Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Can Easily Lift Credit Card Info From a Used Xbox

Posted by timothy on from the extra-sensitive-data dept.

zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."

106 comments

  1. Jury is still out... by jrj102 · · Score: -1, Flamebait

    The jury is still out on this, absent real evidence I'm going to wait until more is known. Microsoft asserts (and it seems pretty credible) that card information is never stored on the device, making this attack impossible. (http://www.theverge.com/2012/3/30/2914332/microsoft-xbox-credit-card-hack-response) Anyone who has implemented this sort of system would agree that would be the natural design. I would rate it is likely you can recover account information, but incredibly unlikely that you can recover credit card info, but I'm giving this a few days for information to surface before I decide this is a valid attack vector.

    --
    jrjBlog
    1. Re:Jury is still out... by Anonymous Coward · · Score: 0, Interesting

      So basically you commented to let everyone know that you don't know shit. Quite worthwhile.

    2. Re:Jury is still out... by Anonymous Coward · · Score: -1, Troll

      Oh, I see. You are PAID by MS to write these comments.

    3. Re:Jury is still out... by billcopc · · Score: 3, Insightful

      I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.

      --
      -Billco, Fnarg.com
    4. Re:Jury is still out... by Dyinobal · · Score: 2

      Yep it makes 0 logical sense to store any credit card information locally on an xbox, I can't imagine Microsoft would make such a silly mistake. It would be like Valve storing credit card info for steam on the PC it is installed on.

    5. Re:Jury is still out... by Anonymous Coward · · Score: 0

      So basically you commented to let everyone know that you don't know shit. Quite worthwhile.

      Yes, and now we are in a loop.

    6. Re:Jury is still out... by ozmanjusri · · Score: 2

      now we are in a loop.

      A red ring of death?

      --
      "I've got more toys than Teruhisa Kitahara."
    7. Re:Jury is still out... by Anonymous Coward · · Score: 0

      "Yep it makes 0 logical sense to store any credit card information locally on an xbox"

      It makes sense to store valuable information on xboxes, just like Microsoft Windows versions which retain a lot of information unless you use CCLeaner or some other cleaning utility. And still, if you look around your drive enough, interesting info may still be retained!

      "I can't imagine Microsoft would make such a silly mistake"

      Are you sure it's a mistake? Have your read the Kinect privacy policy and or terms of service, for example?

      How many proprietary forms of software do you allow to access your entire drive in a malware scan on a proprietary OS? Are you certain they are not storing or sending information? Do you dump all net transmissions and inspect every binary and packet to make sure?

      "It would be like Valve storing credit card info for steam on the PC it is installed on"

      How do you know whether company A or B does or not, unless you carefully inspect every file on your PC and registry entries. What if company A or B uses encryption? Uses patched binaries with or without encryption? Stores the information using stego tech in image files?

      Electronics are increasingly showing their weaknesses, as if some were designed for the purpose of retaining your information.

      What makes 0 logical sense is to place any trust in any electronic device for privacy and security. Period.

      People do a lot of talking on how much governments own media, but there's a lack of it on how much access they have to electronics, both in software and hardware. Case and point: google cisco router backdoor.

    8. Re:Jury is still out... by ozmanjusri · · Score: 4, Funny

      The jury is still out on this, absent real evidence I'm going to wait until more is known.

      Exactly, those researchers at Drexel U have shown themselves to be repeatedly untrustworthy, and have huge commercial reasons to lie.

      And those people who are unsure whether their credit cad details have been stolen shouldn't complain either.

      I mean, which part of "Microsoft product" did they not understand?

      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:Jury is still out... by Runaway1956 · · Score: 1

      "It makes sense to store valuable information on xboxes, just like Microsoft Windows versions which retain a lot of information unless you use CCLeaner"

      How, and why, does it make sense to store "valuable" information? And, who determines what "valuable" means, anyway? Personally, I store almost nothing on my machine. And, Microsoft doesn't store ANYTHING on my machine. I dumped Windows years ago, when I discovered how easy it is to retrieve data that most people don't even know is saved.

      Crap, you can pretty much write a person's biography, if you can get his computer!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:Jury is still out... by Anonymous Coward · · Score: 1

      Before my fellow Dragons attack the parent post, please read it again after turning on your sarcasm detectors.

    11. Re:Jury is still out... by ozmanjusri · · Score: 1

      I also thought the CC info was stored on Microsoft's servers.

      TFA implies it's cached in system files.

      Their advice is worth bearing in mind for desktop computers too, not just XBox 360s

      "I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate—the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate."

      --
      "I've got more toys than Teruhisa Kitahara."
    12. Re:Jury is still out... by ArundelCastle · · Score: 4, Insightful

      I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.

      The point, I think, is that it's naive not to assume some engineer decided to store the info in *both* places. If you were trying to make the customer experience as smooth as possible, and you had 99% confidence that the home box was in possession of the Real User, you might want to make the process a little more "foolproof".

      Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen, which has a non-zero chance to frustrate the Real User to the point of cancelling the sale. Bad for a market built on instant gratification.

      Any goodheart engineer who cries foul from a system security training point of view, has probably never had to answer to a Director more concerned with their department operating at a loss for years. Xbox division regularly dipped into and out of the red until the last couple of years.

