
By Anthony “RedHatAugust” Radzykewycz

Before We Begin

Before beginning this article, we need to cover some things up front. First and foremost, the author and Offensive Security are not condoning the hacking of games. There are ethical concerns regarding the driving of costs of overhead in the gaming industry due to the constant battle against cheaters, bot creators, crackers, and the like. There are also issues with affecting the games in a negative way for other players that only want to play the game for its intended value. Game hackers, more times than not, ruin the experience for other players due to destroying the notion of fair competition and the need to build up skills in the game of choice in order to prove the best players in the community.

Despite the ethical concerns, this article can serve a few purposes:

Provide current and future game developers an insight into how a piece of game hacking works in order to better prepare countermeasures against the hacks.

But exactly how such a sensitive key, allowing such broad access, could be stolen in the first place remains unknown. WIRED contacted Microsoft, but the company declined to comment further.

In the absence of more details from Microsoft, one theory of how the theft occurred is that the token-signing key wasn’t in fact stolen from Microsoft at all, according to Tal Skverer, who leads research at the security firm Astrix, which earlier this year uncovered a token security issue in Google’s cloud. In older setups of Outlook, the service is hosted and managed on a server owned by the customer rather than in Microsoft’s cloud. That might have allowed the hackers to steal the key from one of these “on-premises” setups on a customer’s network. Then, Skverer suggests, hackers might have been able to exploit the bug that allowed the key to sign enterprise tokens to gain access to an Outlook cloud instance shared by all the 25 organizations hit by the attack.

“My best guess is that they started from a single server that belonged to one of these organizations,” says Skverer, “and made the jump to the cloud by abusing this validation error, and then they got access to more organizations that are sharing the same cloud Outlook instance.”

But that theory doesn’t explain why an on-premises server for a Microsoft service inside an enterprise network would be using a key that Microsoft describes as intended for signing consumer account tokens. It also doesn’t explain why so many organizations, including US government agencies, would all be sharing one Outlook cloud instance.

Another theory, and a far more troubling one, is that the token-signing key used by the hackers was stolen from Microsoft’s own network, obtained by tricking the company into issuing a new key to the hackers, or even somehow reproduced by exploiting mistakes in the cryptographic process that created it. In combination with the token validation bug Microsoft describes, that may mean it could have been used to sign tokens for any Outlook cloud account, consumer or enterprise - a skeleton key for a large swath, or even all, of Microsoft’s cloud.

The well-known web security researcher Robert “RSnake” Hansen says he read the line in Microsoft’s post about improving the security of “key management systems” to suggest that Microsoft’s “certificate authority” - its own system for generating the keys for cryptographically signing tokens - was somehow hacked by the Chinese spies. “It’s very likely there was either a flaw in the infrastructure or configuration of Microsoft’s certificate authority that led an existing certificate to be compromised or a new certificate to be created,” Hansen says.
