Potential Xbox Live hacking related to FIFA 12

Anti-virus and anti-malware only work on known exploits; when there is a new exploit you are not protected until they patch it in.

And if it's possible to wreck a few hundred centrifuges in Iran, why not steal some of that "work" and use it for easier targets?
 
That doesn't help. To allow the opt in, you have to modify the backend infrastructure, which increases the odds of a breaking change.

... which implies it's possible/doable, but needs (significantly) more coordination and testing.

Exactly my point. The users sign into PSN first. That's not the case with Live ID. Each app implements its own access to the service. To the app, Live ID is just a protocol that takes a username and password, and returns a cookie of some sort. Every app is free to implement how they access that API. Making the distinction of what is a fraudulent login is not an easy one. Currently, Live ID is essentially read-only to most applications. To implement what might be necessary, they'd have to add a way for the Xbox to tell Live ID that they suspect foul play and to suspend some features. Now all you need is an attacker to have a proxy that allows the Live ID login, but blocks the "this is fraudulent" call, and they're good to go again. Or they don't even bother with the Xbox; they log in using the website and a US proxy. They can do all the same things on the website, like buy premium content, and with a proxy in place, the region issue is gone too.

Yes, I am familiar with how PassPort works at a high level. MS acquired the original tech and team from FireFly Networks. What you described above is a weakness in Live ID/Passport.

Other technologies MS acquired (OSF/DCE) have a more comprehensive and robust federated security service. You can have different trust levels for different security domains. It should also be possible to add a "version" to the protocol to add new behavior. Old versions can be treated as not-so-trusted.

Because each PassPort member site handles its own sign-in, you can treat Xbox logins as more trustworthy compared to website logins. I remember a member site can tell where the user has initially signed in from (unless MS changed it).

The PassPort system has been compromised severely before (around 2001-2003), but Microsoft threw its weight behind fixing the holes. It has grown even bigger now; I'd be surprised if they can't fix it. The weakest link (easy-to-compromise/rogue member sites) may not be trusted.


EDIT: Also, it is unclear FIFA is related to these issues. Might want to revise the title.
 
I have no doubt they can fix it. I just don't know the timeline. My main experience with Passport was reverse engineering the protocol when I worked at Openwave.
 
It's a pain. When I cancelled my CC because of the PSN failure I had to update the info in so many places, and sometimes it was at the "wrong time" because I didn't have the CC on me or I was in a hurry.

It's ridiculously simple, are there any that you can't actually do from your PC anymore? People are actually jumping through hoops to avoid changing auto pay info? Lose a piece of real ID (drivers license or passport or something) if you want a pain.

Here's the process for Netflix: go to Netflix in your browser, log into your account (although that might be automatic), click 'Your Account', go to the line with your CC info, click update, enter the new info. If that takes you more than 1 minute I really don't know what to say. All of my auto pays are basically that process, except the ones at my bank where I can change 5 with 1 click.
 

I'm not saying I think they shouldn't fix it. They should. I'm just pointing out that arguments of developer laziness (which are a perennial favourite around here :)) are not necessarily accurate.

Yea, I changed my settings to NOT remember log in as you suggested.... and I now realize how many friggin services I'm running every day that I need to now enter passwords for Live (Mesh, Windows Live, Bing Rewards, OneNote, Windows Phone (which is automatic), Xbox Live).

That's a lot of log ins to type nearly every day for services that previously just worked in the background for me. :LOL:
 
Crazy, innit? Luckily I reboot my machine maybe once a month, so it's not too painful, but it is annoying.

I'm tempted to write an app that stores my password in a cryptographically secure way and then uses the accessibility APIs to enter them into the apps as they start up. There's probably already something like that available, if you could trust some other app writer with your password.
 
