Bloodlines Notices: Cracking and exploiting residents

As the general average bloodlines player IQ is on a downfall rise i have tried to avoid comment those outstanding notices that go around but this one went to far and it should have ended when i said so.

This notice claims that by not being able to see the viewers version that the attackers will win. This notice promotes that users should be able to see what kind of software is used by the players making everyone believing that it is a good thing for THEIR protection when it quite the opposite. In fact since when around bloodlines the "self called elite" had any interest in having their down-lines/minions EDUCATED and WELL INFORMED for their own benefit?


So why would someone want to know what kind of software are users using?

The first basic rule to crack or exploit software (remotely or not) of any kind is to know what software is used, how and with what. By knowing what software is used; one can study it's vulnerabilities and apply principles like OS fingerprinting to the software that is to be exploited where the attacker will look for things like user agents and specify ID strings to facilitate the use of things like buffer overflow. Buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory. Second-life viewer software uses these languages thus being prone to quite some interesting attacks.


Let me break it down to simple visual contents for those dumbass nanobits minds who disagree with facts on the base of empiric knowlegde... or convenient reasons to do so .... just like in the past with REDZONE.
By finding out that a user is running on his system a specific version of a specific software; the attacker can lookup online for the software security flaws inherent to it or create a method to do so. Lets take a look for example with MSN.

There are an endless amount of security websites that disclose software vulnerabilities. There are several techniques that facilitate the exploit of a system or software that can be direct or indirect like privilege escalation. Also having the source code of a specific piece of software allows it to be studied and give large creativity to evilness many times.

Virtual Worlds - Real Exploits 1/6 - Exploiting & Hacking secondlife 

 Hacking Forensic Security (HFS)

Video1  - Video2 - Video3 - Video4 - Video5 - Video6

There is a reason why my viewer agent displays what it displays and why certain features are disabled by default since you people didn't even know the existence of secondlife.

[2010/03/22 2:11]  Merlin Swordthain: how have you been

[2010/03/22 2:11]  Draconian Hax: mostly busy

[2010/03/22 2:12]  Merlin Swordthain: yeah i noticed

[2010/08/13 15:06]  Merlin Swordthain: you are using a exotic viewer

[2010/08/13 15:06]  Merlin Swordthain: one my orbs have not recognized as safe yet

[2010/08/13 15:06]  Draconian Hax: define exotics

[2010/08/13 15:06]  Merlin Swordthain: is it newly made

[2010/08/13 15:07]  Merlin Swordthain: Draconian Hax was killed for having an Exotic Viewer, under review of being a copybot or not. @

[2010/08/13 15:07]  Draconian Hax: its “safe"

[2010/08/13 15:07]  Merlin Swordthain: the web site will review it

[2010/08/13 15:07]  Merlin Swordthain: ill let them know

[2010/08/13 15:07]  Merlin Swordthain: what is it called

[2010/08/13 15:08]  Draconian Hax: let me know what info will you get about the viewer

[2010/08/13 15:08]  Merlin Swordthain: what is its name

[2010/08/13 15:08]  Draconian Hax: lets just say that it is fully supported by the lab

[2010/08/13 15:09]  Merlin Swordthain: then it will be soon allowed im sure

[2010/08/13 15:09]  Merlin Swordthain: :)

[2010/08/13 15:09]  Draconian Hax laughs

[2010/08/13 15:10]  Draconian Hax: it IS allowed.

[2010/08/13 15:10]  Draconian Hax: available for others is a different matter

[2010/08/13 15:11]  Draconian Hax: :)

[2010/08/13 15:11]  Merlin Swordthain: so were you poking my security

[2010/08/13 15:11]  Merlin Swordthain: lol

[2010/08/13 15:11]  Merlin Swordthain: to see if it would notice

[2010/08/13 15:11]  Merlin Swordthain: lol

[2010/08/13 15:13]  Draconian Hax: I don’t need to poke things to see if others will notice something.

Looking  for viewers identification to know if it is a copybot of some sort is LAME and DUMB and FAILS as when the software is compiled it can have it's user agent  changed by spoofing it or even done later with the use of a addon.

