That explains it! (Score:5, Funny)
Re:That explains it! (Score:5, Interesting)
There isn't much to be done about it. They can turn off autoaim and that would make the mouse/KB combo more awkward. But it would also make controller aiming extremely frustrating. If you want proof of that just try to betray a teammate with a pistol while using the controller. It is virtually impossible because autoaim is turned off when you're aiming at teammates.
Same old MS (Score:4, Informative)
According to Boyd, the friend request DoS has been minimized in recent months as a result of Microsoft actions. Microsoft has now limited the number of friend requests a user can send, so there is now a time delay that mitigates the DoS risk.
Not if the attacker is using a botnet, unless TFA means the number of friend requests a user can receive.
One way that attackers enumerate their targets is by way of information that is easily publicly accessible. Xbox users gain points during gameplay, which leads to a gamerscore metric. The higher the gamerscore, the more valuable the gamer account. Boyd noted there is no easy way to keep a gamerscore private.
"If you go into the Xbox privacy settings, you can't block the gamerscore," Boyd said. "All you can do is hide your list of most recently played games."
Boyd added that sites like Mygamercard.net promote users' gamerscores, in effect painting a big target for attackers.
Typical, and depressing.
Re: (Score:3, Funny)
so your e-peen IS worth something after all :D
Re: (Score:2)
The higher the gamerscore, the more valuable the gamer account.
Achievement Unlocked: Hack-worthy Account!
Re:Same old MS (Score:4, Informative)
As the owner/founder of MyGamerCard [mygamercard.net], I hope that you're not claiming it's typical or depressing that I run a service that organizes gamers by their GamerScore?
MGC exists primarily to allow people to share their GamerCard (i.e. their gaming history) with friends. In addition, the stats I collect are used to foster competition and for personal tracking. The Leaderboards (which organize gamers by their score) are to incite people to play more and induce curiosity; I do not promote or condone any illegal activity.
Apologies if I'm being overly defensive or reading too much into your quote.. just seems that every six months or so, something comes around about GamerScore, and MGC gets thrown in the middle like it's intentionally trying to cater to idiots.
Everything is said. (Score:4, Insightful)
'Though the Xbox doesn't have the number one market share, it is the top target for hackers,
This phrase says everything.
Re:Everything is said. (Score:4, Interesting)
Indeed it says a great deal in that the myth that "Microsoft is the number one target because Microsoft is number one" is now shattered with this reported fact/statistic. But before we start citing this fact/statistic, let's do some fact-checking first and get some other parties checking these statistics. I have no leaning either way for this to be true. I actually have XBox360 and XBox Live so that I can play with my older children, so I would like it to be true that it's not driven by weaknesses and vulnerabilities in Microsoft's Windows driven network.
Another thought that hit me, and it was my first thought, was "compromised XBox360s joining botnets." The evidence for an infected PC is often readily available through various clues not the least of which are severe decreases in performance and software installed that the user doesn't recall installing. But with a very closed system like XBox360, the evidence wouldn't be nearly as obvious unless these machines set themselves up to power on in the background while disabling front panel indicator lights. (Since the indicator lights are mostly controlled by software, that would not be surprising to see.) And since XBox Live relies on home routers having specific ports forwarded to the machine so that game sessions can be hosted, port scanning could relatively easily identify machines running XBox live. Should a vulnerability be found to compromise the machine, you can bet that silent and worm-like infections would quickly follow even getting past NAT connected XBoxes as they connect to the infected game hosts.
Bad enough that yet another class of Windows machine is being targeted, but even worse that the likelihood of it being detected is significantly lower and that remedies to the problem are effectively limited to pulling the power plug from the wall even if it COULD be easily detected.
Re:Everything is said. (Score:4, Informative)
I would like it to be true that it's not driven by weaknesses and vulnerabilities in Microsoft's Windows driven network.
According to TFA, most attacks are from phishing, but Microsoft makes the phishing easy by putting your CC info where everyone can see it. They say you should lie on your user page.
The cell processor (Score:2)
Another explanation is that Xbox uses a somewhat more conventional architecture processor. The Sony PS3 Cell is notoriously difficult to program for and thus requires uncommonly sophisticated skills in the hacker.
That of course is not perfectly true. Each Cell also has a conventional co-processor that could be attacked. But still the overall problem is probably a lot harder.
Maybe this is the way to get more trained cell programmers. Put tempting targets out there running on cells.
