Possible way Xbox accounts are getting exploited?

#1 Posted by mancide (145 posts) -

Eurogamer is talking about a possible exploit people have been using to harvest Xbox Live accounts in the ongoing account hijackings. There is also another report coming from a network infrastructure manager that details the methods being used more than Eurogamer goes into.

Anyone think this is possible? I've PM'd Patrick, although I'm sure he's already on it, as well as Xav over at Shacknews who had been doing some reporting for them. So far Xav is waiting to hear back from Microsoft, and I'd assume it's the same situation for Patrick as well.

#2 Posted by Branthog (7529 posts) -

Of course that's how they're doing it. I've been saying this for months in response to people who cry "I done got haxored how could that be durp durp!". If you have a complex password, a brute force attempt will be very difficult. Especially since the number of attempts you can make are limited via most interfaces (if you have an actual copy of the database in your hands, then the speed is only limited by your processing power, but that's unrelated, here).

So, what crackers do is have a script that runs against every account they can find and it uses a whole slew of simple passwords that people use. If people use short passwords or passwords derived from a dictionary, they are incredibly easy to guess. You would be surprised how many people use ridiculous passwords (names, dictionary words, short passwords, dictionary words with numbers in place of letters, etc). If you have thirty million accounts, you can bet that a fairly sizable number of them have fucking idiotic passwords like "password" and "god" and "monkey" and it is therefore trivial to access those accounts.

If you have a complex password that is not based in any way on a dictionary word, brute force attacks become very difficult. Through a limited-attempt web interface like Microsoft and most other services have, you're talking about -- at most -- a few attempts per second.

If your password is fIt7H4@p39#k, you're going to be pretty safe. That password has a search space of 546,108,599,233,516,079,517,120, which would take a massively dedicated offline cracking cluster system with direct access to a database more than a century at something like a hundred trillion attempts per second. An online attack, like this, is going to be much slower. More like a few attempts per second are possible. But let's say it's more than that. Let's say that they can attempt 1,000 password attempts every second against your account using Microsoft's interface. It will take almost two-hundred billion centuries to crack.

On the other hand, if you're the average person who has a password like "monkey", it would take a password cracking cluster offline literally millionths of a second (you can attempt every dictionary word in about one or two seconds) and it would take the same 1,000 attempts per second system we mentioned, above, about three days.

Of course, you could do something even simpler. More than ten percent of all users use one of the 100 passwords on this list. So, if you have a pool of 30,000,000 accounts, you can exploit more than 10% of them simply by making no more than 100 attempts through the online interface. That's three million compromised accounts. Not through Microsoft's failure (or Facebook's, or Twitter's, or any of the other services people constantly complain about "being haxored" on). Through the user's fault.

People need to learn to take more responsibility for their security and for their accounts. There's a reason that some people are never compromised while others are posting "oops, ignore those posts on facebook yesterday, my account got hacked again!". People don't like to hear that. They complain to me and yell at me every time I bring this up. But the fact is, they need better passwords and they need to keep those passwords to themselves. Further, they need to not use those passwords across multiple services (if you use the same password for twitter as your banking services, a compromise at twitter suddenly becomes a major problem, since it now grants the exploiter with your financial account).

Yes, it is sloppy security to have your interface respond to a user by confirming that a user account does or does not exist. When an incorrect username/email is provided, the proper response is "you have provided an incorrect username OR password" so that it is not obvious when you have stumbled onto an actual account name. And, yes, eight attempts at a time might be too many to allow. Since I pointed out that more than a tenth of all users use the same 100 passwords, you would only need to do this about twelve times, before you've exhausted that list. If you allow three attempts with a fifteen minute lock-out between each, you make it significantly harder. Additionally, Microsoft support reportedly is not too difficult to social engineer, in which case the complexity of your password becomes irrelevant. This is a flaw in every system, unfortunately. If your policy allows gaps for social engineering to occur, they will, undermining any technical preventative measures otherwise employed.

TL;DR: What world are these websites/authors living in that they think this is news? Everyone knew this is essentially what was happening. If you don't use a stupid password, you are almost certain not to become a victim of this. So stop using stupid passwords. If you're not sure if your password is stupid, consider checking it against Steve Gibson's Haystack calculator.
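The search-space and time-to-crack arithmetic in the post above, as an added example that is not the poster's code or Steve Gibson's: it reproduces the "haystack" style estimate (every string up to the password's length over the union of character classes the password uses) and divides by a guess rate, including the rate that a three-attempts-per-fifteen-minutes lock-out leaves an attacker. The character-class sizes, the 365.25-day year and the guess rates are assumptions.

```python
import math

# Character-class sizes for a "haystack" style estimate (assumed to match the
# calculator the post mentions): 95 printable ASCII characters in total.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600   # assumption: Julian years


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Every candidate of length 1..len(password) over that alphabet.

    An attacker who does not know the length has to try the shorter strings
    too, which is why the sum, not just n ** L, is counted.
    """
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole space at a fixed guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


def days_to_exhaust(password: str, guesses_per_second: float) -> float:
    return search_space(password) / guesses_per_second / 86400


def lockout_guess_rate(attempts: int, lockout_seconds: float) -> float:
    """Sustained guesses per second against one account when the service
    allows `attempts` tries before freezing it for `lockout_seconds`."""
    return attempts / lockout_seconds


def lockout_windows_to_exhaust(list_size: int, attempts_per_window: int) -> int:
    """Lock-out windows needed to try every entry of a common-password list."""
    return math.ceil(list_size / attempts_per_window)


if __name__ == "__main__":
    strong, weak = "fIt7H4@p39#k", "monkey"      # the two passwords from the post
    print(f"{strong}: {search_space(strong):,} candidates")
    print(f"  online @1,000/s : {centuries_to_exhaust(strong, 1e3):.3g} centuries")
    print(f"  offline @1e14/s : {centuries_to_exhaust(strong, 1e14):.2f} centuries")
    print(f"{weak}: {search_space(weak):,} candidates")
    print(f"  online @1,000/s : {days_to_exhaust(weak, 1e3):.1f} days")
    rate = lockout_guess_rate(3, 15 * 60)
    print(f"3 tries per 15-minute lock-out: {rate:.4f} guesses/s, "
          f"'{weak}' would take {days_to_exhaust(weak, rate):,.0f} days")
    print(f"top-100 list at 8 tries per lock-out: "
          f"{lockout_windows_to_exhaust(100, 8)} windows")
```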

#3 Posted by Ubersmake (754 posts) -

I think it's very possible.

I actually ran into this issue at my previous job. We were implementing an account signup workflow, and the issue came up with what to do when a user put in the wrong credentials, as opposed to nonexistent credentials. Our solution was to simply say that something was wrong with what was inputted, and to try again, regardless of whether or not that user actually existed.
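A login handler that does what Ubersmake describes, as an added example that is not code from Ubersmake's former employer, from Microsoft or from anyone in the thread: one generic message for a nonexistent user, a wrong password and a locked account, a dummy hash verification so that a missing account costs the same time as a wrong password, and the three-attempts-then-fifteen-minute lock-out Branthog proposes above. The PBKDF2 parameters, the in-memory store and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

ITERATIONS = 100_000                     # assumed PBKDF2 work factor
GENERIC_ERROR = "Incorrect username or password."   # identical for every failure
MAX_ATTEMPTS, LOCKOUT_SECONDS = 3, 15 * 60


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Dummy record verified when the username does not exist, so a missing account
# costs the same hashing work as a wrong password (no timing-based enumeration).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}   # constructed in-memory store
        self.clock = clock

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)                    # per-user salt, never reused
        self.accounts[username] = Account(salt, _hash(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Do the expensive work anyway, then fail with the generic message.
            hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)
            return False, GENERIC_ERROR
        if now < acct.locked_until:
            # A locked account answers exactly like a wrong password, so the
            # lock itself does not confirm that the username is valid.
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "OK"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return False, GENERIC_ERROR
```

The response for a nonexistent user and for a wrong password is byte-for-byte the same and takes the same hashing time, which is the property the post's signup workflow was after.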

#4 Posted by Jadeskye (4367 posts) -

@Branthog: Your dedication to education is amazing.

#5 Edited by Jeust (10548 posts) -

The cool thing is that this happens also with other websites, like Facebook. Generally failed login messages provide too much information.

#6 Posted by Ubersmake (754 posts) -

@Branthog: I think the first problem here is knowing whether a user exists or not. Before even getting to the password part, knowing that a user exists on a service is a big thing.

#7 Edited by Grimluck343 (1149 posts) -

@Branthog:

Do you always post massive walls of text? Great post again.

But yes, it probably is simple brute force hacking, especially since entering email addresses that you get via google-fu will say either "Incorrect address" or "incorrect password," meaning that the email address is attached to a valid gamertag but the password is wrong. At that point you can just brute force it like you mention.

It kills me that people still think this is all Microsoft's fault when in reality it's users shitty password habits.

#8 Posted by Branthog (7529 posts) -

@Ubersmake said:

I think it's very possible.

I actually ran into this issue at my previous job. We were implementing an account signup workflow, and the issue came up with what to do when a user put in the wrong credentials, as opposed to nonexistent credentials. Our solution was to simply say that something was wrong with what was inputted, and to try again, regardless of whether or not that user actually existed.

Unfortunately, very poor security practices are common, these days and not just among small time operators. In addition to the compromise of identifying when a user account exists in the error message, you have the common practice of people storing user passwords in plaintext. Or when they bother to hash them, not using a salt. There are definite exploits possible on the server side and in some of those cases, even a very secure password is meaningless. However, when an actual server isn't being compromised and the actual user database isn't in the bad guy's hand, a strong password should save one's ass. Definitely in this case, where there are a couple silly user interface security guffaws, but nothing that should severely compromise a solidly chosen password.

This is actually a concern I started to have when I began to see websites using email addresses in place of user names. Getting lists of email addresses is trivial and it's even less difficult when you're making a targeted attack (instead of trolling for a chunk of thirty million users; you just want to take my account). If you know my address, I'm already a little screwed (especially if my password sucks). On the other hand, if you know my password but that isn't used as a login on the website (ie, they require an actual traditional user name), then you have a slight buffer.

Anyway, everyone needs to practice better security. Users need to take more responsibility and so do websites and other services and institutions. One of the most offensive failures is what I see some banks using, right now. For example, when I log into my bank, it shows me an icon that I chose and I have to verify if it is indeed the correct icon. The idea is that if I've fallen for a phishing attempt, it'll have the wrong icon and I'll know something is up. Of course, in reality, a phishing site can act as a man in the middle and simply pass my credentials along to the bank, pipe that icon right back to me - and I'm none the wiser... and the phishing site has my credentials.

Or, worse, the sites (banking institutions and cell phone companies, for example) that ask you to verify yourself if you've forgotten your password. All you have to do is answer some questions and we'll reset your login information for you. Fantastic! Unfortunately, the questions are easily answerable to anyone who has your photo ID or a piece of your mail or knows the slightest thing about you. Mostly, because they're highly guessable. "Which of the following model of car do you own?" and "In which of the following cities were you born?" and "at which of the following institutions do you have a loan?". Pretty much all answerable -- at worst -- by going to one of those online sites and paying $5 for a background report.

#9 Posted by Beb (243 posts) -

@Branthog said:

TL;DR: What world are these websites/authors living in that they think this is news? Everyone knew this is essentially what was happening. If you don't use a stupid password, you are almost certain not to become a victim of this. So stop using stupid passwords. If you're not sure if your password is stupid, consider checking it against Steve Gibson's Haystack calculator.

I was "FIFA hacked" and that link gave me this (for my old, hacked pass):

Online Attack Scenario:

(Assuming one thousand guesses per second) 70.56 centuries

#10 Posted by Branthog (7529 posts) -

@Ubersmake said:

@Branthog: I think the first problem here is knowing whether a user exists or not. Before even getting to the password part, knowing that a user exists on a service is a big thing.

Agreed, but there are many other ways to acquire login names and if the password could take centuries to crack, then having the account name is fairly insignificant. If having the username is the key to compromising the user, then you've suddenly made the username the real password here, which is a ridiculous concept. It's definitely a best practice to avoid giving away a login name during a failed attempt, but it should not truly compromise someone's account whatsoever.

#11 Edited by Jeust (10548 posts) -

@Branthog said:

@Ubersmake said:

@Branthog: I think the first problem here is knowing whether a user exists or not. Before even getting to the password part, knowing that a user exists on a service is a big thing.

Agreed, but there are many other ways to acquire login names and if the password could take centuries to crack, then having the account name is fairly insignificant. If having the username is the key to compromising the user, then you've suddenly made the username the real password here, which is a ridiculous concept. It's definitely a best practice to avoid giving away a login name during a failed attempt, but it should not truly compromise someone's account whatsoever.

Besides that there is also the common practice that uses the email as the login, giving yet another way to try to crack the account of a given person.

There are a number of bad practices that get implemented way too often.

#12 Posted by Branthog (7529 posts) -

@Grimluck343 said:

@Branthog:

Do you always post massive walls of text? Great post again.

But yes, it probably is simple brute force hacking, especially since entering email addresses that you get via google-fu will say either "Incorrect address" or "incorrect password," meaning that the email address is attached to a valid gamertag but the password is wrong. At that point you can just brute force it like you mention.

It kills me that people still think this is all Microsoft's fault when in reality it's users shitty password habits.

Exactly. And even if they fix this (again, not so much a security flaw as it is a failure to adhere to general best-practices), it does nothing to prevent people from gathering a massive database of logins, anyway. There are plenty of gaming websites out there that, at the least, have a massive database of their users' email addresses. Since they're on a gaming website, there is a good chance they have an Xbox account. Or maybe a PSN account. Programmatically chew through each address on the login websites, applying the top 100 passwords people mostly use. You're bound to crack a bunch of them (the ones with those simple passwords).

#13 Posted by Branthog (7529 posts) -

@Beb said:

@Branthog said:

TL;DR: What world are these websites/authors living in that they think this is news? Everyone knew this is essentially what was happening. If you don't use a stupid password, you are almost certain not to become a victim of this. So stop using stupid passwords. If you're not sure if your password is stupid, consider checking it against Steve Gibson's Haystack calculator.

I was "FIFA hacked" and that link gave me this (for my old, hacked pass):

Online Attack Scenario:

(Assuming one thousand guesses per second) 70.56 centuries

The FIFA hack is no different. The reason it's "the FIFA hack" is because they can, I believe, use the FIFA in-game market to essentially launder money/credits/whatever from a compromised account. The account still has to be compromised, in the first place, and that isn't done with FIFA. That is done in the same way an Xbox account is usually compromised (unless Microsoft's servers and databases have been breached, which there has not been any such report of). Meaning that they either compromised the user's password or they used some form of social engineering.

That means either a user falls for a phishing attempt or their support organization falls for a social engineering attempt.

The phishing attempt would be something like an email that looks legit (until you look at the headers) and directs you to a login page when you click on it, but is actually just an identically presented login page that is logging your credentials.

The social engineering of the support people just involves someone calling them and claiming to be you and either getting your credentials from the support person or having the support person reset your account/password/etc for them. Most places, when you call them, ask you a few things to verify that you are you. It's kind of useless. Questions like "what is your zipcode and the last four of your social security number". Information anyone pilfering your mailbox at your house has. Actually, anyone you have ever done business with has it . . . as does anyone with $3 to $5 who does an online background check on you. Now that you've verified that "you" are supposedly "you", it shouldn't be too hard to have a new email address set on the account or have the password temporarily changed so you can login. (I haven't dealt with Xbox specifically much, so I'm not sure what their policies are -- but clearly there is a degree of social engineering that has been going on for years with accounts).

So in that situation, as I've said many times before, it is out of your hands. That is the one situation (other than a direct physical pilfering of the company's user database) where a complex password and all the user security in the world (other than not having a credit card tied to the account, I guess) isn't going to mean much. And that is a far greater security concern than "it identifies in the error message when you've struck a real login ID!".

#14 Posted by OldGuy (1546 posts) -

@Branthog said:

...the last four of your social security number...

...a direct physical pilfering of the company's user database) where a complex password and all the user security in the world (other than not having a credit card tied to the account, I guess) isn't going to mean much. And that is a far greater security concern than "it identifies in the error message when you've struck a real login ID!".

If you have the password hash table you can, with SSDs and rainbow tables, crack 14+ character passwords in less than five seconds. Fun.

The old 7pass hard drive wipe? Gotta do it more than 25 (28? I don't recall the exact number now) if you want it to be unreadable. Feeling paranoid? Get a degausser and then throw the thing in an industrial shredder.

...and here's the fun thing about your SSN... so many things about you are tied to it that it doesn't take much for someone to get your SSN if they have any real desire to have it...

Credit card numbers are assigned via a defined scheme, when you give someone the last four digits of a typical card they now have the last three of your account number and the check digit calculated from the whole number. The first six digits are assigned to the card issuer and 7-15 are your account with 16 being the check. While it is non-trivial to figure out the whole number (even if you know the issuing bank) from the last four you still want to pay attention to who gets those numbers.

Everyone should also pay attention to all the subtle data mining that may be happening many of the times that you talk to a CS department: "...so that we can verify that I talked to you today, what is the first letter of the city you were born in?" or similar. Many tiny things when connected together can make a really clear picture.

All this said. The old tried and true methods (with a modern twist) still work as well (or better)... That odd shaped card scanner on the gas pump might be a card skimmer (which is a lot less messy than dealing with all those carbon inserts from the days of yore)...

A fun look at security:

#15 Posted by Branthog (7529 posts) -

That's also why the three digits on the back of your credit card are such a fucking joke and why I am so adamant against giving any further identification to people when I use my credit card in person. People don't understand. They think that they have to show a photo ID or other ID with their credit card. They don't. In fact, VISA has an 800 number you can call to report a merchant if that merchant refuses you service because you wouldn't show them identification. Part of it is precisely that reason. If I hand someone my driver's license and my credit card, they now have everything they need. And, yes, skimming is a huge deal. You don't even need to attach a skimmer to an ATM. There are huge credit card theft rings that use waiters and other staff at places all over your city. An iPhone in your hand can be all you need to skim credit card info all night long. Pack it up, sell it to your guy for a few bucks. Now it's on the black market, being sold in huge bundles with other people's ID and credit card info.

#16 Posted by Beb (243 posts) -

My only point was that the articles above seem to say the Xbox hacks are the result of brute force, but I don't think that is true in my case, so I'm not sure these articles are really on to anything.

#17 Edited by big_jon (5723 posts) -

I can't get over the fact that Microsoft does not refund for this shit, it is still on them in my eyes, and though a bad password may have something to do with it, I doubt that in every case it is what is enabling them to break in.

It would be nice if those who were hacked would shed light on whether or not they had shitty passwords...

#18 Posted by John1912 (1857 posts) -

"The first step was to gather the Windows Live ID’s of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and enter them individually on Google."

I kind of wanted to say that's how they got my gamer tag, but felt a bit stupid and paranoid to actually say it. Getting my Tag otherwise would have to dig through very few, years old posts on xbox.com. My account got hacked right after I played Gears 3 online. I hadn't been online in a very long time prior to that, so it was the only thing I could even think of that wasn't assfuck random in my account being targeted. Sad thing is I played like 3 fucking games.

#19 Posted by Branthog (7529 posts) -

@Narwhalist said:

@Branthog: You’re a man after my own heart.

Another factor I think could be involved in some of these is keyloggers. In university, I was unfortunate enough to get a reputation for being able to fix computers, and it was just astounding how many otherwise-smart people had computers that were so infected the only surefire recourse was to wipe them clean. I think it was often a direct or indirect result of software piracy — either people using copies of Windows and Internet Explorer that couldn’t be updated because they were cracked; or people downloading keygen programs and/or cracked software from questionable sources.

Of course, nobody kept backups either, but that’s an entirely different issue.

Keyloggers didn't even occur to me. I spend all of my time around other professionals (developers, sustaining engineers, etc) and so I sometimes forget that people still click on random shit in email and download crap from nefarious sources, without at least scanning them before executing them. Still, these things tend to also fall into the "user-side problem" aspect of this. Unless the "exploit" involves social engineering of the company's employees or directly breaching their servers and databases, it is hard to reason that it is their fault (well, except that they could enforce better password policies so that you can't use stupid passwords).

#20 Posted by Vinny_Says (5700 posts) -

@Branthog said:

So, what crackers do is

racist....

but yes....people who use the same passwords for facebook and banking are morons.

#21 Posted by TH3R1S1NG (18 posts) -

I just lost 1600 MS Points and have 2 achievements on FIFA 2012, which I neither have played nor own a copy of, and changed my password and Windows Live ID. Is Microsoft refunding people who have had this happen, or should I not even bother trying to get my money back? I don't have any credit cards stored on the Xbox.

#22 Posted by Village_Guy (2546 posts) -

@Branthog said:

TL;DR: What world are these websites/authors living in that they think this is news? Everyone knew this is essentially what was happening. If you don't use a stupid password, you are almost certain not to become a victim of this. So stop using stupid passwords. If you're not sure if your password is stupid, consider checking it against Steve Gibson's Haystack calculator.

That is an interesting calculator, also it only reinforces my belief that my Xbox LIVE password is pretty secure.

Online Attack Scenario:

(Assuming one thousand guesses per second) 1.83 billion centuries

Offline Fast Attack Scenario:

(Assuming one hundred billion guesses per second) 18.28 centuries
