Could be new. Could be a 'left over' from the original attacks. Looks more like a third-party weakness, but it's going to be hard to be sure with such minimal reporting.
Sony attacked again – 93,000 usernames and passwords compromised
October 12, 2011 by admin
Associated Press reports:
Sony said Wednesday intruders staged a massive attempt to access user accounts on its PlayStation Network and other online entertainment services in the second major attack on its flagship gaming site this year. The Tokyo-based company temporarily locked about 93,000 accounts whose IDs and passwords were successfully ascertained by the blitz.
[Unencrypted? Bob] Sony sent email notifications and password reset procedures to affected customers on the PlayStation Network, Sony Entertainment Network and Sony Online Entertainment services.
Read more on CTV.ca.
It’s bad enough that their earlier breach embarrassed them on data security. But after claims of improved security, this incident has the potential to embarrass them again, even though this time, it appears that there might have been a brute force attack using usernames and passwords obtained from some other database(s).
Having also been criticized for its slow response in disclosing and warning people, Sony was quicker this time. The attacks appear to have occurred between October 7 and 10, and the firm posted a notice on its site October 11, although it had not yet sent out e-mails to those affected at the time of its blog post. Users generally responded appreciatively to the quick disclosure, as evident in the comments in response to the blog post.
In related coverage, John Leyden reports:
Sony has warned users against a massive brute-force attack against PlayStation and Sony network accounts.
The attack – which used password and user ID combinations from an unidentified third-party source – succeeded in compromising 60,000 PlayStation Network and 33,000 Sony Online Entertainment network accounts. These accounts have been locked and passwords reset.
Credit card information is not stored on the dashboard of Sony accounts but it might have been possible that unauthorised charges were made against the wallets held on compromised accounts. Sony has promised to refund any such losses, as explained in a statement by Philip Reitinger, senior vice president and chief information security officer at Sony Group, on the PlayStation blog here.
Read more on The Register.
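The two patterns the reports distinguish, replay of credentials lifted from some other database versus brute force against individual accounts, leave different fingerprints in an authentication log. The following is an added example, not Sony's tooling or anything from the reports: it labels each source by how many distinct accounts it touches per attempt and lists the accounts that should be locked and reset. The log format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample auth log (not Sony data); fields: timestamp ip user result
SAMPLE_LOG = """\
2011-10-07T02:00:01 203.0.113.5 alice FAIL
2011-10-07T02:00:02 203.0.113.5 bob SUCCESS
2011-10-07T02:00:03 203.0.113.5 carol FAIL
2011-10-07T02:00:04 203.0.113.5 dave FAIL
2011-10-07T02:00:05 203.0.113.5 erin SUCCESS
2011-10-07T02:00:06 203.0.113.5 frank FAIL
2011-10-07T03:10:00 198.51.100.9 mallory FAIL
2011-10-07T03:10:01 198.51.100.9 mallory FAIL
2011-10-07T03:10:02 198.51.100.9 mallory FAIL
2011-10-07T03:10:03 198.51.100.9 mallory FAIL
2011-10-07T03:10:04 198.51.100.9 mallory FAIL
2011-10-07T03:10:05 198.51.100.9 mallory SUCCESS
2011-10-07T09:00:00 192.0.2.77 alice SUCCESS
"""

def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((parts[0], parts[1], parts[2], parts[3] == "SUCCESS"))
    return events

def classify_sources(events, min_attempts=6, stuffing_ratio=0.8):
    """Credential stuffing replays a leaked list, so a source touches many
    distinct accounts about once each (distinct/attempts near 1); brute force
    hammers one account (ratio near 0). Quiet sources are left 'normal'."""
    attempts, users = defaultdict(int), defaultdict(set)
    for _, ip, user, _ in events:
        attempts[ip] += 1
        users[ip].add(user)
    labels = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            labels[ip] = "normal"
        elif len(users[ip]) / n >= stuffing_ratio:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "brute_force"
    return labels

def accounts_to_lock(events, labels):
    """Accounts that logged in successfully from an attacking source: the
    attacker has confirmed those credentials, so lock them and force a reset."""
    return sorted({user for _, ip, user, ok in events
                   if ok and labels.get(ip) != "normal"})
```

Note that alice is not locked: her only successful login came from a quiet source, and the stuffing source's attempt on her account failed.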
It could be very useful to have the “key” to systems protected by RSA's SecurID tool. It is much less valuable to be so clumsy in your hack that your target is immediately aware of your success and changes the algorithm.
RSA Blames Breach on Two Hacker Clans Working for Unnamed Government
Two separate hacker groups whose activities are already known to authorities were behind the serious breach of RSA Security earlier this year and were likely working at the behest of a government, according to new statements from the company’s president.
RSA President Tom Heiser, speaking at the RSA conference in London this week, said that the two unidentified hacker groups had not previously been known to work together and that they possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, according to IDG news service.
Heiser said that due to the sophistication of the breach, “we can only conclude it was a nation-state-sponsored attack.”
… The company was forced to replace SecurID customer tokens after the breach.
Somehow I doubt this. The military normally does not ignore procedure and there would definitely be a reporting procedure.
Get Hacked, Don’t Tell: Drone Base Didn’t Report Virus
Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
… Nevertheless, the virus has sparked a bit of a firestorm in military circles. Not only were officials in charge kept out of the loop about an infection in America’s weapon and surveillance system of choice, but the surprise surrounding that infection highlights a flaw in the way the U.S. military secures its information infrastructure:
Very interesting, but I'll have to study the study to see how useful it might be...
Tracking the Trackers: Where Everybody Knows Your Username
October 12, 2011 by Dissent
Jonathan Mayer writes:
Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn’t a 1984-esque scaremongering hypothetical. This is what’s happening today.
Stanford conducted an important web leakage study to assess its pervasiveness, summarized in the blog post. Of note, Jonathan notes the implications:
From a legal perspective, identifying information leakage is a debacle. Many first-party websites make what would appear to be incorrect, or at minimum misleading, representations about not sharing PII.
Read more about the study’s methodology and results on CIS.
Jim Puzzanghera and Jessica Guynn of the Los Angeles Times, and Grant Gross of IDG, provide some of the extensive media coverage of the study with reactions from others.
Never, ever challenge hackers.
IT Olympics: Cyberattacks to test cybersecurity of London Olympic Games
The London 2012 Olympic Games open in nine months, but geeks and security freaks are preparing to go for the gold now in simulated cyberattacks against the technology systems running the Olympics. During the 2008 Beijing Olympics, there were reportedly 12 million cyberattacks per day, so it's a mighty big claim for officials to say the London 2012 Olympics will be "safe from cyberattacks" and from cybercriminals disrupting the games. Gerry Pennell, the CIO over cybersecurity for the London Olympics, confidently told the Wall Street Journal that "even if police shut down the mobile network in response to a major attack, the games would still be able to carry on." [Perhaps they haven't seen the “Build your own mobile network” tools the Berkman Center recommends? Bob]
What am I missing here? “Texting while driving is dangerous and possibly illegal so let's build it into our cars!”
Cadillac revamps the instrument panel with CUE
Cadillac has introduced a new central instrument panel that features touch-screen technology popularized by smartphones and tablets. The fully capacitive faceplate has an 8-inch touch screen that utilizes multitouch gestures to interact with it.
Key finding: Executive management does not know what is going on...
Data Mining: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism, GAO-11-742, Sep 7, 2011