Arcen Games

: Recent Hacking Attempt
: Dominus Arbitrationis March 20, 2017, 05:25:07 PM
https://arcengames.com/recent-hacking-attempt/

We will NOT attempt to get sensitive information from any users via PM.
: Re: Recent Hacking Attempt
: Cyborg March 21, 2017, 12:01:28 AM
Why would somebody do this? This is horrible. So sorry to hear it.
: Re: Recent Hacking Attempt
: x4000 March 21, 2017, 11:32:56 AM
We really have no idea.  They didn't make any demands, they didn't end up defacing anything, and so on.  I'm presuming that they were either trying to steal steam keys or install malware on our customer computers or deface our steam pages, or similar.

I haven't been doing anything high profile enough to warrant this sort of attention lately that I can think of.  Valve says that this is not something they've seen apart from us.  So whatever it is, it's something targeted at just us (or me, I don't know).  I don't know if it is personal, or a target of opportunity, or what.

Possibly someone looking for mantis installs just happened to find us?  But then what they started doing was pretty specific, so I dunno.
: Re: Recent Hacking Attempt
: x4000 March 21, 2017, 11:34:16 AM
For extra fun, I just noticed that the reason I've not been getting forum emails the last day or two is because he turned them all off.  Grah!

And things are still fouled up with my mantis account for mostly-unrelated reasons.  Well, I mean it's a downstream issue caused by having to do a bunch of password changes and whatnot, but still.
: Re: Recent Hacking Attempt
: TheVampire100 March 21, 2017, 01:29:11 PM
Hackers sell personal information like e-mail addresses to shady companies, so these companies can send targeted ads to these people. It's a really disgusting business.
I don't say this was the target here because someone wouldn't go so far to get the information from the same person, it really looks like a personal attack but in many cases this is the intent.
: Re: Recent Hacking Attempt
: x4000 March 21, 2017, 01:37:08 PM
The goal in this case was 100% clear to get access to our steam administrator privileges within Arcen.  That much we're very certain on, since that was attempted to be phished out of us.  But from there what to do... I'm less sure.  There's a limited amount of data one can get out of that sort of access, and certainly no customer data.

In a general sense I agree with you on the normal motivations, and we've fended off that sort of casual hacking before here as well as at past companies.  It happens.  The thing that made this one so freaky is that it went waaaaay beyond anything normal we'd ever seen in terms of the amount of effort being put in and the techniques being used.  I know a guy who runs a security consulting company, and it's the sort of thing he'd be doing if he's red teaming a client.
: Re: Recent Hacking Attempt
: z99-_ March 21, 2017, 01:48:01 PM
Maybe he thought you had inside info on Half Life 3
: Re: Recent Hacking Attempt
: x4000 March 21, 2017, 01:56:36 PM
> Maybe he thought you had inside info on Half Life 3

*tents fingers* Ahahaha!  Then he looked in the wrong place...

*cough cough*

 :D
: Re: Recent Hacking Attempt
: eRe4s3r March 21, 2017, 04:29:42 PM
And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

Am I right to assume this was the goal of the initial social engineering attack?

I think this is continuation of the front site deface hax from a few months ago, attackers will often probe 1 target where they had success as deeply as possible because it indicates lacking (or totally absent) security rules and awareness.

Of course, maybe the attackers should not target tech geeks huh. Should be very easy to trace down who tried to access your steam account. There is a login log somewhere in the depths of client settings in the steam client.
: Re: Recent Hacking Attempt
: Dominus Arbitrationis March 21, 2017, 04:53:16 PM
> And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

We are aware of how the attack played out, and have taken steps to prevent it from happening again. Valve was extremely helpful in this, and has provided us with the relevant logs.

Essentially, there was _very_ good social engineering done that resulted in the compromise. However, Valve is aware of the method of the attack and has taken steps to prevent another attack like this from occurring with us, and almost certainly with other people as well.

As for the other concern, no the accounts for Steam are not shared, and we practice giving people the bare minimum permissions that they need.

> Am I right to assume this was the goal of the initial social engineering attack?

Yes, we believe that compromising the Steam account was the goal for the attack. Despite this, the attacker was unable to execute the final stages of his plan, and was unable to do anything with the Steam account.

> I think this is continuation of the front site deface hax from a few months ago, attackers will often probe 1 target where they had success as deeply as possible because it indicates lacking (or totally absent) security rules and awareness.

