Email Issues, Website Security, Account Security Info

Discussion in 'Shard News' started by Chris, Dec 27, 2017.

  1. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    Email Issues
    Recently the server has been experiencing greater than average issues with email disruptions related to new player registration and thread monitoring by our players. About 18 months ago we moved to a new virtual hosted server (more power) to upgrade our website and either the IP we were assigned was a spammer, or the IP address had never been used to send email. Over the last 18 months we have been working with various sites to get emails from our domain approved for transfer.

    Recently however a certain user has taken it upon themselves to try to get us blacklisted from various email services by requesting and then reporting emails from our domain as spam.
    This of course is causing problems with new forum registrations, ingame account activations, and updates for your watched threads. Given that this player decided to do this over Christmas it is even more nefarious. We have requested the flagged emails from the various hosting providers along with any details about when they were sent and who requested them to be sent.

    We have zero tolerance for this type of terrorism and the players/IPs involved will be blacklisted from the server.

    If you experience trouble with any of the following please contact the staff directly (via IRC or ingame Page) and we will assist you promptly.
    - Forum Account Registrations
    Note: This can impair your ability to make new posts until your account is verified.
    - Ingame Account Registrations
    Note: Even if you are unable to activate your account ingame, the email is still on file and can be used to recover a password in the future. Completing the verification process just causes it to stop asking you about it when you log in.
    Website Security
    Due to a recent update by Google Chrome about half the websites in the world are now being flagged as "Not Secure". This is yet another headache in a long line of misguided changes by Chrome to "protect" its users. This is the same browser that happily allows extensions to steal your data and flags our client as "not safe". You can read more about the problem here.
    https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

    While some of our players are trying to make this out to be a serious issue that the staff is intentionally ignoring, that is not the case. This is a complex change for a website we hand wrote ourselves. Additionally we use a very secure forum software package and keep it up to date security wise. The only vulnerability that you could face is if your computer is infected with a virus that redirected your website elsewhere when trying to log into our forums that was specifically set up to spoof our forum login process. The forums are designed to avoid this as you are not redirected when you log in here as it happens on the same page.

    We will eventually convert the forums to HTTPS but it will take time and is not as critical as focusing on other development tasks at the moment. We have not seen any valid threats related to our forum package being compromised in any manner by any users of this software package. We also take extreme care in walling off our various databases so even if one was compromised it would not affect the others. Account names are never transmitted outside the game server and passwords are never stored in, or transferred unencrypted.

    You should however never use the same email/password combination for multiple websites and should always use a program like Malwarebytes to scan and protect your computer from nefarious websites and browser plugins that will steal your data.

    If you have any questions about either issue feel free to contact the staff. In the meantime Firefox is a better alternative to Chrome and will keep you just as safe when accessing the internet in general.
    Account Security
    The number one way players have things like their accounts compromised is because they willingly share that information with others. Giving a friend your account information on server X because you quit there might not be a bad idea, until you realize you use the same combination of username and password on each server. A server operator could go rogue as well and use nefarious methods to collect your login information to use for profit in a nefarious manner.

    Additionally you should never share your account information here with any other player. Not your friend, your brother, or your kids. Everyone should keep their account information private. If you need to have someone refresh your houses for some reason there are much safer methods to accomplish this other than giving out your account information.

    So always use unique account names minimally, or unique passwords on each UO server you play on. You can change your password here anytime using the [register command.

    Outside of that the Renaissance staff will always go to extreme lengths to protect your personal email address, IP access information and any other information you share with the staff. Volunteers and forum moderators do not have access to account names, email addresses or IP information.
    Last edited: Dec 27, 2017
  2. PaddyOBrien

    PaddyOBrien Well-Known Member

    Joined:
    Aug 12, 2014
    Messages:
    3,250
    Likes Received:
    4,470
    Are these issues connected to the bizarre posts in broken English about Vietnamese portapotties or other weird supplements? What's up with that?
    One likes this.
  3. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    No, that is another issue. Spammers have been trying harder than ever to create accounts here to post generic spam like that. 99% of them are caught by the spam filter registration. However a few get through and make their automated posts. They are removed as quickly as we find them.

