One of the world's most popular online video games falls prey to a security breach involving usernames, e-mail addresses, salted passwords, and 120,000 salted credit card numbers. For more information, please visit http://iclass.eccouncil.org

1. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
League of Legends is Hacked,
with Crucial User info
Accessed
- A Case Study

2. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
One of the world's most popular online video games falls prey to a
security breach involving usernames, e-mail addresses, salted
passwords, and 120,000 salted credit card numbers.

3. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Salting
Stored representation differs
Salting technique prevents deriving passwords
from the password file
Advantage: Defeats pre-computed hash attacks
Unique
Password
Note:Windows password hashes are not salted.
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08
Salting
Same password
but different
hashes

4. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Riot Games, which developed League of Legends, announced that some usernames, e-
mail addresses, salted password hashes, first and last names, and even some salted credit card
numbers have been accessed.The salted data is somewhat protected, but if users have easily
guessable passwords, their information could be susceptible to theft, Riot Games warned.

5. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Hackers have breached the
system of one of the world's
most popular online video
games:
League of Legends

6. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
A salt is a random value used in a hash algorithm to make it more
secure. Hashing is used to verify the integrity of data and protect
sensitive information, like passwords. Common hash algorithms
include md5 and SHA-1.

7. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Active Online Attack: Hash Injection Attack
A hash injection attack allows an attacker to inject a compromised hash
into a local session and use the hash to validate to network resources
The attacker finds and extracts a logged on domain admin
account hash
The attacker uses the extracted hash to log on to the domain
controller
Attacker Victim Computer
Inject a compromised hash into a local session

8. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
LM “Hash” Generation
cehpass1
Concatenate LM Hash
CEHPASS 1******
ConstantConstant
DES DES
Padded with NULL to
14 characters
Converted to
the uppercase
Separated into
two 7-character
strings

9. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
League of Legends hit the scene nearly
four years ago, and in some ways
completely flew under the radar for
most casual observers of the gaming
industry. However, in that short time
frame, League quickly acquired
millions of players that stay addicted
to the evolution of the game.

10. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
The affected users are only those
who live in North America.
While the accessed credit card
information is alarming, it pertains
only to records from 2011 and
earlier.

11. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
"We are investigating that
approximately 120,000
transaction records from 2011
that contained hashed and
salted credit card numbers
have been accessed,"
Riot Games
wrote in a
blog post

12. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
In 2011, LulzSec claimed responsibility for launching a distributed
denial-of-service attack on ZeniMax, which makes Fallout 3,
Doom, and Quake.
Handler
Handler
Attacker
Compromised PCs (Zombies)
Compromised PCs (Zombies)
Attacker sets a
handler system
Handler infects
a large number of
computers over
Internet
Zombie systems
are instructed to
attack a target
server
1
1
2
2
3
3
How Distributed Denial of Service AttacksWork
South Korea
Web Servers

13. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
In July, a Ubisoft security breach led to hackers accessing
usernames, e-mail addresses, and encrypted passwords.

14. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Riot Games, the company is instituting new security features, such
as e-mail verification and two-factor authentication, and is also
requiring users to change their passwords to "stronger ones that are
much harder to guess."

15. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
PWDUMP extracts LM
and NTLM password
hashes of local user
accounts from the
Security Account
Manager (SAM)
database
Attacker
fgdump.exe -h 192.168.0.10
-u AnAdministrativeUser -p
l4mep4ssw0rd
pwdump7.exe
Dumps a remote machine
(192.168.0.10) using a specified user
pwdump7 and fgdump

16. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
L0phtCrack
http://www.l0phtcrack.com
L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash
extraction from 64-bitWindows versions, multiprocessor algorithms, and networks monitoring and decoding

17. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
To know more about these
attacks and how to secure your Information
Systems become a Certified Ethical Hacker