      And the bigger point is, with all the revisions to the Dashboard, it may be impossible to know when this purported "feature" was added, taken away, or actively used. I bet you 2800 MS Points that the next dash update roots out and purges this data. Won't stop the class-actions though.

    13. Re:Jury is still out... by muon-catalyzed · · Score: 1

      Just the fact that the cc info is recoverable from the drive is alarming, it should have been scrambled beyond recognition by some cypher.

    14. Re:Jury is still out... by Anonymous Coward · · Score: 1

      "Exactly, those researchers at Drexel U have shown themselves to be repeatedly untrustworthy, and have huge commercial reasons to lie."

      Not much differnt than sloshdot editors these days!

    15. Re:Jury is still out... by icebike · · Score: 4, Informative

      Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.

      No need for multiple passes either, simply write binary zeros everywhere and you are done. The old FUD about the CIA recovering your info with electron microscopes is pure bull, and nobody has ever once successfully demonstrated that in public even when they had access to state of the art university electron microscopes.

      Platter level forensics are a hoax.

      --
      Sig Battery depleted. Reverting to safe mode.
    16. Re:Jury is still out... by ozmanjusri · · Score: 1

      Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.

      Yep I'm on Linux, so "dd if=/dev/zero of=/dev/sdx bs=1M" is good most of the time, or dban if I'm lazy.

      This is more of a problem for people who think consoles (and computers) should be appliances.

      --
      "I've got more toys than Teruhisa Kitahara."
    17. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Wow. That seems like a pretty far-fetched sequence of events. Apparently you are claiming:

      1) The engineer is so worried about their billing server that rather than doing the natural thing (like backing the damn thing up once in a while), he decides to store sensitive credit card info on the client machine

      2) And the justification for doing so is that in the minuscule case of having the billing server be corrupted, and not recoverable, and so much data corrupted that a large number of users are going to cancel transactions rather than entering a new credit card number. Which they have to do every 5 years or so ANYWAYS when their card expires.

      3) And that after making these decisions, the engineer decides not to bother encrypting the information....the article mentions nothing about having to decrypt info, just using basic hacking tools.

      Sorry, if this did happen (and the jury is still out), I'm guessing it's a case of some idiot not being careful about what information is cached on the xbox. Not intentionally....probably a byproduct of how the client communicates with the microsoft servers.

    18. Re:Jury is still out... by mysidia · · Score: 1

      "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased.

      It's true though... when you reformat your computer you logically have a blank slate. Everything IS erased, it's just that some of the old data might not be irrecoverably destroyed, especially if you choose a quick format where you just get a clean filesystem w/clean volume metadata without going through every disk sector and zeroing or even clearing out directory tables..

      The message presented during format is a warning to be careful formatting, because you can lose data if you do it. They want to help make sure people don't accidentally format and become upset at Microsoft because they didn't know what they were doing.

      The warning is not a promise that if you do this, your personal data is totally purged from the hard drive so that you can safely resell it.

      I suppose there should be a warning about that too before you can proceed with formatting.

      "Warning: This operation will erase the volume's directory index and remove ordinary means of access to all files, but formatting will not make sure that any sensitive information on this volume is safely destroyed: to reduce the duration of the format operation and avoid unnecessary mechanical wear on disk drives, format only makes changes to the disk required to provide a clean filesystem; to ensure destruction of sensitive data, please use a secure deletion tool."

      A similar alert should be shown when moving an item to the recycle bin, emptying the recycle bin, deleting items in browser history, clearing the cache, deleting cookies, and exiting an application such as MS Word that utilizes temporary files but does not securely delete its temporary files, or an application that stores sensitive data in registry, or an application that had documents elements which were cached in RAM page cache, or an application that had document elements in RAM which were swapped to disk (pagefile).

      Preferably the warning should be accompanied by an option in the application to accept a performance penalty and delete the objects securely.

    19. Re:Jury is still out... by mysidia · · Score: 1

      Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen

      That doesn't make any sense at all. Microsoft's database framework: Microsoft SQL, Jet DB, SQL Azure... doesn't "corrupt" a copy of things in a database Microsoft's database system is a Tier1 application. If corruption was ever a significant issue they would have much larger problems on their hands, because they wouldn't be able to sell their bulletproof reliable self-healing massively scalable database server infrastructure.

      The far more likely scenario is they have "Accidentally cached" input of HTML forms containing a representation of the CC number, through a standard browser function, that didn't avoid caching SSL session data; or that they actually use HTTP and didn't think to use HTTPS when prompting the user with the form to enter their CC details.

    20. Re:Jury is still out... by Microlith · · Score: 1

      Won't stop the class-actions though.

      That's what the EULA with the binding arbitration clause is for.

    21. Re:Jury is still out... by oztiks · · Score: 0

      In other news hackers can lift credit card details from used wallets. Point is don't leave credit cards in your wallet if you plan to sell it.

    22. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Now take in consideration that the disk wobbles when it spins and that bits do not physically fall onto the same spot when written, when you overwrite a track on a disk it will not end up at the exact same spot as it did before, however the signature will be more prominent. That said, I'm pretty sure that if you overwrite your disk with BS of 1M, forensics can still get your data :)

    23. Re:Jury is still out... by Anonymous Coward · · Score: -1, Troll
      Well yeah, no surprises that Slashdot has a response defending Microsoft as first post. The only surprise is that it isn't from Bonch/Sharklaser et al.