    We don't believe it is related to the problems mentioned above because the reported emails were emails a user specifically requested. (watching a thread, password reset request, etc)
  4. Surfrats

    Surfrats Active Member
    UO:R Subscriber

    Joined:
    Nov 17, 2017
    Messages:
    201
    Likes Received:
    126
    What are the chances the user abusing the spam function is the same turd that is harassing folks in IRC?
    PaddyOBrien likes this.
  5. PaddyOBrien

    PaddyOBrien Well-Known Member

    Joined:
    Aug 12, 2014
    Messages:
    3,250
    Likes Received:
    4,470
    Yeah that guy has been pretty active lately
  6. binlagin

    binlagin Active Member

    Joined:
    Mar 26, 2017
    Messages:
    271
    Likes Received:
    231
    People should be very careful about logging into forum accounts on public networks.

    Until HTTPS is implemented, passwords will be visible in plain text.

    Thanks for the heads up Chris!
  7. Sheepdog

    Sheepdog Well-Known Member

    Joined:
    Jun 29, 2017
    Messages:
    839
    Likes Received:
    1,065
    I legitimately couldn't think of a more loserish thing to do over Christmas.

    Thanks for being on top of it Chris.
    PaddyOBrien likes this.
  8. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    This is misleading at best.

    Every password you type on your computer is visible in "plain text" If you have a virus on your computer or a plugin in your web browser. Your passwords are freely accessible. The security of our website does not come into play when protecting a password on your computer.

    The difference between HTTP and HTTPS is simply that the website backend is encrypted and you have got an SSL certificate. And I hate to break it to people but corrupt shady sites can just as easily get an SSL certificate as a legitimate website. The only way your password could be compromised here is if you got an email about UOR, and followed a link in the email which led to a fake UOR website and you gave them your password.

    Simply entering your password on our website does not magically make your password visible to the world as some players are indicating. The internet has been a thing for 20 years, and for 18 or so of these years most websites were HTTP based.

    HTTPS simply allows the web server and your browser to exchange your password in a secure fashion. This does not protect your password from the most common of problems (local infection, malware browser addons, etc). It simply protects you from malicious redirection or our web server being hacked. However unless someone is actively compromising our web server or you are using shady DNS services (or a Shady VPN service) your information is safe.

    Given that the only information you are giving our website is a password for your forum account the risk, if any, is trivialized. If I were selling your items, and you were giving me your credit card number on this website it would be another issue. Also keep in mind our forums allow you to be remembered for months at a time via cookies drastically reducing any risk you might experience.

    The Renaissance forums are just as safe as they were yesterday, last year and 4 years ago. I specifically use a secure web host, to which none of our players are affiliated that does not allow access without several verification steps to ensure that any information you provide us is kept secure. I have explicit rules in place that control access to our web host to further protect our players. Also keep in mind we don't use common crappy web packages like WordPress which are so easily hacked. We use a single, expensive, and well maintained forum product.

    So if you are hyper concerned about security focus on your own computer first. That is where someone will get your password. If you are still concerned simply use a throw away password for our forums.

    A good example of how incorrect the Chrome "not secure" tag is: the UORenaissance.com website does not allow you to enter any information in a form. Yet it is listed as Not Secure. In looking into fixing this I found endless complaints from people upset with Google over flagging their informational website, router management website, printer management website as no longer secure. One of the biggest web exploits in recent history was an SSL exploit that allowed this secure information to be read by 3rd parties across the internet.
    Last edited: Dec 27, 2017
    T3h D4ve and ElleFeyRa like this.
  9. binlagin

    binlagin Active Member

    Joined:
    Mar 26, 2017
    Messages:
    271
    Likes Received:
    231
    Chris, I mean no disrespect... but I disagree.

    If your computer is compromised... you have bigger things to worry about than your UO passwords. If someone goes to this length to install viruses on your computer, details contained in your email are WAY more valuable than these virtual pixels.

    This is not your problem, this is an end user problem. There is nothing you can do about this.

    I never said "the world", I said on PUBLIC networks and yes... your username/password would be plainly visible.

    <FORM> data is being POST to the website via an un-encrypted channel. With basic network monitoring tools, your username and password can be easily pulled out.

    This is a server problem, until SSL is implemented there is nothing we can do to protect ourselves other than accessing the forums from PRIVATE secured networks.

    If someone gets access to a forum account, it is quite possible they can target other individuals and begin targeted social engineering attacks.

