Videos on YouTube About Hacking Online Games Are Actually Phishing Attacks

Recently, a member in an online game mentioned that his account was hacked. He said all his virtual items and virtual gold were lost. He was very angry because he found a video on YouTube describing how easy it is to hack accounts on that online game.

So I also watched that video and quickly recognized that this was a phishing attack using social engineering tricks. Moreover, after a quick research on Youtube I discovered several such videos for different games. They all share a common pattern and trick the users to send their password to a certain e-mail address.

Basically, all these videos promise something like "how to hack an account" or "how to get 1000 gold". They claim that they discovered a hidden function that usually would be used by the game masters of that online game. To activate the function, you would only need to send an e-mail with a certain structure to a particular e-mail address. Within those structures is always the account name and account password (that's the phishing indicator #1 - NEVER send passwords via e-mail somewhere!).

Moreover, all those videos name as e-mail address to send the request for the hidden function some address which is never under the domain of the corresponding company developing or running the online game. Mostly, these are semi-anonymous e-mail address @gmx.net or @gmail.com (phishing indicator #2 - similar, but not exactly correct internet addresses).

Here are some examples, just search on YouTube:
(Warning: Phishing attacks! Do not follow what they tell you!!)

  • Phishing video "How to Scam an account on WoW!!!"

  • Phishing video "WoW Account Hack [Easy]" (german)

  • Phishing video "Herr der Ringe Online Account Hack [Easy]" (german)

And there are even more. Some of them are online since two years and more! I can't believe this still works. But, like other Phishing in e-commerce and online banking, there are still a lot of people who are tricked by these attacks.

I think it would be a good idea and help users to describe these attacks on the web sites of the online game manufacturers and also on the welcome screen when you log in to your account in the game. There are still people who do not understand these attacks -- we need to tell them!


Trusted Privacy Domains -- Challenges for Trusted Computing in Privacy-Protecting Information Sharing

This is a paper I wrote together with Hans Löhr, Ahmad-Reza Sadeghi, and Claire Vishik. It was presented at ISPEC 2009 in Xi'an, China, two weeks ago. It is mainly a position paper about privacy challenges that could be solved with concepts based on trusted computing, especially so called Trusted Virtual Domains (TVD). Our main idea is to transform the TVD concept into an enforcement architecture for privacy policies. But in addition to discussing challenges and describing the idea, we also detail out some fundamental building blocks of TVD infrastructure, which has not been done before as to our knowledge. Namely, we describe the details of how to establish a member node of a TVD on a local platform, and how trusted computing functionality, such as provided by a TPM, is used in the protocols for TVD establishment.

From the abstract:
In this paper, we propose a conceptual framework for user-controlled formal privacy policies and examine elements of its design and implementation. In our vision, a Trusted Personal Information Wallet manages private data according to a user-defined privacy policies. We build on Trusted Virtual Domains (TVDs), leveraging trusted computing and virtualization to construct privacy domains for enforcing the user's policy. We present protocols for establishing these domains, and describe the implementation of the building blocks of our framework. Additionally, a simple privacy policy for trusted privacy domains functioning between different organizations and entities across networks is described as an example. Finally, we identify future research challenges in this area.

We propose to support the enforcement of privacy policies by establishing trusted domains. These policies enables individual users or organizations to specify fine-grained instructions for the use of private information. To enforce policies, we propose a "guardian agent" for the user: a Trusted Personal Information Wallet that is transferable between platforms and performs "verification" of the trustworthiness of a remote IT system, i.e., compliance to a specified policy. The verification helps guarantee the enforcement of the user's privacy policy when sensitive information is transmitted.


Does New Research on "Instant On" Computing Pose a Challenge on Trusted Computing?

Trusted Computing in general, and in particular the TCG model, relies on a trusted bootstrap mechanism, i.e., authenticated or secure boot. Based on this mechanism, all other functions are built, e.g., attestation and sealing. Attestation allows a local or remote party to verify the booted configuration of system components (e.g., BIOS, bootloader, operating system, etc.). Sealing enables to encrypt data in such a way that it can only be decrypted when the system has booted in the same constellation as at the time of encryption of the data.

Now, recent research in transistor technology paved the way for computer systems that would be "instant on", meaning, they would not need to boot, they would be available instantly on power-on. This research has added so-called ferroelectric capabilities to standard computer transistors. Materials with such capabilities can be found, e.g., in smart-cards.

But if we have computers that do not need to boot at startup, a trusted bootstrap mechanism will be meaningless. If a computer system is instantly on, maybe exactly in the same state as left at last usage (similar to suspend and resume functionality), we cannot verify the current state via attestation. What should be attested? The configuration the system was originally bootstrapped, possibly months ago? No, that would not help to make any judgement about the trustworthiness of a computer's state.

Fortunately, there are already some techniques available to handle such situations. For example, Intel's Trusted Execution Technology (TXT) includes a so-called Dynamic Root of Trust for Measurement (DRTM). This DRTM allows to "boot" small pieces of code or entire new operating systems during runtime, and takes the measurement of the loaded code to store it in a protected place of a TPM chip. With that mechanism one can reliably check the state of that loaded code. After execution of that code, the system returns to the original state before calling the DRTM.

However, it would not be of practical use to always start a new OS because that would introduce new time to wait for startup, which we just wanted to reduce with "instant on" systems. Instead, it would be better to just start small pieces of application code directly with that method, as was demonstrated by the Flicker project on newer AMD64 processors. One drawback of this method is, though, that the original system is "halted" while the specific application code is executed that was started via DRTM. Thus, in order to use, e.g., operating system services, the system has to "switch back" to the original state, and then restart the application via DRTM again, and so on. This introduces new costs of "context switches", which are much higher than normal process context switches.

To conclude, it is important to think about alternative ways of realizing attestation and sealing without relying on authenticated boot methods. I think runtime integrity monitoring seems to be the answer to that question. But, although there are some promising approaches, this is an unsolved problem yet.


Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels

This is a paper I wrote together with Hans Löhr and Ahmad-Reza Sadeghi (RUB), Christian Stüble (Sirrix), and Marion Weber (BSI). Two weeks ago I presented the paper at Trust 2009 conference in Oxford, UK.

Abstract of the paper:

This paper presents a Common Criteria protection profile for high assurance security kernels (HASK-PP) based on the results and experiences of several (international) projects on design and implementation of trustworthy platforms. Our HASK-PP was motivated by the fact that currently no protection profile is available that appropriately covers trusted computing features such as trusted boot, sealing, and trusted channels (secure channels with inherent attestation).
In particular, we show how trusted computing features are modeled in the HASK protection profile without depending on any concrete implementation for these features. Instead, this is left to the definition of the security targets of a an IT product which claims conformance to the HASK-PP. Our HASK protection profile was evaluated and certified at evaluation assurance level five (EAL5) by the German Federal Office for Information Security (BSI).

The HASK protection profile itself can be downloaded from the Sirrix homepage: http://www.sirrix.de/media/downloads/58389.pdf