ACCOUNT SECURITY FAQ

Why should I be worried about Internet security?
As with any other thing of value in everyday life, your computer, and the data kept on that computer, are subject to crime. With the Internet becoming more and more a part of everyday life, it is important to understand computer crime and ways to secure your computer from strangers. This is not meant as an alarmist document, but rather as a very real way to help keep your data your own, and keep your Ultima Online account more secure. Almost every day Origin receives a call from a very distressed person whose computer security has been breached, and often, they have had their Ultima Online characters deleted or made useless. In our effort to be open and honest and to arm you with the knowledge you need, we are going to reveal some possible ways your system can be infiltrated. To our knowledge, there is no way your computer security can be compromised through Ultima Online; however, there may be security holes created because of your involvement in the external community of Ultima Online. For instance, ICQ, Web Pages, e-mail, and third party programs can all be used to gain access to your computer. There are ways to make it more difficult for a computer crook to get into your computer, and any criminal is going to look for easy targets first, not difficult ones.

There are definitions of many words available at the end of this document.

How can a criminal get access to my computer?
Every day Origin is called by people who have had their Ultima Online accounts infiltrated. Many people believe that this will not happen to them, but sadly, these people are often victims of compromised security, many without ever knowing it. It is important to remember that security holes are not created by Ultima Online. Although you may meet a computer criminal through an Ultima Online forum, this criminal can not get any information about you through Ultima Online, other than what you offer to them. Most computer criminals will, however, be able to learn things about you, such as your IP address, through other forums including, but not limited to:
  • Some Bulletin Boards (posts may include your IP address)
  • ICQ
  • IRC chats
  • Direct link Internet games
    In many cases, a computer criminal does not even need to know your IP to get into your computer. See the section on Trojans for more information. Once the criminal has bypassed your computer's security, you may lose any information available on your system, including any credit card information stored, passwords to other sites, or even personal files. Reading this document can alert you to how you may be vulnerable to the efforts of these computer criminals. Hopefully it will also instruct you on how to prevent such efforts by knowing how to identify possible security problems and potential threats.

    Please remember, though, that computer crooks are constantly searching for new and effective ways of gaining access to your computer, and no amount of information we could provide will be able to keep up with them. This document is meant as a service, providing you with useful information to help you make your computer safer than it otherwise would be, but Origin can't promise you that following the suggestions in this document will make your computer totally safe from computer criminals.

    What are some quick things I can do to prevent someone from getting access to my computer's files?
    Although this document covers these issues in more depth later, here are some quick prevention methods:
  • Never accept files from someone you do not know or do not fully trust.
  • Never download programs from sources that do not have an address or some way of reaching a responsible party.
  • Always have active virus scanning on your system with the most recent scanning files.
  • Never give out your password to anyone.
  • Change your password at least once every three months.
  • If you have a cable connection or DSL connection, you should consider getting firewall software for your computer.
  • Be careful when giving out your ICQ number.

    This document details the reasons for these precautions, and we urge you to read this document in its entirety.

    What is the most likely way someone will break into my computer?
    This may depend on you, but the most likely way people are hacked is by downloading files from a source they know nothing about, or by trusting someone they have met online. This is not to instill a sense of paranoia about who you meet online, but rather, you should know not to accept files from people you truly know nothing about. In most cases, computer criminals will send you Trojans in these files, though some malicious ones may simply send you a virus.

    It seems as if computer security issues are becoming more of a problem now, why is that?
    As the Internet is growing and more people are on-line for longer periods of time, and with greater frequency, the risk of running into a computer criminal is also growing. Constant connections to the internet, such as cable modems and DSL modems also make your system more vulnerable, because these connections allow people to find you more easily as your connection is available for longer. Honestly, the number of easy targets increases daily on the net, as people do not use the typical rules for meeting a stranger when on the Internet.

    Meeting People
    Who do I trust?
    Basically, it is very hard to know who to trust. Most computer criminals believe themselves to be able to "trick" others easily by gaining their trust and then ripping them off. A computer criminal generally loves nothing more than the thrill of the "kill." If it takes more than three months to gain your trust, don't think a computer criminal won't go this far. Computer criminals have lots of patience, and the longer it takes to gain your trust, the sweeter the "kill" is. The computer is their weapon of choice. A general rule to follow is trust no one you have not met in person. This seems to be a bit paranoid, but if you value your data, you should know to whom you are giving that data access. The same is true of web pages. Make sure you are familiar with the company or individual before you grant them any rights to your web browser.

    How does a Computer Criminal find me?
    It is important to note that no matter how anonymous the Internet may seem, you are never truly unknown. In fact, for you to connect to the Internet you must have an "address" so other systems can know where to route data. This address is called an IP address. This IP address is much like the name for your system. Each time you log on to your provider, they will assign you an IP address. If someone has your address or can find out this address, they have the first thing they need to break into your system. In order for them to be able to do anything to your system, they have to know how to contact your system directly. It is important to note that your IP address can not be obtained through Ultima Online. So how would your account be in danger? Probably through outside contacts in relation to the game.

    How could someone gain my password?
    There are a few different ways people might be able to gain your password to Ultima Online or any other service.
    METHOD 1: If the person knows you, or knows something about you, they might be able to guess your password. The more open you are with people about what interests you and about the personal aspects of your life, the more these people will be able to guess a password you may have chosen.
    Prevention: The best thing you can do is pick a random password that you will be able to remember, but that is not related to you or anything about you. Many people place numbers in their passwords to make it even more difficult for someone to guess a password. For instance: Luck0theIrish where '0' is actually a zero. Many people actually just choose a string of letters and numbers such as: a01d3th7. These are more difficult to remember, but probably the most unlikely to be guessed.
    METHOD 2: Someone might be able to systematically go through a list of possible passwords, given they know an account name. Doing this seems like a tedious task, but since the person has a computer available to them, it is not that tedious. Since there are 26 possible letters to use in a password, and only 10 numbers, they can have a program which will cycle through all 36 possibilities for each place. This would have to be done for all five to thirteen places, depending on the number of letters in the password, and by that time it gets pretty time consuming. Origin has made it difficult for this to be done, but we could not make it impossible.
    Prevention: Although this is perhaps the most unlikely of all security holes, it could theoretically be possible to lose your password in this way. In this case, the thing that the computer criminal needs is your account name. You should guard your account name if you can; avoid making your account name something that is readily accessible. The most common example would be using the name of your main character as your account name.
    METHOD 3: You may wish to consult the section on Trojans, but if someone has remote access to your system, it is very possible that they will be able to get your password if you have the password saved on your computer.
    Prevention: There are two good courses of action you can take to prevent this from happening. Never leave a save password box checked. Leaving a save password box checked means the password will be stored somewhere on your local hard drive. This may make it less of a hassle every time you log into the game, but it will also make it easier for someone to get your password. If a computer criminal can gain access to your hard drive, such as through a Trojan, they will have access to your password. So you should not choose to leave the save password box checked. The second thing you can do is to make sure you have no Trojans installed on your system. Having the latest scanning software and keeping all of the most recent files for scanning will help prevent hackers from having access to your system.
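    The checks suggested under METHOD 1 and METHOD 2 can be tried on a candidate password before you adopt it. The following is an added example, not Origin's code: the digit-for-letter table, the sample account and character names, and the guess rate passed to years_to_exhaust are assumptions, while the 36 possibilities per place and the five to thirteen places come from the text above.

```python
"""Added example: audit a candidate password against METHOD 1 and METHOD 2."""
import string

ALPHABET_SIZE = 26 + 10        # the FAQ's figure: 26 letters plus 10 numbers
MIN_LEN, MAX_LEN = 5, 13       # the FAQ's "five to thirteen places"

# Assumed table of common digit-for-letter swaps (0 -> o, 1 -> i, ...).
# Undoing them shows what a guesser who knows you would try anyway.
LEET = str.maketrans("013457", "oieast")


def normalise(text):
    """Lower-case, undo digit swaps, and keep letters only."""
    swapped = text.lower().translate(LEET)
    return "".join(ch for ch in swapped if ch in string.ascii_lowercase)


def personal_hits(password, personal_words):
    """METHOD 1: return the personal words still visible inside the password."""
    plain = normalise(password)
    hits = []
    for word in personal_words:
        needle = normalise(word)
        if len(needle) >= 3 and needle in plain:
            hits.append(word)
    return hits


def search_space(length):
    """METHOD 2: number of candidates with exactly `length` places."""
    return ALPHABET_SIZE ** length


def total_search_space():
    """Candidates across every length the FAQ mentions (5 through 13)."""
    return sum(search_space(n) for n in range(MIN_LEN, MAX_LEN + 1))


def years_to_exhaust(length, guesses_per_second):
    """Years to try every candidate of one length at an assumed guess rate."""
    seconds = search_space(length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def audit(password, account_name, personal_words):
    """Return a list of problems; an empty list means no check failed."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length outside 5-13")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digits")
    account = normalise(account_name)
    if account and account in normalise(password):
        problems.append("contains account name")
    for word in personal_hits(password, personal_words):
        problems.append("contains personal word: " + word)
    return problems


if __name__ == "__main__":
    # Constructed inputs: "Aldric" is a hypothetical account/character name.
    for candidate in ("Luck0theIrish", "4ldric2000", "a01d3th7"):
        print(candidate, audit(candidate, "Aldric", ["Irish", "Aldric"]))
    print("8 places at 10 guesses/s:", round(years_to_exhaust(8, 10)), "years")
```

    Swapping a zero for an "o" does not hide a personal word from someone who knows you, which is why the string of unrelated letters and numbers passes where the phrase-based password does not.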

    Already been hacked?
    My account has been broken into, now what?
    If your UO account has been broken into, what recourse do you have? What you should do is contact your local authorities and report the crime. Just as your IP address identifies you, so will there be a record of the criminal's IP address that will identify him. The authorities need only get this address. A very real crime has taken place, and though it may have manifested itself through Ultima Online, Ultima Online was merely the data that was stolen. Unfortunately we can not reimburse for items lost in the game, nor can we rebuild lost characters. If your account has been broken into and everything is gone, it is gone for good, and you will have to start from scratch. You are responsible for anything done on your account, intentional or not.

    What can I expect if my Ultima Online account was broken into?
    Many people who have their account broken into have reported some of the following:
  • Deletion of their main or other characters
  • Houses transferred to other characters
  • Murders committed with their characters
  • All items deleted from their bank and house
  • Their character was killed over and over with stat loss.
    These are just some of the things we have heard. Origin can not verify if an account was broken into or not, simply because the means are not available to us to determine that your account was definitely broken into. We will not be able to reimburse in any way for anything done to your account by a computer criminal. This is another reason why it is imperative to do everything to make your computer safe. And if someone does break into your computer and hacks your UO data, you should contact your local authorities to report this crime.

    Avenues of Attack
    I have heard that ICQ may allow a computer criminal to find me, is this true?
    ICQ is a great way for someone to communicate with you. It is tremendously fun to use, and even helpful with Ultima Online. However, if you start to accept people you don't know into your contact list, it is possible that one of these people can get your IP address while you are both using this program. You can turn off the ability for others to see your IP address in ICQ, and we recommend always keeping this option checked. However, if the computer criminal uses a Packet Sniffer, they will be able to determine your IP address. Also, never accept a sent file from someone you do not trust implicitly. If someone is sending you a file, especially an executable file, be very certain you know what this file will do.

    I have heard people who say their account was broken into because they downloaded an Ultima Online third party program. Is this possible?
    Many programs exist to try to help you "get ahead" in Ultima Online. Not only can usage of these programs result in your account being banned, but they can do far worse. Downloading any of these programs and running them may have unforeseen consequences. Clever computer criminals will embed other executable files into such programs to help them gain access to your machine by placing a Trojan there.

    You guys just don't want us to use third party programs, so you are trying to scare us from using them by claiming they provide avenues for computer criminals. Why should we believe you?
    It's true, we do wish that some third party programs were never used in Ultima Online. They give some players an unfair advantage over others, and this does hurt the game. However, it is also just as true that many of these programs install Trojans on your system. So, while it may seem like our warnings are suspect, we urge you to consider this before you download any program claiming to be helpful with Ultima Online. Remember, once a computer criminal has access to your system, it is not just Ultima Online they have access to, but everything on your computer.

    I met a guy in an IRC chat channel, should I be cautious?
    Chat boards are another tremendously fun way to meet people and discuss any of your favorite topics. However, just like meeting strangers on the street, you should take precautions. Never accept a file sent from anyone you do not trust implicitly. Also, remember to never give out your account information to anyone in chat, no matter how nice they seem. There is one story of a data thief who decided to enter the chat under a woman's name. He was very charming and offered to send pictures of "herself" to interested parties. These parties accepted the file, which was a self-extracting archive, and it contained pictures, but it also installed a Trojan on the recipient's machine. The poor recipients realized that they had been had, but it was too late.

    What else should I be aware of?
    One of the features of Windows 95, 98 or NT is the ability for you to share your files with other computers. Whether these computers are on a local area network or on the Internet, you should always make sure you are very careful about file sharing. If you have enabled file sharing, you should always make sure to password protect your hard drives.

    Attack Forms
    What is a Trojan?
    A Trojan is a program which installs itself surreptitiously onto your computer. Once a Trojan is installed on your computer, it will try to run in the background, where it is very hard to determine that it is running at all. (Even a CTRL-ALT-DELETE might not be able to show you if a Trojan is running.) A Trojan basically sets your computer up to be a server. This means that if you have an active Internet connection, the Trojan can open a port from your computer so another computer can log in. Once this other computer logs in, they have access to everything you have, and worse, they might be able to go so far as to see exactly what you are doing, even seeing what you are typing. If you are asking why this is really that bad, simply think how many passwords are stored on your computer. Even if these are stored in formats you can't read, a clever computer criminal probably can read them, or the criminal could simply copy the entire program over and just run it from their machine.

    This can all happen in the background of your computer, and you would never see any outward sign of what was happening. Given the amount of normal and benign tasks that happen in the background all the time, would you really think anything was wrong if your hard drive light suddenly came on, and your hard drive started spinning? It happens all the time. Maybe your Internet connection seems to be moving at half speed. Given the data sending capabilities of high speed modems and the finicky nature of the internet, slowdowns are common. Would you think anything was wrong if you saw either of these two things? Probably not. Nor should you, and this is why it is so hard to imagine you might have one of these types of programs running in the background.

    Such programs are very difficult to detect, even with virus scanners. With only a few changes, different versions of the Trojan can easily be made so as to be undetectable to the scanning software, until the scanning software is updated to account for the new version of the Trojan. A new version of the Trojan can again be released and this process can go on ad infinitum, where it is a constant race to stay ahead of each other.

    It might seem that this could easily be stopped, because you would have to keep downloading new versions of the Trojan, right? Not necessarily. Just as Windows and Netscape have ways they can update themselves, so can invasive and clever Trojans. Once they have a connection to your system, the hacker can simply update the Trojan to the latest version. Remember, they have complete access to your system.

    So really, the obvious question becomes, how in the heck would you ever get a Trojan? Surely you can see what you install on your system. Again, many programs that we run do things in the background that people never see. Installing a program on your system without your knowledge is not difficult at all. However, it does require some action on your part. You would have to run some form of an executable program on your system. The following is an account of someone who got a Trojan on their system and lost over a year's worth of data to a computer criminal:

    I was talking to this girl I met in a chat channel. We met a couple of days before, and she seemed very nice. As we talked more and more, we started to get to know each other. At this point she asked for my ICQ number. I gave it to her. A few more days passed with us making idle chit chat. Finally she offered to send me some pictures of herself. She sent them to me in a self-extracting archive, and said all I had to do was run the program and it would install the pictures onto my computer. I was so happy to get a chance to see her that I immediately ran the program and got to see pictures of "her." It turned out that they were not really pictures of "her" because she was a "he." He had built up my trust and a month later, I discovered that the file he sent included a Trojan.

    Another important detail about Trojans is that they do not allow only one user to gain access to your system. There are two very common Trojans being passed around on the net at the current time. One is Back Orifice, and the other is NetBus. Both are very sophisticated pieces of programming, and both are very difficult to detect. Many "would-be" computer criminals simply scan random IP addresses looking to see if there is a NetBus or Back Orifice connection at the other end. If there is, into that system they go. So not just one person could be accessing your files if you have a Trojan, but several.

    Prevention of a Trojan being installed on your system is probably the best way to avoid the problem altogether. However, there are some other tools you can use to help you. Permanent connections, such as those available to cable modems and DSL modems, are the most likely targets of Trojans. If you have a permanent connection to the Internet, or you just leave your connection active a lot, you may wish to set up a firewall. A firewall will allow you to block access from certain ports on your computer. There is also a program called Nuke Nabber which allows you to monitor ports you select. Since NetBus operates over port 12345 most of the time, and Back Orifice generally operates over 31337 and 81887, you should configure Nuke Nabber or the firewall to look at these ports.
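    Besides a firewall or Nuke Nabber, you can check your own machine for sockets on these ports by reading the output of netstat -an. The following is an added example, not part of the original FAQ or of any tool it names: the netstat text is constructed sample data, and the function names are hypothetical. Port numbers stop at 65535, so the 81887 entry can never appear in netstat output and the example sets it aside.

```python
"""Added example: flag local sockets on the ports the FAQ ties to Trojans."""

# Ports exactly as printed in the FAQ; 81887 is kept to show it is rejected.
FAQ_PORTS = [(12345, "NetBus"), (31337, "Back Orifice"), (81887, "Back Orifice")]

# Constructed sample in the layout of Windows `netstat -an`. The addresses
# are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:12345       203.0.113.5:4021       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""


def build_watchlist(entries):
    """Split entries into usable ports and ones outside the 16-bit range."""
    valid, rejected = {}, []
    for port, name in entries:
        if 1 <= port <= 65535:
            valid[port] = name
        else:
            rejected.append(port)
    return valid, rejected


def parse_sockets(netstat_text):
    """Yield (proto, local_port, foreign, state) for each TCP/UDP row."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated output
        try:
            local_port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue  # malformed address column
        # UDP rows carry no state column; label them BOUND.
        state = parts[3] if len(parts) > 3 else "BOUND"
        yield parts[0], local_port, parts[2], state


def find_suspect_sockets(netstat_text, watchlist):
    """Return one finding per socket whose local port is on the watchlist."""
    findings = []
    for proto, port, foreign, state in parse_sockets(netstat_text):
        if port in watchlist and state in ("LISTENING", "ESTABLISHED", "BOUND"):
            findings.append({
                "proto": proto,
                "port": port,
                "name": watchlist[port],
                "state": state,
                "foreign": foreign,
            })
    return findings


if __name__ == "__main__":
    watch, skipped = build_watchlist(FAQ_PORTS)
    print("not valid port numbers:", skipped)
    for hit in find_suspect_sockets(SAMPLE_NETSTAT, watch):
        print("{proto} {port} ({name}) {state} peer={foreign}".format(**hit))
```

    A LISTENING row means something on your machine is waiting for connections on that port; an ESTABLISHED row means another system is connected to it right now.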

    What is Packet Flooding and/or WinNuke?
    A WinNuke or a packet flood can be accomplished if the user knows your IP address. Basically, a person will set up a program to query your computer over ICMP (Internet Control Message Protocol), which normally uses port 0 - 11. They can also query other ports over other protocols, such as port 139 and 113 over TCP/IP. Think of this as an advanced telephone system. When you call someone, the phone rings on their end, and you also hear the phone ring. The same process on a computer is called pinging. If another computer user has your IP address, it is very much like having your "phone number." The user can ping your computer, and your computer will answer with a ping. Part of the danger of this system lies in the variance of speed between the two computers, and how fast each is able to process a reply to the ping. If another user has a very fast connection, they can ping your computer repeatedly. Your computer will need to answer each time it is pinged. Even though their computer will have to send the ping and receive an answer, your computer will have to receive the ping and provide an answer. Given the fact that they can do this over and over at top computer speed, they can cripple your Internet connection, and even cause a major slowdown on your system. Spoofing halves the workload the computer criminal's computer must do, giving it even more of an advantage over your system. Other flooding types exist, such as using the Windows stack in a WinNuke attack. This usually occurs over port 139 using the TCP/IP protocol. Such an attack is uncommon because recent patches offered by Microsoft prevent this attack.

    Prevention of flooding can be done in several ways. One way is to set up a firewall or Nuke Nabber to scan for and block all incoming ports vulnerable to attacks. This can limit some legitimate uses of some ports, especially on LANs, however, and may not be the most desirable solution. You may also wish to block off vulnerable ports while granting selected systems, such as your ISP, access. Many firewalls have selective filters to help you accomplish this, and you should consult their documentation for vulnerable ports and how to set the software up. Many of these attacks have been reduced over time as a result of patches provided by Microsoft which enhance your internet security.

    What is a Virus?
    Many people know about viruses, but they do not understand how it is possible for a virus to infect their system. Basically, a virus is a program which "attaches" itself to another program. Once a program with a virus is used, the virus resides in the RAM of your computer. Each file you access, depending on the virus, may become infected. Once you shut off your machine, the virus will be cleared from RAM, but it still remains on the infected files. If you run any of those files again, the virus is loaded into memory and is ready to infect new files. A virus may also infect the boot sector on your computer. If this happens, the virus will automatically load into memory each time your computer is booted up. It is beyond the scope of this document to define all the types of viruses, and the possible adverse effects of having a virus on your system. The main thing to remember about viruses is that it is very important to have the most recent scanning software running at all times on your system.

    I have heard your computer can be broken into through a web browser, is this true?
    Many web browsers now have the ability to run programs right off the web. In fact, many of the neatest web pages include Java and Active X scripting to really show off what web technology can do. The downside of this is that a harmless visit to a site can turn disastrous without the proper precautions. You should always have your security settings high enough that you are prompted before a site tries to run an executable program on your system. Almost all of today's browsers have security built in which allows you to control this access. Backdoor programs embedded in web pages can install hidden programs onto your computer such as Back Orifice and others. Always make sure you fully trust the web site before you accept any programs they try to send you.

    Definitions
    What in the heck did you just say?
    Background: Running in the "background" refers to an application that is running, but not readily noticeable to the computer user.

    Cable connections: Cable modems are modems which use common cable connections for internet access rather than phone lines. Cable modems allow for greater bandwidth than normal phone lines. Cable modems do not require you to dial in to a service provider, though they may require a log-in. Cable connections can remain active indefinitely; however, they do require shared bandwidth. Although they are capable of high speed, having more people in your area using cable modems can slow down your internet connection.

    Client: A client is a term used for either a computer or program that will enable you to log in to a server. Clients issue requests to a server and the server will fulfill or deny the request.

    DSL, xDSL or ADSL Connections: These are dedicated high-bandwidth alternatives using your normal phone line. DSL connections do not share bandwidth and are capable of very high speed transfers, up to 50 times that of a normal 28.8 connection. DSL operates using high-frequency signals over normal phone lines. Because normal phone conversations take place using low-frequency signals, much of the bandwidth available on your phone lines is not used. DSL uses this bandwidth.

    Firewalls: Firewalls are security systems put in place on servers to prevent unauthorized access to ports on a computer.

    Computer Criminal: For the purpose of this document a computer criminal is anyone who is trying to do something harmful to your computer.

    IP address: This is the address for your computer on the internet. It tells other computers where to route information to. You will be assigned an IP address by your ISP. Most ISPs will give you a new IP address each time you connect to them. This is called a dynamically allocated IP. If your ISP has assigned you one IP which you will keep for as long as you are on their service, this is called a static IP address.

    LAN: Local area network. A LAN is a group of computers linked together for the purpose of sharing files and information. Usually they are connected through a server or set of servers. LANs are set up primarily in businesses, but you can have a home LAN set up. You may be able to access the internet through a LAN, but only if one of the servers has a connection to the internet itself.

    Nuke Nabber: A program which lets you monitor your ports and activity on those ports. It also has other features to help track and prevent hacking attempts.

    Ping: Ping is a request sent to a computer so that the computer receiving the request will acknowledge that it is there. Think of a ping as a phone call. You make the call, it rings on your end. You know that it is ringing on their end as well.

    Port: A port is like a doorway on your computer. If you have two applications running, it would not make sense for them to go through the same doorway, as it might be difficult to tell the difference between the information. So a port separates out how certain data is sent or received.

    Server: A server is a computer or program which will accept requests from a client. It will then process this data and either deny the request or process it.

    Spoofing: A process where the hacker need only send a ping, and does not accept your response.