Security Breach at Steam

Endeavour Starfleet
#61 - 2011-11-13 05:54:14 UTC
At the very least, change any passwords related to the one you used on Steam. Though if the bank offers it for free, I don't see why there is a reason not to consider changing your card.

Doing so every once in a while is a good security measure anyway.
draconothese
Independant Celestial Enterprises
#62 - 2011-11-13 05:58:12 UTC
Hey, wait, wait. So because PC gamers reacted in a well-mannered way, is it safe to say all console gamers are spoiled brats and PC gamers are respectable adults?
Endeavour Starfleet
#63 - 2011-11-13 06:06:11 UTC
draconothese wrote:
Hey, wait, wait. So because PC gamers reacted in a well-mannered way, is it safe to say all console gamers are spoiled brats and PC gamers are respectable adults?


Again Valve is NOT Sony.

Yet, can I has free Portal 2 plz, Valve? Big smile

SpaceSquirrels
#64 - 2011-11-13 07:20:58 UTC
Eh, not even sure they retrieved any of said data. On top of that, it's salted and encrypted. Really, the most they could do is get your password, as it would take a considerable amount of time to decrypt an AES-256 line (that's just one, with a considerable amount of processing power). Changing the password to Steam voids half the process. Most people's credit cards would be expired by the time it's broken (if it's broken, as it's only technically feasible).

But I would agree there needs to be a one-time pad for credit card commerce. (Not just a one-time card, which is kind of a PITA.)
Endeavour Starfleet
#65 - 2011-11-13 07:56:46 UTC
I heard something interesting on the Steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this, companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.

So the encryption on the sensitive stuff is likely many characters long, and not some 5-8 character key. Though it does bring up a good point, which is that you need to make sure your home wireless key is something very long and not something that can be easily broken by a GPU.

Again, be safe and change your passwords. But don't be silly in blaming Valve. They aren't Sony.
Hakaru Ishiwara
Republic Military School
Minmatar Republic
#66 - 2011-11-13 13:31:07 UTC
Two questions:

1) Why did CCP not include the standard intermediate "you are leaving our site" page or pop-up when linking directly to a non-CCP web asset?

2) Where is the official message from Valve? The link on the eveonline.com web page points to the root of the Valve / Steam forums. Not very helpful if looking for the official message.

Disclaimer: I found the official message quoted in the Steam forums, but I think that these questions need asking.

+++++++ I have never shed a tear for a fellow EVE player until now. Mark “Seleene” Heard's Blog Honoring Sean "Vile Rat" Smith.

Grimpak
Aliastra
Gallente Federation
#67 - 2011-11-13 14:09:45 UTC
Endeavour Starfleet wrote:
I heard something interesting on the Steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this, companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.



That might work for the PWs themselves but not for the CCs. If what has been said is true, CCs are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended. :P

That said, however, AES256 is only as safe as how safely you keep the decryption key.

[img]http://eve-files.com/sig/grimpak[/img]

[quote]The more I know about humans, the more I love animals.[/quote] ain't that right

SpaceSquirrels
#68 - 2011-11-13 15:18:40 UTC
Lol, regular hashed passwords (especially on XP and below) can be broken in seconds. On occasion, if they're longer than 7 characters, Windows would break them up and a cracker would simply crack the two halves. It also doesn't matter in XP if you used upper case, as Windows converts them all to upper case anyway.

Look up John the Ripper, or Ophcrack. Granted, the tables it uses are between 8-10 GB per. But cracking generic hashed passwords on XP is not intensive.

But Grimm is right: as it stands now, cracking DES 128-256+ is only theoretically possible, and if so, only the NSA or massive supercomputers are going to crack it anytime soon (which would be months to years).
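An added example in Python, not from this thread, illustrating two points made above: Endeavour Starfleet's description of random data (a salt) mixed in before hashing, and SpaceSquirrels' description of legacy Windows hashes being uppercased and split into halves. The `legacy_hash` scheme is a constructed stand-in for those old hashes (the real LM hash uses DES, not MD5), and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy Windows scheme SpaceSquirrels describes:
# uppercase the password, split it into two 7-character halves, hash each half
# with no salt. (The real LM hash uses DES, not MD5; the shape is what matters:
# two short, case-insensitive, unsalted pieces that can be attacked separately.)
def legacy_hash(password):
    padded = password.upper()[:14].ljust(14, "\0")
    return (hashlib.md5(padded[:7].encode()).hexdigest(),
            hashlib.md5(padded[7:].encode()).hexdigest())

def legacy_case_insensitive(a, b):
    """True when two passwords differing only in case collide under legacy_hash."""
    return legacy_hash(a) == legacy_hash(b)

def legacy_halves_shared(a, b):
    """True when two different passwords share an identical first-half hash."""
    return legacy_hash(a)[0] == legacy_hash(b)[0]

# Salted, iterated scheme (the "random characters added on top" in
# Endeavour Starfleet's post): a fresh random salt per record, so equal
# passwords give unequal stored values and precomputed tables are useless,
# plus an iteration count so every guess costs thousands of hashes.
ITERATIONS = 200_000  # assumed value for the example; tune to your hardware

def make_record(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}

def verify(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def salted_records_differ(password):
    """Same password stored twice yields two different stored hashes."""
    return make_record(password)["hash"] != make_record(password)["hash"]

if __name__ == "__main__":
    print(legacy_case_insensitive("Password1", "PASSWORD1"))  # True
    rec = make_record("correct horse")
    print(verify("correct horse", rec), verify("Correct horse", rec))  # True False
```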
Barakkus
#69 - 2011-11-13 16:18:45 UTC
Grimpak wrote:
Barakkus wrote:
Sidus Isaacs wrote:
Barakkus wrote:
Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.



Crack AES256?

I won't be bothering to call my bank :)



They don't have to crack it. If you even bothered to read anything else in this thread or used your brain, you'd realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about.


Atm there are no reports of compromised CCs. Also, maybe because of Sony, Valve decided to keep their decryption key safe somewhere in a place that is not inside the Steam network proper.

Anyways, this happened around... the 10th? And atm all of this is no more than speculation. Time will tell if there were CCs compromised or not.



They noticed almost a week before they announced it; they had the forum offline for about 4 or 5 days before the announcement for "maintenance".

Valve won't know if anyone has had their CCs compromised; it would be nearly impossible to prove most cases of CC fraud were connected to that breach, since people use the same card to purchase at other places on the net. A couple of friends of mine that do use Steam have already had their CCs used by other people.

http://youtu.be/yytbDZrw1jc

Barakkus
#70 - 2011-11-13 16:21:01 UTC
Grimpak wrote:
Endeavour Starfleet wrote:
I heard something interesting on the Steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this, companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.



That might work for the PWs themselves but not for the CCs. If what has been said is true, CCs are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended. :P

That said, however, AES256 is only as safe as how safely you keep the decryption key.


Or they compromised machines responsible for encrypting and decrypting those numbers.

http://youtu.be/yytbDZrw1jc

Ein Spiegel
Fly-by-Night Industries LLC PTY LTD
#71 - 2011-11-13 17:28:11 UTC
Schnoo wrote:
Enik3 wrote:
Gabe Newell has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

I have far more faith in the security layers at a premier e-commerce company like Steam than I do in, say, ANY government agency. I'm pretty sure the average person's personal data is much more exposed in other places.

Well that's awesome! And I'm sure the hackers are right away trying to crack the AES256 encryption, instead of, you know, just downloading the AES256 keys from the compromised machine.

Sarcasm aside, one has to wonder how and where they were keeping the keys.


Remember, encryption is only as strong as the weakest employee's knees.

Relevant XKCDs:
Password Strength
Security

Fortunately, I don't have anything to do with Steam. But I was a PSN member.
SpaceSquirrels
#72 - 2011-11-13 22:29:16 UTC
Barakkus wrote:
Grimpak wrote:
Endeavour Starfleet wrote:
I heard something interesting on the Steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this, companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.



That might work for the PWs themselves but not for the CCs. If what has been said is true, CCs are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended. :P

That said, however, AES256 is only as safe as how safely you keep the decryption key.


Or they compromised machines responsible for encrypting and decrypting those numbers.


Doesn't work like that. Two-part system of public and private keys. They might use Kerberos for transactions between companies, in which case it's a ticket key system. There also isn't "one" key generator machine. It's handled at a software level (key generation).

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard There's the gist.
Barakkus
#73 - 2011-11-13 23:18:34 UTC  |  Edited by: Barakkus
SpaceSquirrels wrote:
Barakkus wrote:
Grimpak wrote:
Endeavour Starfleet wrote:
I heard something interesting on the Steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this, companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.



That might work for the PWs themselves but not for the CCs. If what has been said is true, CCs are encrypted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended. :P

That said, however, AES256 is only as safe as how safely you keep the decryption key.


Or they compromised machines responsible for encrypting and decrypting those numbers.


Doesn't work like that. Two-part system of public and private keys. They might use Kerberos for transactions between companies, in which case it's a ticket key system. There also isn't "one" key generator machine. It's handled at a software level (key generation).

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard There's the gist.


At some point those numbers are held in an unencrypted state before they are stored encrypted. They will be decrypted from the database before they are transmitted to whatever financial institution handles their payment processing. Most banks use either PGP or SSH to handle transmission of data from their clients. I have worked with American National, LaSalle, Bank of America and Harris, and know how they take payment transmissions: three of which use PGP and one of which uses SSH. We don't send encrypted account numbers; we encrypt the entire transmission via one of those two methods and they handle decrypting the information on their end. Harris is the only one that doesn't have encryption on the physical files themselves, but relies on SSH to encrypt the transmission. Once it's on their end I don't know what happens to it, but the file itself isn't encrypted, only the means of transmission.

At some point those credit card numbers are in an unencrypted state, and there are machines at Steam that handle encrypting and decrypting that information. There is the possibility of compromising that system and capturing that data.

When you type in that credit card number, you're not encrypting it yourself, their application encrypts that number and stores it in their database.

At some point these numbers are indeed in an unencrypted state, there is something that has to encrypt them, if you compromise that, you have a way to reverse the encryption. It's not that difficult.

This would be entirely different if they hadn't been breached and some data store somewhere outside of their network was breached instead, but no, the actual location where everything happens from taking orders to storing orders and transmitting them was breached. That is the problem with this situation. The other problem is I seriously doubt they will be able to find the exact point at which they were breached, this could have been an issue for months without them knowing.

http://youtu.be/yytbDZrw1jc

Lutz Major
Austriae Est Imperare Orbi Universo
#74 - 2011-11-14 10:44:34 UTC
Barakkus wrote:
stuff

So you want to say, that your systems are also vulnerable? Big smile

I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.

With your background you should know how extremely unlikely it is that the situation you describe can happen. If the individual / group that did the hack had such profound knowledge, they'd hack banks and not a mere game publisher.


Half of the worldwide online stores have my credit card number and I have never ever had an issue. Quite the contrary: the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!
Grimpak
Aliastra
Gallente Federation
#75 - 2011-11-14 11:07:44 UTC
Lutz Major wrote:
Barakkus wrote:
stuff

So you want to say, that your systems are also vulnerable? Big smile

I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.

With your background you should know how extremely unlikely it is that the situation you describe can happen. If the individual / group that did the hack had such profound knowledge, they'd hack banks and not a mere game publisher.


Half of the worldwide online stores have my credit card number and I have never ever had an issue. Quite the contrary: the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!



Well, I guess Barakkus has a point. He's right, but while cautiousness is advised in this situation, it's also true that atm things have been quiet and we still don't know enough to go into a panic.

[img]http://eve-files.com/sig/grimpak[/img]

[quote]The more I know about humans, the more I love animals.[/quote] ain't that right

Lutz Major
Austriae Est Imperare Orbi Universo
#76 - 2011-11-14 11:19:19 UTC
Grimpak wrote:
Well, I guess Barakkus has a point. He's right, but while cautiousness is advised in this situation, it's also true that atm things have been quiet and we still don't know enough to go into a panic.


Indeed, and I (hope I) didn't offend him, but he paints a picture where it's 'easy' to decipher strong encryption. And yes, every one of us should be cautious and change passwords (which everyone should do periodically).
Pr1ncess Alia
Doomheim
#77 - 2011-11-14 11:35:29 UTC
Fk em.

Let em steal from my account. I don't want it to happen, but what do you expect? This is a digital world; this is going to happen from time to time.

They have my card info, but ultimately that sht is on the FDIC; that's why we have it.

I have no horse in this fight.
Worst case scenario? Minor inconvenience.
Alain Kinsella
#78 - 2011-11-14 11:53:41 UTC
I think this got passed over in the back-and-forth going on.

Barakkus wrote:
A couple of friends of mine that do use Steam have already had their CCs used by other people.


Did they have a forum account, or just the normal account?

You *can* have no forum account (I'm one of them), and that's where the initial break-in was apparently, so I'm curious if that subset is less likely to have been a target. Yes, I understand that probably everyone's up for grabs regardless of what vector they came in on (especially if they got 'certain types of access'), but one can hope. Smile

@ Alia - FDIC only protects against the bank failing, not bad transactions. That falls to the sponsoring CC/Debit company (which is sometimes the bank itself), and you usually have to report the bad transaction within a couple of weeks to get a free pass. So it's still worthwhile to keep a closer eye on your next statement (or better, have recent transactions printed @ ATM or by teller).

"The Meta Game does not stop at the game. Ever."

Currently Retired / Semi-Casual (pending changes to RL concerns).

Barakkus
#79 - 2011-11-14 12:41:43 UTC
Lutz Major wrote:
Barakkus wrote:
stuff

So you want to say, that your systems are also vulnerable? Big smile

I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.

With your background you should know how extremely unlikely it is that the situation you describe can happen. If the individual / group that did the hack had such profound knowledge, they'd hack banks and not a mere game publisher.


Half of the worldwide online stores have my credit card number and I have never ever had an issue. Quite the contrary: the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!


Nah, but if I were a hacker, and I found I could access that information, I would definitely be trying to find a way to decrypt that data before leaving. Blink

The gaming industry is actually a perfect target for people trying to steal data: usually lax security and millions of purchases a year. It's a bit easier for them, though, because they can target gamers individually with this RMT crap and get them to give up their numbers freely rather than hack companies. Most of the time they're after stealing accounts to resell the assets later, though. A lot of the RMT companies will also use CC numbers gamers give up to purchase currency/items/whatever to open new accounts for farming as well.

After Sony got hacked, I had my CC number changed even though I haven't paid for anything from them in a few years aside from ordering an expansion for EQ2.

If you do online purchases, it's always a good idea to change the CC numbers that you use online every couple of years anyways. Unfortunately, most places aren't as great with security, regardless of the industry.

http://youtu.be/yytbDZrw1jc

Endeavour Starfleet
#80 - 2011-11-14 12:44:43 UTC  |  Edited by: Endeavour Starfleet
Ya, that statement Barakkus made has not been confirmed to be related to Steam at all, in my opinion. So I am very suspicious.

How are his friends affected, yet the Steam forums are not overflowing with reports of CC fraud?