These techniques while forbidden by Linden Lab can and are still used. These techniques are also widely available for a lot software out there to favor the users security such as for email clients, chat IM software and mostly browsers like firefox with addons like user agent switcher. 

These kind of techniques which aim to change or hide a specific user agent, ID string are defined as

Security through obscurity

  Now ... what was that question again ? 

Oh yah ... why would someone want to know what kind of software is someone else using ?

[2012/02/24 16:39]  Draconian Hax: as usual you are not very well informed about things. Just like what i told you about red zone in the past.

[2012/02/24 16:40]  Draconian Hax: more changes will happen. i would advise some ... better informed notices ... before post them in the future.

[2012/02/24 23:49]  Merlin Swordthain: you are welcome to your opinion

[2012/02/24 23:49]  Merlin Swordthain: I disagree

[2012/02/24 23:49]  Merlin Swordthain: and im welcome to mine

...Why would someone disagree with something that favours everyone else 

and not just a few ?

Protecting your account passwords

-->

So... this is where we came up to...

(/me lights up a cigar and takes a deep puff)

It seems that more and more of you keep having problems about some people cracking your second-life account passwords, emails IM software and so on. (mostly around bloodlines). And for some universal law that is about to be broken I ... I ... (*frowns*)

... well lets just say that I must be extremely drunk or completely out of my mind to be writing the following as if it would even be worth to try to ¨teach¨ something to these people but then again even intelligence goes on vacation for a few minutes sometimes.

I will probably hate myself and all this post tomorrow, but then again do i like anything ? .... so equilibrium will be maintained.

Note: If you do not understand any or the linked terms/words; click them to know its meaning. And send this to other people, specially bloodlines people

First: You have to understand that these people are NOT hackers. They are simply script kiddies or at most; crackers which in other words mean untalented, dumbass, dirty people who use specific software tools that were made by experts in a devious way .

Second: If you run windows you have a lot to worry starting by the way the operating system is constructed to the way it is by set default and then how it is administered and ending on how the market want it to be vulnerable.

If you Run a MAC (UNIX) or Linux well .. you are by default much more protected while maybe having to worry (if you are a MAC dumbass - *BSD does not include dumbasses) with some rootkits for Unix / Linux and assuming that you are not a noob) you can skip everything else that i will write bellow because if you know how to use it you have brain starting by the fact that you use it.(*bsd/linux)

As for MAC users .. you might still glance your eyes around since most of you have no idea how your system works. And windows users you definitely NEED TO READ IT.

Trojans, vírus, adware, spamware, rootkits, malware, spyware, backdoors (not your ass), etc , etc and the list never ends) is more than available for your system and can and IS used against you by default.

Are you still reading ? *damn* you must not be a bloodlines player !!

Third: The security of an operating system relies in 2 things.

The software used and and how it is administrated and keep in mind that no matter how well the operating system is managed by having the latest anti-virus the latest firewall and the latest security updates, it will still be as weak as the human factor behind it and that's where social engineering comes in and all your I.T noob expertize goes down the drain.

While i will try not to cover here methods that allow a cracker to obtain what he wants i will have to refer to some.

Make sure you understand the linked words and expressions. The following may contain ¨wording¨ that may not be simple to most computer users and if you are a noob windows computer user... well just do what i say for you own good and shut up because i don't have the time to explain you people why it should be done the way i say.

1: A few basic rules about creating MORE secure passwords.

Never create a password that uses a name/word that is something related to you. Such as family names, favorite stuff, personal stuff (even if only you know it) and so on. So NEVER use personal stuff to define your security methods but if you are dumb enough to do it; then make it complicated to be found or figured out.

For example: The word ¨dumbass¨ makes a 56 bit password. Not only it is easy to figure out against dictionary attacks or brute force attacks it is also very low in encryption bits.

Turning it into: Du/\/\B@5$ not only makes it harder to crack with specialized software as even to figure out by someone else; even if you tell to some social engineer that you are a dumbass and that is your password. On top of it the encryption goes up to 80 bit. (now you are a dumbass with style)

The higher the encryption the harder it is to crack even by the experts.

