
Steam hacked - All Steam users are advised to change their Steam passwords (Nov. 2011)

Discussion in 'Civ5 - General Discussions' started by The_J, Nov 10, 2011.

  1. Solver

    Solver Civ4/5 beta tester

    Joined:
    Mar 22, 2002
    Messages:
    1,260
    Location:
    Latvia, Riga
    I'm pretty sure this is for legal / PR reasons. From a purely technical perspective, if Valve set their encryption system at all correctly, then no security would be compromised by revealing the used algorithm. And yes, as far as the actual cryptography side of things goes, I do know what I am talking about. That said, after a breach of any kind it's a common policy not to offer comments. They don't want to officially make statements like "the encryption is unbreakable, no CC numbers will be leaked" for fairly obvious reasons.

    Edit: Sort of confirming this viewpoint is Valve's phrasing that they won't comment because this is part of an "on-going investigation".
     
  2. PieceOfMind

    PieceOfMind Drill IV Defender Retired Moderator

    Joined:
    Jan 15, 2006
    Messages:
    9,312
    Location:
    Australia
    Ok, there may very well be more important reasons not to divulge that sort of information (legal / PR as you suggest), but I'd still maintain security is a factor. If the hacker/s did in fact manage to steal some encrypted information, it would present an added barrier for them in cracking that encryption if they did not know the method used, right? (I'm not saying it's much of a barrier, especially relative to the cryptanalysis process)
     
  3. WimpyTheWarrior

    WimpyTheWarrior Chieftain

    Joined:
    Dec 31, 2003
    Messages:
    294
    Location:
    Sydney, Australia
    Hi again folks,

    Apologies for going long-winded, but I am very passionate about information security. Yeah I earn a crust at it.

    This post is about your personal security. There is another post about the security of your payment cards on the Steam server.

    The main risk to you is spear-phishing
    As a reminder, the main risk of this breach to you is a spear-phishing attack. You can expect to receive an email pretending to be from Steam. That email will contain accurate information about you, your personal details, and your gaming activity on Steam. Somewhere in the email will be a link or attachment that you will be urged to click on or open to perform some critical task. DON'T DO IT! The link or attachment is where the malware (MALicious softWARE) is at.

    You access Steam via your Steam client, not via any link. Be very suspicious of any link in any email. Modern email clients will give you the true path of a link if you hover the mouse over the link. Use that. You can also drag the suspicious email to the junk mail folder to see the email in the raw form, and the true address of the link that says "click here to repair". If you're paranoid or curious search for "email header trace", you can purchase a program for your desktop or use websites to identify where the mail is really sent from.

    You can expect lots of spear-phishing attacks this year from multiple sources. Epsilon was a major commercial email provider for companies like Dell, Marriott, Tivo, Disney, etc. They were ripped earlier this year. Oops!

    Patching
    I have to counsel against this advice. The overwhelming industry evidence is that unpatched systems are the major source of infected systems. This vendor-neutral article gives good advice about why you should keep your PC patched. http://pcprivacyadvice.blogspot.com/2011/10/general-windows-pc-security.html

    Microsoft update patches are digitally signed to prevent fake patches from being applied. Adobe auto-update is also secure, as is Java. You can patch any software from within the software, usually under the Help menu. Fake update patches are usually sent via email or web site browsing, especially Adobe Flash patches. ("You need to update your Adobe to watch this video" - DON'T DO IT!). Always patch using the vendor's recommended patching mechanism. Update your Adobe directly from the Adobe site, then go back to the video site. If it still says you need patching, you KNOW it's a malware site.

    There currently is a debate within the banking industry about whether unpatched PCs should be allowed to sign onto banking websites for account transactions. It follows the arguments of PCI-DSS with the merchants ("If a card holder is not using a safe secure PC they should perform their banking using other means.")

    Malware in your Steam folder
    I read some comments about virus scans finding malware in the Steam folders. This is unlikely to be related to the breach, as malware tries to hide anywhere on a PC. Here is an antivirus forum post from December 2009 (2 years before the breach) complaining of malware in the Steam folders. http://forum.avast.com/index.php?topic=52475.0

    Breach notification laws
    IMHO this is the real disgrace in InfoSec; the lack of tough breach notification laws. In the US breach notification law is still state by state. Thankfully for health data there is national breach notification law. (HIPAA & HITECH). All of Europe has breach notification laws, which are proposed for Australia. This is an excellent site on what you can do if you are notified of a breach, as we all just experienced: https://www.privacyrights.org/fs/fs17b-SecurityBreach.htm

    So we can expect spear-phishing attacks. Be informed, be ready, and you'll be safe.
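The "hover over the link and read the true path" advice in the post above can be turned into a small checker. The following is an added example (not code from the thread or from Valve): it parses an HTML email body, pairs each link's visible text with its real href, and flags links that are not HTTPS, point outside an assumed set of legitimate sender domains (`TRUSTED_DOMAINS` is an assumption), or show one URL as text while the href goes somewhere else. The email body is constructed for the example, and `registrable()` is a crude two-label stand-in for a proper public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: domains the legitimate sender would link to.
TRUSTED_DOMAINS = {"steampowered.com", "steamcommunity.com"}


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels. A crude stand-in for a
    public-suffix lookup, but enough to compare 'where the link really goes'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # visible text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return [(visible_text, real_href, reasons)] for every link.
    An empty reasons list means nothing looked wrong with that link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = registrable(target.hostname or "")
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if host not in trusted:
            reasons.append("target domain %r not in trusted set" % host)
        # The classic trick: the visible text is a URL, but the href differs.
        if "://" in text or text.startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text)
            if registrable(shown.hostname or "") != host:
                reasons.append("visible URL differs from real target")
        findings.append((text, href, reasons))
    return findings


def flagged(html: str):
    """Only the links that have at least one reason to be suspicious."""
    return [f for f in inspect_links(html) if f[2]]


# Constructed sample email body: two bad links and one genuine one.
SAMPLE_EMAIL = """<p>Dear gamer, your Steam account needs repair.</p>
<a href="http://steam-account-repair.example.net/fix">Click here to repair</a>
<a href="http://login.example.org/steam">https://store.steampowered.com/account</a>
<a href="https://store.steampowered.com/account">Steam account page</a>
"""

if __name__ == "__main__":
    for text, href, reasons in inspect_links(SAMPLE_EMAIL):
        verdict = "; ".join(reasons) if reasons else "looks fine"
        print("%-40s -> %-45s %s" % (text, href, verdict))
```

Run it and the first two links are reported (wrong domain, plain HTTP, and in the second case a visible URL that does not match the real target), while the genuine HTTPS link to the trusted domain passes. The same comparison is what the mail client's hover tooltip lets you do by eye.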
     
  4. WimpyTheWarrior

    WimpyTheWarrior Chieftain

    Joined:
    Dec 31, 2003
    Messages:
    294
    Location:
    Sydney, Australia
    This post is more about the protection of our payment card details in the Steam servers.

    Encryption
    I have read some comments here about the encryption used to protect the credit card details. Solver has it right in post #87; cryptography relies on known algorithms and unknown keys. The algorithm has to be open (published) so it can be peer reviewed for weaknesses. Bruce Schneier wrote about why you want to use an open common cryptosystem in 1999: http://www.schneier.com/crypto-gram-9904.html#different. Proprietary secret cryptosystems are weak, and are not allowed under PCI-DSS. It is counter intuitive, but cryptosystems have to be open to be strong.

    PCI-DSS mandates "strong cryptography", which is defined at https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf, and elaborated on in NIST 800-57. Most companies select AES-256, which was introduced to replace DES. DES became too weak as computer performance improved.

    So if we believe that the mathematics of the encryption is secure, then the forensic investigation, and the previous PCI audits of Steam, would have focused on the management and protection of the encryption keys.

    So will Steam discuss their key management policies and practices, to make us feel more secure? Absolutely not. That information would be extremely valuable intelligence to an attacker. But the PCI-DSS QSA (Qualified Security Assessor) did review it. The QSA must pass an exam and annual background check to be authorised to perform security assessments of a merchant's payment card capabilities. If you don't maintain your skills and ethics you lose the right to be a QSA. This site https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php lists QSAs and you'll see that some are In Remediation. The banks take this VERY seriously, and below I'll explain why.

    PCI-DSS
    So just what is PCI-DSS? I'll try to be brief, but your credit or debit card is issued by a bank that agrees to comply with the scheme's rules (Scheme = Mastercard or VISA or AMEX or JCB, etc.) One of the rules of all schemes is that the issuer must make good to the cardholder disputed transactions that the issuer cannot prove that the cardholder performed. So when your CC details are stolen and your card is used, the bank has to pay the merchant and also has to pay you back. Yes it's a total hassle to you and the merchant, but the bank is the big loser. Why are banks required to make you good for a dispute? Because the system collapses when the cardholders don't trust the payment mechanism. When you discover "Currency" in any Civ game, you're actually discovering trust by the population in a payment mechanism, whether it's coins or currency or checks or smart cards or eCommerce or mCommerce or Yap currency, which is extremely secure! (http://en.wikipedia.org/wiki/Yap#Stone_money) If people don't trust the payment method then the velocity of money in the economy slows down, which reduces economic activity, making less money for the businesses and banks. If you ever get a chance to visit a country with a cash economy you can see this.

    Since the banks are the big money losers when a merchant is hacked, the banks tightly audit the merchants for protection of the payment card details. This is where PCI-DSS comes from. The banks police PCI-DSS compliance using the QSAs, and merchants that do not comply lose their rights to accept payment cards. Loss of payment card Rights for an on-line company (like Steam) is a death toll. For example, in 2005 CardSystems Solutions lost 40 million clear text credit card details; they were torn to pieces by the subsequent lawsuits.

    So I know it can seem like "no one cares about the little guys in these breaches", which is probably true. But they DO care about their money, and the banks use PCI-DSS to make sure the merchants are protecting the banks, and we get collateral protection from the PCI-DSS.

    So would we get informed if the payment card details are decrypted?
    If the forensic investigation determines that the hackers can decrypt the credit card details, the issuing banks will be informed and they will issue new cards to affected cardholders. It's cheaper for the banks to cancel the old cards and issue new cards than to deal with all the chargebacks.

    I do advise that if given the choice, you NOT store your payment card details with a merchant "to make checkout easier next time". For my values the risk of loss exceeds the time saved typing in my details.
     
  5. wannabewarlord

    wannabewarlord Chieftain

    Joined:
    Mar 26, 2008
    Messages:
    408
    Location:
    Switzerland
    @WimpyTheWarrior
    Thanks for that informative read. I enjoyed reading it.

    That said, I am not worried exactly for that very reason that I can dispute payments. Sure, it'll be a hassle if it actually comes to this (which I highly doubt, we will see on my next statement), but before I go cancelling cards and feeding all my recurring transaction payments with my new card details (yes, I save CC details online, maybe not the smartest thing to do, but until I burn my fingers, the convenience surpasses my security concerns) I wait and see what happens.
     
  6. forty2j

    forty2j Chieftain

    Joined:
    Dec 6, 2010
    Messages:
    735
    Location:
    NJ
    Good read, Wimpy, but you took a bit of a left turn here:

    The only risk here is that your CC balance is only as safe as your account credentials, to the extent someone wants to make purchases on that site on your behalf. (I've seen this, for example, on iTunes, where someone got into an account and bought a bunch of apps for which they were associated with the developer - but this is quickly reversed.)

    Otherwise, your encrypted CC # will be somewhere within the site's database anyway, as you used it at one point to complete a transaction.
     
  7. WimpyTheWarrior

    WimpyTheWarrior Chieftain

    Joined:
    Dec 31, 2003
    Messages:
    294
    Location:
    Sydney, Australia
    Under PCI-DSS merchants are not supposed to store CC details. When the merchant presents the payment to the banking system, an authorisation/approval code is returned. The auth code, along with the date, time, and amount of the TX, is the only data the merchant needs to confirm a transaction with their bank.

    If a merchant elects to store the CC details they have instructions on how to truncate the PAN (Primary Account Number). The maximum allowed is the first 6 digits and last 4 digits, with the middle six digits masked, usually with zeros. Look at a recent CC receipt for an example. Here is the 2 page instructions to merchants on how to store payment details. https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

    However if the merchant is performing recurring transactions (like cable TV or your ISP), then the full details are stored for monthly submission to the banking system. That's where the encryption must be used. Or if you volunteer to store your details with the merchant "to make checkout easier next time".

    There is a technical risk that the CC nbr is inadvertently stored elsewhere in the system, for example if packet tracing is used for a firewall or antivirus. The QSA is trained to look for payment details throughout the entire merchant payment processing system. A QSA audit can take weeks, depending on the size and complexity of the system.

    Another risk is smaller merchants that fall under the radar, and only perform self assessments. I've been at small Australian hotels that wanted to keep a photocopy of my CC on hold while I was staying there. Yikes!
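The PAN truncation rule described above (keep at most the first 6 and last 4 digits, mask the middle) and the "is the card number inadvertently stored elsewhere, e.g. in a packet trace" concern from the same post are both easy to demonstrate in code. This is an added example, not code from the thread or from any PCI document: it scans text for 13- to 19-digit runs, keeps only those that pass the Luhn check that card numbers satisfy, and reports or redacts them in truncated form. The log lines are constructed for the example; the card numbers in them are well-known test numbers that pass Luhn, not real cards.

```python
import re

# A candidate PAN: 13 to 19 digits, each optionally followed by one space or
# dash, not adjacent to further digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card PAN satisfies it, most random
    digit runs (dates, order ids, phone numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, fill: str = "0") -> str:
    """Truncate a PAN to first 6 + last 4, masking everything in between
    (the post mentions zeros as the usual fill)."""
    if len(digits) < 11:
        raise ValueError("PAN too short to truncate safely")
    return digits[:6] + fill * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(offset, masked_pan)] for every Luhn-valid PAN found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Return text with every Luhn-valid PAN replaced by its truncated form;
    digit runs that fail Luhn are left alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, text)


# Constructed sample lines, as a proxy or packet-capture log might hold them.
SAMPLE_LOG = """2011-11-10 03:12:44 proxy  POST /checkout card=4111111111111111 amount=49.99
2011-11-10 03:12:45 proxy  POST /checkout card=4111 1111 1111 1112 amount=49.99
2011-11-10 03:14:20 pcap   card=378282246310005 exp=0913
2011-11-10 03:13:01 pcap   tel=0412345678 order=20111110031301
"""

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_LOG):
        print("possible PAN at byte %d: %s" % (offset, masked))
    print(redact(SAMPLE_LOG))
```

On the sample, the Visa and Amex test numbers are reported (as 4111110000001111 and 378282000000005) while the second line, a 16-digit run that fails Luhn, the phone number and the 14-digit order id are ignored. A QSA looking for card data outside the payment path would use exactly this kind of sweep, then check the hits by hand; note that a run of more than 19 digits is deliberately not matched, since a PAN is never that long.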
     
  8. forty2j

    forty2j Chieftain

    Joined:
    Dec 6, 2010
    Messages:
    735
    Location:
    NJ
    Ok, granted. But what if someone gets access to the server (which doesn't appear to be an issue..) and plants some malware to grab the CC #'s as they are entered and transmit them out? Even if they only grab them post-encryption (e.g. between the server and the payment provider), the risk is similar to clicking the "save my card" checkbox.
     
  9. WimpyTheWarrior

    WimpyTheWarrior Chieftain

    Joined:
    Dec 31, 2003
    Messages:
    294
    Location:
    Sydney, Australia
    My my you have a lot of questions! You're not the hacker, trying to gain more intel on Steam, are you? ;) If not you should consider a career in Information Security; you're asking the right questions. And my industry is DESPERATE for good people, globally.

    Encrypted transmissions
    Architecturally, the "native state" for CC nbrs is encrypted, and they are only decrypted in a secure location for a specific purpose. Your CC nbr is encrypted in the browser before it hits the IP stack in your Windows O/S; you can use NetMon (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865) and see the encrypted traffic leave your PC. It's not decrypted at the merchant until it hits the web server.

    The traffic between the merchant and the payment system is always encrypted. It would be too easy to packet sniff traffic in the telcos. The cryptographic endpoints are inside the merchant server and inside the bank's front-end processor. You have to sniff the CC #s in a memory-resident program. The banks' front-end processors used to be proprietary servers like Tandem and Stratus that did not have malware, as the O/Ses were a very arcane blend of UNIX and mainframe. Merchant systems are usually LINUX/UNIX servers. These are harder to hack than Windows, but obviously not impossible, as the hack on Steam was successful.

    Hacking incident response
    I don't know exactly what steps Steam/Valve performed, but I can describe best practices for security incident response. First you disconnect the infected server COMPLETELY from every other device inside and outside Steam. It's logically parked aside for forensic investigation, but that's a different team. The Service Recovery team will deploy fresh new servers from the server farm, and then configure them to replace the activity of the infected servers. Data is loaded fresh from last known clean backup tapes.

    But wait, there's more. Before the Service Delivery team approves the new servers for production, a penetration test is performed. A pen test is a professional hack attempt against the servers by white hat hackers. White hat hackers are folks that can hack, but do it as consultants and tell the company how they succeeded. They almost always succeed. The company fixes what was found, then lather, rinse, repeat.

    So with all this testing, how come so many hacks succeed?
    HOWEVER......, white hat hackers stop and get paid when the contract is complete. Black hat hackers only get paid when they break in. So black hat hackers stay at it much longer. That's why systems that have passed white hat pen tests still get hacked.

    Pen tests and incident response teams are usually performed yearly. Why so much effort? There is LOTS of $$ to be made in this game. High volume payment systems on peak days will process over 1,000 transactions per second. That's A LOT of cash, baby! It's worth protecting, and it's worth stealing.

    What about that hacked server?
    The Incident Response team trolls through logs of the Intrusion Detection Systems trying to identify what vulnerability was exploited to gain access, and the identity of the hackers. You usually find out how they got in, but rare to identify the hackers to the point of criminal conviction. Hacking embraced globalisation before most other industries, and the traffic usually ends up in a country with a poor judicial system. Within the industry N. Korea is widely believed to use state-trained hackers for economic and military hacking.
    http://english.chosun.com/site/data/html_dir/2009/07/10/2009071000588.html

    To repeat, I HAVE NO EXACT KNOWLEDGE of what steps Steam/Valve have performed, and of course they would not tell me if I asked. But I will GUARANTEE you that Valve's bank is asking "Just what happened again?", and I will GUARANTEE you that Valve is turning itself inside-out to satisfy the bank's questions. The InfoSec news channels are still light on this one as it's still too fresh. I've read one report that speculated the Secret Service will assist with the investigation. You can follow updates on the Steam hack at http://datalossdb.org/incidents/494...-credit-card-information-accessed-by-hacker-s. Remember that this is a volunteer site, and breach notification is not always mandated. The real guts of what happened will NOT be reported here, or anywhere.

    As a final reminder, be sure you've changed your passwords, and binhthuy71 has convinced me it's time to use a password vault. Keep an eye on your credit card statements, especially for low dollar test transactions. If you get a spear-phishing email claiming to be from Steam report that to Valve.

    Meaningless observation
    The adchoices (upper right corner) for this thread show "PCI compliance". On the other threads I get ads like "Hottest Brazilian Girls". I am in the wrong industry!

    Now back to our regularly scheduled program
    Now can someone help me with Civ-5? For unknown reasons I am totally addicted to social policies! OK, not in this thread, I'll keep reading the other threads on that topic.
     
  10. agoodfella

    agoodfella Chieftain

    Joined:
    Nov 12, 2001
    Messages:
    591
    Location:
    USA
    holy <snip>. this totally sucks.

    of course, i find out about this through CivFan and not STEAM cause I haven't logged onto STEAM in over a month... shouldn't STEAM send out a general email to all of its users as standard operating procedure?

    Totally unacceptable.

    Moderator Action: Inappropriate language removed.
    Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889
     
  11. Smokeybear

    Smokeybear Chieftain

    Joined:
    Apr 9, 2011
    Messages:
    1,240
    Location:
    US
    Presume you've changed your password successfully, and checked your credit card account for unusual activity, if any, by now. All good? Thought so. Next...
     
  12. JBearIt

    JBearIt Ard Ri

    Joined:
    Sep 3, 2001
    Messages:
    336
    Location:
    Indianapolis, IN
    Maybe just coincidence but I just received a credit alert that someone tried to use my credit card number in another state. Luckily my credit card company found the transaction suspicious and declined the transaction. It's the same card that I used for Steam.
     
  13. Smokeybear

    Smokeybear Chieftain

    Joined:
    Apr 9, 2011
    Messages:
    1,240
    Location:
    US
    Well, out of the millions of credit cards that have been used for Steam transactions, it would be rather surprising if none of them ever experienced any kind of illegal activity from any other source, ever. The sad fact is, most people will never know how or where their CC info got pilfered from, after an incident happens- so, unless you only used your card for Steam stuff and nothing else, ever... it's virtually unknowable who is responsible for a breach of your info- Steam? Some other online vendor? Your computer is compromised and your info stolen by a keylogger or other hacking method? The guy at the minimart or gas station cobbed your info when they had it out of your sight? Friend or relative used it unwisely without your knowledge? There are a million ways to get compromised, and it happens thousands of times a day, to millions of people every year. Most having nothing to do with Steam. Coincidence? Probably.
     
  14. Maniacal

    Maniacal the green Napoleon

    Joined:
    Mar 13, 2005
    Messages:
    18,778
    Location:
    British Columbia, Canada
    IIRC the credit card companies and banks don't usually (if ever) tell you where your credit card was compromised. It is kind of annoying, a friend of mine had his debit card compromised but his bank wouldn't tell him where it happened, which worried me at the time since I had used my card at many of the same places he did, except for a nearby convenience store. I wish they would reveal that info.
     
  15. agoodfella

    agoodfella Chieftain

    Joined:
    Nov 12, 2001
    Messages:
    591
    Location:
    USA
    That is not even the point. The breach is one thing. The lack of action is quite another.

    At a minimum, they should have actively sent out emails to all of its customers to login and take appropriate action.

    How hard is that?
     
  16. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    True, but what firm or business will do that? I presume 1%.
     
  17. Moosezilla

    Moosezilla Grognard Warlord

    Joined:
    Aug 29, 2007
    Messages:
    1,037
    Location:
    Canton of Roaring Waste
    Civ was never meant to be a form of MTG for online. If you can't buy it complete in a box, it sucks.
     
  18. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    I bought it in a box :confused:
     
  19. agoodfella

    agoodfella Chieftain

    Joined:
    Nov 12, 2001
    Messages:
    591
    Location:
    USA
    Oh I don't know... a firm that wants to keep its customers and stay in business?

    You can only crap on your customers for so long until they will vote with their $$$ and feet.

    I am getting close.
     
  20. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    Perhaps they aren't allowed to send emails cause it is not in the agreement to send you mails? If they did then some might sue them which can happen in the US (and they might even win :rolleyes:)
     
