SPOTLIGHT ON SECURITY

Game of PWNs

This past week brought a plethora of cybersecurity news, with attackers going after everything from gaming platforms to advertisers’ checkbooks.

Steam, the massive gaming site that’s part of Valve, got hacked, potentially endangering its 35 million members.

Law enforcement scored a big win when the FBI announced that it had busted a major cyberfraud ring that infected millions of computers worldwide and scammed legit online advertisers.

In D.C., federal agencies are seeking to set standards for cybersecurity pros, with an interagency group, the National Initiative on Cybersecurity Education (NICE), publishing for comment a draft document that seeks to define professional requirements in this field.

Meanwhile, Apple has come down like a ton of bricks on noted cybersecurity researcher Charlie Miller for creating a proof-of-concept app that exploited a vulnerability in iOS.

Steam’s Security Stumble

Hackers broke into Steam’s database, which contains members’ usernames, passwords, data about their game purchases, email addresses, billing addresses and encrypted card information, Valve said last week.

However, there’s apparently no evidence that the hackers stole encrypted card numbers or information that could personally identify anyone, or that victims’ cards are being abused by third parties.

Steam is the latest in a series of gaming companies to have been hacked this year. Earlier victims include the Sony PlayStation Network, Nintendo, Xbox Live and Square Enix.

“Gaming companies are the new gold mine of consumer identity information for hackers,” data protection expert Wasim Ahmad, who’s vice president at Voltage Security, told TechNewsWorld.

“Few gamers have thought about security the way that, say, financial services companies do,” Ahmad added.

Combining data encryption and database activity monitoring to identify and block unusual or unauthorized activity “would have prevented Steam’s database breach,” Todd Thiemann, senior director of product marketing at Vormetric, told TechNewsWorld.

Gamers can protect themselves by using unique username and password combinations to prevent password reuse problems, Chris Harget, senior product marketing manager at ActivIdentity, suggested.

They should also use a low-credit-limit card to subscribe to game services, Harget told TechNewsWorld.

One Ring to Find Them

This past week, the Manhattan U.S. attorney charged seven people with cyberfraud. Six of the accused, all Estonians, are being held by the Estonian police pending the filing of extradition charges against them, but the seventh, a Russian, is on the lam.

The suspects allegedly released malware that took over 400 million computers worldwide to redirect victims to advertisements, a practice known as “clickjacking.”

FBI spokesperson Peter Donald told TechNewsWorld that the Russian suspect, Andrey Taame, is still at large.

This bust is one of the latest examples of international cooperation among law enforcement agencies. Such cooperation is vital in efforts to fight cybercrime because criminals don’t recognize national boundaries.

Tentative Rules for Cybersecurity Pros

PCs at the National Aeronautics and Space Administration (NASA) were among the 500,000 U.S.-based computers infected by the cyberfraud ring.

No surprise there — NASA has repeatedly been cited over the years for not bringing its cybersecurity up to scratch, with the latest report being one filed in March by its own inspector-general.

Things may change soon, however. The National Initiative on Cybersecurity Education (NICE), an interagency cybersecurity group, has published a draft document aimed at defining common terms, requirements and skill sets for pros in this field.

Whether codifying the requirements for cybersecurity pros will help improve matters remains to be seen.

The Defense Advanced Research Projects Agency (DARPA) has admitted it is losing ground in the battle to secure cyberspace, and it’s reaching out to hackers for help, hoping they can bring new and unconventional strategies to the table.

Apple Crushes Cyberworm Discoverer

Finally, Apple has kicked Charlie Miller, who’s noted for hacking the Mac OS, out of its iOS developer community and has barred him from returning there for a year.

This was apparently in response to Miller’s having posted an app on the iTunes App Store that exploits a new vulnerability in iOS.

The app, a proof of concept hidden inside a fake stock ticker program, was approved by Apple for upload to the iTunes App Store.

It shows that Cupertino’s app approval process isn’t adequate and no app in the App Store is truly safe, Miller said.

More by Richard Adhikari