
Thread: News - Microsoft dismisses claims of Xbox Live hacking

  1. #1
    HEXUS.admin
    Join Date
    Apr 2005
    Posts
    31,709
    Thanks
    0
    Thanked
    2,073 times in 719 posts

    News - Microsoft dismisses claims of Xbox Live hacking

    Accounts have not been breached, says MS, after claims to the contrary.
    Read more.

  2. #2
    Member
    Join Date
    May 2008
    Posts
    176
    Thanks
    2
    Thanked
    23 times in 12 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    While it may not have been "hacked", it does have a serious security flaw and it's frankly disgusting they aren't doing anything about it.

    Here is how the accounts are being broken into:

    The first step was to gather the Windows Live IDs of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and entered them individually on Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live IDs. Now the hackers check to see if the email is a valid Windows Live ID. To do this, hackers headed to Xbox.com, typing in the email and a random password like blah.

    If the hacker got the error message “account is invalid” they move on to another email.

    When the hacker comes across the error message “password is wrong” then that account is in trouble.

    Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe. Hackers will take your credit card info, Netflix, Hulu Plus, the works.

    Credit to http://www.analoghype.com/video-game...red-the-truth/


  4. #3
    Senior Member
    Join Date
    Jun 2004
    Location
    Kingdom of Fife (Scotland)
    Posts
    4,991
    Thanks
    393
    Thanked
    220 times in 190 posts
    • crossy's system
      • Motherboard:
      • ASUS Sabertooth X99
      • CPU:
      • Intel 5830k / Noctua NH-D15
      • Memory:
      • 32GB Crucial Ballistix DDR4
      • Storage:
      • 500GB Samsung 850Pro NVMe, 1TB Samsung 850EVO SSD, 1TB Seagate SSHD, 2TB WD Green, 8TB Seagate
      • Graphics card(s):
      • Asus Strix GTX970OC
      • PSU:
      • Corsair AX750 (modular)
      • Case:
      • Coolermaster HAF932 (with wheels)
      • Operating System:
      • Windows 10 Pro 64bit, Ubuntu 16.04LTS
      • Monitor(s):
      • LG Flattron W2361V
      • Internet:
      • VirginMedia 200Mb

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    Quote Originally Posted by Ross1:
    While it may not have been "hacked", it does have a serious security flaw and it's frankly disgusting they aren't doing anything about it.

    Here is how the accounts are being broken into: [snipped]
    Many thanks for posting the explanation. Actually I was going to suggest that the argument between Jason Coutee and Microsoft could easily be settled - if JC can break in then XBL has been compromised, if not then maybe MS is correct.

    Problem I've got with the attack as detailed is that surely, with the "requirement" to circumvent the Captcha input, the number of guesses that a scripted attack can perform is going to be throttled. Being worried about this I fed my XBL password into GRC's password haystacks evaluator and it's coming back with breakage times into tens of centuries - and that's assuming that the script kiddie can generate 1000 hits/second. And unless told otherwise, I'm going to assume that el hacker isn't going to be able to generate this kind of throughput.

    So I think I'm not too concerned at the moment, but I'm a bit dismayed that MS don't appear to be taking it seriously - some statement that they've actually checked out the suggested attack method would go a long way to reassuring me. Oh, and some modification to XBL/Live so that it tracked the number of failed login attempts on an account and locked after a set number of consecutive failures - say 20 perhaps - with a successful login resetting this counter. Yes, I know this leaves folks open to a DoS attack against their accounts - we just can't win can we?

    Career status: still enjoying my new career in DevOps, but it's keeping me busy...
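The lockout scheme crossy sketches above (count consecutive failures per account, lock after a set number, reset on success) together with the per-IP block suggested later in the thread, written up as an added example; this is illustrative code, not Xbox Live's or Microsoft's implementation. The limits, the 10-minute window, and the injectable `clock` are assumptions chosen for the demonstration. The key property is that the counters live server-side, keyed by account and by client address, so a client-side action such as the "try with another Live ID" link (which only resets the CAPTCHA widget) cannot clear them.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Server-side failed-login tracking keyed by account and by client IP.

    Unknown accounts should be passed as password_ok=False too, so the
    caller can return one identical error for 'no such account' and
    'wrong password' and not confirm which Live IDs exist.
    """

    def __init__(self, account_limit=5, ip_limit=20, lockout_seconds=600,
                 clock=time.time):
        self.account_limit = account_limit      # consecutive failures per account
        self.ip_limit = ip_limit                # failures per IP inside the window
        self.lockout = lockout_seconds          # lock / window length (assumed 10 min)
        self.clock = clock                      # injectable for testing
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(deque)   # timestamps of failures per IP
        self.locked_until = {}                  # account -> unlock time

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def _ip_recent(self, ip):
        """Drop timestamps older than the window, return failures that remain."""
        now = self.clock()
        q = self.ip_failures[ip]
        while q and now - q[0] > self.lockout:
            q.popleft()
        return len(q)

    def attempt(self, account, ip, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(account) or self._ip_recent(ip) >= self.ip_limit:
            return "locked"                     # checked before the password result
        if password_ok:
            self.account_failures[account] = 0  # a good login resets the counter
            return "ok"
        self.account_failures[account] += 1
        self.ip_failures[ip].append(self.clock())
        if self.account_failures[account] >= self.account_limit:
            self.locked_until[account] = self.clock() + self.lockout
            self.account_failures[account] = 0
        return "denied"
```

The per-account lock is what accepts the DoS trade-off crossy mentions; the per-IP counter catches a script that rotates through many IDs from one address without locking any single account.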

  5. #4
    Banned
    Join Date
    Jun 2008
    Posts
    2,129
    Thanks
    13
    Thanked
    189 times in 160 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    MS need to know the difference between noticing and not.

    Having not seen it, does not mean it has happened.

  6. #5
    Registered+
    Join Date
    Jan 2012
    Location
    haverfordwest
    Posts
    70
    Thanks
    3
    Thanked
    3 times in 2 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    I never hook up my card details to XBL as I buy codes online on a website much cheaper, and I don't really use the other services; got a PC hooked up to the PC. But yeah, MS needs to secure it better, 'cause there are so many ways that people take your Windows ID, and because of XBL it has greatly increased.

  7. #6
    Senior Member Hicks12
    Join Date
    Jan 2008
    Location
    Plymouth-SouthWest
    Posts
    6,586
    Thanks
    1,070
    Thanked
    340 times in 293 posts
    • Hicks12's system
      • Motherboard:
      • Asus P8Z68-V
      • CPU:
      • Intel i5 2500k@4ghz, cooled by EK Supreme HF
      • Memory:
      • 8GB Kingston hyperX ddr3 PC3-12800 1600mhz
      • Storage:
      • 64GB M4/128GB M4 / WD 640GB AAKS / 1TB Samsung F3
      • Graphics card(s):
      • Palit GTX460 @ 900Mhz Core
      • PSU:
      • 675W ThermalTake ThoughPower XT
      • Case:
      • Lian Li PC-A70 with modded top for 360mm rad
      • Operating System:
      • Windows 7 Professional 64bit
      • Monitor(s):
      • Dell U2311H IPS
      • Internet:
      • 10mb/s cable from virgin media

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    But that is using brute force... brute force isn't a security 'issue' on MS' end, it's people failing to keep their ID secure. The whole point of an ID is for your login, and then your user name is used for everything else... If they're finding your logins through your Facebook/Twitter accounts then you clearly don't try to keep your account secure and it's your own fault!

    Brute force is a very basic method so I'm not sure why it mentions skilled hackers, as it doesn't require any skill to do it in a reasonable time. However I will say this: Microsoft should be introducing tighter attempt methods, it should be 3 - 5 at most and then BLOCK logins for x amount of minutes, as captchas aren't that effective anymore.

    But again, MS are right in their statement, users should be using a decent length password with capitals, punctuation, numbers. Simple stuff that everyone should be educated in; it would help you in avoiding this a lot!

    Looking at it though it's similar to most systems; look at Facebook, you just merely login and failed attempts require a captcha but that's it! Facebook is even worse when you think about it, as a lot of people have their email on their profile info so straight away there's the ID...
    Quote Originally Posted by snootyjim:
    Trust me, go into any local club and shout "I've got dual Nehalem Xeons" and all of the girls will practically collapse on the spot at the thought of your e-penis

  8. #7
    Seething Cauldron of Hatred TheAnimus
    Join Date
    Aug 2005
    Posts
    17,167
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    This is a bit of a non-news story surely? Captcha is still cropping up 8 times or something per ID?

    The only bit of that tale that sounded bad was the idea they could get their credit card details, surely the server shouldn't spit those back out?
    throw new ArgumentException (String, String, Exception)

  9. #8
    Senior Member
    Join Date
    Jul 2003
    Posts
    11,860
    Thanks
    830
    Thanked
    517 times in 357 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    It's not a security issue as such; personally I think MS should just respond by changing what the website does after the first round of captcha and block the account for an hour or so from that IP.

  10. #9
    Seething Cauldron of Hatred TheAnimus
    Join Date
    Aug 2005
    Posts
    17,167
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    Quote Originally Posted by [GSV]Trig:
    Its not a security issue as such, personally I think MS should just respond by changing what the website does after the first round of captcha and block the account for an hour or so from that IP.
    Even 10 min would do the trick.

    It's the usual trade off, usability for security.

    Having "I'm sorry Dave, I can't authenticate that" doesn't help the muppets to realise they've a simple typo in their username.

    It's still only going to be those using very weak passwords who can be cracked; this is more a concern of how much information people unwittingly give away on their myface/twit.
    throw new ArgumentException (String, String, Exception)

  11. #10
    Senior Member
    Join Date
    Jun 2004
    Location
    Kingdom of Fife (Scotland)
    Posts
    4,991
    Thanks
    393
    Thanked
    220 times in 190 posts

    Re: News - Microsoft dismisses claims of Xbox Live hacking

    Quote Originally Posted by TheAnimus:
    This is a bit of a non-news story surely? Capture is still cropping up 8 times or something per id?

    The only bit of that tale that sounded bad was the idea they could get their credit card details, surely the server shouldn't spit those back out?
    If you check out the posting by Ross1, you'll see (according to his source at least) that there's a way to circumvent the Captcha and continue to try another set of eight guesses.

    But I'll wholeheartedly agree with that second statement - once you've entered credit card details there should be no way for you to see more than just a portion of them (e.g. first and last four digits of the card number, with the rest being blanked out).

    Career status: still enjoying my new career in DevOps, but it's keeping me busy...
