


Screenshots posted by MaddoxX reveal the extent of the breach
Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:
  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on the Valve servers. In addition, MaddoxX also reveals that private certificates for "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:
"Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release."

"Please don't release the CC information, for the sake of the centers who are less informed."
MaddoxX does make one thing quite clear in his electronic manifesto:
"If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information."
It seems that Valve is being held for ransom. If this is true, Valve may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:
"There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."



RE: Yup, I knew it.
By Runiteshark on 4/19/2007 2:01:20 AM , Rating: 2
quote:
There's nothing wrong with using Windows on their servers; Windows Server with a good admin can be as secure as any other OS. And BSD / Linux / Solaris with a bad admin can be as secure as Windows 95.


I totally disagree with you there. The primary problem with Windows systems is the amount of buffer overflows, or other random exploits found on them. I'm not saying that nix or bsd doesn't have its share of exploits (proc race anyone?), but they are quite a few less than what is out for Windows. However you are correct, an attacker wouldn't be able to do anything if they did indeed secure their php setup properly (unless they had a mystical apache/IIS6 0day) as long as they couldn't get a shell there. However, once a shell is on that setup, if on nix or bsd systems, it is possible to prevent any further security breaches (root), whereas with Windows, you are basically screwed. I'm definitely not saying that sec can't be bypassed on the nix/bsd setups (php module inclusion exploits, 0days), but can be contained.

If you seriously think that Windows is a good choice for anything other than a workgroup or domain management OS, take a stroll down any exploit website (milw0rm for example). Even the exploits that Microsoft warns about turn into 0days before Microsoft patches them. As was with a recent one. At least with nix or bsd variants you can have much more control over user privileges (no exec, chrooted, jailed, control over what the exec, no compiling, etc) whereas with how IIS is set up, once someone has access, you are done.

The guy that had access to this box could so easily bot so many machines it's not even funny, I don't know if you know about the .ani exploit (think wmf but worse) but it could so easily be included onto their main page with even that basic shell that it's scary.


RE: Yup, I knew it.
By Justin Case on 4/19/2007 2:25:57 PM , Rating: 5
I don't know what planet you live on, but I can tell you that, on this one, several banks run their entire backbone on... Windows. I'm not saying it's an efficient way to do things (for starters, it's more expensive than the alternatives), but it is perfectly possible to have secure Windows-based systems (I'm talking NT / 2000 / Server, not XP Home or any of that crap, of course).

A properly configured web server won't let hackers in in the first place, and careful configuration of your firewall, users, NTFS permissions, and internal network permissions can do the rest (in other words, the same things a sane and competent admin would do in a Unix system). Server 2003's defaults are even pretty civilized (as long as you add a good firewall and get rid of IIS).

Obviously if you run a vanilla install of Apache (or, god forbid, IIS) and upload-enabled PHP on an administrator account on a FAT volume, on a LAN with file sharing enabled, without a (real) firewall, you're asking for trouble.

NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.

It's not the OS that makes a system secure, it's the admin. On a properly configured system, external attackers (or clients in general) shouldn't even be able to figure out the server's OS.

P.S. - Remember Valve was founded by ex-Microsoft guys, so I guess having 100% secure systems would go against their nature. ;-)


RE: Yup, I knew it.
By Neosis on 4/19/2007 8:37:30 PM , Rating: 2
quote:
NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.


".. most common *nix filesystems .." I presume you mean ext3 and ReiserFS. You are right about these two, NTFS enables more advanced file permission settings than POSIX, however these are not commonly used in servers by experienced system admins. One of the important reasons is the poor scalability for ext3. (maybe with htrees, it's ok)

For security features and scalability, NSS has many advantages over NTFS, though recently NTFS gained similar features like Access Based Enumeration. It is similar to visibility in NSS. No surprise if we think NTFS is a derivative of the Novell NetWare 2.x ACL mode.

Here you can see its features: http://en.wikipedia.org/wiki/Novell_Storage_Servic...


RE: Yup, I knew it.
By Justin Case on 4/19/2007 11:20:59 PM , Rating: 2
NTFS actually has a lot of tricks up its sleeves that aren't "officially" documented, but if you hang around the MS newsgroups you'll see that it can do pretty much anything you want (and a lot of things you don't ;-).