      I wonder how much Burson Marsteller are paying to get that privilege.

    24. Re:Jury is still out... by Kaenneth · · Score: 1, Informative

      Don't use CCleaner, it WILL fuck up your system eventually.

    25. Re:Jury is still out... by Jafafa+Hots · · Score: 1

      Yep. I won't believe ANY claims about what the CIA can do until the CIA demonstrates it publicly!

      When's their next Open House, BTW?

      --
      This space available.
    26. Re:Jury is still out... by Jafafa+Hots · · Score: 1

      Eventually? How long is eventually? Because I've used it regularly for as long as it's existed, and after all these years no problems so far.

      I guess I'm sitting on a time bomb!

      --
      This space available.
    27. Re:Jury is still out... by Anonymous Coward · · Score: 0

      How can forensics still get your data? You seem to imply that the BS=1M is important to this.

    28. Re:Jury is still out... by Serious+Callers+Only · · Score: 1

      You've never dealt with accepting credit card info before have you?

    29. Re:Jury is still out... by History's+Coming+To · · Score: 0

      Null results are still important.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    30. Re:Jury is still out... by Anonymous Coward · · Score: 0

      A pass from /dev/urandom is just as easy as a pass from /dev/zero, so why not, just in case?

    31. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Because /dev/urandom can be contain incriminating evidence.

    32. Re:Jury is still out... by Hatta · · Score: 1

      Urandom is much slower than /dev/zero.

      $ dd if=/dev/zero of=/dev/null bs=1M count=1024
      1024+0 records in
      1024+0 records out
      1073741824 bytes (1.1 GB) copied, 0.207047 s, 5.2 GB/s

      $ dd if=/dev/urandom of=/dev/null bs=1M count=1024
      1024+0 records in
      1024+0 records out
      1073741824 bytes (1.1 GB) copied, 95.5125 s, 11.2 MB/s

      --
      Give me Classic Slashdot or give me death!
    33. Re:Jury is still out... by hairyfeet · · Score: 2

      How EXACTLY is this flamebait? he provided the link to the response from MSFT who says their software doesn't store locally so we have one saying A and another saying B, so logically one would suggest that waiting until we had a separate source test and verify the findings would be the best course of action. Or does a post not count if it isn't following the correct groupthink? Last I checked the banner read "News For Nerds" not "self affirming circlejerking" ala Faux news and MSNBC. The only compliant i can see with his post is that frankly it shouldn't have needed to be made in the first place as timothy should have had the reply in TFS.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    34. Re:Jury is still out... by hairyfeet · · Score: 1

      You can put a piece of paper through a shredder but if the shredder ONLY has that piece of paper and i have the time i can put that paper back together, so does that mean you didn't actually shred it? what we really need is different words here, erased VS erased and possibly recontructable would probably be better descriptions.

      What Windows does when you format is erase the Master File Table or MFT. Once the MFT is gone NTFS and the OS above it simply can't find any former files because without a pointer to tell them what and where a file is then it simply doesn't exist. Now of course we all know there are tools that can recover by doing a scan of the actual drive bit by bit (I prefer Recuva myself) but considering the fact that all one has to do is a standard overwrite by zeroes which can be done quite quickly and that even relatively simple encryption would make a file hell to repair on a formatted drive it really doesn't make much sense. I can't comment on the X360 but I do know Win 7 uses encryption for its caches like Readyboost so i don't see why it wouldn't do the same for any GFWL cache as the OS already has an API for encryption that should be pretty trivial to call. Even XP has NTFS file encryption so there really is no reason why they should have it unencrypted and if it turns out this is true someone needs a good firing.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Tell that to some of my clients who often ask if I can fix their corrupted MS db. And by the time I get to it, it is thoroughly corrupted (most likely worsened due to unskilled hands trying to "fix" it).

    36. Re:Jury is still out... by Sigg3.net · · Score: 1

      Platter forensics a hoax?
      Today, yes. Yesterday? No.

      Drive technology has changed. I seem to recall that it was the old non-S.M.A.R.T able drives that were subject to (successful) platter forensics. Long time ago =! Hoax.

      --
      Defining Statistics and Social Research
    37. Re:Jury is still out... by icebike · · Score: 2

      You seem to remember wrong.

      All that has ever been demonstrated is that with an electron microscope a couple of bytes were successfully "raised" after being over written with a uniform pattern. The prior content of the drive was known, which is how they were able to determine that they weren't recovering noise. It was a proof of concept recovery of literally a few bytes from a drive with known content overwritten with known content. This was the topic of a guy named Venugopal Veeravalli, for his Masters thesis, Carnegie-Mellon University, 1987. (He went on to have a brilliant career, but nothing came of his research.)

      The process involved:

      Magnetic force scanning tunneling microscopy (STM) technique which uses a probe tip typically made by plating pure nickel onto a prepatterned surface, peeling the resulting thin film from the substrate it was plated onto and plating it with a thin layer of gold to minimise corrosion, and mounting it in a probe where it is placed at some small bias potential (typically a few tenths of a nanoamp at a few volts DC) so that electrons from the surface under test can tunnel across the gap to the probe tip (or vice versa).

