Thursday, May 05, 2011

Sony's letter to Congress:


Sony blames Anonymous for PlayStation hack but confirms it has not identified those responsible

In a letter to the US Congress, Kazuo Hirai, Sony Computer Entertainment chairman of the board of directors, claimed that Sony had been investigating the intrusion around the clock and what had become ‘more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes'.

He went on to say that when data being stolen was discovered, a file was also found on the server that was named ‘Anonymous' with the words ‘we are Legion'.

… Sony went on to confirm that unauthorised activity was detected on the afternoon of Tuesday 19th April, with a discovery that data had been transferred off the servers without authorisation the next day, causing the shutdown of the network. [So they “discovered” a problem but were unable to stop the theft of data? Bob] The FBI was notified on 22nd April and details were given to law enforcement on Wednesday 27th April.

… Robin Adams, director of security, fraud and risk management at The Logic Group, said: “I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance? The PCI DSS control 3.1 states that cardholder data must be kept to a minimum and that a data retention and deletion policy must be implemented, which involves a process for the secure deletion of cardholder data when it is no longer required. I would suggest outdated credit card databases fall fairly under this category.

“Not only that but the PCI DSS Prioritised Approach categorises the 220 plus controls into six risk levels and control 3.1 is one of only eight controls considered severe enough to be put in at risk level 1. In these litigious days one can only assume that the Sony lawyers and Marcom staff who proofread this statement had been missing during the security awareness training.”


Report: New York State Subpoenas Sony Over Breach

(Related) ...an interesting idea. Behavioral advertisers do it, why not criminals?

Data breaches show cyber criminals switching tactics, says SecurEnvoy

The massive data breaches at Sony and the US organisers of the X-Factor reality television show indicate cyber criminals may be changing tactics, says security firm SecurEnvoy.

The hack of the Fox television network's database of competition entrants is the latest in a string of attacks on corporate servers to extract personal data, suggesting cybercriminals are now building information profiles on people, rather than developing frauds around available credentials, says Andy Kemshall, technical director of SecurEnvoy.

Attacks on Sony's PlayStation Network and Online Entertainment services and the Epsilon systems are the most high-profile reports of corporate servers being hacked, he says, but there have been many more less-reported intrusions, suggesting cybercriminals are now actively compiling data on large numbers of people for longer-term fraud.

… Andy Kemshall says it is easy to see a pattern emerging in these attacks. "Previously, frauds were card-centric and built around opportunistic database hacks, but the sheer volume of the system hacks in recent months suggests a longer-term strategy."

Security researchers are already reporting that names and unique identifiers such as social security/national insurance and address details, are being bought and sold on underground forums, along with dates-of-birth, e-mail addresses and other personal data.

"Our observations suggest this data is being compiled into one or more databases, meaning low-level frauds can be carried out on a steady basis, bursting into periods of high activity when the people's debit or credit card details become available," said Kemshall.


May 04, 2011

Hearing on The Threat of Data Theft to American Consumers

Via CDT - The Threat of Data Theft to American Consumers: "While two high-profile data breaches (Sony's PlayStation and Epsilon) have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005. According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – has risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."

With so many passwords to remember, lots of us store our passwords online. That makes these systems a BIG target... Note that they are following at least a few Best Practices...

LastPass Security Notification

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. [Yes! Bob] Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

… For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.
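The detection LastPass describes above is volumetric: a host moved more bytes in one direction than its own history can explain, and a second host showed the mirror-image anomaly in the same window. The following is an added example of that check, written for this page and not LastPass's code. The flow summaries are constructed, and the host names, window labels, thresholds and the "same window, opposite direction" pairing rule are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-window flow summaries: (window, host, bytes_out, bytes_in).
# db1 normally sends ~10 KB and receives ~2 KB per window; web1 is a busier
# front end. In window t07 tens of megabytes leave db1 and arrive at web1,
# the pattern of one machine pulling a table off another.
FLOWS = [
    ("t00", "db1", 10_400, 2_100),
    ("t01", "db1", 9_800, 1_900),
    ("t02", "db1", 10_900, 2_300),
    ("t03", "db1", 10_100, 2_000),
    ("t04", "db1", 9_600, 1_800),
    ("t05", "db1", 10_700, 2_200),
    ("t06", "db1", 10_200, 2_050),
    ("t07", "db1", 48_300_000, 2_400),      # anomalous egress from the database
    ("t00", "web1", 80_000, 30_000),
    ("t01", "web1", 95_000, 32_000),
    ("t02", "web1", 70_000, 28_000),
    ("t03", "web1", 88_000, 31_000),
    ("t04", "web1", 102_000, 35_000),
    ("t05", "web1", 76_000, 29_000),
    ("t06", "web1", 91_000, 33_000),
    ("t07", "web1", 84_000, 47_900_000),    # matching anomalous ingress on web1
]

MIN_HISTORY = 5     # prior windows needed before a host is scored (assumed)
Z_THRESHOLD = 4.0   # standard deviations above the host's own mean (assumed)


def score_flows(flows, min_history=MIN_HISTORY, z_threshold=Z_THRESHOLD):
    """Score each host's bytes_out and bytes_in against that host's own earlier
    windows. Flagged windows are kept out of the baseline so a large transfer
    cannot mask the ones that follow it.
    Returns [(window, host, direction, byte_count, z)]."""
    history = defaultdict(list)   # (host, direction) -> baseline byte counts
    alerts = []
    for window, host, bytes_out, bytes_in in sorted(flows):
        for direction, count in (("out", bytes_out), ("in", bytes_in)):
            past = history[(host, direction)]
            flagged = False
            if len(past) >= min_history:
                mu = mean(past)
                sigma = max(pstdev(past), 1.0)   # flat baseline: avoid divide-by-zero
                z = (count - mu) / sigma
                if z > z_threshold:
                    alerts.append((window, host, direction, count, round(z, 1)))
                    flagged = True
            if not flagged:
                past.append(count)
    return alerts


def matching_pairs(alerts):
    """Pair an egress spike on one host with an ingress spike on a different
    host in the same window. Returns [(window, sender, receiver)]."""
    by_window = defaultdict(list)
    for alert in alerts:
        by_window[alert[0]].append(alert)
    pairs = []
    for window, group in sorted(by_window.items()):
        senders = [a[1] for a in group if a[2] == "out"]
        receivers = [a[1] for a in group if a[2] == "in"]
        for sender in senders:
            for receiver in receivers:
                if sender != receiver:
                    pairs.append((window, sender, receiver))
    return pairs


if __name__ == "__main__":
    found = score_flows(FLOWS)
    for window, host, direction, count, z in found:
        print(f"{window} {host} {direction}: {count:,} bytes (z={z})")
    for window, sender, receiver in matching_pairs(found):
        print(f"{window}: {sender} -> {receiver} looks like a bulk pull")
```

Two design points matter in practice. Each host is compared only with its own history, because a database's normal egress is nothing like a web front end's, so a global threshold would either miss the database or drown in web-server alerts. And a flagged window is excluded from the baseline; otherwise one large exfiltration raises the mean and standard deviation enough that a second pull of the same size scores as normal. The pairing step is what turns two unexplained numbers into a hypothesis worth rebuilding servers over: a sender and a receiver in the same window, as in the notification above.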
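The forced master-password change follows directly from what may have left the database: e-mail addresses, the server salt and the salted hashes. Salting stops precomputed tables, but once an attacker holds both salt and hash there is no rate limit, and every weak master password is one dictionary pass away. The example below is added for this page and is not LastPass's code or its actual construction; the scheme (server-wide salt plus e-mail as salt, PBKDF2-HMAC-SHA256), the iteration count, the accounts, the salt value and the wordlist are all constructed for illustration.

```python
import hashlib
import hmac

# Assumed scheme for illustration only: server-wide salt concatenated with the
# account e-mail, fed to PBKDF2-HMAC-SHA256. The iteration count is kept low
# so the demo runs quickly; a production verifier would use far more rounds
# or a memory-hard KDF, and that multiplier is the only thing raising the
# attacker's cost once salt and hash are both in their hands.
ITERATIONS = 50_000

# Constructed server salt. On a real server it would be random and kept
# secret; in this scenario it has leaked together with the hash table.
SERVER_SALT = bytes.fromhex("3f9a1c7e5b2d4a6880f1e2d3c4b5a697")


def hash_password(password: str, email: str, server_salt: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Server-side verifier for a master password. Mixing the e-mail into the
    salt keeps two users with the same password from sharing a hash, but it
    does nothing to slow a guess once the salt is known."""
    salt = server_salt + email.lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, email: str, server_salt: bytes, stored_hash: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hash_password(password, email, server_salt, iterations)
    return hmac.compare_digest(candidate, stored_hash)


def offline_guess(leaked_records, server_salt, wordlist, iterations=ITERATIONS):
    """What an attacker does with the dump: recompute the hash for each
    candidate and compare. No lockout applies, so the cost is simply
    iterations x candidates x accounts. Returns (cracked accounts,
    number of hash computations spent)."""
    cracked = {}
    computations = 0
    for email, stored in leaked_records:
        for candidate in wordlist:
            computations += 1
            guess = hash_password(candidate, email, server_salt, iterations)
            if hmac.compare_digest(guess, stored):
                cracked[email] = candidate
                break
    return cracked, computations


# Constructed accounts: two weak master passwords and one long passphrase.
ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "tundra-quartz-lantern-42-maple",
    "carol@example.com": "letmein",
}
# What the attacker is assumed to hold: (email, salted hash) for every user.
LEAKED_TABLE = [(email, hash_password(pw, email, SERVER_SALT))
                for email, pw in ACCOUNTS.items()]

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "iloveyou"]


def demo():
    """Run the offline attack against the constructed dump."""
    return offline_guess(LEAKED_TABLE, SERVER_SALT, WORDLIST)


if __name__ == "__main__":
    cracked, n = demo()
    for email, pw in cracked.items():
        print(f"{email}: master password recovered as {pw!r}")
    uncracked = set(ACCOUNTS) - set(cracked)
    print(f"not in wordlist: {sorted(uncracked)}")
    print(f"{n} PBKDF2 computations = {n * ITERATIONS:,} HMAC-SHA256 iterations")
```

The two weak accounts fall in thirteen hash computations; the passphrase survives only because it is not in the list, not because of anything the server did. That is why a leak of salt plus hashes is treated as a leak of the weak passwords themselves and the right response is a forced change, and why the per-guess work factor, not the salt, is the knob that buys users time.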

A warning of things to come? An opportunity for my Computer Security students? Clearly a victory of Marketing over Customer Service – “We'll sell it to you, but you're too ignorant to use it?”

Vendors Say Data Protection Software Too Complicated To Use

"With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."

For my Geeks. (Sony won't like this hack either.)

Gitbrew Releases OtherOS++ PS3 Linux Dual Boot

"Gitbrew has proudly released otherOS++ Linux Dual Boot v1.0b1, enabling PS3 users to install an alternative OS to their console with full access to all system hardware, including all 8 CELL cores (making the PS3 the world's most affordable supercomputer). For more information check out the installation instructions and source code."

So, who made this call – the FBI or DOJ?

FBI Chastised by Court for Lying About Existence of Surveillance Records

May 4, 2011 by Dissent

Jennifer Lynch writes:

An order last week from the U.S. District Court for the Central District of California has revealed the FBI lied to the court about the existence of records requested under the Freedom of Information Act (FOIA), taking the position that FOIA allows it to withhold information from the court whenever it thinks this is in the interest of national security. Using the strongest possible language, the court disagreed: “The Government cannot, under any circumstance, affirmatively mislead the Court.” Islamic Shura Council of S. Cal. v. FBI (“Shura Council I”), No. 07-1088, 3 (C.D. Cal. April 27, 2011) (emphasis added).

Read more on EFF.

Trying to get a sense of scale...

comScore: Facebook Now Serves One Third Of Online Ads In U.S.

… In the first quarter of 2011, comScore estimates that 1.1 trillion ads were served to U.S. Internet users, and 346 billion of those (or 31 percent) were on Facebook.

… Facebook has the volume, but it is also beginning to experiment with new forms of ads which are themselves more social. These ads look more like News items shared by friends than typical display ads. Until those start kicking in, however, Facebook can just keep putting display ads on its ever-growing share of pages people look at on the Internet.

A tool for deeper research? All the news that doesn't fit?

DocumentCloud: Direct Access To The Documents Behind The News

Want to know what’s really going on? Read the documents behind the news. Journalists strive to summarize complex documents, but sometimes it's nice to read source material in its entirety. Thanks to DocumentCloud, a web service partnered with various media organizations, now you can.

… DocumentCloud aims to give media organizations a place to submit the source documents behind their own news for the public to view. It’s a supplement to what you get from the newspaper or television, not an alternative to it.

… DocumentCloud is unique in that it allows media organizations to partner with it. Current partners are listed here, and include a lot of big names in North American journalism.
