Account Security - How not to get hacked

#1
So over the last couple of weeks I've seen a lot of people get hacked. This hopefully will give those who have got hacked an insight as to how, and give everyone some general ideas on how to improve their account security.

Current Day Zero exploits in Java

Currently in Java 7 there are several severe exploits that allow external access, with relative ease, into your java environment, giving them access to everything thats running under java. The only defence against this (built into RS) is the Jagex Account Guardian as it uses your email and the runescape website, which is external to the java client.

Yes, this exploit means your bank PIN and password are completely useless against this attack. The good news is this attack is easily stopped by any basic firewall, even windows firewall, which puts Mac/Linux users at greater risk

However thats not the only thing to be aware of, allowing a java request in your browser will also give the same effect, however the firewall will not stop this one as you've specifically allowed the java client to be run. So don't accept java requests from sources you don't trust. Take note that there are actually very few websites that run java in their webpages anymore, the only ones off the top of my head are ebay, for their multi-image uploader and runescape itself. If in doubt, don't run it.

Mac has a pre-installed firewall, however in most older versions of OSX its not enabled by default. You can give it a google on how to do that. As for Linux, you again will need to google a firewall for your distribution.

Alternatively you could just revert back to Java 6, but the benefits and performance gain from Java 7, imo, outweigh the loss of having the exploits which are easily avoidable by using a firewall.

A secure password is pretty much the pinnacle of a secure account, though for some reason jagex don't like secure passwords, they don't allow symbols in their passwords and capitals are completely irrelevant, use a good mix of letters, numbers and symbols/punctuation where possible. Write it down if you need to, the chances of someone breaking into your house are slim, let alone come after your password and use it Tongue

Having a bank PIN is also a pretty secure form of defence, even if you have a key logger which captures your password and JAG answers, the bank pin will stump them. The down side to this still leaves the hacker access to the items in your inventory and those which you have equipped, which is often peoples most valuable items.

The JAG (Jagex Account Guardian), imo, is favourable over a Bank PIN, provided your using two step verification on your email address, as gmail and outlook now offer. 2 step verification means when logging in from a new device you will receive a text message to your mobile/cell phone providing a code you need to enter before access to your emails is granted. That means that without physical access to your phone, no one can gain access to your rs account from a new device. Ideally when setting your questions and answers, set them to something completely different to what the question is asking, that way they cannot be easily guessed or picked out from a key logger. Write them down if you need to, again someone breaking into your house for your runescape info is never going to happen Tongue

For the best security you really should use all of the above, however it can be annoying, but its far more annoying and depressing when all of your work and time has gone to waste when all your items are missing, simply because of something that takes 10 seconds of your life every time you login/swap worlds. The benefits of using these methods greatly outweighs the loss of your items and time.

A Note on private servers and bots

Theres already been several high profile cases of private servers disappearing off the map leaving a notice about legal cases with jagex, however they have then followed by mass hacking by those silly enough to use the same username and passwords as their real accounts. If you are going to play on private servers, don't use the same details as your actual runescape account, or even give anything close to your real details.

Again using botting software is not only against the runescape rules, it gives the developers direct access to your login name and unencrypted password. There have previously been several ways this has been used to hack accounts.

Recently both private servers and botting software have been used to launch attacks on both SwiftIRC and Rizon IRC networks where the main bulks of the runescape community lie. So you not only risk your own account, but unknowingly become part of a botnet launching attacks upon services that thousands of people use which are provided for free.

If you have any further suggestions or questions, post them below smile


EDIT 17th July 2013:

Adding to the above, be very weary of links you click on through emails, irc or otherwise. Just by visiting links you are vulnerable to what are commonly referred to as "Java Drive-Bys". As jagex does with the runescape java client, they embed a program into a website. Theres many forms of this attack. But running a malicious java applet, unlike various other forms of this attack, gives the user access to your system, files and everything in-between. That means they can download files/virus, delete files from your PC, even restart your PC if they so wished, just by visiting a website.

If you ever receive emails from jagex, or indeed any company/website, dont click the link. Instead, goto their site through your browser, and perform the steps manually. They should supply you with that option in the email too with step by step guides on how to do it.

This is what I mean. The link below looks like it goes to the surreal site, right? I mean sure, why wouldnt it, thats what it says, right?

http://www.clansurreal.com/

It actually links to my site. Thats why you need to be careful on the internet, anyone can own a website these days and they can put what ever the damn hell they want on it. So be careful what you visit.

If your ever in doubt use this site to check if its a known malicious site. http://www.siteadvisor.com/
@iWader on Twitter.
3
Reply
#2
Excellent post, hopefully this will give some people some ideas if they don't already have them in place. Being secure about your Runescape account will translate to good security habits elsewhere, which is probably the most important lesson.
[Image: evaluate-staff.png] 
Have a question? My PM is always ON.
0
Reply
#3
I got no security no recovery questions set can't chance my password because the email my account was attached to has been hacked for years and I can't change my email because for some reason it won't let me!!

Some how I have and still am scraping by lmao super account to the rescue!!!

By no security I don't mean no anti virus, I ain't that stupid haha.
0
Reply
#4
Theres a thread on the rsof somewhere jodie that you can post and jagex can reset your password/email based upon the info you give them.
@iWader on Twitter.
0
Reply
#5
(2013-02-17 07:50:50)Wader Wrote:  Theres a thread on the rsof somewhere jodie that you can post and jagex can reset your password/email based upon the info you give them.

He is 100% correct and i would submit a post asap and work on getthing your account secure. Wizard
Reply
#6
(2013-02-15 15:59:55)Wader Wrote:  they don't allow symbols in their passwords and capitals are completely irrelevant

I had no idea about this, for years now I thought my password was case sensitive and always made the effort to add them in....

Thanks smile
[Image: portus-champ-2012.png]
[Image: portus.png]
0
Reply
#7
I'm not bothered tbh LOL.
0
Reply
#8
bumping this thread for Related reasons
0
Reply
#9
(2013-07-17 21:53:21)Killians Red Wrote:  bumping this thread for Related reasons

who got hacked now?

Edit: added some more stuffs to the main post and stickied.
@iWader on Twitter.
0
Reply
#10
Nice guide even though I've been hacked multiple times and lost few accounts too.
0
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Guide RAF ACCOUNT GUIDE (FOR DXPW) Beccah 3 4,590 2018-11-16 14:43:51
Last Post: Jonathan
  Guide Clifford's guide to computer security and maintenance. Clifford 15 14,437 2013-06-27 12:16:44
Last Post: Wader

Forum Jump:


Users browsing this thread: 1 Guest(s)