      It yields pictures (images) of the surface, AT THE BIT LEVEL, which then have to be visually analysed by humans, and they guess which grains of magnetic media represent the old data (5% of the grains), and which represent the new data (about 95%). It takes 10 minutes to yield one visual image, it takes 8 images to guess at a byte. And this was done with KNOWN prior content, and KNOWN overwrite pattern on a disk platter that had been written EXACTLY TWICE in its life.

      From this theoretical capability sprang the paranoia of multiple overwrite for mil grade erasure. An entire industry followed in lock step.

      In real life no one has ever recovered a full file, or even meaningful fragments from an overwritten drive. Not at the older sparse densities, and not at today's much denser packing of bits.

      With tape you could SOMETIMES do this, but only because heads never aligned precisely, and you could read the bottom layer of magnetic particles right thru the plastic substrate. But even that required extremely slow manual procedures with government budget equipment. The "lost" NASA tapes were recovered this way.

      The CIA relies on exactly what every body else does, the fact that data is seldom erased, merely the file allocation table is over written and data lurks in forgotten clusters on the drive.

      Go read the link I posted and the links it references.

      It doesn't happen.

      --
      Sig Battery depleted. Reverting to safe mode.
    38. Re:Jury is still out... by Anonymous Coward · · Score: 1

      > dd if=/dev/zero of=/dev/sdx bs=1M
      Use "hdparm --security-erase ..." instead. Apart from being faster, it will erase the entire disk, including any sectors which have been remapped, and will work on damaged disks (i.e. it won't abort or perform retries on write errors).

    39. Re:Jury is still out... by Kalriath · · Score: 1

      That's because your clients are incompetent. All of them.

      No company I've ever worked for has had an SQL server "corrupt" a database. Ever. The only thing even remotely similar was a disk failure, caused by shitty HP hardware, and recovered in an hour without even going to backups thanks to hotswapping disks in the RAID array.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    40. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Thanks, I stand corrected and informed:)

    41. Re:Jury is still out... by Anonymous Coward · · Score: 0

      "I seem to recall that it was the old non-S.M.A.R.T able drives that were subject to (successful) platter forensics. Long time ago =! Hoax"

      What you remember is either a hoax or not what we're discussing here. So yes, you're still wrong.

    42. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Except that they haven't proven that it's even a valid CC number. Jesus christ, the things you take as credulous.

    43. Re:Jury is still out... by ArundelCastle · · Score: 1

      Neither has that Director.

    44. Re:Jury is still out... by ArundelCastle · · Score: 1

      Won't stop the class-actions though.

      That's what the EULA with the binding arbitration clause is for.

      That's what consumer protection laws that declare EULA clauses invalid are for.

      Don't have one? Write your politician.

    45. Re:Jury is still out... by ArundelCastle · · Score: 1

      It's absolutely far-fetched. But so were black swans. ;) I certainly agree with your conclusion.

      1) I'm not making any realistic claims about the technology or the engineer's actions. I'm devil's advocating that Director of X is so worried about losing a sale they insist on a ridiculous layer of redundancy. It's not likely, but it is most definitely plausible. (Unless you're defending the intelligence of Microsoft management? oh snap!) And even though this story is about Xbox, information gets exposed elsewhere all the time. If you're not willing to blame the technology, then it comes down to poor decisions and human error.

      2) That minuscule case is a $10-$50 loss, plus negative word of mouth and mindshare damage. I don't have a tidy economics formula for it, but That's Bad. Talking about 5 year expiry dates doesn't enter into it, given that before the 360/PS3 no console with an online marketplace had a lifecycle lasting longer than 5 years. And the user knows that it's their job to update when they receive a new card.

      3) Employees under stress decide not to bother doing a lot of things. Everyone was the new guy once. Everyone has a senior moment eventually. Let's pretend this issue has existed since 2006, and it has just been discovered in 2012. Sounds like many security patches I've applied.

      A lot of /. comments are the search for logical justification of how shit happens. That's a very engineer thing to do. But businesses are no more logical than the fallible people who run them. How many stories do we read about the valiant IT crusader trying to sway their luddite management into awareness of The Right Way? :) Shit happens, because people.

    46. Re:Jury is still out... by Anonymous Coward · · Score: 0

      "The jury is still out on this"

      No, it isn't. You've got one set of bumbling idiots with no actual proof that it is what they think it is, but they're already attempting to shame Microsoft. I wish they'd apologize when it comes out that they were wrong, but they'll scuttle back under whatever rock they crawled out from.

      I suppose this isn't unreasonably sloppy as far as academia goes.

    47. Re:Jury is still out... by Anonymous Coward · · Score: 0

      "TFA implies it's cached in system files."

      It's offering no proof.

    48. Re:Jury is still out... by billcopc · · Score: 1

      The only thing people "know" about the CIA's abilities is whatever Hollywood dreams up for movies and TV gimmicks.