    I'd elaborate further... but I don't want to fear monger or give anyone ideas.
  10. wylwrk

    wylwrk Well-Known Member

    Joined:
    Jun 18, 2015
    Messages:
    5,473
    Likes Received:
    8,963
    If you're accessing password protected media from a public network, you're an effing tool.
  11. binlagin

    binlagin Active Member

    Joined:
    Mar 26, 2017
    Messages:
    271
    Likes Received:
    231
    What?!!?!?!?!

    Holy crap.. the ignorance is strong in this thread.

    Have you never logged into GMAIL on your university campus, library or at a giant LAN party (just to name a few)?

    If you're submitting <FORM> data via an SSL protected domain, your details cannot be sniffed unless you're the NSA or know a vulnerability in AES encryption.

    Anyways, I'm done with this thread... I raised concerns, it's up to the administration to determine what to do with it.
    Last edited: Dec 27, 2017
    Chadarius and One like this.
  12. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    The problem is we are creating a straw man argument to justify why our focus should be on forum security rather than game server development. I have clear situations and things I need to fix on the game server. There is not an active aggressive attack vector allowing people to do this to our forums.

    We do not have financial information, this is clearly a non professional site, and would be a waste of time for hackers to try to compromise. A database of 4500 people is of no value to people who would have to employ some aggressive tactics.

    Even if you are accessing 100% HTTPS sites, if you are using a public network you are taking risks. But the risk is always based on what you are doing. Nefarious types on the internet do not give a shit about UO or your forum account. They are looking for paypal, etrade, gmail and other high value accounts to compromise. Those accounts are bundled and sold on the dark market in batches.

    Before too long I will look into this more. But I will not be in a rush to make a drastic change to protect against problems that might not even exist and potentially risk years of work getting our Google page rank to where it is. That is a massive risk just to get Google to give our website a pass. Not to mention I hand wrote the UOR website itself. There is no "easy" method to convert it to HTTPS. I will have to stop development on the game server for a few months while I address that. For a website that literally asks you for no information. Just to get rid of Google bitching about our site and a few players constantly posting about how insecure their hobby website is.
    Last edited: Dec 27, 2017
  13. CaptainMorgan

    CaptainMorgan Well-Known Member
    UO:R Subscriber

    Joined:
    Jul 14, 2014
    Messages:
    4,658
    Likes Received:
    2,791
    Seriously?

    100% correct


    Talk about misleading at best

    No, sorry

    Correct, which is what binlagin said

    You’re way out of your realm on this one. I lead a purple team for a living and tried warning you about this. This really shouldn’t be that big of a deal. Don’t take it so personally and just get it turned on
    binlagin likes this.
  14. CaptainMorgan

    CaptainMorgan Well-Known Member
    UO:R Subscriber

    Joined:
    Jul 14, 2014
    Messages:
    4,658
    Likes Received:
    2,791
    If nefarious types didn’t give a shit about UO, you wouldn’t spend any time cleaning up the nefarious crap done in UO and accompanying services
    binlagin likes this.
  15. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    The only "nefarious shit" that we see here is the auto registration spam post bots, that literally every public forum has to deal with.

    And both CaptainMorgan and Binlagin seem to be missing the point here. You can talk about your vaunted knowledge of website security forever. This is a volunteer project. I am not a web developer. I will not risk your personal information by giving a 3rd party developer access to our web host and databases.

    I am not saying this is not an issue. I am saying not a single player has reported their forum account being compromised in 5+ years. It is unreasonable to halt all other development to focus time on addressing this. Trying to scare away new players with fear mongering about this is not helping either. If this was such a huge and critical problem you would think there would be daily reports of forum accounts being compromised. However this is not the case.

    Because as I see it, the only way to make players with this level of security requirement, for a hobby game server, is for the server to simply not exist. For the forums to simply not exist. The most effective method to protect your information is to simply not ask for it. Do I need to stop everything and develop a secure game client as well?

    If the players would rather have forum administrators and web developers then I guess we can refocus on that. I was under the impression that these forums exist to support the game we love. Not to exist as a stand alone entity focused on complying with any and all new web standards as they are introduced.

