Feeds

Everything you ever wanted to know about Xbox hacking

Cracking gameplay laid bare

SANS - Survey on application security programs

Tamper tantrums

Hardware tampering forms the second class of hacking activity. Hackers tamper with the data on their hardware via hex editing, rehashing and resigning to obtain digital items and products without payment. The tactic is used to artificially inflate account stats, making manipulated IDs a more valuable as a trading item in the underground economy.

"Because you can hook the Xbox up to your PC, people have created custom built tools to not only view the data on the Xbox hard drive, but alter the data through basic hex editing, rehash it (so the console thinks the files are legit) and resign it (which allows someone to use files that are tied to another profile)," Boyd told El Reg. "Not wanting to risk phishing themselves, some hackers will artificially inflate their Gamerscore and then try to sell the accounts on underground forums and even sites such as eBay."

This type of hardware tampering can also be harnessed in phishing attacks, impersonation, and other malfeasance.

"A recent exploit involved tampering with data on the Xbox hard drive which allowed you to join game sessions with a temporary name. The trick allowed phishers to impersonate game developers (whose gamertags are viewable on sites that list the gamerscore data) and ask for logins. By all accounts, the phishers did a roaring trade until this was fixed," Boyd explained.

Another (now closed) flaw involved exploiting Microsoft's Marketplace to obtain items for free. After making just one purchase, hackers developed a technique that involved changed just one line of code which allowed them to unlock every other item without paying for it. Microsoft soon put a kibosh on the ruse, but it does illustrates the fertile environment for hacking that the online gaming environment has become.

Lastly, online gaming environment can be beset with malicious disruption, as the result of hacking tools. Distributed denial of service attacks from botnets can kick players out of online game. It's also possible to purchase hardware that allows the unethical to cheat in games.

"Network disruption is a big part of certain areas in console modding and hacking scene," Boyd explained. "As most games are peer to peer with one gamer being the host, anyone can hook their Xbox to their PC via Internet Connection Sharing then use a combination of tools such as Zone Alarm to place IP addresses into trusted zones and network monitors to see the IP addresses in the first place. From there, they fire up a 'host boater' (which is basically a bonnet command program) which targets port 3074 - the port you need open for Xbox Live to work.

"They hit the flood button, and the hosts connection is flooded out by an army of infected PCs. As the attack targets the IP of the gamer directly and not the Xbox live service, it's very hard to do anything about these attacks," he added.

Combat fraud and increase customer satisfaction

Next page: DDoS for hire scams

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.