      As an outsider, my caricatured perception of government intelligence is a bunch of failed lawyers tallying various stats and counting down the minutes to their next smoke break. Recovering data from an erased hard drive seems well beyond the reach of any federal employee I've ever met. Maybe the top engineers at Western Digital could pull it off, but they have better things to do like cramming more bits onto a fucking platter.

      --
      -Billco, Fnarg.com
    49. Re:Jury is still out... by billcopc · · Score: 1

      That's just an attack on Microsoft. Formatting does not erase your data, it erases the metadata, (re)initializing the filesystem structures to a clean, possibly blank state. The raw data remains, but since you no longer have an index to tell you where each file begins, how big it is and what it's called, you have no easy way to access it.

      With many filesystems, this metadata exists in several places and usually has one or more backup copies. A "quick" format tends to kill the main index, leaving the backups mostly intact. Recovery tools can scan the disk to find these backups and "unformat" the filesystem. On FAT systems, they don't have this luxury, instead they look for specific signatures to find old orphaned directory entries, but it's the same idea.

      So... "formatting" doesn't really erase your data. Says so in the name: format. If you want to erase data, use an erasing tool, such as `dd if=/dev/zero` or DBAN or anything else that overwrites the entire disk.

      --
      -Billco, Fnarg.com
    50. Re:Jury is still out... by Eskarel · · Score: 1

      It was possible, whether it still is at current data densities I don't know.

      What I do know is that it's astronomically expensive and the CIA can make you disappear a lot cheaper and easier if that's what they want so they don't bother much.

    51. Re:Jury is still out... by Anonymous Coward · · Score: 0

      As a small comment, (logically) overwriting an Xbox HDD makes that disk unusable forever(*) in an Xbox. It can still be used in a PC, of course. The reason is that each disk has a signed blob in the first few sectors that stores that disk's IDENTIFY response. There's no way to re-generate that information without a private key.

      (*) Yes, there's hddhackr which allows you to change the serial number of your harddrive to match another one where you saved the "security sector".

    52. Re:Jury is still out... by Anonymous Coward · · Score: 0

      But there *are* latent magnetic images still on the drive. This is how black box recorders work (in aircraft). The flight control information is a continuous loop, usually making one complete cycle every 2 or 4 hours. Recording power is always at half power. Its a given that they can get all the information from at least the last 4 passes (between 8 and 16 hours of information). Drive writes are always at full power, but there are still latent magnetic images on the drive (its just a lot harder to get them). Home based tools won't pull them off, but get a few dozen electrical engineers to cook up something that can read at least 2 or 3 prior writes will get the job done. But you say "Oh, they don't have the money for even 2 or 3 electrical engineers... oh wait, this is the federal government". On the other hand, doing 3 or 4 writes to a hard disk will rub out the last 3 or 4 latent images with rubbish. ...Then they round you up and start applying "Rubber Hose Cryptography". See here for more information.

    53. Re:Jury is still out... by Anonymous Coward · · Score: 0

      Don't use CCleaner, it WILL fuck up your system eventually.

      Ok, have seen this one spouted online a couple of times now, every time a blind assertion without backup.

      Explain the damn mechanism!, provide a friggin flowchart/sequence of events/whatever floats your boat showing how the use of ccleaner fucks up machines.

      Anecdotal experience of a single machine doesn't count.

  2. I made the point earlier by Omnifarious · · Score: 3, Insightful

    Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.

    --
    Need a Python, C++, Unix, Linux develop
    1. Re:I made the point earlier by Anonymous Coward · · Score: -1

      Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.

      Yes, not at all like Google.

    2. Re:I made the point earlier by Omnifarious · · Score: 0

      I think Google has very similar perverse incentives, though they have structured themselves in some ways to be more resistent.

      I've actually grown rather disenchanted with Google over the last year. I feel like they've changed direction in a way that's ultimately harmful for everybody, including them, though it's beneficial in the short term.

      --
      Need a Python, C++, Unix, Linux develop
    3. Re:I made the point earlier by Anonymous Coward · · Score: 0

      People cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected. Open sores is no different.

      FTFY

    4. Re:I made the point earlier by Anonymous Coward · · Score: 0

      If you are wondering why you got an offtopic; that was a "don't feed the trolls" moderation. Google is a proprietary software vendor and had never been posted. The grandparent was redirecting the conversation oftopic and by posting from a named account you bring that to everyone's attention.

    5. Re:I made the point earlier by Anonymous Coward · · Score: 0

      There's no incentive for MS to waste time and money on implementing a proper reset. Remember, if you resell anything - video games in particular for some arbitrary reason - you are a pirate and a criminal. Resale is unpatriotic and you are a communist!

    6. Re:I made the point earlier by Omnifarious · · Score: 3, Insightful

      I agree that Open Source is no different. But I think it's harder to get away with it because it's harder to hide what you're doing. And even if you do for a time, someone will come along and fix it, and if you don't accept their fix you'll lose your users to the fork.

      --
      Need a Python, C++, Unix, Linux develop
    7. Re:I made the point earlier by schoett · · Score: 1

      Open source is different in that anyone peeved about some missing or unfriendly feature can implement it. You do not need to become an official committer; just put your patch on the mailing list and it is likely to be picked up and integrated.

