Xbox Live NOT Hacked…
Filed in Xbox Live, hackers, news, rumor, March 21, 2007, 8:27 pm by Jeff

There’s been a lot of hoopla today from various blogs and news sites about Xbox Live. c|net covered it, and it spread to Slashdot, Firing Squad, 1Up, Kotaku, Joystiq, Evil Avatar, and other sites quickly. There’s just something about the words “Xbox”, “Microsoft” and “Hack” that when combined cause all the gaming blogs to light up.
Well, it’s all for naught. To Microsoft’s knowledge, there has been no compromise of the Xbox Live network. No credit card or other personal information was exposed. We treat the security of our users and networks very seriously and are constantly evaluating our security policies and procedures in this regard.
So what was all the fuss about? As far as our security investigation shows, this was a social engineering attack. Made famous by Kevin Mitnick, social engineering is the art of deceiving others into performing actions or divulging information. You know, like calling a phone company and convincing them to cancel the service for your neighbor who parks his car in front of your driveway. Using his name, phone number and address you might convince the phone representative that you’re really him - once that’s done you could wreak all sorts of damage. Another way would be to call your neighbor, convince him you’re the support representative for his phone company and you need him to confirm some important account details. Shoot, you don’t even need to call him - a convincing email or phishing website will do just fine.
In my opinion (this is my personal opinion, not that of Microsoft), there are (at least!) two things that can be improved upon here:
Xbox Live support representatives need better training
It was reported that when contacting Microsoft technical support, a representative said that “Hackers have control of Xbox Live and there is nothing we can do about it.” A support professional should not be making statements like this. First and foremost, they do not have the tools and access to the inner workings of the Xbox Live network, so it would be impossible for them to know if that statement were true or not. Secondly, why would you ever say “there is nothing we can do about it”? Perhaps the “we” was intended to refer to Microsoft Support, but to everyone else on the planet it sounds like “we” == Microsoft, and of course Microsoft could do something about it (if it were true). We built the thing, we know how it works, there are many things we could do if anyone were to compromise our security.
Industry reporters should vet stories better
Sorry to blame the messengers here, but all the reporting I saw today was completely one-sided. Look - there was a report that security might have been compromised. Microsoft issued a statement saying that it would investigate. Then suddenly reports are everywhere that Xbox Live has been hacked. (I’m looking at you, Kotaku!) What? How do you know? We get these reports practically every day, and I’ve yet to hear about one that turned out to be real.
I honestly believe our industry is being hurt by this lack of balance and bias within our most popular gaming blogs and news sites.
All in all, this whole shebang just reemphasizes how important it is to keep your personal information secret! Never share your password with anyone! Even if they claim they are from Microsoft. We don’t need your password! We will never ask for it. Protect other valuable information as well, like your name, phone number, credit card number, secret account question and answer, etc. These are only required if you call us for support - never share them with anyone via email, via voice chat, on forums, etc. Also, try to use a strong password, one that uses both letters and numbers. Use both uppercase and lowercase if you can. And finally, don’t use the same password on every website you visit! Who knows how other sites keep your information secure? A hacker could attack the site with the weakest security to get everything they need to steal your account.
- Official Microsoft statement (GamerscoreBlog.com) (MajorNelson.com)