20070325

Socially engineering a story?

There have been some interesting stirrings within the world of Xbox Live over the last week. It all started with a post by security researcher Kevin Finisterre reporting that people's Live accounts were being hijacked. This was in turn covered by numerous websites with varying degrees of scaremongering and hype. CNET's early report appears to be the most balanced, while others quickly spread FUD throughout the 'net. Microsoft's Major Nelson posted a response stating that:

"...we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net"

and that
"There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account."

This in turn brought some vitriolic responses, including some claiming a Microsoft cover-up. Others started to believe that their credit card info had been stolen, and so on. A couple of days on, the headlines had also moved on, as Major Nelson updated readers with a post once again confirming that Live had not been hacked and reaffirming that this was a limited case of account information being obtained through social engineering. Microsoft seemed to be taking this seriously, being humble and admitting they had a problem that needed addressing. Their surprising (for MSFT) openness suggested they were doing something about it, which indeed they were. Perhaps the rest of the company could learn a few things from the gaming division.

What is interesting to me is how this has all been reported. Reading some articles, it could look as if an issue was clearly and concisely reported, the issue was denied, then there was a climb-down and a flaw admitted to. Now, while there was clearly a security breach and Microsoft's 'systems' were abused, there was at no time a purely technological problem, and no data was stolen wholesale. As is often the case, the systems that were compromised were organic, not silicon based: support staff were talked into handing over account details to people who were not the account holders. When it is reported that a service involving payment information has been 'hacked', many assume all their personal details and their credit card information have been stolen, as sadly this is often the case. But the real flaw throughout, be it in the compromise itself, the desire to take advantage of it, or the handling and reporting, is sadly people, not technology. And this is a much harder and less abstract thing for people to admit to.

There are a number of problems I can see with the scaremongering that occurred. Firstly, it's just the nature of the 'net that information travels very quickly, with often little verification. Reports are bounced around and stories change subtly through a packet-based game of Chinese Whispers. Also, a hyped story is a good story; it gets more page views, simple as that. Judicious use of terms - such as 'hack' - that people don't fully appreciate, or which mean different things to different people, is always a good trick. The second problem is Kevin himself. Now, while undoubtedly a talented fellow, he is no stranger to using high-profile companies to publicise himself and his startup in ways not everyone would consider completely altruistic, or even ethical. Whether you agree with this or not, he's certainly as adept with the publicity machine as he is with security tools. From the looks of things, Kevin knew before the story broke that this was not a widespread computer system security breach but instead a breach in support staff behaviour and training. But a cynic would say it's better for his own profile if he didn't reinforce that knowledge too much and instead let hysteria and uncertainty cascade. You see, social engineering can be used in many ways.

But to sum up, all credit to Kevin for getting this clearly important issue some attention, and props to Microsoft's senior types for being up front, admitting a problem and taking steps to deal with it. And perhaps we should all step back from time to time instead of jumping on the juicy headlines.

7 comments:

AJ Smallus said...

This explains why the support staff were so unhelpful when I was having problems with my account online.

See Idlethumbs thread "Damn you EB Games and damn you Microsoft".

hotblack said...

That could well just have been because they were crap.

Just read the thread and it sounds like that is the case. Microsoft clearly should have helped you out, but you bought the card from EB Games, so your deal was with them and it's up to them to fix things. Then they sort out their losses with Microsoft. I guess the problem is EB Games may get the same responses from Microsoft as you did...

Bastards the lot of 'em either way. Hope you got something sorted eventually.

AJ Smallus said...

I did and am now rising up the ranks to become an achievement whore to contend with.

I'm also never shopping with EB Games again. Despite the fact that they admitted that they were wrong and gave me my new card.