      Open source is different in that people generally strive to build the best software they can; there is no management saying "This is good enough; we're not going to bother with feature/problem X", or worse, as in this case, "there is no problem X".

  3. Details of the academic paper by Anonymous Coward · · Score: 1, Informative

    From http://aisel.aisnet.org/amcis2011_submissions/54:

    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    Dr. Asley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    Information Systems Security and Privacy

    Abstract
    Traditionally, when individuals wanted online access they connected their PCs to the internet. Now, non-traditional devices such as cell phones, smart phones, and gaming consoles serve as common means of online access. Gaming consoles, just like PCs need proper sanitization processes to help fight identity theft. Individuals understand you cannot simply throw away a computer that has your personal data on it without some sort of sanitization process; gaming consoles are no different. Simply returning your console back to “factory state” will not do the trick, you need to take things one step further.In this research paper the authors aim to bring awareness to the gaming public, researchers and practitioners that improperly discarding used consoles without proper sanitization practices can inadvertently release personal data which can result in identity theft. The researchers will demonstrate through a case study how easy it is to steal an identity through a discarded Xbox. Finally, the researchers will demonstrate how gamers can sanitize their game consoles when upgrading their systems to ensure their identity is not at risk when the used device is retired.

    Recommended Citation
    Podhradsky, Dr. Asley L.; D'Ovidio, Dr. Rob; and Casey, Cindy, "Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives" (2011). AMCIS 2011 Proceedings - All Submissions. Paper 54

    Couldn't find a free to access PDF though.

    1. Re:Details of the academic paper by Opportunist · · Score: 2

      What? No torrents?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Details of the academic paper by Xugumad · · Score: 4, Interesting

      Got myself a copy (my employer appears to have a subscription), The really critical bit here is:

      "Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10."

      While they conclude that it's likely this is a credit card, based on the card identifier (first four numbers) and that it matches the Luhn algorithm (mis-spelt as "Luhr" in the article - that took a while to figure out!), however the Luhn algorithm isn't designed for this sort of use, it's primarily there to catch data entry mistakes. I'm fairly happy that the chances of a match like this on a multi-GB hard drive are fairly good, just through random chance. A good follow-up experiment here would be to buy new XBox 360s, buy points and then scan the hard drive for the card used.

      IMHO their points raised about finding gamer tags, friend lists, etc. are probably far more relevant, especially in relation to this data not being destroyed when a factory reset is done.

      There's some really odd bits, though... "In this particular instance, we can see NAT (Network Address Translation) rules for a site called Bungle.net[sic], where Halo players can have their stats tracked or purchase games and merchandise [36]." - which as far as I can tell is actually a list of errors you can get if your NAT setup is causing problems.

      I'd also be more confident if the work had less odd errors; "Book and Nuke, by DBAN is", presumably refers to "Darik's Boot and Nuke", frequently abbreviated to "DBAN".

  4. "Factory Reset" means nothing on the 360... by Anonymous Coward · · Score: 5, Informative

    The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the Flash NAND that everything else is stored in remains untouched- that is, the data is still there- just not in any reference-able format (this is analogous to unlinking a file- the data is still there, just not listed in the filesystems TOC).

    If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc)- then enter in a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB- but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience, I've done it before- but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad- up, down, left, right, then the X, Y, A, and B buttons).

    If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).

    Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.

    But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.

    -AC

    1. Re:"Factory Reset" means nothing on the 360... by maitai · · Score: 0

      And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.

    2. Re:"Factory Reset" means nothing on the 360... by Anonymous Coward · · Score: 1, Insightful

      And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.

      What is wrong with you exactly? You are clearly damaged in some way.

      First Sale Doctrine: I buy shit from you, the shit is mine now, I sell shit to someone else. You don't get to stop or interfere with that.
      Sorry but I like liberty and being free. I don't want to live in a nation where all my stuff belongs to the aristocracy and I'm just renting it from them at their pleasure, that's just slavery in a different name.

    3. Re:"Factory Reset" means nothing on the 360... by ClosedEyesSeeing · · Score: 4, Insightful

      I miss when I didn't have to use cheat codes to clear my data. :(

    4. Re:"Factory Reset" means nothing on the 360... by Anonymous Coward · · Score: 0

      The first sale doctrine doesn't mean Microsoft have to make it easy for you. To make a typically ludicrous Slashdot analogy, the first sale doctrine means I can sell you a pad of paper, and you're free to sell it to someone else. It doesn't mean I have any obligation to remove all trace the credit card numbers you scrawled on it while it was yours.

      Sorry, can't think of a car analogy off the top of my head.

    5. Re:"Factory Reset" means nothing on the 360... by Nos9 · · Score: 1

      You are correct, it's your shit now. Microsoft isn't stopping you from selling your shit. It's like bitching that the dealership won't help you transfer the title on the car you bought from them when you sell it to someone else several years later. It's your job to deal with that because it's your shit now.

    6. Re:"Factory Reset" means nothing on the 360... by Anonymous Coward · · Score: 0

      If you buy certain things, such as an extended warranty on the power train that goes with the vehicle, the dealership has to make it easy to transfer the ownership (settings).

  5. They got your credit card anyway! by damm0 · · Score: 3, Funny

    Pretty soon everyone will have had their credit card stolen so just don't worry about it!

