Steam Forum Compromise is the Latest Effort in Possible Credential Aggregation
Either someone is doing some serious academic work in researching password strengths, or someone is building a really great hashed password dictionary. The Steam community forum compromise, in which attackers gained access to a database containing usernames, encrypted passwords, and e-mail addresses, is just the latest in a series of compromises targeting a subset of the online community: gamers.
It’s difficult to say whether these attacks are increasing in frequency or whether media reporting and voluntary disclosure has created the illusion of a growing trend. In either case, our activities are continually moving online, often protected only by a username and password, instead of staying safe and warm in hard disks on our home desktop computers. The attack surface is increasing as more web services require more usernames and passwords and the opportunity for password reuse increases.
Online gaming targets make attractive targets to hackers that are looking to make easy money without running afoul of banking or merchant information that might attract federal law enforcement. It is against the Steam terms of service to sell or trade accounts. The same is true with popular massively multiplayer online games such as World of Warcraft. That doesn’t mean that it doesn’t happen. Often it happens fraudulently, with attackers gaining access to an account and then selling the account downstream to users on grey markets. Buyers know that they may be dealing in stolen goods, but because they’re trying to get an edge in the game, they’re willing to take the chance, although they often become the victims themselves when their account information is stolen as part of the transaction.
Compromising forums that are related to games may be the first step to large-scale operations compromising online game accounts. By building a rainbow table of usernames, passwords, and e-mail addresses, attackers can use a scatter shot approach to try to compromise as many accounts on as many services as possible. Each service compromise can add valuable information to a correlated list of credential pairs. Even if passwords related to accounts are encrypted and salted, as in the case of the Steam Forum, knowledge of valid usernames and e-mail addresses can help attackers to tailor spoofing or phishing attempts against known active accounts.
Valve and their Steam service isn’t the only target as of late. The movement this year was kicked off in April with the compromise and extended downtime inflicted on the Sony Playstation Network. Millions of user credentials were reported lost in the breach. In May 2011, websites owned by Square Enix were hacked, allowing attackers to gain e-mail lists. In June, the BioWare-owned Neverwinter Nights community forums were hacked, leaking several thousand usernames, encrypted passwords, and e-mail addresses, along with websites of Codemasters, Epic, and Bethesda. Users of the Microsoft Xbox Live service have reported account compromises, although this may be the symptom of downstream compromises rather than another example of a mass attack.
There exist safeguards against account compromises on several major services. Valve offers SteamGuard, a two-factor authentication mechanism that requires verification of a code if a user tries to log on to a Steam account from an unrecognized system. Blizzard has a system called the Battle.Net Authenticator, a classic asynchronous token authentication device, required to log on to their service. But these are opt-in services, leaving many users with only a username and password to protect their accounts. Users who want to increase the complexity of their passwords without suffering from password fatigue can use a password management application, preventing reuse.
All this activity hits the enterprise when we realize those same gamers on online forums and online games at night, and on the weekend, are often in our employment during the weekday in a huge variety of roles. Password reuse may extend to internal enterprise accounts. Attackers who wish to gain access to internal systems may first start with popular online gaming forums, working their way through user accounts correlated against their rainbow tables and password dictionaries to those that exist within a targeted business. The use of web-based single sign-on technologies like OAuth and SAML could increase the risk of compromised passwords, possibly allowing attackers to gain access to multiple resources with a single credential pair. In the enterprise, with the advent of single sign-on and federated user databases, the compromise of a single password could affect many systems, increasing the impact of an exploit.
Enterprises are advised to carefully review their password policy, tying user education in with password reset policies to divorce external and personal account passwords from internal systems. Password policies should require complex passwords. Additional authentication methods beyond username and password pairs should be considered. Sensitive sites may even consider developing policies and procedures to track compromises of public services and notify internal users who may be affected to change passwords on corporate systems. Greater awareness and tightened policies can go a long way toward keeping public compromises from affecting private systems.