Posted by Chris Eng in RESEARCH, March 23, 2007
There has been a lot of buzz recently about the possibility of Xbox Live being hacked. People are taking over accounts, locking out the original owners, and racking up charges. Message boards were in a panic, speculating about what the gaping security hole was and how it was exploited. As it turns out, the whole thing boils down to a social engineering attack (or pretexting, for those who like to invent new words). The attackers simply call up Xbox Live support and convince the customer service rep to reset the account. Not particularly …
Posted by Chris Wysopal in RESEARCH, March 21, 2007
You see, Oliver…
[sung] In this life, one thing counts
In the bank, large amounts
I’m afraid these don’t grow on trees,
You’ve got to pick-a-pocket or two.
You’ve Got To Pick-a-Pocket or Two lyrics, from Oliver!
Does this ABC News story on criminals looting 401(k) and online trading accounts of tens of millions of dollars surprise anyone in the security field? Well, of course it shouldn’t. We have known about the potential for this type of criminal activity for over 8 years.
We are performing computing that requires high assurance, such as managing an online trading account, on a low …
Posted by Chris Eng in RESEARCH, March 13, 2007
Jeremiah recently posted about the Microsoft Security Response Center inviting security researchers to disclose vulnerabilities discovered in a Microsoft “online web property,” which is to say, anything in the microsoft.com domain (or msn.com, live.com, etc.). Immediately, people started trying to profit from the idea, suggesting that Microsoft agree in advance to a “reward system” whereby they would pay cash for vulnerabilities. While this would be inexpensive for Microsoft, relative to their security budget, it would completely contradict the notion of responsible disclosure. If Microsoft chose to reward someone for reporting a vulnerability that they considered significant, …