    Nothing gained, nothing lost!

  6. wipe out by skeq · · Score: -1

    i think its the same as selling an used hard drive, doesnt matter that its packed in a (x)box with other stuff, its still a hard drive, and you have to wipe them clean before you let them go.

  7. Ah, nostalgia. by Cazekiel · · Score: 3, Funny

    The good ol' days when someone just stole your wallet/pocketbook from your grocery cart... how I miss them.

    --
    You want to know how to help your kids? LEAVE THEM THE F*&K ALONE. --George Carlin
  8. Wiping a 360 hard drive is idiotic by Aldanga · · Score: 5, Insightful

    Straight wiping of a 360 hard drive will destroy it for future 360 use. The hard drive security sector (hddss.bin) is stored on the disk and, if erased, will render the hard drive useless on a stock 360 console. The security sector cannot be "spoofed" or otherwise as each hddss.bin is unique to the specific hard drive on which it resides. Only by backing up the specific sectors where hddss.bin is stored before wiping, then restoring them afterward, will keep the hard drive usable in a 360 console.

    There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.

    1. Re:Wiping a 360 hard drive is idiotic by game+kid · · Score: 1

      Oh, sorry about the ruckus. Those loud guffaws were just rms feeling vindicated again. :P

      --okay, maybe the 360 shouldn't be full-on free software, but they really should ship HDD-reset CD thingers to properly wipe the disc so we don't turn our HDDs into blank coasters (from the console POV anyway) when this sort of wipe becomes necessary.

      --
      You can hold down the "B" button for continuous firing.
  9. PCI-DSS Scope? by Jeremiah+Cornelius · · Score: 1

    Is your XBox in scope? :-)

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:PCI-DSS Scope? by mtl_hed · · Score: 1

      The PCI-DSS spec is used by organizations to evaluate their infrastructure as to whether it is in compliance. I've read the entire v2 doc before, and unlike most technical specifications it is more of a best practices guide for secure transport and storage for PCI data. This includes everything from switches, routers, servers, to tape backup and everything in between. In Microsoft's case this includes the Xbox itself and everything within their datacenters that PCI data flows through. Part of the spec states that storage of PCI data should be avoided if possible and gives recommendations around storage when it is deemed necessary for secure storage. Things like encrypted filesystems using hardware security modules help accomplish this. To jrj102 comment, it is very likely M$ chose not to store the data on the Xbox itself, but instead store it within their own network tied to your account in some way and thus greatly reducing risk.

    2. Re:PCI-DSS Scope? by Jeremiah+Cornelius · · Score: 1

      Key word: "Tokenization"

      You store a KEY locally - which has cryptographic validation - but is not cryptographically derived from any actual card data itself. This token is stored, and can be used in place of the card info - which is stored per PCI-DSS specs, in the commerce infrastructure.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:PCI-DSS Scope? by Anonymous Coward · · Score: 0

      Already done...
      http://www.firstdata.com/en_us/products/merchants/security-and-compliance/transarmor-solution.html

  10. And this is why by rikkards · · Score: 4, Insightful

    I buy the gift cards when doing anything regarding the xbox

    1. Re:And this is why by Anonymous Coward · · Score: 0

      Because you're apt to believe anything you read on a gaming blog?

  11. crtl+f dban by n3r0.m4dski11z · · Score: 1

    not yet!

    This article might as well read "used pcs". Why wouldnt you dban your console if you were going to sell it?

    Answer: because people dont know and dont care./

    --
    -
  12. I don't buy it by Anonymous Coward · · Score: 5, Interesting

    TFA: Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    That's a solid find. Except for the fact that I can't find the option to enter in a Discover card to Xbox Live for it to store. Chances of this being a real valid Discover card number? I'd put it right around the same as /dev/urandom.

    http://i.imgur.com/A0M4d.png

    1. Re:I don't buy it by Anonymous Coward · · Score: 0

      Quite. The likelihood of any random 16 digit number having a valid checksum is 1 in 10. The likelihood of being any given issuer is around 1 in 10 million, but the likelihood of being some valid issuer is much higher.

      Pretty much any decent size cache of 16 digit numbers probably includes something with a correct checksum and a valid issuer. If the best they can come up with is a number from a type of card that XBox Live doesn't accept, then it's probably noise.

    2. Re:I don't buy it by WWWWolf · · Score: 1

      Yeah, I thought the same. XBL purchases come out of your MSPoints wallet, which is (logically enough) stored in XBL, not the console - you can purchase stuff through the xbox.com website too, and stuff gets downloaded when you turn the console on again. Credit card info is stored on XBL too, as far as I can boundlessly speculate. Wouldn't make much sense to store it on the console, especially since the XBL account is not tied to a specific console.

      However, as far as I can tell you can have multiple 360s logged in at the same time, and the console stores authorisation cookies, not passwords; you can change the Windows Live account password and the console will still happily log you on. You can change your privacy settings to only allow your One Holy Console(tm) in without passwords. Still, theoretically, you could (somehow) let your hard drive slip to someone else, thus allowing them to log in as you, and have someone charging stuff for your credit card, but all those points would go to your account anyway. All the more reason to set the password asking on.

