Over the past few weeks, reports have circulated about attacks on large video game companies like Sony by the comically named hacker group LulzSec. Hacks of various websites operated by divisions of Sony have been in the news almost every day. But other companies have been attacked and broken into as well, namely Nintendo, Bethesda Softworks, Codemasters and Epic Games. LulzSec even went as far as hacking the website of the United States Senate.
The worst part of the attacks is that in the case of the bigger breaches at Sony, large numbers of email addresses, unencrypted user passwords and even valid credit card details were stolen. Since many users employ only a small number of passwords across their accounts at different sites, this data can be used to log in elsewhere and gather more valuable information about the user from there. The most valuable targets are webmail accounts and logins for social networks like Facebook. Webmail accounts in particular often contain access data, other passwords and even credit card or bank account details.
Storing plain text passwords is especially bad because the attacker can use them immediately. The state of the art is to store only password hashes, and to salt them. A hash is a value computed by a one way function that takes arbitrary input and produces fixed length output. A legitimate user can still be authenticated by hashing the entered password and comparing the result against the stored hash, but an attacker who only has the hash must guess candidate passwords and hash each one until a match is found. Salting means combining the password with a random value before hashing; the salt is stored in clear alongside the hash. At first sight this looks insecure, but the salt is not a secret. Its purpose is to make every stored hash unique, so that precomputed tables (rainbow tables) are useless, two users with the same password do not end up with the same hash, and each hash has to be attacked separately. What salting does not do is slow the attacker down. Since the advent of GPU computing, hash crackers can test billions of candidates per second against a fast hash such as MD5 or SHA-1, salted or not. The countermeasure is a deliberately slow, iterated password hash such as bcrypt, PBKDF2 or scrypt, whose work factor can be raised as hardware gets faster. A general-purpose hash function is considered broken when collisions can be found faster than by brute force, but for password storage the properties that matter are that the function is one way and, above all, that it is expensive to evaluate.
The most recent hack targeted the website of Epic Games. While the attackers were "only" able to retrieve email addresses and hashed ("encrypted" in the company's wording) passwords, users who chose weak passwords are still at risk, because the hash of a weak password can be recovered by guessing. Weak passwords include anything shorter than 8 characters and any word that can be looked up in an ordinary dictionary. It is best to mix lower- and upper-case letters, digits and special characters, and to make the password long, so that the attacker's search space grows.
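The following is an added example, not code from the original article or from any of the companies mentioned, illustrating both the salted-and-iterated storage scheme described above and the brute-force risk against weak passwords in the Epic Games breach. It uses PBKDF2 with SHA-256 from Python's standard library as the slow hash; the account names, passwords and wordlist are constructed sample data, and the storage format `pbkdf2_sha256$iterations$salt$digest` is an assumption made for the demo.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2. Kept modest so the demo runs quickly; raise it in
# production and re-hash on login as hardware gets faster.
ITERATIONS = 100_000

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty", "unreal"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: fast hash, no salt. Equal passwords give equal hashes,
    so one precomputed table cracks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing string (assumed format)
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the salt and the
    work factor are stored next to the digest, as the article describes."""
    if salt is None:
        salt = os.urandom(16)            # 128-bit random salt, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_with_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding the leaked hash does: hash every guess with the
    leaked salt. The salt does not stop this; only the cost per guess and the
    strength of the password do."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def is_weak(password: str, wordlist: Iterable[str]) -> bool:
    """Rule of thumb from the article: shorter than 8 characters, or a plain
    dictionary word (case-insensitive)."""
    return len(password) < 8 or password.lower() in {w.lower() for w in wordlist}


def demo() -> dict:
    # Constructed sample accounts: two users picked the same weak password.
    accounts = {"alice": "dragon", "bob": "dragon", "carol": "x7!Qm#v9Lp2&Tz"}
    unsalted = {u: unsalted_md5(p) for u, p in accounts.items()}
    salted = {u: hash_password(p) for u, p in accounts.items()}
    return {
        # with unsalted MD5 the identical passwords show up as identical hashes
        "md5_collides": unsalted["alice"] == unsalted["bob"],
        # with a per-user salt they do not
        "salted_differs": salted["alice"] != salted["bob"],
        # the dictionary password falls to a wordlist attack despite the salt
        "cracked": {u: crack_with_wordlist(h, WORDLIST) for u, h in salted.items()},
        "weak": {u: is_weak(p, WORDLIST) for u, p in accounts.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the two things the article argues: the salt makes alice's and bob's stored hashes differ even though their passwords are identical, yet "dragon" is still recovered from both because it is in the wordlist, while carol's long random password survives. The constant-time comparison in `verify_password` avoids leaking how many bytes of the digest matched through timing.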
Here is the official statement from Epic Games CEO, Tim Sweeney regarding the downtime:
"Our Epic Games web sites and forums were recently hacked. We’re working on getting them back up and running, and expect everything to be restored in a few days.
The hackers likely obtained the email addresses and encrypted passwords of forum users. Plain text passwords weren’t revealed, but short or common passwords could be obtained by brute-force attack. Therefore, we’re resetting all passwords. If you have an account on the Epic Games forums, you can request to receive your new password by email to the address we have on file for you.
The Unreal Developer Network (UDN) has not been compromised. None of our web sites ask for, or store, credit card information or other sensitive customer data.
We’re sorry for the inconvenience, and appreciate everyone’s patience as we get our servers back under control."
A few days earlier the website of Codemasters was hacked as well. As a security measure, the company took its website offline to prevent further intrusion; www.codemasters.com presently redirects to the company's Facebook fan page. According to its statement, Codemasters believes that names, usernames, email addresses, encrypted passwords and other account-specific data were compromised in the attack. The company notes, though, that no payment information was affected, since payments are handled by an external company. Like Epic Games, Codemasters recommends changing the password of every other account that used the same password as the website.
At this point it is not known who conducted the attacks on Epic Games and Codemasters. LulzSec did not mention them at all in its Twitter feed and did not respond to numerous inquiries from Twitter users. The comical hacker group usually tweets about its exploits and publishes its loot on its website.
Earlier, LulzSec claimed to have hacked Nintendo but said it did not want to harm the company because it likes Nintendo's products. Nintendo nevertheless issued a statement that the security of user passwords might be compromised. While the security hole has already been fixed, Nintendo is still investigating some details of the attack. Data relating to payment services has not been affected.
Most gamers don't understand why hackers attack game companies; they see no reason to put others in misery for fun (and profit). The only positive thing about these attacks is that they will make companies more concerned about security. Sony in particular will probably reconsider where it stores which data and how to protect passwords properly. That said, whatever positive aspects these incidents may have, the legal implications are clear: just because someone left their door wide open does not entitle you to steal from them.
Some companies like RSA Security and Sony now have dedicated Chief Security Officers who oversee the security of the company's infrastructure as a whole. It remains to be seen whether this actually improves the situation. You can be sure, however, that the companies affected by the recent hacks will make security a top priority in the future. It's just not something that can be done in a day's work for a company the size of Sony.
In other news, the International Monetary Fund (IMF) has reportedly been attacked. Again it is not known who is responsible, but in this case hackers working for a foreign government are suspected. This is indicated by the fact that it was a targeted phishing attack that compromised a single system within the organization's network, which was then used to download a large quantity of data that could be valuable for espionage purposes. At press time, no further details about the stolen data were available. The attack was reportedly launched long before the resignation of former IMF chief Dominique Strauss-Kahn. As a precaution, the World Bank temporarily cut its network connections to the IMF. Officials of the organizations called it a major breach but said the fund remains fully functional.
Overall, companies and organizations face an increasingly hostile environment in cyberspace. Whether for fun, challenge and recognition, as with the user data stolen from various companies, or for espionage and cyber warfare, as with government organizations, hacker attacks are an ever more present threat. Governments around the world have started to prepare for both offensive and defensive scenarios. As always, the United States wants to be at the forefront when it comes to warfare: together with Israel, the US is widely reported to have launched a very sophisticated cyber attack using the Stuxnet worm on nuclear facilities in Iran last year.