Thursday, December 14, 2017

Tag: Valve

Steam Store victims can expect an email from Valve. Valve has apologized for a winter Steam Sale breach—more than two months after 34,000 users had personal information exposed to other shoppers. The target of a Christmas Day denial of service attack, the online shop was overwhelmed by 2,000 percent more traffic than usual.
In an effort to counter the assault, a Valve partner deployed new caching rules, one of which incorrectly cached Web traffic for authenticated users, allowing some people to access details generated for others. As a result, those browsing the online shop between 2:50 and 4:20 p.m. ET that day may have stumbled upon billing addresses, purchase histories, email addresses, and partial Steam Guard phone numbers and credit cards.

Folks were not, however, privy to full financial details, user passwords, or enough data to log in or complete a transaction as another user. Following a temporary shutdown of the Steam Store site, Valve worked with its Web caching partner to identify those whose information was accidentally served to others.

Before the New Year, the company said it would contact affected parties once they were identified. Now, contact has finally been made. "We're sorry this happened and have taken steps to prevent this problem from occurring in the future," Valve wrote in an email to customers, published by The Verge. Valve did not immediately respond to PCMag's request for comment. The message mostly reiterates a December update on the breach, with an explanation that "we want you to be aware of what information could have been seen by another Steam user." If you used the online store during the breach, and are still unsure about the safety of your personal details, email
There are plenty of great antivirus products out there, but sometimes they miss the mark. Seeing how much malware a security program catches is one way to evaluate it, but so is recording its number of false positives. A false positive is when antivirus mistakenly reports a safe and legitimate program as dangerous malware. That's annoying for users trying to access trusted programs but even worse for the creators of the unfairly demonized software. The Institute of Electrical and Electronics Engineers (IEEE) wants to put a stop to this, and PCMag's resident security ascetic Neil Rubenking has brought us the details of its plans. False positives are often the result of antivirus software encountering a safe program too new to recognize. IEEE's solution hinges on the Clean File Metadata Exchange (CMX) service. With CMX, software authors can submit metadata for new files such as new programs or updates to existing programs before they are even released. Security vendors could then access this data in real-time to stay current with the latest legitimate files and prevent their programs from flagging them as malware. CMX is not a database, though. It holds onto data for a week or two as it validates and delivers it to subscribers. Anyone checking in less frequently and looking for older data will have to pull an archive. "The system from our side is more geared toward big software houses," said Professor Igor Muttik, Senior Principal Research Architect at McAfee, in an interview with Rubenking. Vendors can submit if they have a Class 3 Digital Signature. "If they wish to build reputation, now they have a way of doing it." Initially, Microsoft was the only big company committed to CMX. But as the service continues to court partners it now contains millions of EXE records from groups like major security companies, PC OEMs, and even Steam. That doesn't mean smaller third parties are out of luck. 
Mark Kennedy, Distinguished Engineer of Security Technology and Response at Symantec, explained how a company like Symantec could endorse software it thinks is clean. Consumers then see that opinion and choose to trust it or not. CMX also uses Software Identification (SWID) tags to add more information to the service. The US government requires any software it uses to feature SWID tags, giving CMX even more data to draw from as a bonus. CMX is part of the larger Anti-Malware Support Service (AMSS) initiative. Another component, the malware packer-identifying Taggant System, was proposed by Kennedy and Muttik five years ago at the Black Hat conference. Some criticize these collaborations as anticompetitive, but James Wendorf, Director of Cross-Industry and Multiple-Stakeholder Collaborations at the IEEE, sees it a different way. "Standards are about bringing together interested parties, often competitors, to combat problems. The bad guys collaborate and share, so we need a way for the good guys to collaborate as they can," said Wendorf. "Without being anticompetitive, we don't want those problems. It matches IEEE's overall goals and purpose, which is to advance technology for the benefit of humanity." 
Marc Laidlaw, the esteemed sci-fi writer who has worked at Half-Life developer Valve since 1997, has confirmed his retirement from the Bellevue, Washington studio. He was the sole writer for both Half-Life 1 and 2, and had crafted each game's wider n...
