LulzSec set sights on Brink?


(Dr4g) #41

LulzSec teases Brink server hack


(Floris) #42

A salt is nice, as long as the salt is unknown. If you know the salt, you don’t have to brute force anything.

There are also techniques of retrieving a (static, shared between all users) salt, for example by brute forcing the salt itself (preferably compare its hash with the salt applied against your own user account).

Plus there is a chance your password is stored without a salt and perhaps not even hashed at all :wink:


(stealth6) #43

[QUOTE=Florisjuh;337715]A salt is nice, as long as the salt is unknown. If you know the salt, you don’t have to brute force anything.

There are also techniques of retrieving a (static, shared between all users) salt, for example by brute forcing the salt itself (preferably compare its hash with the salt applied against your own user account).

Plus there is a chance your password is stored without a salt and perhaps not even hashed at all ;)[/QUOTE]

Lol @ no hash at all, but the worst thing is it happens :eek:


(MoonOnAStick) #44

What user data could they potentially have access to? Surely all player information is going to be XBoxLive/PSN/Steam details.

Presumably Bethesda aren’t storing, for example, Steam account: real names, payment details and passwords. Could it be information grabbed from the new stats site?


(tokamak) #45

Or the forums? Yikes.


(trigg3r) #46

free publicity for Brink


(iezza) #47

Wtf paul wedgewood is lulz. OPERATIVE IN DISGUISE!

no, seriously, what does this mean?


(Slade05) #48

Publicity, not really positive though.


(coleym91) #49

If they have gotten something, it would be the e-mail and (I doubt it) the password you use on these forums, Bethesda’s forums or on the Brink stats website.

They won’t have your Live account, PSN account or Steam account because SD/Bethesda don’t know your e-mail/password for that stuff.


(kamikazee) #50

[QUOTE=Florisjuh;337715]A salt is nice, as long as the salt is unknown. If you know the salt, you don’t have to brute force anything.

There are also techniques of retrieving a (static, shared between all users) salt, for example by brute forcing the salt itself (preferably compare its hash with the salt applied against your own user account).

Plus there is a chance your password is stored without a salt and perhaps not even hashed at all ;)[/QUOTE]

Ehr, a salt just makes a password more random before it is hashed. If they want to find the password, they still need to use a brute force attack (unless someone made rainbow tables including salts).


(Jess Alon) #51

They hacked PBS. Who hacks PBS?


(Ghostdog) #52

[QUOTE=Krallis;337552]What the **** is wrong with them. What has Brink done to deserve this. The only issue I had with Brink turned out to be my fault because I hadn't updated my drivers.
All they're doing now is screwing people over and it's not funny. Not just Brink, but all the PSN users who just want to have fun with the service and they can't because of this selfish group of hackers.[/QUOTE]

Find it odd that they pick on a struggling new title from a small company like SD, while steering clear of the big players who currently rule the market.


(kamikazee) #53

I think they are aiming for Bethesda. What this means for Splash Damage might not be their main concern.


(Ghostdog) #54

Wouldn’t even consider Bethesda to be a big player when compared to the likes of EA and Activision.


(Rex) #55

Maybe LulzSec played Brink, then I understand them. :smiley:


(Floris) #56

If you know the salt, you can apply it to the passwords in any rainbow table and compare the salted rainbow table entry with the password in the database.


(Abdul) #57

What exactly are they going to get?

It can’t have anything to do with Steam login can it? Since that's completely separate…


(kamikazee) #58

Let’s try that again.

When a user registers, a salt is generated; this gets padded to the password, and the padded result is hashed and stored.

When a hacker wants to retrieve an un-salted password from the hash, he could look it up in a rainbow table because such a table contains all possible hashes for passwords up to a given number of characters. However, longer passwords or salted passwords cannot be reliably deduced from this table because the hashes would overlap or might not occur at all in the table. He would thus need to start a new brute force attack using longer inputs.

So, any salt worth its salt is long enough to pad the user’s password until rainbow tables become impractical. Here’s what Wikipedia says about this:

The benefit provided by using a salted password is that a simple dictionary attack against the stored values becomes impractical if the salt is large enough. That is, an attacker would not be able to create a precomputed lookup table (a rainbow table) of hashed values (password + salt), because it would take too much space.

Obviously, once you would calculate such a table (similar to a table for passwords up to 20 characters or so) you are out of luck. But if you choose the salt well, a cracker might just need so much time to crack a password that it doesn’t matter if he knows the hash and salt, it just becomes too much effort, which is what modern cryptography is all about.
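
The registration and lookup flow described in the post above, written out as an added example (not code from the original thread or from any of the companies mentioned). It assumes SHA-256 as the hash, a constructed list of candidate passwords standing in for a precomputed table, and a 16-byte random salt per user; the `register`, `verify` and `build_lookup_table` names are the example's own. It shows why a table built over unsalted hashes matches an unsalted store but not a salted one, and why a static shared salt only forces the table to be rebuilt once, whereas a per-user salt forces a fresh brute force per account.

```python
import hashlib
import hmac
import os

# Constructed candidate list, standing in for "all passwords up to N characters"
# that a precomputed (rainbow) table would cover.
CANDIDATES = ["password", "123456", "brink", "letmein", "qwerty"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """SHA-256 over salt + password (assumption: the site uses plain SHA-256)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates, salt: bytes = b"") -> dict:
    """Precomputed digest -> plaintext table. With salt=b"" this models a
    rainbow table over unsalted hashes; with a known static salt it models
    the one-off rebuild that a shared salt allows."""
    return {hash_password(p, salt): p for p in candidates}


def register(password: str, salt_len: int = 16) -> tuple:
    """Per-user random salt; the store keeps (salt_hex, digest), never the password."""
    salt = os.urandom(salt_len)
    return salt.hex(), hash_password(password, salt)


def verify(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, stored_digest)


def recover_from_table(stored_digest: str, table: dict):
    """What a lookup against a precomputed table yields: plaintext or None."""
    return table.get(stored_digest)


def demo():
    unsalted_table = build_lookup_table(CANDIDATES)

    # 1. Unsalted store: one table lookup recovers the password.
    plain_store = hash_password("brink")
    hit_unsalted = recover_from_table(plain_store, unsalted_table)

    # 2. Static, shared salt: the attacker rebuilds the table once for everyone.
    shared_salt = b"site-wide-salt"  # constructed value
    shared_store = hash_password("brink", shared_salt)
    hit_shared = recover_from_table(shared_store, build_lookup_table(CANDIDATES, shared_salt))

    # 3. Per-user random salt: the unsalted table misses, and every account
    #    would need its own table, i.e. a fresh brute force per user.
    salt_hex, per_user_store = register("brink")
    hit_per_user = recover_from_table(per_user_store, unsalted_table)

    return {
        "unsalted_hit": hit_unsalted,
        "shared_salt_hit": hit_shared,
        "per_user_hit": hit_per_user,
        "verify_ok": verify("brink", salt_hex, per_user_store),
        "verify_wrong": verify("Brink", salt_hex, per_user_store),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The per-user salt stops precomputation but not guessing: a fast hash like SHA-256 still lets an attacker try candidates quickly per account, which is why a deliberately slow function such as `hashlib.pbkdf2_hmac` (or a memory-hard one like scrypt) is the usual next step.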


(MoonOnAStick) #59

[QUOTE=kamikazee;337803]When a user registers, a salt is generated, this gets padded to the password and the padded result is hashed and stored.

When a hacker wants to retrieve an un-salted password from the hash, he could look it up in a rainbow table because such a table contains all possible hashes for passwords up to a given number of characters. However, longer passwords or salted passwords cannot be reliably deduced from this table because the hashes would overlap or might not occur at all in the table. He would thus need to start a new brute force attack using longer inputs.

So, any salt worth its salt is long enough to pad the user’s password until rainbow tables become impractical.[/QUOTE]

If it turns out that Bethesda has spilled user account data all over the internet after an SQL injection, or something similarly rudimentary, I wouldn’t have a great deal of confidence that any details are adequately encrypted, salt or no.

Hopefully they will come out and state what information they had as soon as possible, so that people can start changing any shared passwords. I see that orders.bethsoft.com is down. Do they have credit card details too?


(slengteng) #60

I wonder what info they could get that would be specific to Brink as the game itself has no account creation. Perhaps it’s the logins for the stats site? Or maybe they hijacked the netvars system?