Security Breach at Steam

Renturu
In Glorium et Decorum
#41 - 2011-11-12 02:04:22 UTC
1) Free Portal 2 and DoTA - #WIN

2) Contemplating getting one of those loadable credit cards and keeping just the bare minimum to keep it open. Then, only using it for online purchasing as even PayPal, if hacked, links directly to a bank/credit account and you're screwed.

By the orders of PlunderBunny: ☻/ /▌ / \ This is Bob, post him into your forum sig and help him conquer the forums.

Barakkus
#42 - 2011-11-12 02:49:45 UTC
Yeah never played DOTA but I've been holding out for Portal 2 to go on super sale to buy it, so I could deal with that :P

http://youtu.be/yytbDZrw1jc

Endeavour Starfleet
#43 - 2011-11-12 05:19:46 UTC
I would recommend changing passwords and watching your credit statements as indicated. However I see NO reason for them to lie about the AES256 encryption part.

Do you realize that it would take a powerful quantum computer to be able to crack that kind of encryption? If I remember right Wikileaks distributed its database encrypted weaker than that and word is even the gov will take time to crack that.

Be on the safe side folks. But don't act like a bunch of idiots and try to compare Valve, a company hellbent on security after the HL2 attack, with Sony, which had virtually no security in place.

The idiots who did this attack, though, are in for a world of criminal charges when they are located. The last attack didn't net encrypted financial files.
VKhaun Vex
Viziam
Amarr Empire
#44 - 2011-11-12 06:03:25 UTC
Getting a new debit card and changing a PW is trivial and I don't even have to do them myself. I just type in the new password and click a link on my bank's website. The amount of time I spend with no internet but having a desktop and electricity is so low it's also trivial.

Having a game literally the instant it launches was easily worth both of those things. Not having to manage physical copies to install and transport 100+ games is a nice bonus, but hey... STEAM is the devil and a piece of crap right? Who am I to argue...

Charges Twilight fans with Ka-bar -Surfin's PlunderBunny LIIIIIIIIIIINNEEEEE PIIIEEEECCCCEEE!!!!!!! -Taedrin Using relativity to irrational numbers is smart -rodyas I no longer believe we landed on the moon. -Atticus Fynch

Barakkus
#45 - 2011-11-12 06:20:35 UTC
Endeavour Starfleet wrote:
I would recommend changing passwords and watching your credit statements as indicated. However I see NO reason for them to lie about the AES256 encryption part.

Do you realize that it would take a powerful quantum computer to be able to crack that kind of encryption? If I remember right Wikileaks distributed its database encrypted weaker than that and word is even the gov will take time to crack that.

Be on the safe side folks. But don't act like a bunch of idiots and try to compare Valve, a company hellbent on security after the HL2 attack, with Sony, which had virtually no security in place.

The idiots who did this attack, though, are in for a world of criminal charges when they are located. The last attack didn't net encrypted financial files.



Do you realize it doesn't matter if they compromised the keys?

http://youtu.be/yytbDZrw1jc

Endeavour Starfleet
#46 - 2011-11-12 07:34:54 UTC
How are they going to compromise them? Magic? There is a reason people use heavy encryption.
Alain Kinsella
#47 - 2011-11-12 08:14:46 UTC  |  Edited by: Alain Kinsella
Already have Portal 2 (they did have a pretty nice sale a few months back). Had to look up what DOTA 2 was - no thx, cannot stand Warcraft 3. And the last (multiplayer) shooter I had any real interest in was C&C: Renegade.

Hell, my last Steam purchase? SpaceChem & Bejeweled 3. And I have something like 80 or so hours on Bejeweled Twist.

As for the discussion on DRM in general, I find Steam to be a lot less intrusive (in general) than, say, Starforce or SecuROM - both of which have destroyed my and/or my roommate's PCs in the past. The only reason I have Bioshock is that they pulled SecuROM from the Steam version.

Don't even remember if I have a forum account or not. [Edit - checked, nope.]

"The Meta Game does not stop at the game. Ever."

Currently Retired / Semi-Casual (pending changes to RL concerns).

Naso Gomez
#48 - 2011-11-12 12:19:56 UTC
KaarBaak wrote:

Not requiring Steam to play a single-player game would be safer.

Most single-player games on Steam you can play without even having it running. If it's in the common folder under steamapps then you can run it without Steam, unless it's a Valve game, and when's the last time they released a 100% single-player game.
Barakkus
#49 - 2011-11-12 17:34:33 UTC  |  Edited by: Barakkus
Endeavour Starfleet wrote:
How are they going to compromise them? Magic? There is a reason people use heavy encryption.



There is something that has to decrypt them to send the charges to the bank, you can't send the bank an encrypted account number and expect them to know what to do with it. They also have to have something to encrypt them to store them, they don't magically encrypt themselves.

If they compromised the database, it is entirely possible they compromised whatever systems handle the data and put it in the database. It's not terribly difficult to reverse engineer that once you get a hold of the software doing the work.

If it wasn't possible for them to get the numbers then why would they tell you to watch your credit card and bank statements as well?

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.

http://youtu.be/yytbDZrw1jc

Banksae
Bedlam Escapees
Apocalypse Now.
#50 - 2011-11-12 17:39:24 UTC
I was very much surprised myself when I saw it. And I am especially shocked that Steam isn't making any effort to let people know who aren't playing daily. No news item on the homepage, just a little message on the forum and a one-time pop-up on what are normally sale items. Not really fair from Steam.
Kengutsi Akira
Doomheim
#51 - 2011-11-12 19:47:37 UTC
So if they don't let someone know and due to their negligence that person's bank account gets stolen, is Steam liable?

"Is it fair that CCP can get away with..." :: checks ownership on the box ::

Yes

Zions Child
Higashikata Industries
Ivy League Alt Alliance
#52 - 2011-11-12 19:58:17 UTC
Barakkus wrote:

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.


To be fair, 2 Billion dollars is chump change in comparison to the hypervelocity trading programs that are used by investment firms. But I'm just being a **** with this sentence.

Anyways, if they stored the keys on a different database that wasn't compromised (which would be intelligent and not require a whole lot of thought as a basic security measure) then we have nothing to worry about.
Endeavour Starfleet
#53 - 2011-11-12 20:30:29 UTC
Barakkus wrote:
Endeavour Starfleet wrote:
How are they going to compromise them? Magic? There is a reason people use heavy encryption.



There is something that has to decrypt them to send the charges to the bank, you can't send the bank an encrypted account number and expect them to know what to do with it. They also have to have something to encrypt them to store them, they don't magically encrypt themselves.

If they compromised the database, it is entirely possible they compromised whatever systems handle the data and put it in the database. It's not terribly difficult to reverse engineer that once you get a hold of the software doing the work.

If it wasn't possible for them to get the numbers then why would they tell you to watch your credit card and bank statements as well?

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.


Ya... Right...

Do you honestly think Valve would be acting so calm if there was even a remote risk of the key being accessed? Again this is military/gov/financial grade encryption here.

Valve is asking people to watch their credit statements as a legal precaution. If there was ANY evidence of a breach of the encrypted data they would be at once warning people.

Be safe but don't be stupid folks.
Barakkus
#54 - 2011-11-12 20:40:10 UTC
Endeavour Starfleet wrote:
Barakkus wrote:
Endeavour Starfleet wrote:
How are they going to compromise them? Magic? There is a reason people use heavy encryption.



There is something that has to decrypt them to send the charges to the bank, you can't send the bank an encrypted account number and expect them to know what to do with it. They also have to have something to encrypt them to store them, they don't magically encrypt themselves.

If they compromised the database, it is entirely possible they compromised whatever systems handle the data and put it in the database. It's not terribly difficult to reverse engineer that once you get a hold of the software doing the work.

If it wasn't possible for them to get the numbers then why would they tell you to watch your credit card and bank statements as well?

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.


Ya... Right...

Do you honestly think Valve would be acting so calm if there was even a remote risk of the key being accessed? Again this is military/gov/financial grade encryption here.

Valve is asking people to watch their credit statements as a legal precaution. If there was ANY evidence of a breach of the encrypted data they would be at once warning people.

Be safe but don't be stupid folks.


Yes they would, they're trying to avoid a PR disaster like what Sony had going on, especially since Christmas season is right around the corner and they need those sales. Anyone with any brains would try to avoid alarming the public any more than they have to. Only someone who is really stupid would tell the whole truth in something like this to the general public.

This story has been pretty low key so far....and honestly I don't think they know the full extent of the breach, and a good possibility they won't be able to determine the entirety of the breach...

Pretty much you can only hope it only went so far, and do what is necessary to protect your accounts.

http://youtu.be/yytbDZrw1jc

Endeavour Starfleet
#55 - 2011-11-12 20:47:01 UTC
Yes change your passwords and watch your cards but seriously don't compare them to sony.

Sony had NO encryption.
Barakkus
#56 - 2011-11-12 20:47:33 UTC
Zions Child wrote:
Barakkus wrote:

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.


To be fair, 2 Billion dollars is chump change in comparison to the hypervelocity trading programs that are used by investment firms. But I'm just being a **** with this sentence.

Anyways, if they stored the keys on a different database that wasn't compromised (which would be intelligent and not require a whole lot of thought as a basic security measure) then we have nothing to worry about.


Doesn't matter where they're stored, if they compromised the machines doing the actual work, they can easily get the keys without worrying about where they're stored, if they're stored and not just hard coded into the software.

Even if they encrypt the portions of memory holding the keys used during processing, it still gets put there by something and is vulnerable at some point in time. Regardless if they are physically stored or in the application, they can be obtained.

If they were after the financial data, it wouldn't be much of a stretch to be monitoring and dumping the memory or obtaining the software that is doing the encrypting before finally defacing the site and letting them know that they got in. It's not like Steam knew immediately at the time the breach occurred, they didn't find out until their site was defaced. The attackers could have been trolling their systems for months without them knowing. Granted they did their investigations, but it's not terribly difficult for an attacker to hide what they were doing once they discovered they had access to the subscriber database.

It is also conceivable that they could have captured transmissions to the banks when purchases are made and the data is sitting in an unencrypted state.

Nothing is out of the realm of possibility really.

http://youtu.be/yytbDZrw1jc
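The architecture point made in this post (something has to hold the key while it encrypts and decrypts, so a compromised processing host is as good as the key), and the counter-measure Zions Child suggested earlier (keep the keys on a different system), can both be shown in a small simulation. The script below is an added example for this thread, not code from Valve or from any poster, and it assumes nothing about how Steam actually stored card data: the KeyService class standing in for a separate HSM/KMS host, the CardStore application tier, the "app-host" caller name and the card number 4111111111111111 are all constructed for the demonstration, and the cipher is an HMAC-SHA256 keystream with a MAC tag used only so that the script runs on the standard library (a real deployment would use AES-256-GCM from a vetted library). It shows three things: a stolen copy of the database contains no card numbers; the application host still has to fetch a usable key for every charge, exactly as the post says; and because that fetch goes through a separate service, a host that suddenly unwraps every record in bulk is visible in the service's audit log.

```python
import hashlib
import hmac
import secrets

# Derive separate encryption and MAC keys from one 32-byte key.
_subkey = lambda key, label: hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). Not AES; it only
    keeps the example on the standard library."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Check the tag, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyService:
    """Stands in for an HSM/KMS on a separate host: holds the master key,
    wraps/unwraps per-record data keys, and logs every unwrap."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.audit = []  # (time, caller, record_id)

    def wrap(self, data_key):
        return seal(self._master, data_key)

    def unwrap(self, wrapped, caller, record_id, now):
        self.audit.append((now, caller, record_id))
        return unseal(self._master, wrapped)


class CardStore:
    """Application tier: its database holds only wrapped data keys and ciphertext."""

    def __init__(self, kms):
        self.kms, self.db = kms, {}

    def store(self, record_id, pan):
        data_key = secrets.token_bytes(32)
        self.db[record_id] = (self.kms.wrap(data_key), seal(data_key, pan.encode()))

    def charge(self, record_id, now):
        wrapped, ct = self.db[record_id]
        # From here the data key is in this process's memory: whoever controls
        # this host can make the same call, so the call itself must be watched.
        data_key = self.kms.unwrap(wrapped, "app-host", record_id, now)
        return unseal(data_key, ct).decode()


def bulk_unwrap_alerts(audit, window_seconds=60, threshold=5):
    """{caller: first alert time} for callers unwrapping more than `threshold`
    distinct records in any `window_seconds` window. Checkout touches one
    record per purchase; a dump of the table touches them all."""
    alerts = {}
    for ts, caller, _ in sorted(audit):
        recent = {r for t, c, r in audit if c == caller and ts - window_seconds <= t <= ts}
        if caller not in alerts and len(recent) > threshold:
            alerts[caller] = ts
    return alerts


def demo():
    kms, pan = KeyService(), "4111111111111111"  # constructed test card number
    store = CardStore(kms)
    for i in range(8):
        store.store(f"r{i}", pan)
    recovered = store.charge("r0", now=0.0)  # normal purchases, minutes apart
    store.charge("r1", now=300.0)
    normal = bulk_unwrap_alerts(kms.audit)
    dump = b"".join(w + c for w, c in store.db.values())  # stolen database copy
    for i in range(8):  # attacker on the app host unwraps every record
        store.charge(f"r{i}", now=1000.0 + i)
    return {
        "recovered": recovered,
        "pan_in_dump": pan.encode() in dump,
        "normal_alerts": normal,
        "bulk_alerts": bulk_unwrap_alerts(kms.audit),
    }
```

Calling demo() returns the recovered card number for a legitimate charge, confirms the raw database copy holds no card number, reports no alert for the two normal purchases, and reports one alert for "app-host" at t=1005 once six distinct records have been unwrapped inside a minute. The design choice to note is that moving the master key off the application host does not stop a host-level compromise from decrypting records one at a time (the post's point); what it buys is a choke point where every decryption is logged and can be rate-limited, so that the kind of months-long silent harvesting described above leaves a trace.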

Barakkus
#57 - 2011-11-12 20:48:16 UTC
Endeavour Starfleet wrote:
Yes change your passwords and watch your cards but seriously don't compare them to sony.

Sony had NO encryption.


Sony did encrypt credit card data, they did not encrypt passwords in case you missed it.

http://youtu.be/yytbDZrw1jc

Sidus Isaacs
Center for Advanced Studies
Gallente Federation
#58 - 2011-11-12 21:24:56 UTC
Barakkus wrote:
Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.



Crack AES256?

I won't be bothering to call my bank :)
Barakkus
#59 - 2011-11-12 22:00:53 UTC
Sidus Isaacs wrote:
Barakkus wrote:
Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.



Crack AES256?

I won't be bothering to call my bank :)



They don't have to crack it. If you even bothered to read anything else in this thread or use your brain to realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about.

http://youtu.be/yytbDZrw1jc

Grimpak
Aliastra
Gallente Federation
#60 - 2011-11-13 02:37:39 UTC
Barakkus wrote:
Sidus Isaacs wrote:
Barakkus wrote:
Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.



Crack AES256?

I won't be bothering to call my bank :)



They don't have to crack it. If you even bothered to read anything else in this thread or use your brain to realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about.


atm there are no reports of compromised CCs. also, maybe because of Sony, Valve decided to keep their decryption key safe somewhere in a place that is not inside the steam network proper.

anyways this happened around.. the 10th? and atm all of this is no more than speculation. Time will tell if there were CCs compromised or not.

[img]http://eve-files.com/sig/grimpak[/img]

[quote]The more I know about humans, the more I love animals.[/quote] ain't that right