Friday, May 28. 2010
Just change your passwords.
Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:
World of Warcraft - 210,000
Aion - 60,000
PlayNC - 2 million (NCSoft's site-wide account)
Wayi Entertainment - 16 million
Symantec focused on an interesting feature of the botnet - it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck.
Ah, the Internet and its glorious features.
It was unclear how all of these identities were collected, probably via phishing or purchase.
Needless to say, this did represent a substantial dollar value in stolen accounts... millions and millions of dollars.
"44 Million Stolen Game Accounts Uncovered?", http://www.markeedragon.com/content.php/720-44-Million-Stolen-Game-Accounts-
E. Ward (2010), "44 Million Stolen Gaming Credentials Uncovered", http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered
Tuesday, April 13. 2010
An employee of Bank of America in North Carolina was charged with installing malware on ATMs. The software, apparently modified from malware circulating in Eastern Europe, allowed him to make undetected withdrawals from the affected machines over a seven-month period (the withdrawals did not leave a transaction record).
The software, first found in Russia and the Ukraine, captured PIN and card information from the magnetic stripe as well as allowing undetected withdrawals. Sixteen versions have been found so far, affecting ATMs from NCR and Diebold.
Bank of America found the problem internally, possibly because the records did not balance (a more sophisticated attacker would make sure that the money came out of legitimate customers' accounts ... $100 for you, $20 for me, so that the ATM would balance).
Maybe in ATM Hack 2.0
K. Zetter (2010), "Bank of America Employee Charged With Planting Malware on ATMs", http://www.wired.com/threatlevel/2010/04/bank-of-america-hack
via
"Bank Employee Plants Malware on ATMs", http://yro.slashdot.org/story/10/04/09/1240213/Bank-Employee-Plants-Malware-on-ATMs
Tuesday, March 30. 2010
Public key cryptography. Magic. You'd think it was some sort of magic bullet the way a lot of people talk about it.
The real problem with public key cryptography is that anyone can do it.
If you know the math, you can communicate. "Securely", yes, but with no idea who you are talking to.
In order to make public key cryptography useful, you need a system to associate keys with trustworthy (or, at least, known) individuals.
Welcome to Public Key Infrastructures, and, at their apex, Certificate Authorities.
Certificate authorities simply sign keys for others and associate a person (or organization) with a key.
So far, so good until someone undermines the certificate authority... since a certificate authority can associate any identity with any key, they can take all the "security" out of cryptography.
Apparently governments do this.
Not really surprising.
But, considering how many certificate authorities are out there and how many people work for them, how difficult do you really think it is for a criminal, a company, a hacker, a government, or anyone else to get a certificate that says they are whoever they want to be?
"Government Could Forge SSL Certificates", http://yro.slashdot.org/story/10/03/26/1334254/Government-Could-Forge-SSL-Certificates
Wednesday, March 24. 2010
The higher your score, the more of a target you are for getting hacked on Microsoft's Xbox Live. High Gamerscores are valuable, and there is no way to hide them.
Many Xbox Live users have either money on their account or a credit card tied to it, which can then be used to purchase more games and other entertainment.
... and, of course, some people just want the high score in a game, no matter what AND are willing to pay for it.
Microsoft customer support is often the way these accounts are compromised via classic social engineering techniques.
Phishing for user account information via email is also popular (no surprise).
Interestingly, malicious players can spam a player with friend requests, which effectively creates a denial of service attack.
S. Kerner (2010), "Hackers Target Xbox Live", http://www.internetnews.com/security/article.php/3842751/Hackers+Target+Xbox+Live.htm
Tuesday, March 23. 2010
The developers of the Zeus crimeware kit sell their product's base version for $4,000. With all the options, it can be $10,000 or more (the Ultimate Edition... just like Windows):
Real-time notification via Jabber - $500
Firefox form entries - $2000
Remote Control / Connection software - $10,000
Oh, and just like Windows, the bot developers use hardware activation so that it is tied only to one computer.
Current version: 1.3.3.7
Version 1.4 coming soon with some awesome features including:
It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.
D. Goodin (2010), "Trojan armed with hardware-based anti-piracy control", http://www.theregister.co.uk/2010/03/12/new_zeus_features/
via
"Malware Authors Learn Market Segmentation From the Best", http://it.slashdot.org/story/10/03/13/0247253/Malware-Authors-Learn-Market-Segmentation-From-the-Best
Monday, March 22. 2010
Why do users have bad passwords?
Why do users not search for malware?
Why don't users protect themselves better?
Because it doesn't make sense for users to do so, according to Cormac Herley, of Microsoft:
Users understand, there is no assurance that heeding advice will protect them from attacks.
Users also know that each additional security measure adds cost.
Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.
Passwords are a clear example. We are told to have long, complicated passwords that we change regularly.
However, passwords are actually attacked ... how?
The main attacks against passwords would appear to be: phishing, keylogging, a brute-force attack on the user's account, a bulk-guessing attack on all accounts at the server, and special-access attacks (guessing, shoulder surfing and console access).
None of which are blocked by long, complicated passwords that are changed regularly.
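The two server-side attacks in that list (brute force on one account, bulk guessing across all accounts) are defended at the server, not by the user's password choice. As an added illustration that is not part of the original post or of Herley's paper, here is a small detector that runs over a constructed authentication log (the log lines, account names and addresses are made up for the example) and separates the two patterns: a bulk guess shows up as one source failing against many accounts, a brute force as many failures against one account.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the page): one login
# attempt per line, with the result, the account tried and the source address.
SAMPLE_LOG = """\
2010-03-22T10:00:01 FAIL user=alice src=203.0.113.7
2010-03-22T10:00:02 FAIL user=bob src=203.0.113.7
2010-03-22T10:00:03 FAIL user=carol src=203.0.113.7
2010-03-22T10:00:04 FAIL user=dave src=203.0.113.7
2010-03-22T10:00:05 FAIL user=erin src=203.0.113.7
2010-03-22T10:00:06 OK user=frank src=203.0.113.7
2010-03-22T10:01:00 FAIL user=carol src=198.51.100.9
2010-03-22T10:01:05 FAIL user=carol src=198.51.100.9
2010-03-22T10:01:10 FAIL user=carol src=198.51.100.9
2010-03-22T10:01:15 FAIL user=carol src=198.51.100.9
2010-03-22T10:02:00 FAIL user=alice src=192.0.2.5
2010-03-22T10:02:07 OK user=alice src=192.0.2.5
"""


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp, result, account and source fields."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": ts, "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def bulk_guessing_sources(log: str, min_accounts: int = 5) -> dict:
    """Bulk guessing (one or two tries against many accounts): flag sources
    whose failures are spread across at least `min_accounts` distinct users.
    Per-account lockout never fires on this pattern; per-source counting does."""
    failed_users = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            failed_users[rec["src"]].add(rec["user"])
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_accounts}


def brute_forced_accounts(log: str, max_failures: int = 3) -> dict:
    """Brute force on a single account: flag users with more than
    `max_failures` failed attempts, regardless of where they came from."""
    failures = defaultdict(int)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            failures[rec["user"]] += 1
    return {user: n for user, n in failures.items() if n > max_failures}


if __name__ == "__main__":
    print("bulk guessing from:", bulk_guessing_sources(SAMPLE_LOG))
    print("brute-forced accounts:", brute_forced_accounts(SAMPLE_LOG))
```

The thresholds are assumptions for the example; in practice they are tuned to the service. The point the paper makes survives either way: a single guessed password per account is never going to trip a lockout, so the thing that stops bulk guessing is the server watching its own traffic, not the user picking a longer password.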
In the case of PayPal, only 0.49% of its fraud is due to password security flaws... only $8.8 Million.
Other examples cited in the paper include the relative ineffectiveness of detecting phishing by teaching users to properly read URLs and the total failure of certificate management.
Thought provoking stuff and definitely worth reading.
C. Herley (2009), "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users", http://www.nspw.org/papers/2009/nspw2009-herley.pdf
via
M. Kassner (2010), "Are users right in rejecting security advice?", http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
Friday, March 12. 2010
Only 9 percent of companies who've had a security breach figure it out themselves. 80 percent of the time, a credit card company comes knocking to let you know:
You've been Hacked.
(according to a survey by Trustwave of 200 security breaches that occurred in 2009)
Of course, what's really interesting about this is that if your confidential, non-credit-card data is taken, the odds of you figuring it out are virtually nil.
Why does this happen?
If you are doing something about security, there are too many alerts, alarms, configurations, systems, and networks to defend.
Unless the bad guy is so stupid or obvious as to announce his (or her) intentions, you'll never notice amongst all of the other things you've got to do day after day after day.
While the article cites security vendors who want you to "standardize tools" and buy their product, the real answer is to make the parts of your system that are "security relevant" really simple and separate from the rest of your environment.
If it is not simple, it is not secure.
Also, design systems as if they might fail, so that the security consequences of a failure are minimized.
You have to understand both what you value and what your foes may value.
One of the biggest problems that online game companies face is that their economic incentives and priorities are not the same as their adversaries'. While gold farming is a "customer service problem" for a game company, it may be a multi-million dollar business for your foe.
If so, he is going to be willing to spend a lot more to attack your service than you are going to want to spend to defend it.
If a scammer can earn thousands of dollars from abusing your product or service, he (and all of his friends) are going to come visiting... and you will be left empty-handed.
If casual fraud is easy, there will be a lot of casual fraud.
People are terrible, aren't they?
B. Prince (2010), "Why Data Breaches Can Go Unnoticed by Their Victims", http://www.eweek.com/c/a/Security/Why-Data-Breaches-Can-Go-Unnoticed-By-Their-Victims-894968/?kc=EWKNLSTE02162010STR2
Monday, March 8. 2010
A 6.5 hour denial of service attack hit Ubisoft's DRM servers yesterday (Sunday, 3/7/2010). From the limited information available, it seems players were unable to log into the service (players who were already logged in seem to have been able to continue playing). Ubisoft's new DRM service for PCs requires a constant Internet connection to play. When the connection drops, the player's game session ends and reverts to the last save point once a new session is opened.
There are still conflicting stories about whether the DRM scheme has been broken. Ubisoft continues to assert that the DRM system is still functioning.
This type of service is a tempting target for a denial of service attack in that a short, intense attack can cause a lot of disruption instead of degrading gracefully. If one can knock out the servers for just a minute, it looks like everyone who was playing would be knocked out.
It will be interesting to see if Ubisoft pursues legal action in this case. Denial of service attacks are pretty clearly computer crimes and Ubisoft should be able to claim clear losses (lost customers and time & resources to recover). (Credible) Legal action would also act as a deterrent to future attacks.
J. Sterling (2010), "Ubisoft lied about DRM servers, admits they were attacked", http://www.destructoid.com/ubisoft-lied-about-drm-servers-admits-they-were-attacked-166200.phtml
L. Plunkett (2010), "Ubisoft's New DRM System Falls Down, Locks Out Paying Customers", http://kotaku.com/5487918/ubisofts-new-drm-system-falls-down-locks-out-paying-customers
J. Walker (2010), "Ubisoft Says Server Downtime Due To Attacks", http://www.rockpapershotgun.com/2010/03/08/ubisoft-says-server-downtime-due-to-attacks/
J. Walker (2010), "Ubisoft's DRM Servers Broken All Day", http://www.rockpapershotgun.com/2010/03/08/ubisofts-drm-servers-broken-all-day/
J. Orry (2010), "Ubisoft confirms server attack", http://www.videogamer.com/news/ubisoft_confirms_server_attack.html
T. Bramwell (2010), "Ubisoft DRM was 'attacked' at weekend", http://www.eurogamer.net/articles/ubisoft-drm-was-attacked-at-weekend
Wednesday, March 3. 2010
Four men were indicted for using a CAPTCHA scam to buy up tickets sold online from Ticketmaster, Tickets.com, MLB.com, MusicToday, and others. How did the scam work? Pretty straightforward. The group hired some programmers to automate CAPTCHA processing, flood the system and buy up a ton of tickets.
Which they resold... the glory of scalping in the Internet age:
To cover their tracks, the men used aliases, shell corporations, and fraudulent misrepresentations, both to deploy the CAPTCHA Bots and to disguise their ticket-purchasing activities. They also lied to online ticket vendors, Internet service providers, landlords, and lower-level employees at Wiseguy to conceal their activities.
The scammers were quite successful: they got half of the general admission tickets to Bruce Springsteen's 2008 concert in Giants Stadium.
UPDATE: Their total take? Around $25 Million
C. Albanesius (2010), "Four Indicted in CAPTCHA Hacks of Ticket Sites", http://www.pcmag.com/article2/0,2817,2360794,00.asp
Monday, March 1. 2010
Security tokens are the latest and greatest in game security for World of Warcraft and other games ... and they have been beaten, by attacks that several people, including myself, had previously speculated about.
The attack is pretty straightforward. Hackers get a piece of malware onto a victim's computer. When the victim player logs into World of Warcraft, the malware intercepts the code and sends it to the crooks who use it to login and loot the account.
There are a couple of problems here. The security token generates "one-time passwords" that are actually good for a short period of time (a matter of minutes, because the server has to tolerate sloppy clocks).
There are some potential countermeasures that Blizzard can take to thwart this attack, some of which are easier to implement, and more fragile, than others.
Where there is money on the table, hackers will try to find a way.
While the attack has been described as a "man-in-the-middle", it is actually a "man-on-the-side" attack - it is high tech shoulder surfing.
While this is pretty disturbing for games like World of Warcraft, it is of greater concern for banks and other financial firms using similar security tools.
A. Ziebart (2010), "Man in the middle attacks circumventing authenticators", http://www.wow.com/2010/02/28/man-in-the-middle-attacks-circumventing-authenticators/