Xbox 360 vulnerability? No, just weak passwords!

If your Xbox Live account has been hacked, chances are it's because you used a weak password. According to this post, xbox.com reveals when an attacker has guessed a legitimate email address: a registered address with a wrong password produces the following error, which differs from the message shown for an unknown address:

The email address is or password is incorrect. Please try again.

After 8 attempts with a wrong password a CAPTCHA is shown, but that can be easily circumvented.

Now, showing that error message makes the job of hacking accounts easier, but even if it wasn't there you can be sure the login page would be (and is being) hammered by dumb bots that stuff it with random email and password combinations. My blog gets hit by so many bots exploiting vulnerabilities in software that doesn't even run here that nothing about the intelligence of script kiddies surprises me any more.

It would be super if Microsoft used something like Steam Guard or, at the very least, put time limits on successive password checks, but in the meantime what can you do?
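To make the two problems above concrete, here is an added example (my own code, not anything from xbox.com or Microsoft) of a login check in its leaky form beside a hardened one. The leaky version returns a different message for an unknown email than for a wrong password, which is exactly the oracle the post describes. The hardened version returns one generic message either way, spends the same hashing cost whether or not the email exists (so response time is not an oracle either), and enforces an exponential delay on repeated failures for the same email, applied identically to unknown addresses so the lockout itself does not leak anything. The user table, the attempt limit and the delays are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed user store (assumption: not any real service's data).
# Passwords are kept as salted PBKDF2 hashes; the pass phrase is one from the post.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("talking heads is a great band", _SALT))}
_DUMMY_SALT = os.urandom(16)   # used to burn equal hashing time for unknown emails

GENERIC = "The email address or password is incorrect. Please try again."
LOCKED = "Too many attempts. Please try again later."
FREE_ATTEMPTS = 5   # assumption: failures allowed before delays start
BASE_DELAY = 2.0    # seconds; doubles with every further failure


def login_naive(email, password):
    """Leaky version: the two failure messages differ, so an attacker who gets
    the second one knows the email belongs to a real account."""
    rec = USERS.get(email)
    if rec is None:
        return "No account exists for that email address."
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "The password is incorrect. Please try again."


_failures = {}  # email -> (failed count, earliest time the next attempt is allowed)


def reset_failures():
    _failures.clear()


def login_hardened(email, password, now=None):
    """Hardened version: one generic failure message, equal hashing cost for
    unknown and known emails, and an exponential delay between attempts on the
    same email after FREE_ATTEMPTS failures. `now` is injectable for testing."""
    now = time.time() if now is None else now
    count, not_before = _failures.get(email, (0, 0.0))
    if now < not_before:
        return LOCKED                      # same answer for real and fake emails
    rec = USERS.get(email)
    if rec is None:
        _hash(password, _DUMMY_SALT)       # keep timing alike for unknown emails
        ok = False
    else:
        salt, stored = rec
        ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok:
        _failures.pop(email, None)
        return "OK"
    count += 1
    extra = count - FREE_ATTEMPTS
    delay = 0.0 if extra < 0 else BASE_DELAY * (2 ** extra)
    _failures[email] = (count, now + delay)
    return GENERIC


def leaks_existence(login):
    """True if the reply to a wrong password distinguishes an unknown email
    from a registered one, i.e. the login can be used to enumerate accounts."""
    return login("nobody@example.com", "wrong") != login("alice@example.com", "wrong")
```

A per-email delay slows down guessing many passwords for one account, which is the attack the post is about; it does nothing against a bot trying one password across thousands of random emails, so a real deployment would combine it with per-source rate limits and the kind of second factor the post wishes Microsoft offered.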

  • Use LastPass or another password service and pick a strong password. Use a pass phrase: "talking heads is a great band", "i wish i had super powers", "use your own imagination". They're all a lot better than "abcdefg1" and a lot easier to remember! Connect a keyboard to your Xbox to type a long phrase in, or you'll be discouraged.
  • Limit the damage. Don't add your credit card to Xbox Live. Sometimes you can buy an Xbox Live Gold subscription at half the price Microsoft charges. Buy points cards if you want to buy stuff. Until recently it was hard to stop XBL auto-renewing if you used a credit card.
  • Go live in a hole in the hills and play marbles with the mice.

My XBL Gold subscription ran out a few days ago so I’m back to being a silver member. Not too fussed as almost everyone I play online with has a PS3 or PC too. I’m left wondering why I need an Xbox 360 any more! I will make doubly sure that I have a strong password on the account.

Thanks Gavin for linking to that article, even if we do disagree about what a security hole is. 🙂

WordPress Exploit Scanner 0.1

My previous post about hacked WordPress sites caused Donnacha to ask,

After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked…

At the time I wasn't too optimistic about it, but after thinking about the idea for a few days I came up with the WordPress Exploit Scanner, which does most of what Donnacha wanted.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table and the posts table. It also lets the blog owner search for whatever string they like, which comes in handy when new exploit code turns up in a hack.

You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again.

Download the plugin from here: WordPress Exploit Scanner

Thanks to those who tested the plugin, especially Cathal Garvey who provided some great feedback!