[conspire] Security cautionary tale: Involves 'Steam' but could have been any of many others
Rick Moen
rick at linuxmafia.com
Thu Jan 7 18:50:21 PST 2016
Just to stress, I have absolutely no idea what was the _actual_
route to Mr. Dave Palmer's security compromise, and no direct
evidence that the 'Steam' downloads have recently (or ever) been
tampered with. I'm just saying why that scenario is plausible, pointing
out bad security practice on that company's site, and citing this as a
cautionary tale about the broader problem of people trusting blackbox
proprietary downloads, especially in the face of such bad indicators.
Pseudonymous claims, from about two weeks ago, alleging a security breach on
'Steam' Web sites were here:
https://www.reddit.com/r/Steam/comments/3y7r0b/do_not_login_to_any_steam_websites/
I have no knowledge of whether those assertions are credible, and so do not
endorse them, but merely pass along the link.
Date: Thu, 07 Jan 2016 11:30:59 -0800
To: Skeptic <skeptic at lists.johnshopkins.edu>
From: Dave Palmer [e-mail snipped]
Subject: Hacked!
During the recent Steam winter sale (an online computer game distro
company), they had a major security breach, and the web pages belonging
to some people showed up on the computers of others, showing email
address and credit card info. I think they got me.
Yesterday, everything started going wonky. I got an email from American
Express saying I was trying to change my password. Then I got one from
Earthlink about my email account. Then one from the Apple store, which I
have never been to. Then I stopped getting email entirely, and my phone
started acting weird. It would ring once or twice and then just stop.
So today, I managed to get onto the Amex site, and found that somebody
had put $6000 in charges from the Apple store on my card, so I called
Amex, and cancelled the card. Then I poked around inside my email
settings at Earthlink, and found that somebody had set it up to forward
all my mail to another address (a feature I didn't even know they had).
Just a few minutes ago, an AT&T tech showed up at my door to "fix my
phone." I hadn't contacted them. He looked at the info on his pad and
said that somebody had set up my phone to forward all my calls to
another number--which is something ELSE I didn't know you could do.
He took off the forward, and I pressed him to pass all this on to their
fraud division. He didn't seem too enthusiastic about it, like it might
mean more work for him.
This worries me greatly; this was no simple script kiddy hack. All my
passwords are SERIOUSLY secure. Anyway, I've gone through and changed
all the passwords. Any email sent to me since around 4 pm Wed never got
to me.
Date: Thu, 07 Jan 2016 13:35:45 -0800
To: skeptic at lists.johnshopkins.edu
From: Dave Palmer [e-mail snipped]
Subject: Re: Hacked!
>Interesting. There's nothing on their web site right now warning
>people of problems.
Nope, it happened last week, and Steam wasn't exactly
overly-enthusiastic about mentioning it. I learned of it on Reddit.
>I hope I'm telling you the obvious, but just in case, report this
>to one of the credit reporting agencies ASAP so this is on your credit report.
Yup, Amex has cancelled my card, and I told them the $6000 in charges to
the Apple store this guy just made are not mine.
>For Earthlink, I believe that if you have the basic ID numbers, ssn,
>billing credit card #, phone #, you can push through a password change
>without knowing the old password.
Well that's kinda the odd thing: my old Earthlink password was still
working today. I've changed it, of course. I've changed ALL my
passwords, even on my WiFi router.
This is not script kiddy shit, this is Russian Mafia shit. I take my
security SERIOUSLY, always have. My passwords are all insanely obscure,
I never use the same PW twice, my PC is about as secure as Windows gets.
Date: Thu, 7 Jan 2016 14:08:12 -0800
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at lists.johnshopkins.edu
Subject: Re: Hacked!
Quoting Dave Palmer [e-mail snipped]:
> Yup, Amex has cancelled my card, and I told them the $6000 in charges
> to the Apple store this guy just made are not mine.
Note to the assembled: One's right under USA law to not pay this gets
preserved only after one files a timely _written_ (signed, dated)
affidavit to this effect.
The FDCPA protection also won't protect you against fraudulent charges
originating abroad, so travellers should be aware of that.
> This is not script kiddy shit, this is Russian Mafia shit. I take my
> security SERIOUSLY, always have. My passwords are all insanely
> obscure, I never use the same PW twice, my PC is about as secure as
> Windows gets.
Careful exercise of logic would reveal to Dave where the security breach
_must_ have occurred, but I doubt he's going to bother stopping to
think, because he's too busy shouting about Russian mafiosi and the sky
falling.
It occurred wherever he stores his all-unique-never-used-the-same-place
passwords, or on the device where he uses them to make outbound
connections. I'm betting that's the same place, and I'm betting that
it's his MS-Windows machine.
> as secure as Windows gets.
I'll just leave that lying there.
I don't mind telling the world where I keep all my _own_
all-unique-never-used-the-same-place passwords. They're in a PalmOS PDA
that never gets its WiFi or even Bluetooth abilities enabled. Said PDA
gets consulted by being held in the air by me, and I have to read the
passwords / whatevers off its small screen to use them wherever I need
to apply the information for access to something, i.e., I have to enter
them rather than copying/pasting from a password 'wallet' app.
Inconvenient? Sure. But I get the assurance that it's literally
airgapped from everything else.
The sole exception is when I back it up over USB. And one of these
days, I need to get one of those USB adapter widgets that restricts what
type of USB device the thing I connect to can claim to be, though I
doubt that is a credible threat model in this case.
On PalmOS itself, I store all passwords and other sensitive information
in a gradually expanding set of records within Keyring,
gnukeyring.sourceforge.net , an open-source PalmOS application that
stores everything in a single database file that is 3DES encrypted as
stored, and only one record at a time gets decrypted in PalmOS RAM.
Thus, my backups are single files that you can certainly break into if
you can brute-force 3DES symmetric encryption.
I leave copies of the backup files, in fact generational sets of the
file going back years, in as many places as I can.
There's one master password. If I ever forget it (and Deirdre does at
the same time), I'm in trouble. Short of shoulder-surfing me as I use
my PDA, you'll need to use rubber-hose decryption on me (or my wife).
Date: Thu, 7 Jan 2016 17:49:57 -0800
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at lists.johnshopkins.edu
Subject: Re: Hacked!
Quoting Greg B [e-mail snipped]:
> Why store them online at all?
Technically, I store them _offline_. The only place that is 'online' is
in 3DES-encrypted form in PDA backups. But let's move on to the
substance of your question and suggestion:
> Why not simply dream up an algorithm or two in your head and use one
> based on a derivation in conjunction with the site name? Should be
> pretty indecipherable.
Also easy to start forgetting and getting wrong.[1] Also, the more
easily memorable the algorithm is, the easier it is to deduce the
pattern from a couple of examples and make good guesses at the other
passwords.
Honestly, though, mostly the latter doesn't happen. Mostly, passwords
get misappropriated because you use them on a machine that has been
security compromised, and then often the resulting damage gets
multiplied because of people using the same credentials in multiple
places. But the worst damage occurs when the machine that has been
security compromised is one where the crown jewels are: either the one
machine from which you do outbound connections to almost everything, or
the place where your 'password wallet' application is, or both.
Which brings us back to Mr. Palmer here. He says that Valve Corporation
(which he calls 'Steam', the name of their gaming software platform) had
a major security compromise about which, as is typical, they've been
slow to be honest with their users. Which sort of behaviour I've
seen from firms only, gosh, just about always.
According to Dave, the 'Steam' Web site had security problems. Let's
say you were a garden-variety computer criminal -- not the Russian
Mafia, just some shlub -- and you found that Valve Corporation had made
one of the usual dumbass errors with site security. You ssh in using
(say) company developer credentials you stole when an engineer rashly
ssh'ed into the company from a shared university shell server that had
long ago had a trojaned /usr/bin/ssh client installed. You poke away at
the server for a few weeks and find a way to escalate privilege to
root-user authority. Now you have the keys to the kingdom. You quickly
install a rootkit so that your presence won't be noticed by the
(oblivious) Valve Corporation sysadmins.
And you think: What should I get into? Credit card information for
sure, because it looks like Valve Corporation stupidly hosts
'store.steampowered.com' on its own server, the same server that hosts
downloads and product information. (I cannot tell this absolutely for
certain without a lot more research, as they're load-balancing
everything on Akamai.) So, let's say you break into credit card data,
and steal Dave's Amex card information.
But then what _else_ is the aspiring young breakin artist going to fool
around with? Downloads, of course! It's a juicy target, and there is
_nothing_ being done there to provide users with a means to authenticate
what they download.
o The download for MS-Windows is an .exe file.
o The download for x86_64 Linux is a .deb package.
o The download for MacOS X is a .dmg disk image.
In each and every case, you are supposed to immediately 'open' and run,
or just run, an executable and then give it root (for Linux, MacOS X) or
Administrator (for MS-Windows) authority. This huge piece of black-box
proprietary software, you are asked to just give it carte-blanche to do
anything whatsoever on your computer, right then.
And people do that. Because they've heard 'Steam' is cool, and so they
totally compromise their system security for a bright shiny object that
they have absolutely no reason to trust.
Now, I don't know from specific information that Valve's .exe, or its
.deb, or its .dmg is now, or has ever been, trojaned by someone who
compromised its Web site. However, the point is that _if_ someone did
compromise that Web site, that is logically, if not the very first thing
to tamper with, at least the second thing.
How do we do things differently in open source? First of all, we are
lastingly wary of big piles of proprietary software and avoid them where
possible. Second, we're trebly wary of such piles if expected to fetch
and run them with root-user authority.
Third, we also try to train users to check the provenance and
attestation of code. Look, for example, at the 'Install Steam Now'
links on http://store.steampowered.com/about . Do they even offer so
much as md5sums or sha1sums of the download files, so that the user can
verify that the download is intact? No.
Is there a developer PGP keyring used to sign the downloadable files,
that can be used to ensure that the files haven't been tampered with
since the developer signed them? Seemingly not that, either.
Many hapless compromises of developer download sites _have_ been quickly
detected because someone was alert enough to notice that newer downloads
lack PGP signing entirely or suddenly have a new key the developer
hasn't used before. This pattern of change is apparent even if the
intruder uses root control to put a tampered-with PGP keyring up for
download: Someone quickly enough wonders why the key suddenly changed
without explanation (and there are also better ways to manage
introduction of new signing keys that ought to be used).
But none of this is even in the picture because... cool gaming!
Bright shiny objects!
But Dave has _no idea_ how this could have happened. Except Russian
Mafiosi.
[1] My Keyring database has about 250 records. Even though probably
2/3 of those are things I no longer need to know, even 50, even 30
strong-password credentials are difficult to remember reliably. And,
don't know about you, but my losing access to most of my working set of
passwords would be a Very Bad Thing.
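The provenance check Rick describes above (signed checksums, and alarm when
the signing key changes without explanation) can be made mechanical. The
following is an added example, not code from the original thread and not
anything Valve publishes; it assumes a vendor that ships a sha256sum-style
list plus a detached PGP signature over it, and that the verifier has
already pinned the vendor's signing-key fingerprint from a channel other
than the download server. The function names (parse_gpg_status,
expected_digest, check_release), the pinned fingerprint values, the file
name steam.deb and the gpg status lines are all constructed for the
example; the status lines follow the format gpg emits with --status-fd.

```python
import hashlib
import re

# Fingerprint(s) of the vendor's release-signing key, learned from a channel
# other than the download server (constructed value for this example).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def parse_gpg_status(status_text):
    """Reduce `gpg --status-fd 1 --verify` output to (verdict, fingerprint).

    verdict is one of 'valid', 'bad_signature', 'unknown_key',
    'unverifiable' or 'no_signature'.  Assumes a single signature.
    """
    verdict, fpr = "no_signature", None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            fpr, verdict = fields[2].upper(), "valid"
        elif keyword == "BADSIG":
            verdict = "bad_signature"
        elif keyword == "ERRSIG":
            verdict = "unverifiable"
        elif keyword == "NO_PUBKEY":   # gpg emits this after ERRSIG for an unknown key
            verdict = "unknown_key"
    return verdict, fpr


def expected_digest(sums_text, filename):
    """Pull the SHA-256 for `filename` out of a sha256sum-style list, or None."""
    for line in sums_text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$", line.strip())
        if m and m.group(2) == filename:
            return m.group(1).lower()
    return None


def check_release(installer_bytes, sums_text, gpg_status, filename,
                  pinned=PINNED_FINGERPRINTS):
    """Policy: the sums file must carry a valid signature from a pinned key,
    and the installer must match the signed checksum.  gpg's TRUST_* lines
    are deliberately ignored: pinning replaces the web of trust here, so a
    signature that is 'valid' but from a never-seen key is refused."""
    verdict, fpr = parse_gpg_status(gpg_status)
    if verdict != "valid":
        return False, "refusing: checksum file signature is " + verdict
    if fpr not in pinned:
        return False, "refusing: checksum file signed by unpinned key " + fpr
    want = expected_digest(sums_text, filename)
    if want is None:
        return False, "refusing: no checksum entry for " + filename
    if hashlib.sha256(installer_bytes).hexdigest() != want:
        return False, "refusing: installer does not match signed checksum"
    return True, "ok: " + filename + " verified against pinned key " + fpr


# --- constructed sample inputs; no real Steam artefacts are involved -------
GOOD_INSTALLER = b"constructed installer bytes"
TAMPERED_INSTALLER = GOOD_INSTALLER + b" plus an unwanted extra"
SUMS = hashlib.sha256(GOOD_INSTALLER).hexdigest() + "  steam.deb\n"

PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
NEW_KEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def valid_status(fpr):
    """A constructed --status-fd transcript for a good signature by `fpr`."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Vendor Releases <releases@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2016-01-07 1452200000 0 4 0 1 8 00 {fpr}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
    )


GOOD_STATUS = valid_status(PINNED)
NEW_KEY_STATUS = valid_status(NEW_KEY)       # key silently changed: refuse
NO_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] ERRSIG {NEW_KEY[-16:]} 1 8 00 1452200000 9 {NEW_KEY}\n"
    f"[GNUPG:] NO_PUBKEY {NEW_KEY[-16:]}\n"
)
BAD_SIG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {PINNED[-16:]} Vendor Releases <releases@example.invalid>\n"
)

if __name__ == "__main__":
    cases = [("genuine", GOOD_INSTALLER, GOOD_STATUS),
             ("tampered file", TAMPERED_INSTALLER, GOOD_STATUS),
             ("new signing key", GOOD_INSTALLER, NEW_KEY_STATUS),
             ("unknown key", GOOD_INSTALLER, NO_KEY_STATUS),
             ("bad signature", GOOD_INSTALLER, BAD_SIG_STATUS),
             ("no signature", GOOD_INSTALLER, "")]
    for label, installer, status in cases:
        print(label, "->", check_release(installer, SUMS, status, "steam.deb"))
```

Two points the code makes that the prose leaves implicit: a checksum served
from the same server as the download only proves the file arrived intact,
because an intruder with root replaces both at once, so the checksum list
is worthless unless it is signed; and a signature that gpg reports as
valid is still refused when the key is not one already pinned, which is
exactly the "key suddenly changed without explanation" signal that has
caught tampered download sites in the past.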