(It's also really interesting to see what some games do when they fail to get folder access they just assume they'll always have. The whack-a-mole to enable games to run under Controlled Folder Access becomes its own very not fun minigame before you can actually start the real game. Games are developed by children and it is amazing the number of entry point binaries a single game might have to run, how often even "offline only" games still want to run binaries they copy or bury in random places in %LocalAppData% or worse %Temp%.

This has been an amazing bundle of joy~ and has basically stopped me from playing Steam games. (I believe that file no longer exists in recent Steam clients, at least.) For that reason, I've turned on Windows Controlled Folder Access (aka Windows Ransomware Protection) on all of my Steam folders. There's evidence that password hashes used to be leaked from a file in the Steam client's folder. I've removed all credit card data that I can and haven't bought or paid for anything directly in the Steam client in years. I've removed all devices except my primary gaming desktop and mobile device.

I disabled all OAuth applications on my account, no longer sign in under any web browser, and have refused to allow new applications. I only ever sign in to Steam now inside the Steam client and Steam Mobile app. (These leaks and that fall back would have me believe it's one of the Password Recovery or 2FA Recovery endpoints.) Though I've not attempted to run such gists/"utility libraries" myself to verify (I'm too lawful neutral/not a black hat whatsoever), at a surface level it seems like more than enough evidence to suggest botnets would use such things if enough people were posting "helpful password recovery tools" on GitHub that password spray accounts you tell it to.
Simple GitHub searches seem to indicate that there are known password spray capable Steam endpoints that currently still leak password correctness/verification data regardless of 2FA enabled (and also leak whether or not 2FA is enabled on the account) and always fall back to email-based 2FA. Given that not-varying the password length had a noticeable impact on time, the warnings from my email providers, and other increasingly paranoid measures I've taken, I have no reason to suspect that this is anything but a very distributed password spray attack. I believe that the password spray capabilities of today's botnets on any endpoint that returns results as fast as network messages travel should not be underestimated in a distributed enough attack. Many of the common ones you see today are based on the added assumption that they aren't spraying directly at a password endpoint but are instead predicated on breaking the hashes and the extra (increasingly minimal in the age of Bitcoin) cycles needed to hash/salt/pepper the passwords and/or building rainbow tables.

Most of those old password-length "time to crack" estimates are based on a single machine.

Games obtained with codes from outside sources or purchased through other portals (i.e., Humble Bundles, Kickstarter, etc.) do not contribute to the cash amounts shown. You'll only see figures in this system if you made purchases directly through Steam using credit or debit cards or with funds from your Steam Wallet. You'll need a Steam account with at least a few games purchased with what Steam refers to as "external funds" in order to see totals on this page.

The ChinaSpend figure refers to all money connected to Steam China. If your account was ever linked to the "Perfect World" system attached to "Counter-Strike: Global Offensive" or "Dota2," you'll see an amount registered to PWSpend.
The TotalSpend figure shows the total amount of external funds linked to your account, while OldSpend shows money spent before Friday, April 17, 2015. Scroll down and click on External Funds Used. Both pages show the same information, including TotalSpend, OldSpend, PWSpend, and ChinaSpend. Click on Data Related to your Steam Account. Move your cursor to the upper left corner and click on Help.