Xbox, PS3 and the threat to workplace security

Videogame consoles are a new addition to many workplace recreation rooms, but do you know what potential dangers are waiting to pounce on both your network and your employees?


In a recent survey, we found that 49% of users who took part have a console in the workplace, 44% have a net connected console and only 28% monitor console use in the workplace. One third of the users we spoke to have more than one console in use in the workplace, further increasing the risk of exposure.

There is a well established underground movement where nothing but the latest hacks, software modifications and malicious attacks are created – all designed to take advantage of gamers, and if you’re not careful your business could be caught in the crossfire.

Get connected?

Distributed Denial of Service (DDoS) attacks used to be a worry only for PC gamers; however, custom-built programs specifically designed to target players on consoles are growing in popularity. Anyone can use one of the many paid-for DDoS services and have a hacking group customise and set up a Botnet to DDoS a target gamer out of the action. Prices range from $5 for a single Bot (usually a compromised PC) up to $20 plus $2 per additional Bot in return for a full Botnet setup – sellers will even log in remotely and configure your home PC/router to allow you to manage the Botnet yourself!

User account anonymity

If you have a dedicated user account on a console in the workplace, call it something anonymous – don’t name it after your company or you’re opening up employees that use it to social engineering attacks, both in-game and via messaging. Once a hacker or aggrieved counter-gamer obtains the account username, they can fire up one of the custom-built spamtools on their home PC that will flood the console desktop with endless messages – eventually crashing the machine.

On the Xbox Live network, users can send messages to one another. Messages containing phishing links from attackers claiming to be, for example, “Xbox Support” are common – if an employee tasked with looking after the user account falls for this, they could well open up other areas of the business to attack, especially if they use a password common across the network (or perhaps their work email account). Keep the personal information attached to the account to a minimum, and ensure the password used is unique.

Our survey revealed that awareness of the threats facing networked consoles was high, with 64% of respondents acknowledging that users and their consoles faced these and other threats.

Also be aware that many gaming sessions are recorded and put onto sites such as YouTube – do you want to see (and hear) a user account called “Your Company Inc” running around swearing and yelling at other gamers when the session isn’t going as planned? As 80% of our surveyed users said they do not keep documented records of who uses the workplace console, you will struggle to work out who was involved, when and how a breach took place.

Web browser worries

If your office console of choice is a PlayStation 3, be aware that it has a functional web browser. As a result, strange side-effects can occur when landing on rogue websites.

While the executables won’t download onto a PlayStation console (or indeed cause any damage even if they could), the user will still be presented with an alarming warning message. In May 2009, numerous videogame websites were serving Rogue Antispyware adverts and gamers panicked when confronted with dire warnings of “system infection” even though they were using a videogame console.

These websites tend to have a habit of freezing the browser on the PlayStation 3, requiring a reboot to recover the console. Would a regular employee who sees a message like that contact the IT department, who would also be baffled by warnings of “console infection”? That could lead to costly (and unnecessary) remedial work.

If you are going to let people play games at work, make sure you protect your organisation by protecting your staff from themselves.

Chris Boyd is a researcher at Sunbelt Software