The PassPort system was created during the dotcom boom, with the vision of creating a user profile sharing/exchange marketplace over the Internet. That's why the technology does not support varying domain trust (If a site is untrusted, other sites won't want to exchange user profiles with it anyway). Instead, the team championed user privacy policies (P3P and such) to "bind" the participating services (in a non-legal but visible-to-end-user way).

It's an interesting concept, but today consumers use it more like a single sign-on solution. You could just use a smart login client solution for that, as bkilian alluded to. Mac OS X has a keychain client for just such a purpose, but the keychain is tied to the client machine.
 

KeePass?

http://keepass.info/
 
Someone (Jason Coutee) reckons they've determined the problem: lax security on the xbox.com website allowing passwords to be brute-forced until access is granted, whereby you are blown wide open. So a secure password should help prevent that, as would an email address that differs from your Live name, as I understand it.
 
Maybe our bkilian can get it kicked up the chain and looked at. :)

Thank goodness my gamertag isn't linked to my e-mail address anywhere in public or private. Anyone who knows my e-mail address for that doesn't use an X360. And I have a strong password.

Don't have CC info linked, but would still hate to lose my account.

Regards,
SB
 
Oh, I'll definitely bounce it over to the security guys. I wonder if the behaviour has changed recently, since I've had my Live account locked a couple of times when I forgot to change my Mesh password, and Mesh tried to log in too many times.
 

Ah, I told people phishing is not the only cause. You can cast reasonable doubt on that claim by looking at the victims' reports and profiles. ^_^

They should not have claimed users are at fault without investigating xbox.com in depth. [EDIT: Also, is FIFA cleared then?]

Someone who has a strong 14-character password got broken into too. He claimed that the password is unique, not used in other services. May want to look deeper.
 

See, and that's exactly what I have been suggesting was the most likely source of the problem all along: a flaw that allows brute force password attacks. Fuck MS for blaming the victims this whole time.
 
So now it's weak passwords of people using the same email handle as gamertag (does this pass the smell test with people who have been hacked? I know someone mentioned having a weak password; did they also have their email = gamertag?) as well as phishing/malware?
 
Before popping the corks on the champagne and the back patting begins, there's an update...

http://xboxlive.ign.com/articles/121/1216502p1.html

Ok, back to the regularly scheduled internet grind I guess.

You'll notice that MS is careful to say there hasn't been a breach of the service while tacitly admitting flaws in their login system are still a possibility (and indeed, an industry wide problem we all must deal with!). It's an attempt to deflect attention without technically lying about it.

If they could, they'd say, "these reports are erroneous and the claimed methodology could not be replicated. this is not a viable method of compromising an account." Instead they are talking out the side of their mouths about how security is a process and not a destination and brute force attacks are something everyone faces. Only, hopefully, other systems don't have their anti-brute force attack security measures so easily circumvented allowing infinite login attempts.

I don't think there is any question this is the exact vector of attack we have been looking for all along. They can try and play it off as business as usual, but the official response is basically a confirmation that they have had a critical flaw on xbox.com that hackers have been mining for nearly a year resulting in theft from tens of thousands of customers. Sure, it's not technically a "breach of the service", just a breach of their customers' trust.
 

It is a flaw to allow that to happen easily. The site should not allow so many retries. I think iTunes will lock your account after 3 or 5 tries. PSN will also lock your account if they suspect fraud.

Plus MS should not keep saying that phishing is the only cause as it is clear now that there is another easy way in, without the user falling into phishing scams.

The problem is no (sophisticated) breach is necessary to get in. If you can go in without breaking the lock, then there is no need to break the lock in the first place.
 
By the way, for those of us who actually use the service...

Go to your Live account and be sure to set up a "trusted PC" in the security section of Windows Live settings. If you ever get locked out, a trusted PC becomes a key back in and is a confirmed access point for your Live ID regardless of what else may get changed by hackers.
 

What happens if the hacker gets in and sets up a "trusted PC" for your account on his end? Is it possible? What does the password-less download profile ban25 mentioned do? Why does one need it?
 