We do believe that is the case. I have since gone in and fixed any flaws that we could find. If anyone knows of additional flaws, please send me a PM/email so they can be patched. You can also make a Mantis issue regarding it, but depending on the severity of the flaw that might end up being hidden from public view to prevent anyone from getting any ideas.

> Of course, maybe the attackers should not target tech geeks huh. Should be very easy to trace down who tried to access your steam account. There is a login log somewhere in the depths of client settings in the steam client.

Yep, I pulled _all_ of our logs and combed through them looking for any access to Chris' accounts or another Staff Member's accounts. We also got the IP that the attacker used to log in with from Steam.



To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.
: Re: Recent Hacking Attempt
: WolfWhiteFire March 22, 2017, 04:07:46 PM
> To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.

Can you use that to try to find out who was the hacker and what they were trying to do? Also do you plan on getting the police involved? I really don't get why anyone would do this, but I feel you should definitely try to get the police involved if they aren't already, considering the lengths taken to try to get whatever they were after and the possibility that this isn't the first time the person did a hack attack on this company.
: Re: Recent Hacking Attempt
: x4000 March 22, 2017, 04:16:59 PM
> > To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.
>
> Can you use that to try to find out who was the hacker and what they were trying to do?

The short answer is no, unfortunately. Without getting into details of their exploit it's hard to explain how they covered their tracks.  If we were countersecurity experts (we are not) and had an active live packet sniffer to our server (we do not) or some sort of honeypot set up (no comment), then potentially we could backtrace the user.  But suffice it to say that proxies and VPNs make that sort of thing pretty futile unless you're the NSA, anyway.
: Re: Recent Hacking Attempt
: x4000 March 22, 2017, 04:23:36 PM
> And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

This again is something I can't comment too directly on, but it was a midlevel attack by someone clever.  They got by the 2FA despite us not doing anything stupid (our bases were fully covered on that front), but they managed to use some excellent trickery to get what they wanted anyhow.  The 2FA actually is what saved my butt to some extent, because as soon as a change was made I got pinged and leapt to deal with it.  Part of it was that I got doxxed, but none of my personal systems or truly personal info was uncovered in that so far as I know.

Basically: knowing what I do now, I could pull this attack off against any other indie developer I wanted to, presuming that I found a weakness in some random service on their servers (doesn't matter what).  But that said, the other end has been hardened against this, so I think if I tried to do this I'd wind up falling into a honeypot belonging to Valve now, to be honest.  I have no idea, but I suspect so, anyway.

It was an interesting experience, anyhow.
: Re: Recent Hacking Attempt
: zespri March 25, 2017, 03:59:42 AM
> Basically: knowing what I do now, I could pull this attack off against any other indie developer I wanted to, presuming that I found a weakness in some random service on their servers (doesn't matter what).  But that said, the other end has been hardened against this, so I think if I tried to do this I'd wind up falling into a honeypot belonging to Valve now, to be honest.  I have no idea, but I suspect so, anyway.
>
> It was an interesting experience, anyhow.

I've been here 7 years... I think I own 5 copies of some Arcen games and more than one of each individual ones (was buying bundles and such and given the keys away to support the company).
Always admired the honesty and perseverance of Chris. Agreed / supported most of what has been written, discussed.

Still, I can't shake "security by obscurity" feeling. Detailing exactly how hacker social engineered his way to a steam account should actually help people, not put them in danger. Because exploit is now known and taken care of by Valve themselves. It would help people who might otherwise face a similar threat elsewhere in future. So why cannot this be explained or talked about? If you want to help these indie developers not to fall into the same trap, why would not you explain what exactly the trap is?

: Re: Recent Hacking Attempt
: Dominus Arbitrationis March 25, 2017, 12:19:06 PM
> Still, I can't shake "security by obscurity" feeling. Detailing exactly how hacker social engineered his way to a steam account should actually help people, not put them in danger. Because exploit is now known and taken care of by Valve themselves. It would help people who might otherwise face a similar threat elsewhere in future. So why cannot this be explained or talked about? If you want to help these indie developers not to fall into the same trap, why would not you explain what exactly the trap is?

I can't speak for Chris, but the reason why I don't want to disclose the exact details is because while this exploit may be patched, a particularly clever person could probably come up with a new attack based off this one. In addition, if we expose this issue, then Valve can't catch someone who tries this again. As it stands, they are aware of the issue and probably watching out for this again.