Never use the same password for more than one record/login. If you do and that record/login gets compromised; the first thing the attacker will do is to try rely on your human weak factor and use it to try your other accounts.

Preferably you should also use a different email for each account/record/login. Some email services will allow you to create email alias for your main email account If not, create a new email.

Do NOT MIX your personal email accounts with hobbie stuff. If you have a business SL avatar keep it away from any kind of conflicts.

If your second-life password is 16 characters long make it worth the size. The more variety of characters you use the better (letters, numbers, symbols). If you do it less than 128 bits; then REDO IT ! Same is valid for any other type of logins/records. (always go as high as you can with encryption bit rate)

Storing passwords in your browser, SL viewer and internet applications is dangerous by default and if you use internet explorer for that, then you should get all of them stolen. You deserve it!

If you are going to store passwords on a browser make sure of 2 things.

- You don't use that browser for anything else other than to have your password stored there for fast login access

- Make sure that the browser will ask you to insert a master password for you to use it first.

For example use something like opera for saving secure passwords and lets say firefox for regular browsing.

Make sure you do not allow cookies on that secure browser that you don't known what they are and have browser always to delete it's latest activity records soon as you close it.

Always use secure https:// when creating accounts or access your accounts in any site if they provide secure logins.

Storing passwords on your second-life client viewer is NOT SAFE either even if the only thing you see there is [***********] . The password is stored in a specific file that can be easily decrypted and obtained. It can even be obtained by others from your SL viewer !

And if you use something like: --login Avatar Name to fast connect to the grid; that means storage of the password in clear text. (even easier to obtain no matter how high is the quality or complexity).

Second-life client viewers:

There is an endless amount of sl viewers (and more) out there, some almost open source, (lets not confuse with freeware) others less open source but most are copies from others. Are they good ? Well sure they work and they sure work in ways that most of you don't know. Ever heard about that one viewer that was great for griffing ? How about that one that was awesome to evade bans ? The list is long and quite a lot of these viewers have ¨hidden secrets¨ and vulnerabilities that can and ARE USED either by the creators of by those viewers or by those that found about the secrets and backdoors.

And for what ? For your SL account (lets not talk about RL identity theft too). Nothing comes free online unless is truly open source and clean from methods of obtaining information from the people that use it.

The same goes for all those ¨dark¨ tools and attachments that some dumbasses like to use around to play with fire. Sooner or later you will get burned. They can and are used against you.

Use the official and approved SL viewer by LL (way less chances of security problems) or if you know how to build, modify or inspect the source code of one; then do it yourself from the official source code. (read this)

While the official viewer/client that LL provides is not fully open source it does allow to inspect and build your own modifications to do what all others do if you know how.

The list of other SL viewers is bigger than 30 and if you want to check something fully open source, take a look at meerkat. (beware of those wicked thug SL viewers)

As for all you emerald lovers... well... if i was you ... i would stick with the official one.

Attachments and scripts in world:

The more free they are the more likely you are to pay in some way (for most of the cases). Do not accept anything from anyone that you don't know even if it looks like a landmark (specially around bloodlines - you will get bitten sooner or later) and if it is a landmark; ask for the slurl address instead.

Scripts can also spy you and this means connect to places that you don't know to provide the scripter with whatever info he/she wants from you. The only way you can be sure of whats happening is by performing traffic analysis (sniffing) on your own connection to see what it is going on.

Do not buy stuff around cheaper than what the official place sells it such like bloodlines products (YOU WILL be scammed sooner or later!!) When you buy... try to buy from reputable name ( i am not defending bloodlines here)

Secure communication in world:

While some SL viewers provide you the option of chat encryption like emerald and meerkat to avoid being spied in clear text (which is good); once again the viewer can have a backdoor or it may be vulnerable to in-world M.I.T.M.

Move your chat to something like skype (skype is not the best! its just an example) which provides encrypted communication and by using a second chat channel apart from Second-life to be in touch with in-world people; the chances of being successfully spied are VERY VERY slim to none.

