Kinect for PC Announced

Microsoft has announced that in 2012, they will release a commercial version of their Kinect motion and voice sensing platform for the PC, first introduced as an add-on to the Xbox.  Kinect gamers interact with games by moving their bodies around instead of pushing buttons on a controller.  A non-commercial development kit has been knocking around since June.  The platform will consist of new Kinect hardware, USB connectivity, an improved close-range camera, and further enhancements of the software to optimize it for the Windows PC.

Microsoft also has just launched a new initiative, the Kinect Accelerator incubation project.  This initiative through BizSpark will help software startups by providing access to Microsoft software development tools, connection to key industry investors, and by providing marketing visibility.  The Kinect Accelerator will give 10 tech-oriented companies using Kinect an investment of $20,000 each, plus a number of other perks.  Applications are being accepted through January 25th, 2012.  At the end of the program, each company will have an opportunity to present at an Investor Demo Day.

It will be interesting to see who brings me my Minority Report inspired Air-User interface first!   BRING IT!!

Steam Forums & Database Compromised

Valve has reported that their Steam cloud network gaming service forums were defaced on Sunday, November 6th.  As they investigated the annoying defacement incident, they found that the intrusion went beyond just the Steam support and social networking forums.

Steam is a gaming service that lets people buy, download, play, and chat about a variety of games, some made by Valve and others by third-party developers.  About 1,500 titles are currently available on Steam including Modern Warfare 3, Skyrim, as well as many “indie” and free games.  Steam claims to have over 35 million active accounts.

Intruders gained access to at least one of Valve’s Steam Network databases in addition to the forums.  This database contains customer information, including user names, hashed and salted passwords, game purchase records, email addresses, billing addresses, and credit card information.  The credit card information was reportedly encrypted, and there is no evidence so far that any of the information was taken by the intruders, or that the protection on credit card numbers or passwords has been cracked.  Valve is still investigating the incident.

Although Valve does not report evidence of credit card misuse at this time, they are warning customers to watch their credit card activity and statements closely.  It’s probably a good idea for all Steam Network customers to change their Steam account passwords and any passwords elsewhere that are the same.  To change your Steam password, access Settings from the Steam menu within the client software.


Happy Halloween!!

I hope everyone out there had a fun and safe Halloween.  Our family saw over 300 people come through our haunted yard this year.  We got well over 100 pounds of canned goods for the local food bank, and many people commented on how much they enjoyed our display.

This was the first year that we put together a haunting, at the request of my 9 year old grandaughter.  I bought a 10×40 foot party tent, used 20 feet of it, and filled it up with mannequins and props all built from scratch.  My wife and I split the tent down the middle with black plastic sheets, and set about building a maze inside.  The tent has plastic windows and the material is white, leading to a nice easy level of lighting inside.  The black plastic in the center provided just enough shadow to obscure the static characters.

[EDIT – Videos & Pictures Added!]

I made some “guts” for the first character, a mask joined to my heavy survival jacket, greeting all who ventured inside.  The guts were painted bright pink with green and brown, and the addition of some theatrical blood made them look extremely gross.  Kids loved ’em.

As you rounded the first corner of the maze, you were greeted with 2 aliens, one on either side of the divider.  Glow in the dark paint made their eyes light up.  My son in-law’s sister did a fantastic job of popping out at this point, and scaring the bejeezis out of many teens.  She wore the last mask we had left, an old geezer with pop out eyes and dark clothes.

Nintendo Network Targeted

According to the Wall Street Journal, Nintendo reported Sunday that a server for its US website had been hacked, but that no company or customer information was compromised.  The Lulzsec hacker group, behind other recent high-profile breaches, claimed responsibility.

Lulzsec posted a server configuration file as proof of its involvement, but claimed that it wasn’t targeting Nintendo.  “We just got a config file and made it clear that we didn’t mean any harm,” they claimed this morning via Twitter.

Nintendo has reportedly already fixed the exploited vulnerability.  The attack comes as Nintendo is set to launch its new online service for its 3DS hand-held game machine.  The 3DS, which went on sale in February in Japan and March in the US, allows users to play 3-D games without requiring special glasses.  The Nintendo e-Shop, where 3DS users can buy and download games, including some classic title remakes in 3-D, will be available in the US Monday and in Japan Tuesday.

Speculation abounds over why this hack was less damaging than the series of Sony hacks, and I would postulate that 3 main factors came into play here.

  1. Nintendo would have been very smart to consider the activities going on within their industry as precursors to a pending attack.  It is quite likely that Nintendo examined their own environment and did a little hardening.   I am certain that they would have at least increased their monitoring.
  2. The Nintendo environment is set up quite differently than Sony’s.  It doesn’t look like LulzSec spent the time to probe and research the environment or attempt social engineering, or perhaps they were unable to.
  3. Nintendo has opted for security over convenience in their daily operations.  They have taken a fair amount of heat from their customers because they do not store credit card information when purchases are made.  The CC information has to be re-entered with every purchase.  If you’ve complained about it before, tip your hat now, because Nintendo didn’t spill your beans!

Other console and gaming networks should pay heed, and other businesses as well.  Learn from the mistakes and successes of others, harden, monitor and store only what is necessary on your networks.

Game Networks Continue To Be Targets

Hackers may have accessed up to 25,000 e-mail addresses and 350 résumés during an attack on game developer Eidos Interactive’s websites.  The parent company, Square Enix, said that the breach occurred Wednesday, and could have given hackers access to user data for the Deus Ex: Human Revolution website, as well as résumés submitted by job applicants to Eidos.  If you’ve registered on an Eidos site or with the Deus Ex site, now is the time to change your password.

