backtop


Print 82 comment(s) - last by SquidianLoveGo.. on May 3 at 10:00 PM



Screenshots posted by MaddoxX reveal the extent of the breach
Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:
  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on the Valve servers.  In addition, Maddox also reveals that private certificates for "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:
Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release.

Please don't release the CC information, for the sake of the centers who are less informed.
MaddoxX does make one thing quite clear in his electronic manifesto:
If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.
It seems that Valve is being held for ransom. If this is true, Valve may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:
There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Yup, I knew it.
By Justin Case on 4/19/2007 2:25:57 PM , Rating: 5
I don't know what planet you live on, but I can tell you that, on this one, several banks run their entire backbone on... Windows. I'm not saying it's an efficient way to do things (for starters, it's more expensive than the alternatives), but it is perfectly possible to have secure Windows-based systems (I'm talking NT / 2000 / Server, not XP Home or any of that crap, of course).

A properly configured web server won't let hackers in in the first place, and careful configuration of your firewall, users, NTFS permissions, and internal network permissions can do the rest (in other words, the same things a sane and competent admin would to in a Unix system). Server 2003's defaults are even pretty civilized (as long as you add a good firewall and get rid of IIS).

Obviously if you run a vanilla install of Apache (or, god forbid, IIS) and upload-enabled PHP on an administrator account on a FAT volume, on a LAN with file sharing enabled, without a (real) firewall, you're asking for trouble.

NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.

It's not the OS that makes a system secure, it's the admin. On a properly configured system, external attackers (or clients in general) shouldn't even be able to figure out the server's OS.

P.S. - Remember Valve was founded by ex-Microsoft guys, so I guess having 100% secure systems would go against their nature. ;-)


RE: Yup, I knew it.
By Neosis on 4/19/2007 8:37:30 PM , Rating: 2
quote:
NTFS gives, if anything, a lot more control over file permissions than the most common *nix filesystems. 99.9% of people don't have a clue about NTFS or user permissions but then, 99.9% of people aren't server admins.


".. most comman *nix filesystems .." I presume you mean ext3 and ReiserFS. You are right about these two, NTFS enables more advanced file permission settings than POSIX, however these are not commonly used in servers by experienced system admins. One of the important reason is the poor scalability for ext3. (maybe with htrees, it's ok)

For security features and scalability, NSS has many advantages over NTFS, though recently NTFS gained similar features like Access Based Enumeration. It is similar to visibiliy in NSS. No suprise if we think NTFS is a derivative of the Novell NetWare 2.x ACL mode.

Here you can see its features: http://en.wikipedia.org/wiki/Novell_Storage_Servic...


RE: Yup, I knew it.
By Justin Case on 4/19/2007 11:20:59 PM , Rating: 2
NTFS actually has a lot of tricks up its sleeves that aren't "officially" documented, but if you hang around the MS newsgroups you'll see that it can do pretty much anything you want (and a lot of things you don't ;-).


"My sex life is pretty good" -- Steve Jobs' random musings during the 2010 D8 conference











botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki