Reported fairly widely in the press is the story about a 5-year-old managing to gain access to his father’s Xbox Live account and play otherwise restricted video games.
The reports are very consistent in detailing the steps he went through to gain access to the account: essentially he found a vulnerability in the password reset feature of the Xbox One log-on screen.
Microsoft have apparently rewarded the youngster with money, games and recognition; for a 5-year-old it must be a nice little 15 minutes of fame, not to mention free games.
What concerns me a little is that, with all this coverage, no one seems to be asking how a vulnerability simple enough for a 5-year-old to discover and exploit made it into a production system. Also, where else is the same authentication code used?
Don’t get me wrong, I am all for supporting innovation in security research at any age. But let’s get some perspective and start asking the questions that should really be asked.
For details either Google it, or try this link:
http://www.tomshardware.com/news/microsoft-xbox-one-security-5-year-old,26471.html
Granted, part #1 of this article turned out to be a little more complex to execute than first reported (don’t believe EVERYTHING you read in a blog!), but this one turns out to be a little more serious.
Reported fairly widely in the mainstream tech press, this vulnerability permits the retrieval of private data from the iPhone and bypasses any user passcode. Looking at the process involved, it puts the technique in the hands of someone with mid-level technical expertise (thankfully we aren’t quite at the Hollywood security model of hitting a few keystrokes to bypass a password prompt).
The following video gives a good demonstration of the process, and for those wanting a little more detail, the technical paper supporting it can be found here.
First up, credit to the blogger who first raised this little absurdity: go and check out Tongodeon, who originated this story. I cover it here for two reasons:
This bank has set up a new authentication measure for identifying customers who phone the customer service line. In addition to the other identification data they need to provide, they are also required to provide a secret question and answer of their choosing. Basically the operator will ask the question and the customer will provide the pre-determined response. This is fairly similar to the common Australian practice of providing a password in addition to personal information to verify your identity; a practice with a similar security deficit, but not as much fun I guess.
Both of these practices put a lot of trust and faith in the operator you are speaking to. Whoever takes your call gains all this information and potentially the ability to use it for nefarious purposes. Combine this with the fact that call centre operators are generally not very well paid, or are on rather poor work contracts, and I think this reveals an accident waiting to happen, particularly when cheap technology such as an RSA key is readily available.
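To make the design point concrete, here is an added example (my own illustration, not code from the original post or from any bank) of a phone-verification back end in which the operator’s terminal only ever receives a verdict. It assumes a hypothetical CallVerifier service, storage of the secret answer as a salted PBKDF2 digest of a normalised form, and a standard RFC 4226/6238 one-time code from a hardware token standing in for the “RSA key” mentioned above; the customer record and token seed are constructed sample data.

```python
import hashlib
import hmac
import os
import struct
import time
import unicodedata

# Constructed demo: an operator-facing verifier that returns only a verdict.
# The stored answer is a salted PBKDF2 digest, so neither the operator's
# screen nor a database dump reveals the customer's chosen answer.


def normalise(answer: str) -> str:
    """Fold case, Unicode form and whitespace so a spoken answer matches
    the enrolled one regardless of how the operator types it."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enrol_answer(answer: str, iterations: int = 100_000) -> dict:
    """Enrolment keeps salt + digest only, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, spoken: str) -> bool:
    """Constant-time comparison of the spoken answer against the stored digest."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(spoken).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_token_code(secret: bytes, spoken_code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift.
    The operator hears the code, but it is worthless once the step expires."""
    return any(
        hmac.compare_digest(totp(secret, at + k * 30), spoken_code)
        for k in range(-window, window + 1)
    )


class CallVerifier:
    """Hypothetical back-end service sitting behind the operator's terminal."""

    MAX_ATTEMPTS = 3  # lock the phone channel after repeated failures

    def __init__(self, customers: dict):
        # customer_id -> {"answer": enrolment record, "token_secret": bytes}
        self.customers = customers
        self.failures: dict = {}

    def check(self, customer_id: str, spoken_answer: str, spoken_code: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        if self.failures.get(customer_id, 0) >= self.MAX_ATTEMPTS:
            return "locked"
        rec = self.customers.get(customer_id)
        # An unknown id gets the same verdict as a wrong secret, so the phone
        # channel does not confirm which customer ids exist.
        if rec is None:
            return "rejected"
        answer_ok = verify_answer(rec["answer"], spoken_answer)
        code_ok = verify_token_code(rec["token_secret"], spoken_code, now)
        if answer_ok and code_ok:  # both evaluated; the verdict never says which failed
            self.failures[customer_id] = 0
            return "verified"
        self.failures[customer_id] = self.failures.get(customer_id, 0) + 1
        return "rejected"


if __name__ == "__main__":
    # Constructed customer using the RFC 6238 reference seed, so codes are checkable.
    seed = b"12345678901234567890"
    svc = CallVerifier({"cust-001": {"answer": enrol_answer("Zardoz has spoken."),
                                     "token_secret": seed}})
    print(svc.check("cust-001", " zardoz HAS spoken. ", totp(seed, 59), now=59))
```

The operator types what the customer says and sees “verified”, “rejected” or “locked”; the enrolled answer is never displayed, and the one-time code the operator overhears stops being useful within a minute. Whether to require both factors or to let the token replace the shared secret entirely is a policy choice; the point is that the secret never has to pass through the operator in a reusable form.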
But enough doom and gloom. Let’s look at the fun you could have with such a system. Tongodeon has provided a few choice examples to paint the picture of the type of secret question and answers you could use:
Q: Do you know why I think you’re so sexy?
A: Probably because you’re totally in love with me.
Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.
Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.
Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.
Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.
Q: Are you really who you say you are?
A: No, I am a Russian identity thief.
Q: For the remainder of this conversation, “How can I help you today?” actually means “Would you like to buy some mescaline?” Do you understand?
A: I understand completely.
To this I can only add:
Q: As I said one morning walking down the street
A: Singing do-wah-didy didy-dum-didy-do
Q: I see dead people
A: Really? You must be nuts
Q: I think I just wet my pants
A: Oh, would you like me to give you a minute?
Q: Don’t bank here, use the [enter name of different bank] they won’t screw you with fees like we do
A: Gee, thanks for the tip
Q: Would you like a copy of some hot [chick/guy – delete as appropriate] we caught on the ATM camera?
A: Sure would, where can I download it?
Q: Everyone in this office is gay?
A: Not that there is anything wrong with that.
Choice is a wonderful thing. I wonder how long it will take the bank to change its policy?
The recent release of Opera Mini for the iPhone has seen it shoot straight to the top of the Free Apps charts. In general this is good: the Safari iPhone browser is a little lacking in features, and competition is generally good in such a regimented environment.
Now here comes the but. One thing that isn’t widely known by the majority of the consumer market (I am excluding those with some technical knowledge here) is how Opera Mini works and the ramifications of visiting any secure site, such as online banking, with it (it should be noted that a few banks are now offering mobile-device-friendly websites, and I am sure more will follow).
One of the big selling points is the speed that Opera Mini achieves. Unfortunately it achieves this by proxying all content through Opera’s servers, compressing it for delivery to the mobile platform and then passing it on. On the average website this isn’t such a huge problem; however, on a secure site such as a banking website, this exposes your details to the servers acting as the proxy.
On the whole this itself may not even be a problem; I am certain that Opera have security around this infrastructure to prevent disclosure of information. However, I think it does raise a few general questions:
Am I saying not to use Opera? No, it is a viable option as a web browser. All I want to point out here is that you need to be aware of exactly what is happening to your information, and that Opera should be making this fact a little more accessible to the average user.