While I would love to openly address the issue, there are flaws with that. Not to mention, I like to respect privacy, even that of the "big boys". So, I don't want to detail their failings due to people getting the wrong idea. If Valve said that we could mention it, I would openly address it. Steam is the major way we sell the games. Annoying them just isn't good business sense. Do I think it would annoy them? I'd like to say no, but you can never be sure, so we should err on the side of caution.
: Re: Recent Hacking Attempt
: zespri March 26, 2017, 03:40:40 AM
Apparently stuff happens: https://medium.freecodecamp.com/hackers-stole-my-website-and-i-pulled-off-a-30-000-sting-operation-to-get-it-back-143d43ee3742#.3yj19ueax
: Re: Recent Hacking Attempt
: x4000 March 27, 2017, 11:41:06 AM
I know what you mean about "security by obscurity."  It's one of those things I'm really against, and so it's really tricky how to address that sort of thing.

When it comes to security researchers, I've always had an issue with the ones who publish their findings publicly before disclosing them to the companies affected.  Granted, a lot of that came out of the companies not being responsive to reports from researchers, and so researchers going about it the only way they could.

In this particular case, in my judgement by discussing this issue more publicly in terms of exactly what happened, I feel like I'd contribute more to hackers than I would to security.  That's a judgement call, obviously, but after a lot of consideration that's still the conclusion I come to.  This particular technique won't work again against Valve, but I don't want to encourage other people to try this against Valve or other hardened targets.

I also have to acknowledge my conflict of interest -- Valve is the source of a vast majority of my income.  Discussing security flaws without being in coordination for them could end my business.  I'm not really here to try to get my company embroiled in things like that.  I just want to make games.

How much does that conflict of interest affect my decision making, though?  There's a certain level of cowardice in the "don't rock the boat with your source of income," and I recognize that.

That's why I've been mulling this over and over.  I still keep coming back to the same feeling, though: with a lot of the security researchers that make exploits public nowadays, it's done I feel like almost out of pride or habit of that being the process.  So then Microsoft or Oracle or whoever are left scrambling to patch whatever thing after it's public, and getting customers to install those patches.  I'd be a lot happier if those researchers approached those companies first, got the things patched, and then either did or did not disclose the vulnerabilities after that based on their judgement.  Over-publicizing things like that has rubbed me the wrong way for years, even though in a lot of cases I know it's the only way to go.

In this particular case, despite the fact that I could now "pull this off against any other indie," as I noted, I think I'd wind up in handcuffs if I did so.  Since there's a component of social engineering in this one, there's always the chance I could pull it off without handcuffs, but the likelihood is low right now in particular.  Making the methods public is something that would likely lead to a lot of extra work for Valve in terms of having to fend off people who try the social component just to see if they can make it work.  And it could lead to a series of unrelated hacks of other indies to get the needed technical data, which would have other knock-on effects in systems unrelated to Valve.

In short, talking about this too publicly is something that I just don't see an upside for.  Even while acknowledging my bias for keeping quiet because of my financial relationship with Valve, I think that this would just not be a good samaritan thing to disclose.  If I consider how I'd feel if another indie disclosed it, I'd be mildly annoyed if it didn't affect me, or pretty incensed if it led to an attack on me.  As it stands, I don't see this being widely attempted going forward, and the vulnerability closed, so anything I do that might increase attempts on that or similar vulnerabilities is just bad for everyone.

It might be rationalization, but I've thought about it a lot and that's what I come up with.  :-\
: Re: Recent Hacking Attempt
: Professor Paul1290 March 27, 2017, 03:45:19 PM
I tend to be in favor of the "coordinated disclosure" approach where the company/developer is contacted first and given a reasonable amount of time to patch vulnerabilities before they go public, and that seems to be where things are going these days when it comes to how vulnerabilities are handled.

That said, that only really works with those who are willing to "coordinate".
If the company/developer is unwilling to address the issue at all then I have no problem with vulnerabilities being published right away as at that point I think it becomes more important to dispel the illusion of security.
: Re: Recent Hacking Attempt
: x4000 March 27, 2017, 04:24:14 PM
> That said, that only really works with those who are willing to "coordinate".
> If the company/developer is unwilling to address the issue at all then I have no problem with vulnerabilities being published right away as at that point I think it becomes more important to dispel the illusion of security.

100% agreed.