Potential Xbox Live hacking related to FIFA 12

Phishing is the obvious blame, but it may not be the real problem. A few knowledgeable folks have had their XBL accounts broken into too (claiming strong and unique passwords were used). There may be other vectors, possibly via Windows Live.

The real problem is MS's attitude and customer service, followed by the actual weaknesses. Had they been more diligent and proactive, some of the accounts wouldn't have been broken into more than once.

EDIT:
The ban 25 comment resets your profile so only the CURRENT console machine you are using allows access to your profile without a password, and any other machines that your profile is on are locked without the password.

Yes, I was (still am) curious why the password-less profile was needed in the first place. Without it, you may not have to reset your profile at all.

Can the hacker reset your profile using his console machine, since he has your ID, password and all user details once he got in (except for the security questions)?

This other feature below is for recovery of a hacked Live ID account itself that your console is linked to, not your "on console" gamertag per se. So you can take control of your Live ID and change your password again, including your console's password.

http://windowsteamblog.com/windows_...dates-protect-you-from-account-hijackers.aspx

Yes, I was asking whether a malicious hacker can use the same mechanism as you to make sure he can get back in again after your account has been recovered.


EDIT 2:
I think MS has finally updated the password changing mechanism on xbox.com to stop at 20 attempts.
 
In a minute, I have tried 600 passwords on those 5 e-mails, and an hour later, I have tried 36000 passwords on those 5 emails, after a day I have tried 864000 passwords on 5 emails, and now I might have gotten a hit from one dude, even if he didn't use an easy to guess password, i.e. pass1234.

864000 is many orders of magnitude off of a hit on even a simple 8 character alphanumeric (which is trillions of possibilities). You'd probably have better luck with a common password/dictionary search hoping to catch the stupid.
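The flaw the thread keeps circling back to is that the sign-in told the caller separately whether the e-mail existed and whether the password matched, and did so without a per-account attempt cap. The following is an added example, not code from xbox.com or from anyone in this thread; the account names, passwords and the lockout threshold of 20 (taken from the poster's claim above, not from any Microsoft documentation) are assumptions. It puts the verbose design beside a hardened one that returns a uniform failure, counts failures per account and locks the account, and shows what an attacker's "one bad guess per e-mail" probe learns from each.

```python
import hashlib
import hmac
import os

# Assumed lockout threshold, taken from the thread's claim that xbox.com now
# stops password attempts at 20; the real service's value is not known here.
LOCKOUT_THRESHOLD = 20
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store(credentials):
    """Constructed sample account store: email -> (salt, pbkdf2 digest)."""
    store = {}
    for email, password in credentials.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


SAMPLE_CREDENTIALS = {  # constructed sample accounts, not real ones
    "alice@example.com": "chair1234",
    "bob@example.com": "table12",
}


class VerboseLogin:
    """The weak design the thread describes: the response says whether the
    e-mail exists, separately from whether the password matched."""

    def __init__(self, store):
        self.store = store

    def attempt(self, email, password):
        if email not in self.store:
            return "NO_SUCH_ACCOUNT"
        salt, digest = self.store[email]
        if hmac.compare_digest(hash_password(password, salt), digest):
            return "OK"
        return "WRONG_PASSWORD"


class HardenedLogin:
    """Uniform failure message, per-account failure counter and lockout."""

    # Fixed dummy salt so an unknown e-mail still costs one PBKDF2 computation;
    # otherwise response time would leak what the message no longer does.
    _DUMMY_SALT = b"\x00" * 16

    def __init__(self, store, threshold=LOCKOUT_THRESHOLD):
        self.store = store
        self.threshold = threshold
        self.failures = {}  # email -> consecutive failed attempts

    def attempt(self, email, password):
        if self.failures.get(email, 0) >= self.threshold:
            return "LOCKED"  # even the right password no longer gets in
        if email in self.store:
            salt, digest = self.store[email]
        else:
            salt, digest = self._DUMMY_SALT, b""
        ok = hmac.compare_digest(hash_password(password, salt), digest)
        if ok:
            self.failures.pop(email, None)
            return "OK"
        self.failures[email] = self.failures.get(email, 0) + 1
        return "FAILED"


def enumerate_accounts(login, emails, probe_password="not-the-password"):
    """What an attacker learns from one deliberately wrong guess per e-mail."""
    return {e for e in emails if login.attempt(e, probe_password) == "WRONG_PASSWORD"}


def guesses_until_stopped(login, email, guesses):
    """Feed a candidate list to the login; return (attempts made, final response)."""
    made, result = 0, None
    for guess in guesses:
        result = login.attempt(email, guess)
        made += 1
        if result in ("OK", "LOCKED"):
            break
    return made, result
```

Against `VerboseLogin` the probe returns exactly the set of e-mails that have accounts, and a guess list of any length runs until it hits; against `HardenedLogin` the probe returns nothing and the guess list is cut off at the threshold. A real service would additionally key the counter on source address and time window, since a per-account counter alone lets an attacker lock legitimate users out on purpose.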
 
Alphawolf: Well, I'm not gonna do it anyway.

I just tried to picture how I would do it if I were running like 5 sessions of bkilian's test script, which he said got two responses a second, on like 5 e-mails. :-/
I assume you can scale it up,

I don't think anyone believes that the hackers are only doing 5 sessions at a time with 5 accounts. :p
I was just making an example that the only flaw was that you knew whether you got the e-mail correct, or whether the password was correct.

I'm assuming if people wanted to earn money on this, they'd set up various ground rules as well, to increase the number of hits per day. If it were me again,
I would guess most passwords contain a dictionary word on the left, and a number on the right.
It's probably 8 or 9 letters in total.
Usually 4-6 alphabetical letters, and contains 1, 2 or 4 numbers, which the IT experts force us to use for added security (almost never 3 numbers, unless your word part contains 5 letters), and the number part is probably usually on the right side of the word part of the hypothetical password. I would also guess that the most frequently used numbers are between 1 and 4.
Because I figure that people want to be able to remember the passwords the first time they use them.
And then make a password database based upon such rules.

And I expect that the evildoers would probably try to improve their password databases.
And probably improve those statistics, based upon success over time.

The way I think, people who get prompted to make a password probably think: I sit in a chair, it's the twelfth month of the year, hmmm, my password is chair12. What, need 8 letters?
chair123, or maybe chair1234.. so that means I had 15 chair combinations to try.. :-/
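The two posts above argue about the same thing from different ends: a rule-based guess list ("dictionary word, then 1, 2 or 4 digits from 1-4") is tiny, whereas exhaustive 8-character alphanumeric search is not, so the 864,000 guesses a day that 5 scripts at 2 responses/s produce only matter against the first. The following is an added example, not code from anyone in the thread; the four-word list, the digit rules and the rates are assumptions that stand in for a real dictionary and a real attack, and the functions turn the posters' back-of-the-envelope figures into a reusable keyspace-versus-rate estimate.

```python
import itertools
import string

# Constructed rule set following the post's guess: dictionary word on the
# left, 1, 2 or 4 digits on the right, digits mostly 1-4. The wordlist is a
# four-word stand-in for a real dictionary.
SAMPLE_WORDS = ["chair", "table", "summer", "london"]
DIGIT_LENGTHS = (1, 2, 4)
DIGIT_ALPHABET = "1234"
SECONDS_PER_DAY = 86_400


def candidates(words, digit_lengths=DIGIT_LENGTHS, digits=DIGIT_ALPHABET):
    """Yield word+digits guesses in the order a rule-based attack would try them."""
    for word in words:
        for n in digit_lengths:
            for tail in itertools.product(digits, repeat=n):
                yield word + "".join(tail)


def rule_keyspace(words, digit_lengths=DIGIT_LENGTHS, digits=DIGIT_ALPHABET):
    """Number of guesses the rule produces, computed without materialising them."""
    return len(words) * sum(len(digits) ** n for n in digit_lengths)


def exhaustive_keyspace(length=8, alphabet=string.ascii_letters + string.digits):
    """Every string of the given length over the alphabet (62**8 for alphanumerics)."""
    return len(alphabet) ** length


def attempts_per_day(sessions=5, per_session_per_second=2):
    """The thread's figure: 5 scripts at 2 responses/s each gives 864,000 a day."""
    return sessions * per_session_per_second * SECONDS_PER_DAY


def days_to_exhaust(keyspace, per_day):
    return keyspace / per_day


def coverage_after_days(keyspace, per_day, days):
    """Fraction of the keyspace tried after `days` at the given rate, capped at 1."""
    return min(1.0, per_day * days / keyspace)


if __name__ == "__main__":
    per_day = attempts_per_day()
    rule = rule_keyspace(SAMPLE_WORDS)
    full = exhaustive_keyspace()
    print(f"rule-based guesses: {rule}, exhausted in {days_to_exhaust(rule, per_day):.4f} days")
    print(f"8-char alphanumeric: {full}, exhausted in {days_to_exhaust(full, per_day):,.0f} days")
```

With the four sample words the rule yields 1,104 guesses, which the assumed rate finishes in under two minutes per account, while 62^8 candidates would take on the order of 250 million days; the second poster's point that only a dictionary-plus-rules search is worth running at this rate falls straight out of the numbers.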
 
Please see previous text, and again, what is an acceptable response? Shutting down LIVE? Disabling all Windows Live ID sign-ins? Freebies? Gold stars for forum posters and websites? We all know there is no real answer to that.

...

An acceptable response certainly does not include blaming the users for falling for phishing scams, and then no result for a few months. That xbox.com hole should have been plugged long ago, not this weekend. The xbox.com password change mechanism is one of the first basic things to check. Coutee tried to warn MS but they ignored him. If MS doesn't want exploit info to go public, they should have reviewed and fixed the simple problem early; not waited until the info hit the news, then patched it.

Other people have suggested other improvements to protect XBL users. You can read them in the GAF hacked victims thread.
 
Pointing people to the existing (for a while) xbox.com/security or spelling out what's on that page for every outlet rallying the "LIVE hack" is not warning people?

Well, clearly this isn't an isolated incident; all Live accounts are a potential target.

I think the best way would be sending all Live members an email, telling them to keep track of their accounts, and make sure that they are the ones spending the money.
And warn people to change their password, if they are using the same password anywhere else.

Curious, should it be posted on a blog then, is that precedent and acceptable?

No, all members should receive an e-mail, that's the precedent.
This isn't something which may happen to you, and you could have been warned if you read Major Nelson's blog. It's a large scale attack on Microsoft's customers, and Microsoft, which is currently entrusted with the customers' personal data, should be the one to warn them.
Not ShackNews. :-/

Also, complete transparency is and always has been a double edged sword. For example, to quote what has already been said..

So what bad can happen from warning your customers?
Microsoft gets some bad PR, and maybe MS will lose a tiny bit of profit, when they reimburse the stolen goods, which people didn't know were stolen.


Shutting down LIVE? Disabling all Windows Live ID sign-ins? Freebies? Gold stars for forum posters and websites?

We all know there is no real answer to that. It will always be +1 to whatever a corporation does, especially one as despised as Microsoft. It's a prime example of damned if you do and damned if you don't. The degree of simplistic "if Microsoft only X, then Y" though is incredible since it's no different than the "lazy dev" comments elsewhere. Both seem incredibly shortsighted for something as complex as the security issue here.

It's not affecting enough people that shutting down the Live service which people pay for is justified.

There are lots of things they could, should or ought to do, it's just the question if they're willing to do it.

For instance, allowing users to remove their personal payment data online, instead of requiring consumers to call support on the phone all over the world, instead of only having that online feature in the places/states where they're legally required to, and phone everywhere else, would have been a good long-sighted security feature. :-/

How about this, how was Larry Hryb's account hacked at the start of 2010 or did that already escape everyone's attention. Was that more than phishing? Clues?

Major Nelson's account was also hijacked in the first week when Windows Live came out, if I recall correctly; they only changed his tagline though.
Didn't steal any money, according to official versions at least.
There was no reason to believe that a large group of consumers was the intended target back then; it is now, and they need to fix it soon. :)
 
If the data shows phishing, and refunds are handed out for phishing as you've already seen, should the story lie to appease the champions of hacking not phishing?

If there was actually data to support phishing they should probably share it. At this point phishing hasn't been anything more than a plausible, and convenient method of evading responsibility (since there will obviously always be some level of phishing every day). But if there was some sort of mass, concerted phishing scam, where are the saved emails? The screenshots of phishing sites? We are supposed to believe that thousands are falling victim each month, this has been going on for at least a year, but no one at Microsoft, on NeoGAF, 4chan, SomethingAwful or any other forum has been wily enough to recognize and document the scam that we are being told we must have fallen for? Can't be a very effective phishing scam if no one can find it.

Frankly, one of the biggest problems appears to be that Microsoft management believes their excuse wholeheartedly and have never bothered to investigate any other possibilities, even in the face of a huge surge in account thefts. And that's aside from the breakdown in customer service and their ongoing failure to implement safeguards against unauthorized purchases, both of which are scandals in their own right.
 
If the data shows phishing, and refunds are handed out for phishing as you've already seen, should the story lie to appease the champions of hacking not phishing? Also, did you stop to think that maybe the whole transparency about the way xbox.com sign-in works just gave a laser target to even the small time hacker even if that is not the major issue here? You know, the essence from the part I just quoted from Toulouse? Nope, it's all simple and easy right?

Do you work for Microsoft? Can you publish the data that proves all the affected users fell for a phishing scam?

And no, i'm not talking about others in your stealth last sentence. I'm asking you in particular since you keep dismissing things as so simplistic and post as a supposed outraged XBL member that you are not.

You'll find my answers there, together with many other user suggestions.

You'll also find MS's customer service failed to block a hacked account successfully in Susan's case. You'll find users who had their security questions changed (presumably by the hackers), but these questions were not reset when MS gave the recovered accounts back to the users. So these people got hacked again when the hackers used the security questions to reset the password another time. No phishing is required in these incidents.
 
Yes, I was asking whether a malicious hacker can use the same mechanism as you to make sure he can get back in again after your account has been recovered.


Yes, if you read the bottom of my post (bolded):

Before you can add a new proof or change any existing ones, you will need to be able to access at least one existing proof. For example, if your account was already set up with an alternate email proof and you wanted to add a cell phone number as well, you would need to use the alternate email address to do it. This means that even if a hijacker steals your password, they can’t lock you out of your account or create backdoors for themselves. You will always be able to get your account back and kick the hijackers out

So your answer is no. He needs one of your pre-programmed proofs (text message or trusted PC or alternate email) to set or change any proofs once one is set.
That's why I was suggesting everyone set a couple of proofs before it's too late. :LOL:
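The two recovery mechanisms discussed in the last few posts behave very differently once an attacker holds the password: a security question can be changed with the password alone and is not necessarily reset when support hands the account back, while (per the quoted Windows Live description) a proof can only be added or changed by someone who already controls an existing proof, and only if at least one proof has been set. The following is an added toy model, not Microsoft's code or anything posted in the thread; the `Account` class, its method names and the sample passwords and proof labels are assumptions, and the three replay functions walk through the re-hack via security question described above, the "attacker adds his own proof first" case that motivates setting proofs early, and the owner kicking the attacker out with a proof.

```python
class Account:
    """Toy model of one account with both recovery paths side by side.
    Assumed structure; nothing here is the real Live ID implementation."""

    def __init__(self, owner_password, security_answer):
        self.password = owner_password
        self.security_answer = security_answer
        self.proofs = set()  # e.g. alternate e-mail, phone, trusted PC

    def login(self, password):
        return password == self.password

    # --- security question path: gated only by the password --------------
    def change_security_answer(self, password, new_answer):
        if not self.login(password):
            raise PermissionError("password required")
        self.security_answer = new_answer

    def reset_password_with_question(self, answer, new_password):
        if answer != self.security_answer:
            raise PermissionError("wrong answer")
        self.password = new_password

    # --- proof path: once any proof exists, changes need an existing proof -
    def add_proof(self, password, new_proof, existing_proof=None):
        if not self.login(password):
            raise PermissionError("password required")
        if self.proofs and existing_proof not in self.proofs:
            raise PermissionError("must control an existing proof")
        self.proofs.add(new_proof)

    def reset_password_with_proof(self, proof, new_password):
        if proof not in self.proofs:
            raise PermissionError("not one of this account's proofs")
        self.password = new_password


def question_hijack_replay():
    """The re-hack described in the thread: attacker with the password changes
    the security answer; support hands the account back with a new password
    but never resets the question, so the attacker resets it again."""
    acct = Account("chair1234", "first pet: rex")
    acct.change_security_answer("chair1234", "attacker's answer")  # attacker, stolen pw
    acct.password = "support-issued-temp"  # support recovery; question untouched
    acct.reset_password_with_question("attacker's answer", "attacker-pw2")
    return acct.login("attacker-pw2")  # True: owner is hacked again


def proof_backdoor_attempt(owner_set_proof_first):
    """Can an attacker holding only the password add his own proof?"""
    acct = Account("chair1234", "first pet: rex")
    if owner_set_proof_first:
        acct.add_proof("chair1234", "owner-phone")  # first proof: password suffices
    try:
        acct.add_proof("chair1234", "attacker-email")  # attacker has no existing proof
        return True  # backdoor planted
    except PermissionError:
        return False


def owner_recovers_with_proof():
    """Owner with a proof set evicts an attacker who changed the password."""
    acct = Account("chair1234", "first pet: rex")
    acct.add_proof("chair1234", "owner-phone")
    acct.password = "attacker-pw"  # attacker got in and changed it
    acct.reset_password_with_proof("owner-phone", "fresh-pw")
    return acct.login("fresh-pw") and not acct.login("attacker-pw")
```

The middle function is the one that matters for the advice above: with no proof set, the password alone is enough to register the attacker's own e-mail as a proof, after which the recovery rule protects the attacker rather than the owner. A recovery process that restores the owner's password but leaves a security question or a proof the attacker planted in place repeats the failure the "hacked again" reports describe.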
 

You should write a consolidated post consisting of all the recommended measures for others' benefits (Or a list of links to relevant posts).

Some info about the password-less profile may be helpful too. Some of my friends will inevitably ask me what the hell is going on. ^_^
 
Frankly, one of the biggest problems appears to be that Microsoft management believes their excuse wholeheartedly and have never bothered to investigate any other possibilities, even in the face of a huge surge in account thefts.

Do you believe this is actually true, or are you just basing this on their public statements, which are obviously being carefully worded?

My issue, as ever, is that in the balance between minimizing their potential legal liability and properly informing their customers they appear to be leaning very heavily in the former direction and are giving out only the barest minimum of information. I'm not convinced by the argument that they can't release more information without compromising security, either.
 

If a known attack vector is difficult to fix without potentially opening up more attack vectors, or even worse losing functionality of the service, then maintaining security through obscurity until a fix can be implemented is the best thing they can do. Hence, not releasing public information on the potential attack vectors that may be occurring.

Having a dedicated crime ring hacking Live and profiting is a whole lot less damaging than a potential flood of script kiddies hacking the system once they know what to target, assuming an enterprising hacker releases a proof of concept hack based on information that Microsoft releases to the public in an attempt to appease the transparency advocates. And in the process harming far more people than might currently be harmed.

It's not like it's uncommon for a proof of concept hack to appear within days of publicly divulged security holes. In fact, it's far more uncommon that a proof of concept hack isn't released when a company divulges information on potential security holes.

It's why any good security researcher always attempts to work with a company when they discover a security hole. And only if the company is putting them off, or appears to be deliberately not working on a fix do they then go public before a fix is confirmed. Ones that don't do this are in it for the profit, using the hole, or wanting others to use the hole.

Regards,
SB
 
There's always the secret question, in case you lost your password, in the Live implementation?

That can be changed by the hacker if he has the PW. The proof option is a lock: no matter what they do, without one of your proofs (your PC, mobile phone or unhacked email) he cannot lock you out, and you can lock him out by resetting the PW.
 
Well put, constructive data sans rhetoric. Thank you. I still don't agree with complete transparency while combing through and re-securing nearly 40 million Live IDs just from the 360's contribution. To me, that's just adding more noise. There has to be a resolution though, or all E3 news will get overshadowed just like last year's debacle, only worse in Microsoft's case.

Microsoft screwed up big time with this one, there is no debate about that, only useless defences that claim victims are at fault.

Microsoft has so much experience with how the "internet" works; they obviously didn't put that knowledge to use in this case. And their support for their customers has been beyond bad. If they had just been able to actually help their customers in a more timely fashion, a lot of the bad PR would have gone away.
 
Yea MS screwed up so badly they have dozens of forum pundits fuming.

Hardly. This is getting continuing press coverage that would cease if an explanation were to be given that seemed plausible in some of the cases where their stock explanation doesn't seem to fit.
 

Surely there must be a middle ground between full transparency and a satisfactory explanation that doesn't make it seem like they are trying their damnedest to sweep the issue under the rug.
 