Microsoft Security Roundup

Major Nelson says Xbox Live wasn't hacked, responding to accusations that some accounts were broken into and taken over by other users; he says there is no evidence of any compromise of Xbox Live's security at all.

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net. There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. This is a good time to remind our members that they should never give out any of their personal information. Additionally, it may be a good idea to download this free PDF file from Microsoft.com, ‘Help Protect Yourself Against Identity Theft’, that gives you some excellent information and tips on how to protect yourself. Source: Xbox Live Security

But Security Focus describes how it is done, and it is a simple social engineering technique: you call support and say your Xbox crashed, or a friend changed your password. Of course, support won't hand over the account on the first call; the attackers keep calling and pick up, a bit at a time, the pieces of information they need.

“We here at Infamous steal at least 10 accounts a day depending on there (sic) levels,” claimed a site belonging to Clan Infamous, which bills itself as “the best account stealing + boosting clan” in Halo 2. “If you talk s**t we will mod on your account until it is banned. If the levels on it are good, we will use the Credit Card on your account to then change the gamer tag.”

The clan’s Web site, however, does detail the method its members use to steal accounts. Rather than hacking computer servers, the clan’s account stealers claim to rely on social engineering to convince support personnel at Microsoft—and its subsidiary Bungie Studios, the creator of the Halo game series—to help the attackers take control of the accounts. To do so, the players spin a story about something going wrong with their account—from a crashed box to a sibling changing the password—and ask for help “recovering” the data.

“You call 1-800-4my-xbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake,” stated the Clan Infamous Web site. “You might get one little piece of information per call, but then you keep calling and keep calling, every time getting a little bit more information … once you have enough information you can get the password (and) the Windows Live ID reset.” Source: Account pretexters plague Xbox Live

So, no, they weren't hacked, technically; the support staff are being socially engineered out of the account information and into handing the accounts over. One would think Microsoft keeps a record of the support calls made about each account; if so, a string of recovery requests against one account in a short period would make it easy to tell whether this is really happening.
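As an added illustration of the kind of check that paragraph suggests (this is example code, not from the original post or from Microsoft), here is a small Python routine over a constructed support-call log. It flags any account that receives several recovery-type requests within a short window, which is the signature of the repeated-call pretexting described above. The record layout, the request-type names, the window and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample support-call log (not real data): one record per call,
# giving the time, the account the caller asked about, and what they asked for.
SAMPLE_CALLS = [
    ("2007-03-01 10:05", "gamer_alpha", "password_reset"),
    ("2007-03-01 14:20", "gamer_alpha", "account_details"),
    ("2007-03-02 09:10", "gamer_alpha", "password_reset"),
    ("2007-03-03 16:45", "gamer_alpha", "liveid_reset"),
    ("2007-03-02 11:00", "gamer_beta", "billing_question"),
    ("2007-03-05 12:30", "gamer_gamma", "password_reset"),
    ("2007-03-20 08:15", "gamer_gamma", "password_reset"),
]

# Request types that disclose or change account-recovery data (assumed names).
RECOVERY_REQUESTS = {"password_reset", "account_details", "liveid_reset"}


def parse_calls(records):
    """Turn (timestamp string, account, request) tuples into sorted datetime records."""
    parsed = [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), account, request)
        for ts, account, request in records
    ]
    parsed.sort()  # chronological order, so per-account lists below are ordered too
    return parsed


def flag_repeated_recovery_calls(records, window_days=7, threshold=3):
    """Return {account: count} for every account that received at least
    `threshold` recovery-type calls inside any `window_days`-day window.
    The count reported is the largest number of such calls in one window."""
    by_account = defaultdict(list)
    for ts, account, request in parse_calls(records):
        if request in RECOVERY_REQUESTS:
            by_account[account].append(ts)

    window = timedelta(days=window_days)
    flagged = {}
    for account, times in by_account.items():
        # Sliding window over the sorted timestamps of this account's calls.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    for account, count in flag_repeated_recovery_calls(SAMPLE_CALLS).items():
        print(f"{account}: {count} recovery requests within 7 days - verify caller before further changes")
```

With the sample data, only `gamer_alpha` is flagged (four recovery requests in three days); `gamer_gamma`'s two resets are nineteen days apart and fall outside the window. A flag like this is a trigger for the support desk to stop the piecemeal disclosure: freeze further account changes and verify through a channel the account holder registered in advance, rather than through whatever the caller says on the phone.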

And in other news I'm sure Microsoft is loving, Windows was declared the most secure OS by Symantec, a company that isn't too happy with Microsoft right now because of the PatchGuard dispute. The report is the Internet Security Threat Report, and it is summed up nicely on the Internet News site.

The report found that Microsoft Windows “had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.”

During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows, and the company took an average of 21 days to fix them. It’s an increase over the 22 vulnerabilities and 13-day turnaround time for the first half of 2006, but still bested the competition handily.

Red Hat was next, requiring an average of 58 days to address a total of 208 vulnerabilities. Mac OS X had 43 vulnerabilities and a 66-day turnaround on fixes. Of the remaining two, HP-UX from Hewlett-Packard had 98 vulnerabilities in the second half of 2006 and took 101 days to fix them, while Sun's Solaris took an average of 122 days to fix 63 vulnerabilities. Sun said they don't know where Symantec got their numbers, because they were way off.