Square Enix confirmed that a group of hackers gained access to parts of its website as well as two product sites.  The sites were taken offline for analysis and to implement measures to increase the security of all of the company’s websites.  Square Enix will be contacting all parties that might have been affected by the breach, emphasizing that no credit card information was compromised.

This continued targeting of online game sites demonstrates to me that consumers continue to be targets.  It is logical to target consumers, as every single one of us, from the janitor to the CEO, ultimately is a consumer.  We have entertainment needs, we have children, we have social and communication needs, and each activity associated with meeting these needs provides another avenue of attack from our online enemies.  The online gaming companies should note the continued assault on their networks and take action to detect and prevent further attacks, or risk losing their customers’ trust.

The same goes for all companies that maintain an online presence and especially those that gather financial information, as well as intelligence.

IT Breach Laws

Information security breaches need to be made public.  They need to be made public in a much more proactive and efficient way than they are today.  Sony is a fine example.

Senator John Rockefeller IV, chairman of the US Senate Committee on Commerce, Science and Transportation, agrees.  He and four other senators said so today in a letter sent to the US Securities and Exchange Commission (SEC) asking them to bolster corporate breach notification requirements.  The letter stated “Securing cyberspace is one of the most important and urgent challenges of our time.  In light of the growing threat … it is essential that corporate leaders know their responsibility for managing and disclosing security risk.”  “Our review of recent corporate disclosures suggests that material breach reporting, like information risk, is inconsistent and unreliable.”

IT still struggles with the double-edged sword of making a system or application usable, and making it secure.  IT teams generally have a mandate based on Availability.  InfoSec teams have the opposite objective: keep the information Confidential and maintain its Integrity.  Those three words are capitalized because they are the classic pillars of Information Security.  C-I-A.  Rarely if ever does security trump IT or Business needs.  Until there has been a breach.  Then the daggers come out…

I have spent more than three decades in Information Technology and one third of that time focused on Information Security.  My background originates with PC technician and field repair work, and I have progressed through the ranks of Inside Sales, Helpdesk, Technical Support, Desktop Technician, Network Engineer, Infrastructure Engineer, Supervisor, IT Manager, IT & Security Consultant, Security Incident Response Specialist, to Information Security Manager, consulting widely on IT and Security projects.

In my opinion, we need standards, guidance and hard rules on the Internet that are equivalent to the rules of the road.  We didn’t create networks of roads to eliminate traffic accidents.  We built them to enable faster travel.  Some accidents on these highways were going to be inevitable.  We built protective devices and safety features to keep the cars on the road and to protect the occupants when they collided.  We restricted how fast and in which directions one could travel.  We mandated certain equipment as required.  We demanded that each person using the roads be adequately trained and licensed before having privileged access.  We put forth laws and regulations that every user must follow, and provided the police with the powers to enforce those laws.

Technology moves so fast that we’re adopting and adapting it faster than we can think of the consequences.  Every single Internet consumer should have to pass a basic aptitude test, or at least security awareness training.  They should understand that their communications traverse multiple networks, and that each of these networks may or may not be trustworthy, and will have varying policies regarding privacy and access.  They should know that there are inherent risks in using the Internet and that not all information or personas should be trusted.  It should be made clear what phishing is, what social engineering is, why credit card and personal information should be kept confidential, what the heck malware is and how it can be avoided.  Imagine if everyone on the Internet understood what a password actually was, how it should be created and protected, and what the consequences are if compromised?  What if we all understood those 53 page privacy agreements that nobody reads, but everyone accepts?

In my time within IT, I cannot count the number of times I have heard the Project Manager or worse, the Executive Sponsor exhort “Get the system up and running.  We will add security on later!”  Security as an afterthought is usually forgotten.  It doesn’t make it onto the Project plan, and is trumped by convenience.  Convenience of the implementor, the developer, the consumer and the business’ need to generate revenue.  My grandfather once gave me a lecture regarding my money.  He held a bread bag in one hand, and dropped nickels into the bag with the other.  He gathered a large number of coins in the bag and made me count them as he dropped them in.  He then poked quarter sized holes in it and walked around the room as he added more and more coins.  He told me that the only person that would get rich with a bag like that was the guy that followed behind him and picked up the lost money.  That is the state of e-commerce security today.

Industry surveys commonly attribute major data breaches to ‘insider threats’ but carelessness, misunderstanding or unreasonable policies may also be valid reasons why these security breaches occur and re-occur.  Just my 2¢, collect the whole dollar.

Sony’s “3rd Breach”

SC Magazine reports that Sony has experienced a third breach in as many weeks.  This one is NOT as serious as either of the previous breaches, but if you are a Sony customer, it is still worth knowing about.

It appears that Sony found an old server from 2001 that was set up to gather sweepstakes entries, still connected to the Internet.  The data on that server involved the personal information of 2,500 sweepstakes contestants according to Reuters, which first reported the news.  The data did not include credit card numbers, Social Security numbers or passwords.  Enough intelligence is present to launch a significant spam and fraud campaign using email, snail-mail and phone calls, though.

Sony has announced that as a result of these recent breaches, it plans to deploy software monitoring and configuration management tools, increase encryption, improve intrusion detection capabilities, and add new firewalls.  In addition, the company plans to hire its first-ever chief information security officer.

I hope that position resides in the GTA of Ontario, Canada.  I happen to know a guy…