Shostack + Friends Blog Archive


White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks.

Dear White Wolf Users,

Like many other well-known companies of the last few years, White Wolf was the target of an attack by international hackers this weekend. These hackers are now attempting to extort money from us with the threat of posting user data to the internet. We have no intention of paying this money, and are in contact with the FBI in an attempt to bring these criminals to justice.

We are choosing to make this public so that our users and fans can take any precautions needed to protect themselves. We are recommending that if you have used your White Wolf user password as the password for any other services you use on the internet, you change them immediately.

The first trend I’d like to talk about is disclosure. Since February, there has been a dramatic shift in the willingness of companies to admit to security faults. This is very important, because without data, we can’t even begin to measure our defensive activities. (And it shows.) White Wolf isn’t even dealing with credit cards or social security numbers here; a breach of account passwords alone would have been unlikely to be talked about publicly even a year ago.

The second trend is that the attackers are extorting money, and lots of it. Ten years ago, hackers were called criminals, and there was lots of sound and fury. The truth was the people onstage at Defcon might have been punks and vandals, but they were in it for fun, not money. When Erik Bloodaxe said “I only hack for money,” it was made into a t-shirt, and Erik wasn’t happy about it. Today, there are entire criminal organizations that really only hack for money.

The ways they work are pretty simple: they steal, they blackmail, and they commit fraud (often by impersonation). These are not new crimes. They are new methods of committing very old crimes, and the internet makes them scalable.

There are three main components to the cost of these attacks: the direct costs of response (security consultants, code changes, etc.), the lost revenue from being offline, and the brand damage of having the site exposed. That last one is very hard to calculate.

(Thanks to Les for the pointer.)