Someone gave you some program to install on your operating system:

(Unix and for sure Linux users can skip this)

DO NOT install it ! Ask for the URL of that software for you to see what it does. Microsoft Windows users do not accept .executable files from your SL friends specially if you are a woman and he is a guy. And if you are a guy and you are taking it from a woman, then you are thinking with your penis and you deserve any possible the dirty outcome.

There are methods that allow any dumbass to create and bind a trojan executable inside of a regular software application that will even disable or get your firewall, anti-virus and other protection software alike; ¨numb¨ allowing him/her them to access your system without you knowing.

This will allow them to plant keyloggers which will record EVERYTHING you type and see; even if its complex passwords like: Du/\/\B@5$ if you type them manually.

(see also hardware keyloggers - not detected by protection software)

Using your accounts at someone else's place:

Well.. if you do that and the other person performs traffic analysis (sniffing) there and even uses keylogger on his/hers system to fish you or for his/hers own security; then you will be fished.

Important note: If the other person has some problems with LL regarding their in-world douche bag activities; once you login from their hardware and static ip; YOU WILL be under close attention too and in some cases your account will be suspended if needed or if your deepshit buddy got his suspended. IT WILL ! Do not doubt !

Using wireless:

If you use some else's wireless you are in it to get fished like the above example of using your accounts at someone else's place if the wireless owner wants too. (unless you VPN or SSH tunel to your trusted remote computer)

If you use your own wireless; make sure you use it with encryption of at least 128 bit to 256 bit (or higher) and wpa*-psk.

Wep keys can be cracked in 5 minutes and even some wpa*-psk. are vulnerable to certain kinds of attacks but at least wpa*-psk. will make life way harder for ant attacker to the point if quitting on the attack.

Use a cable as much as possible. It´ s faster !! and more secure starting from your neighbor. (maybe you have one that hates you or thinks you stink) or some second-life bloodlines war driving stalker ex-deepshit.

There is much more to say about all this but if you survived until now (which is mind blowing since you are not reading gossip); here goes some good tips as options to secure yourself.

Some security advices:

One of the best software applications out there to create extremely secure passwords and encryption them on file. This means that even if the attacker gets the file; he/she wont be able to read it. You can copy and past passwords in "shadow" mode and hide them from the database menu preventing keylogger screenshots or remote monitoring spy technical methods.

The following software if fully open source and is available for windows, unix and linux and also in a portable version.

It is a very full featured application with all sorts of secure options.

http://www.keepassx.org http://www.keepassx.org/screenshots

A very similar one http://keepass.info

If you need to access stuff like home banking ina very secure way use a linux live cd.

In short a linux live cd runs a linux operating system from a cd or dvd.

These are not build with Trojans, vírus, adware, spamware, rootkits, malware, spyware and not vulnerable to them by default.

You DO NOT need to install it! Simply run the cd when the computer reboots and load it.

( try something like knoppix live dvd)

Social engineering:

Some simple reading about the subject can be done from a well known master of it by the name of Kevin Mitnick. Easy reading;. Soft stuff for the noobs. (no gossip girls...) (The art of deception).

More complex readings regarding the subject and computer security can be done from Bruce _Schneier (website) (this one goes for *nix users mostly)

Identity Theft Toolkit (SMALL book and easy reading)

Now for the elite computer users:

To finish all of this you can always use your custom build SL viewer on your *nix box running a SCSI true-crypeted file system with usb fingerprint ID boot system after bios password settings and grub 256 (or more) bit password prompt logging in with a restricted games user provided with only 1 to 3 OS process for your user on a system that is protected by iptables, snort, and tcp dumped by something like wireshark. If you have to go online and you are not using your box, simply connect to it remotely through VPN or SSH 4096 rsa encrypted tunnel by user@ip and forwarding X if wanted using a live cd.

(i am not even going to bother to add links to those last lines)

Now that i lost 100 pounds sweating while writing all of this ...

(/me *spits the rest of the cigar out*)

.... and now that i have pretty much ruined my reputation in-world with this post i hope you all ignore it and get your accounts cracked because you deserve it for being dumb by choice and if i see you in-world; there is only 2 ways that thing can end....

and in both of them YOU die ...

*frowns hard*

... /me lights up another cigar ...

... damn noobs ....