Re: (Score:2)
I think that is pretty much irrelevant. People coding malware use the same tools for writing code as legitimate programmers. All they would need is a development system to create the binary. They can test their own gear to find vulnerabilities that could be exploited to cause the game system to either download, install and run the code from the internet or otherwise use an exploit to insert code for execution in some other way such as an overflow. Once identified, it is merely a matter of writing the ma
Re:Everything is said. (Score:5, Insightful)
This is misleading.
XB360 is not the top console, no. Wii is. But how many of those Wii players network their machines? And how many of those also attach payment information to their machines?
In terms of network accounts with cash flow attached to them (i.e. paid subscribers to a network service), Microsoft is number one. There are more paid XBox Live accounts worldwide than there are active "World of Warcraft" accounts! When looked at this way, Nintendo and Sony aren't even close. And so, the priority for hackers makes a great deal of sense.
Re: (Score:3, Insightful)
Actually, this news doesn't shatter the theory. Basically it reaffirms it. XBox Live is the #1 for-pay console network, hence it is the biggest target.
Re: (Score:3, Funny)
Fortunately the 360 is immune from sub rosa operation by a botnet, since when the thing is on it's so loud that Helen Keller wakes from the dead to complain about it.
Re: (Score:3, Insightful)
'Though the Xbox doesn't have the number one market share, it is the top target for hackers,
This phrase says everything.
It does have the number one market share for paid online subscriptions, which means it'll be a big target for phishers. Xbox live accounts have real value, which means it will be a target for hackers and phishers.
Read on, McDuff (Score:2)
The XBox is an appealing target because XBL has 17 million paying subscribers.
Man (Score:4, Funny)
I'm so glad I went with the PS3, I'll never have to worry about hacking if my firmware doesn't even work!
Phishing, not Hacking (Score:5, Informative)
Don't be confused. They're not hacking your hardware or the Xbox Live servers. They're using social engineering and any publicly available information (courtesy of things users choose to divulge in their profiles) to attempt to get passwords.
Big difference between hacking & phishing. Moreover, there's nothing particularly unique to the XBox Live service & this phishing, either.
Re: (Score:2, Insightful)
It just sounds better to be "hacked" because hacking implies that it was entirely out of your control. There is some poetic justice to the Xbox fanbois being attacked based on how "good" (read: how much time spent) they are at a game
SOCIAL ENGINEERING IS NOT HACKING (Score:5, Insightful)
The "researcher" who is quoted in this article comes off like a moron.
He complains that there is no way to hide one's gamerscore. NO SHIT. It is called social networking. GAMERSCORE = (imagined) PENILE LENGTH INCREASE. You don't farking hide it, the entire point is to show it off.
Next up, sending someone a message "g1ve me urz PW and I'll givez you 1,000,000 gamerscores!!" is not hacking. It is exploiting people's greed. There is a big difference.
Likewise wussies DOS'ing a game server to get back at the people who kicked their wimpy arse is also not new, it happens WAY more often in PC games, since the majority of PC games have dedicated servers whereas only a few (but popular) Xbox 360 titles use dedicated servers.
In summary, these are not "hackers targeting Xbox Live". 99% of them don't even rank as script kiddies.
Re: (Score:2)
"g1ve me urz PW and I'll givez you 1,000,000 gamerscores!!"
My pw is 12345!!!
Thank you for the gamescore!!!!!
Re: (Score:3, Funny)
1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!
Re: (Score:3, Informative)
Cheating is rampant on Xbox live. So is the ban hammer.
As an ultimate punishment, MS can disable one's entire Xbox live account. Worst case, that costs the cheater $$. Or of course they have a huge supply of 48 hour free trial gold cards, but then they have to spend their free time hunting additional 48 hour free trial gold cards. :P
Most cheats for Xbox
Happened to me (Score:5, Informative)
My account was stolen. It sucked. It took me months and way, way too many phone calls to get it back. The asshole who hacked it had changed so much information, including the gamertag, that they didn't even want to talk to me on the phone at first. Xbox customer support is absolute shit. Their reps are totally unhelpful, refusing to deviate from the script despite the fact that "account stolen" is apparently not in the script. There was not one that I called that was comprehensible in English.
Oh and this whole thing started because I found over $100 worth of Xbox points charged to my credit card. To this day I have no idea whether that person actually got my CC number or figured out how to charge without it. I executed a chargeback on that $100, and have yet to see another fraudulent charge.
Re: (Score:2)
As the Anon. coward stated, stealing an account is quite a bit different than a simple snafu. You are suggesting that someone hammered away at logging into your account, and then charged $100 to your account. That seems like a lot of effort just to play your games for free, especially when they could have just used TPB and some tools to get a similar experience.