  13. Creepy by Snospar · · Score: 1

    Woah! I was getting a bit creeped out by some of the more paranoid comments from our brethren and just at the right/wrong moment a junior spider abseils off my ceiling light across the room and onto my keyboard. The slightest movement of my hand makes it scurry in and under the ] (right angle bracket) key. It shall feast well tonight!

    And my comment... don't use Xbox it's Microsoft shit. Easy.

    --
    Moore's law is not a law. Theory, yes; Predictable trend, certainly; Law, no.
  14. Five year old Consoles... by Anonymous Coward · · Score: 1

    Too bad credit card numbers never expire...

  15. PS3 better uses HDD's that work on any sata system by Joe_Dragon · · Score: 1

    PS3 better uses HDD's that work on any sata system so they are easy to nuke.

  16. Re:PS3 better uses HDD's that work on any sata sys by ArundelCastle · · Score: 1

    Yes, we know. That was true in 2006 and it's true today.

  17. Re:PS3 better uses HDD's that work on any sata sys by TrancePhreak · · Score: 4, Interesting

    Credit card details were already leaked through Sony themselves. No need to physically get at the boxes.

    --

    -]Phreak Out[-
  18. The (inofficial) position of MS on this matter by Opportunist · · Score: 0, Troll

    So? You're not supposed to sell your XBox, what's your point?

    More officially, they will certainly "look into it". Don't expect, though, that much more than a look is put into it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  19. damn it, I logged into AOL again by ThePhish · · Score: 0

    Slow news day? This is just as slashdot worthy as some putz buying a refurbed computer or HD and finding someone's personal info, or a "My Documents" full of NOT THEIR DOCUMENTS.

    My money is on most readers here aren't stupid enough to unload any data storage device w/o appropriately clearing it, or using throwaway credentials.

    1. Re:damn it, I logged into AOL again by compro01 · · Score: 1

      >My money is on most readers here aren't stupid enough to unload any data storage device w/o appropriately clearing it, or using throwaway credentials

      Except that there's no practical method for actually wiping the damn thing other than microsoft's secret konami code.

      Wipe the disk using DBAN or something and now microsoft's stupid "security"(the only thing it secures is their profits on selling commodity hardware) flag results in it not being usable in the system

      --
      upon the advice of my lawyer, i have no sig at this time
  20. Never happen at a professional software company by dbIII · · Score: 0

    Such a flaw is as stupid an idea as forgetting about leap years - twice running, or letting image viewers run arbitrary code embedded in images. Only a highly unprofessional software vendor would allow such a thing out into the wild after QC testing.
    It's funny how just saying it as it is comes out as Microsoft bashing. A bit more testing on such show stopping bugs, probably only a handful more employees, and we wouldn't have these things to complain about.

    1. Re:Never happen at a professional software company by Anonymous Coward · · Score: 0

      Lot's of the original Xbox exploits were in games. By professional gaming companies.

      It happens.

  21. Duh by uvajed_ekil · · Score: 0

    It may not run WIndows, but don't forget that the Xbox is a Microsoft product, so of course it is a liability.

    --
    This is a hacked account, for which the owner can not be held responsible.
  22. HAH! by idbeholda · · Score: 2

    Let's see them pry personal credit card information from my Sega Genesis!

  23. Microsoft doesn't really do a great job by MindPrison · · Score: -1, Flamebait

    ...of any security, that's just babble from their PR dep.

    How can I say that? Simple...I'm not even a hacker, but I've used a certain "Boot-cd" (you'll have to search for it on the net yourself), to get into every single system MS have made to date, to help out a school recover their students accounts, nothing illegal as it was the schools themselves who requested this from me, as their IT dep. was inadequate and said the usual MS-BS...the accounts are NOT retrievable if there is only an admin account and the PW is unknown, which ...is BS...and this is from MS themselves. They even say that on national TV....and it's a blatant lie. Every OS...MS has released, is easily "hackable" within 10 minutes with that CD!

    --
    What this world is coming to - is for you and me to decide.
    1. Re:Microsoft doesn't really do a great job by Richard_at_work · · Score: 0

      Congratulations, you have discovered that with unfettered physical access to a machine, no OS is secure. Do you want a sweetie or something?

    2. Re:Microsoft doesn't really do a great job by Kalriath · · Score: 1

      Not surprising, if the user had reversible encryption enabled or you have physical access and can overwrite the hashed password with an arbitrary value. Of course, if the user ticked the box "Encrypt contents to secure data", or enabled Bitlocker full disk encryption, your "boot-cd" would be completely useless.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  24. Drexel has a research department? by Anonymous Coward · · Score: 0

    I am more amazed by the news that Drexel has some sort of research department.

  25. Too close by Turnerj · · Score: 1

    ... to April 1st to not say this could be an elaborate April Fools joke.

  26. Disposability by Anonymous Coward · · Score: 0

    Am I the only one thinking that a credit card number is a lot more disposable than a console? Before selling used hardware, it's prudent to wipe the hard drive, sure, but there are easier ways to protect your bank accounts than going binary on a magnetic platter.

  27. And?... by Anonymous Coward · · Score: 1

    Stolen credit card numbers are cheap. Who's going to pay $50 for a used XBox just to steal somebody's credit card information?