    Maybe one day people can enjoy a hobby without complaining about how it is not run like a Fortune 500 business with a dedicated IT department with 6 figure salaries. All I try to do here is stay motivated and take care of one disaster after the next. I am proud of what we have accomplished with so little. It will never be perfect, but in my opinion it is still better than nothing.
    Last edited: Dec 27, 2017
  16. CaptainMorgan

    CaptainMorgan Well-Known Member
    UO:R Subscriber

    Joined:
    Jul 14, 2014
    Messages:
    4,658
    Likes Received:
    2,791
    Geez, always with the panties in a twist. It’s a 10 minute change max, doesn’t give anyone extra access. You just don’t listen. You could have done it in the time you’ve spent justifying not doing it
    binlagin likes this.
  17. binlagin

    binlagin Active Member

    Joined:
    Mar 26, 2017
    Messages:
    271
    Likes Received:
    231
    I know I said I was done with this thread.

    But honestly... the password sniffing is the least of our concerns.

    SSL does more than just encrypt network traffic. SSL also asserts your domain you THINK you're communicating with, is indeed the domain you are communicating with.

    The bigger issue here is, hackers can target this forum and use it as a DELIVERY vector for injecting malicious code, INSTALLING viruses you're concerned with in the first place going after the big ticket items you raised.
  18. Chris

    Chris Renaissance Staff
    Renaissance Staff

    Joined:
    May 14, 2012
    Messages:
    3,385
    Likes Received:
    6,195
    Just "magically" targeting the website?

    How would the hackers redirect Uorenaissance.com when you manually type that in? Without access to your computer? Without access to your DNS service? Without using a sketchy public network?

    How would they inject malicious links into our website? Without access to your computer? Without access to your DNS service? Without using a sketchy public network?

    99% of the risks players face come from decisions made on their own computers. Not how we host the server. If you get a random email claiming to be from UORenaissance and it goes somewhere else. Then of course someone could be tricked. But given the distinct look and login for our forums you would have to ignore a million warning signs even if the domain looked right.

    Hackers can only inject links into an existing website if they compromise your personal computer with Malware or they compromise the website itself. I've already indicated that I have taken specific protections against the web server side of things. Yet most of the time I check player computers here they are infested with spyware and browser plugins.

    And not to mention this would not stop someone from simply spoofing a very similar domain name (which I cannot afford to buy all the variants) like UORForums.com or UORenaisance.com and trying to collect player information there.

    Again we are back to straw man arguments are potential things someone could do. And again I ask why someone would target a tiny game server with this much effort to steal a single player's information.

    If we really want to talk security, and you guys are as concerned about player security then you should be making guides on how to protect your computer from nefarious software, plugins and malware. Hell I bet 20% of our players' computers have some variant of malware that includes a keylogger. And still I have not had a single complaint of a forum account being compromised by a bad actor...

    And to be clear I understand the benefit of HTTPS, but I also understand the price the server will pay if I do it incorrectly.
  19. PaddyOBrien

    PaddyOBrien Well-Known Member

    Joined:
    Aug 12, 2014
    Messages:
    3,250
    Likes Received:
    4,470
    Google is Skynet
    ReZon and One like this.
  20. binlagin

    binlagin Active Member

    Joined:
    Mar 26, 2017
    Messages:
    271
    Likes Received:
    231
    I am not a professional PEN tester or hacker, only an experienced professional web developer... so I cannot answer details on how, but I'm simply raising the concerns I address every day while I'm at work.

    SSL isn't new... it's been around and used since at least 1994. It's been broken and revised, but the premise has always been the same.... public/private key cryptography with a trusted 3rd party signing authority.

    All this is done with malicious entities running bots on these public networks, looking for insecure network communications.

    I'm sure @CaptainMorgan can go into details further... but the basic premise is a "man in the middle attack".

    https://www.ssldragon.com/blog/how-ssl-certificates-protect-you-from-man-in-the-middle-attacks/

    Like I said, I don't want to fear monger... but we will never know if this has even ever happened. Someone could have had their machine infected, while accessing the forums from a large university campus, after logging in to check their auctions. It is very challenging to track the originating source of a virus.

    This is the reason when you go to just about ANY site these days (even before login), you're redirected to their HTTPS equivalent... these companies do not want to be held liable or publicly shamed for poor security practices.

    If you have questions or need help on how to get/install these certificates, send me a PM here or on IRC and I will be more than happy to help get this sorted out.

    Please don't take this as an insult, this stuff is all very confusing and very easy to dismiss... the reason I'm pushing back so hard is, I just want to help you protect YOUR investments.

    I will leave it at that.

    Thank you
    scuba likes this.