"Federal union of consumers" also wants more liability for data breaches.
Valve's popular gaming platform is finally set to come to terms with rampant fraud and insecurity on its platform. Gaming vendor Valve is admitting that it has a problem with account theft in its Steam gaming community and is now taking steps to protect users. Whether or not the new user protections put in place by Valve are enough to protect Steam remains to be seen. "We see around 77,000 accounts hijacked and pillaged each month," Valve stated in a post explaining its new security efforts. "Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living." A key target for account hijackers has been the Steam Trading community, which enables users to trade items with each other. Valve is now introducing a two-factor authentication (2FA) system for Steam accounts called Steam Guard Mobile. The basic idea behind all 2FA systems is that by having a second factor, or device, that a user needs to have in order to gain access, the risk of account theft is reduced. Rather than simply plugging into an existing 2FA technology, Valve created its own for Steam. Among the popular 2FA technologies in use today is Google's Authenticator. "Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to," Valve stated. "This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades." Security experts contacted by eWEEK are not surprised by the new security effort from Valve to protect Steam users. According to Mark Stanislav, senior security consultant at Rapid7, Steam and other gaming platforms that involve digital currency have always been an attractive target for criminals. 
Although Steam is a target, Stanislav noted that only a small percentage of Steam's approximately 125 million users have had an account hijacked. With approximately 77,000 stolen accounts a month, that represents less than 1 percent of the user base being compromised. "While this amount is of course a big problem and nontrivial, it shows just how much opportunity attackers have to be successful against a population that immense," Stanislav told eWEEK. Rob Sadowski, director of marketing at RSA, the security division of EMC, commented that any service or system where there is potential for financial gain is a target, and the popularity of Steam with the volume of in-game commerce makes it a high-value target. Opportunity is created by the fact that there may not be the type of robust security and fraud controls found in more "conventional" transaction systems—for example, banking—and as such, gaming platforms may be easier to exploit, he said. "It should also not be overlooked that users may not perceive the same level of risk for their gaming accounts or virtual goods as they would for a banking account or financial transactions," Sadowski told eWEEK. "So they may be less careful or circumspect in terms of protecting their gaming accounts." Regarding the new Steam Guard Mobile two-factor authentication system, Sadowski said strong authentication can be a very effective control to ensure that users are who they say they are. "However, authentication should be augmented by additional fraud monitoring and controls that can analyze user behavior and highlight high-risk activities that may indicate patterns of fraud or abuse," Sadowski said. Stanislav also is optimistic that the Steam Guard Mobile 2FA system will be successful at protecting users, though there are past cases in the gaming world where such systems were defeated.
"Early last year, we saw a piece of malware that would actually intercept two-factor authentication codes for the game World of Warcraft," he said. "This issue is exactly why Steam implements a process where the user doesn't simply transmit a code generated on their mobile device into their PC, which may already be infected, but instead performs that authentication action out-of-band via their phone directly to the Steam infrastructure." In Stanislav's view, the method and implementation of Steam's 2FA system should result in a vast reduction of digital theft if widely used by gamers. "There's always a risk that new security issues will be found that could allow an attacker to work around this security control, find weaknesses in the mobile application or social engineer the gamer into doing an action that weakens account security," Stanislav said. "Still, these new avenues are much harder for your average criminal to achieve and perhaps may result in them looking for a different platform or population to target due to the complexity for success." Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
Traded items will be "held" for days unless you have two-factor security.
With Valve's long-awaited initiative to bring PC gaming to the living room now just days away, the head of the company has claimed its hardware line-up can offer better performance-value than consoles. In an interview with Develop, Gabe Newell was qu...
Matches set to be played in front of thousands at Seattle's KeyArena delayed due to DDoS attack
Attacker could steal account with nothing but a username.
Malware links briefly appear in fan-voting section despite $100 submission fee.
Gaming Editor Kyle Orland on Valve's big reveal.