not sure if additional dictionaries can be imported or created. Quite possibly, but the nature of the cracker is a lazy hacker, so usually they will not bother. Not to say some have way too much free time on their hands. Uhm like, to all of you out there lamely hacking Neopets users, why not hack something worthwhile. Hey, you might even be offered a real job!

I agree with all the security measures above, particularly the non-MD5 hashed passwords and basically disallowing almost all BUT 'secure' HTML.

I do not have kids and I don't even have a Windows password. I am the only one that uses my computer and when I have guests or visitors I take full responsibility for their actions, since that is just how I am. (I try to maintain such a high level of security that no one other than me could likely harm anything. Theoretically anyway, lol.)

I try to monitor usage best I can; no one that uses it is malicious. And I do full spyware scans after, just in case anything is left over from them.

I believe anything encrypted can be decrypted, I store my passwords in plain text on a separate Hard Drive, and I prefer security thru obscurity. On the other hand, I take otherwise uber-paranoid measures sometimes.

EDIT: And JCMidore, you would not likely know until days or a week later if someone stole your password in this particular way. Be extra careful!

If only said hackers were out there to prove a point, and in turn help spot security holes and report their methods and actions to TNT -- be a hero for once.

@anjuna
And actually, I'm going to go clear cookies and do the routine "grabber-maintance" in a few minutes.

I believe one person tried that in the past (maliciously at first BUT to point out a few security flaws) and only got banned forever and almost sued. The fact is TNT knows all this. Hopefully they are working on it, but there is a chance they just don't/can't care, with so many accounts to 'manage.' And I do admit part of it is the user's responsibility (to not browse completely naively or uninformed). But with their site "needing" ActiveX, Flash, Java applets (?) and Scripts, it is MORE irresponsible of them, in my opinion, to expect us to know more. Besides, Neopets is expected to be a safe FAMILY site. No one wants viruses or malicious scripts or anything coming from it. It is reasonably expected. And disallowing 'fancy' code can stop the cookie-grabber thing, I do believe. In fact I think we would all be willing to give that priviledge up for such 'advanced' security. Avoiding virtually predictable scenarios like this.

Good that you're checking your system. AVG has a new free Anti-Spyware app I am trying out now. AVG Free (anti-v) does me VERY well, but alas I am not sure a cookie-grab would be detected by either. Best to get to know one's Windows, in my opinion, and even check Program Files and other usual places (Windows system folder, even C drive, etc.), sort by date and see if anything looks out of sort, if one is feeling something amiss. And remember, browsing with Avant (using Trident) and Orca (using Gecko, like FireFox) you can turn off ActiveX, Flash, Scripts, Applets, and even Images all with one easy click each. (The only thing they both don't support are toolbars but I catch Tarla several times a day by refreshing my handy Alert! link.)

I'm really starting to get annoyed about this.

I find it appalling that TNT hasn't announced on the site that there is a problem, and that they are working on it (and then solving it quickly and letting us know it's solved). If I didn't visit this forum, I would be blissfully unaware of the new cookie grabber threat, and would be browsing the site unprotected, easy prey for any malicious grabbers. I can't imagine how many people are unaware of this and are being taken advantage of!

I'm also getting very anxious for this to be resolved. Why are they taking to long? Shouldn't fixing security issues be of highest priority for them? Will they even let us know when the problem is solved? (Since they haven't let us know there's a problem in the first place) How will we know when it's safe again? I am very anxious to be able to buy things from user's shops, and look at guides and the like that are on petpages. There are just so many unanswered questions about this, and I hate being left in the dark.


I'm glad I'm not the only one doing that. Despite my flippant comments earlier in this thread, I'm actually a bit worried about going around neopets with scripts disabled. They wouldn't really freeze us for that, would they?

As for using non-English passwords, my passwords don't even contain real words in any language!

As of now there really isn't a "safe" way to surf the site. It needs cookies for authentication. Disabling Javascript prevents Cross-Site Scripting (XSS) attacks, but there's still sensitive information being transmitted plaintext (yes I would be in the minority to classify MD5 as plaintext).

Really the push should be to get TNT to remove such sensitive information from their cookies. I will stick with chocolate chip until then. Maybe with oatmeal. I don't know.

I don't really like raisins though, so I would exclude those. Possibly M&Ms would be nice to transmit. Definitely don't like sugar cookies though. I'm just kind of hungry right now I guess.

Personally, I'd rather have smarties. Not a big fan of raisins either, but I love me that oatmeal!

You really should submit your ideas to TNT. Hopefully with enough good suggestions like that, something will actually get done to make the site a safer place to surf.

Just wondering, does anyone know if this has been fixed yet? As in is it safe to go to user shops, etc.?

Anjuna, one of the people who supposedly had a hand in some of the earlier bad stuff said that they did it because they tried to let TNT know where there were weaknesses and that a) TNT didn't listen; and b) they froze him. So he and some "friends" (I use the term loosely) said the heck with it and went on a rampage - dupe day, the mess with the TP and the big cg problem.

I know nothing's perfect and if someone's really determined, they will try to find a way to cause problems. But it seems to me that while the programmers at Neo do work on plugging holes, no one's being proactive and making as sure as they can that this can't happen in the first place. The html checker was supposed to prevent this stuff from happening again on user pages. And geocities isn't allowed at all anymore - figures, they finally allow some hotlinking of images and Neo disallows them.

I'm not bashing TNT or any of the staff, I think they do their best and it can't be an easy job. But they really need to do some thing(s) different to protect their site and the users. Having people being cg'ed, frozen and then in some cases not getting their accounts back because it's the user's responsibility to protect their account or getting their account back in shreds just doesn't cut it for me.