The more logical option is that you had a weak password, you gave it away, or you were phished. None of these involve someone forcefully stealing yo
Re: (Score:3, Insightful)
And if you have my Amazon password you can order real stuff with my CC, and if you have my banking CC you can steal all my money. That's why we protect our passwords children :)
What the .... ? (Score:2)
What the hell is this piece of shit, called "article"?
Using social engineering to obtain Xbox account details?
Oh my God, I would have NEVER thought something like that could happen.
I'm surprised there isn't less of this (Score:2)
Ever since multiplayer PC gaming, I have been surprised that I have not heard about phishing mods or virus mods. When you connect to a modded server, most multiplayer PC games will automatically download and execute scripts that run within the game engine. It shocks me that nobody has found a way to break out of the game engine sandbox and compromise a machine.
Now, consoles don't (AFAIK) support downloading mods. But I imagine that there would be similar attacks based on sending garbage data to the serve
How to remove credit card info? (Score:2)
Where is this option to remove your credit card info? I keep trying and it won't let me. I don't have anything on automatic renewal.
Re: (Score:2)
Actually I see the option but each time I try to remove the card, it tells me that a service is still attached to the card- and points me to an EXPIRED gold membership. I have since bought and activated a pre-paid gold membership so this makes no sense. Arg!
s/Hackers/Phishers/g would be a good start.. (Score:5, Insightful)
If you RTFA, what you basically see is this:
- Xbox LIVE accounts are worth something, and often have CC info embedded in them
- all of the techniques are for getting control of an XBOX live account or DOSing an XBOX live user
- all of the non-DOS techniques are SOCIAL engineering "attacks"
The XBOX Live network is actually pretty solid, with IPsec between endpoints and servers. The successful "attacks" at the network layer are essentially ping-floods or traffic stoppages [i.e. the Halo bugs where you could turn off your cable modem and thus disconnect without killing your ELO ranking].
Finally, regarding the point about market share / attractiveness to hackers: this is stupid.
XBOX Live has more paying customers than any other console gaming network. Looking at # of consoles sold is not the same thing as attractiveness for phishers/scammers.
So, Mod the Article (-1: Epic Fail)
Over rated sensationalism (Score:3, Insightful)
Despite what the article might lead one to believe, the Xbox hardware isn't being hacked. User accounts are being compromised. The accounts aren't being compromised due to weakness in the software, authentication mechanisms, or by viruses/malware. They are being compromised by social engineering and phishing. The only slightly disturbing subject mentioned involves introducing latency into game connections by way of DoS attacks and botnets. That sucks for people who play the games, but that isn't a weakness limited to the Xbox. Any internet connected device is susceptible to DoS attacks in some way.
Re: (Score:2, Informative)
Microsoft bashing is all fun and good, but at least think a little bit about what you've written before posting.
Re: (Score:3, Informative)
It's possible to only buy Nintendo Points cards, too
This is true of Xbox Live as well. You can subscribe and have your credit card charged automatically, but you can also survive on membership/points cards that you buy at the corner store instead.
Re: (Score:2)
It's comparing two separate things. What market share are they talking about? The online user base or the consoles-sold user base? The real question would be how many active online users, not how many consoles sold. It's comparing two separate and independent statistics.
I wonder who the number one market share is, anyways.
Re: (Score:2, Informative)
Not really right, no.
Xbox does have the number one market share in active online players (excluding the PC "open market"). Especially notable considering the annual fee.
Nintendo has the number one share in consoles currently sold. Online support on the Wii is basically neutered by the friend code system. Many games don't even try to do online multiplayer, and no financial information is stored on the system or your "profile" which really isn't a profile in the same sense.
TFA is pretty vanilla on the detail
Re:Top target? (Score:5, Insightful)
RTFA, there is no hacking being done. It's all DoS attacks, social engineering, and phishing scams. These methods are all independent of the hardware and in most cases the services being offered.
Also, while the Xbox may not have the largest market share I would argue that it is very likely to have the largest and most active online community. The article is about "hacking" account information, not the hardware or software itself.
Re: (Score:2)
Don't know how it happened to me, but it did. If they had my CC number they never charged anything but Xbox points to it. Seems like a real stupid thing to steal. Maybe it was a kid or something?
Re: (Score:2)
Not only that but the Xbox is the only console with anything of value to target (Xbox Live accounts).
What's the point of hacking someone's Wii? Are you going to change their weather information or change someone's Mii to look like Hitler?
Re: (Score:2)
At least then I'd GET weather information. All I get is a -- C when I look at the summary screen.
Not that I live in an urban centre or the capital city or anything. Oh, wait, both of those ARE true.