Console yourself: Gaming threats in the workplace presented at BSidesLondon 2010

by Chris "paperghost" Boyd

Summary: The talk seeks to explain the risks that a net-connected console in the workplace can bring, along with solutions for neutralising some of those threats. It will also examine some of the problems that cannot be readily resolved: problems that could lead to possible brand damage and compliance issues as consoles integrate web 2.0 applications and websites.
The talk is divided into three main sections, preceded by an introduction that looks at global console sales figures, why consoles are becoming popular in the workplace, and data taken from a survey of 200 senior IT decision-makers in public and private sector organizations around the globe. Roughly half of the people surveyed had a game console in the workplace, and forty-four percent of those had a net-connected console. Additionally, eight out of ten respondents had no record of who was using those gaming machines, setting the scene for a networked environment where all manner of malicious activities could be taking place.
The introduction will finish with a look at the increase in the profitable black market trade for videogame console accounts, how features added by console makers are an incentive to hackers and why a corporate gaming account would be a prize catch for a bad actor.
The three main areas that will be explored are phishing and social engineering (both in-game and online), hardware hacking and denial-of-service attacks (specifically, how the black market will create custom-built DDoS botnet tools to target specific individuals for the right price), and how the continued integration of services such as Facebook and Twitter into games consoles can bypass otherwise watertight security protocols, giving rise to data leaks and brand damage as a result.
I’ll include a real-life example of a company that could have fallen victim to account theft and profiling of its employees, due to poor implementation of security practices in relation to its corporate gaming account. Additional areas covered will include how tying Xbox accounts to Windows Live IDs can result in basic security mistakes, how “features” of gaming accounts that cannot be hidden with privacy settings make you a target, an examination of the custom-built hacking tools made to tamper with console data, how you can protect yourself from customer support being fooled into handing over your login, and the typical journey of a stolen account.
We’ll also explore how console web browsers can cost companies money as a result of fake AV warnings, how games-related searches on office PCs are increasingly being targeted by blackhat SEO exploitation, and whether the “security scare stories” around the recent PS3 hack are justified.