Microsoft’s Major Nelson (Larry Hryb, Xbox Live Director of Programming) has been given the task of calming the fears of Xbox Live members as to whether their accounts have been hacked. Hryb is responding to issues raised by security expert Kevin Finisterre, who was locked out of his own Xbox Live account this month. Finisterre went on to release the audio of his conversation with Xbox Live customer support.
The audio features such terrifying gems from the customer support crew as:
“This has been happening all day. You’re the third person today.”
And
“We don’t know what’s going on… we don’t know how people’s accounts are getting logged in by other people’s accounts”.
Hryb’s response, posted on his Major Nelson blog, reads as follows:
“Earlier this week when I first heard about the ‘Xbox Live network hacked’ story, I checked with the people on our end, and then posted about it. As originally posted, Xbox Live has not been hacked. That is still true. A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering', also known as ‘pre-texting’, through our support center. Kevin gave me a call directly and once I realized what he was talking about (he sent me some painful-to-listen-to audio files) I confirmed that the team is fully aware of this issue. They are examining the policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack.
“There's no other way to say it; this situation shouldn't have happened. Our customers deserve better.”
Erm, “…discovered not a hack… some accounts may have been compromised…”?
Casting back into our nefarious past and digging out a copy of The Hacker’s Handbook (1985) by Hugo Cornwall, some extracts from Chapter Six, ‘The Direct Approach’, come to the fore:
“Social engineering is the term crackers give to any form of "con trick" designed to get information about computer systems from the people who use or run them. In its simplest form, social engineering exploits people's natural openness and helpfulness by employing knowledge of human psychology and how people behave in situations where hierarchy, procedures and routine are part of day to day life. In the average business or university, the majority of people working there only know a small part of the picture, and can only respond to situations within the small picture…”
And what does Cornwall say is one of the standard social engineering hacks?
“The ‘Computer Support’ target, where crackers pose as a user and claim to have forgotten their password, is a bit old hat but can still be successful in busy helpdesk environments where operators are so busy they can't, or won't, be bothered to check the id. Asking for a change of password is a bit tricky, but as so many users forget their passwords as a matter of course this still sometimes works for crackers.”
To say that a social engineering (or ‘pretexting’) attack that compromises user account information is not a hack is, in SPOnG’s opinion, akin to saying that being conned out of your watch rather than being mugged for it is not robbery.
But, hey, at least Xbox Live members can actually get online at some point, unlike, it would appear, many Sony PlayStation Network users in Europe.