For my Ethical Hackers. This is why I (like Sergeant Schultz) want to “know nothing!”
Sony considers offering reward to help catch hackers
Still coping with the aftereffects of a pair of attacks that has compromised as many as 100 million accounts and which caused two online gaming services to be taken offline, Japanese electronics giant Sony is considering offering a reward for information leading to the arrest and prosecution of the attackers, people familiar with the matter say.
The company hasn't reached a final decision concerning whether it will offer a reward, and may decide not to do it at all, but the option is on the table, sources told me today.
… Word of a possible reward offering comes as the Financial Times reported that two members of the hacking group Anonymous have informed the FBI that members of the loosely associated group of activist hackers carried out the attacks that compromised the system and prompted Sony to shut down two of its online gaming services.
… Meanwhile, Sony denied assertions by computer security expert Gene Spafford during a Congressional hearing Thursday that it had been running outdated versions of Web server software and had not been using a firewall on its servers. In a statement from Patrick Seybold, Sony's senior director, Corporate Communications and Social Media, that's expected to be published on Sony's PlayStation blog, the company said it was using updated software and had "multiple security measures in place."
… Separately, Sony President Kaz Hirai sent a letter to Connecticut senator Richard Blumenthal containing a detailed timeline of the attack and Sony's response to it. The letter contains previously undisclosed details about the attack and the hardware Sony uses to run its gaming services.
… Sony's letter to Sen. Blumenthal is here.
[From the letter:
The basic sequence of events is as follows:
On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network.
… On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis.
… On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation.
… Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network.
… on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.
… Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.
Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected.
… In your letter you suggest that sending 500,000 emails an hour is not expeditious; however this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts.
… Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken.
… You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was that SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines – which earlier showed no evidence of theft – using information developed by our forensic experts working in collaboration with our technical teams.
… In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take – most of which were in progress before this theft occurred – to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:
additional automated software monitoring and configuration management to help defend against new attacks;
enhanced levels of data protection and encryption;
enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;
implementation of additional firewalls;
expediting a planned move of the system to a new data center in a different location with enhanced security; and
appointment of a new Chief Information Security Officer.
It's for your protection!
Domestic Intelligence Surveillance Grew in 2010
May 6, 2011 by Dissent
Steven Aftergood writes:
By every available measure, the level of domestic intelligence surveillance activity in 2010 increased from the year before, according to a new Justice Department report to Congress on the Foreign Intelligence Surveillance Act.
“During calendar year 2010, the Government made 1,579 applications to the Foreign Intelligence Surveillance Court (hereinafter ‘FISC’) for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes,” according to the new report (pdf). This compares to a reported 1,376 applications in 2009. (In 2008, however, the reported figure — 2,082 — was quite a bit higher.)
Read more on FAS.
[From the report:
Of these 1,511 applications, five were withdrawn by the Government. The FISC did not deny any applications in whole, or in part.
… In 2010, the FBI made 24,287 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 14,212 different United States persons.
This could be a handy way to call up all the pages I need to show my students at the start of each class!
Friday, May 6, 2011
Scrible - Highlight, Annotate, and Bookmark Webpages
Scrible is a new service offering a nice set of tools for highlighting, annotating, and bookmarking webpages. Scrible offers browser bookmarklets for Firefox, Chrome, Safari, and Internet Explorer. With the Scrible bookmarklet installed, anytime you're on a page just click the bookmarklet to launch a menu of bookmarking tools. The Scrible tool set includes highlighters, sticky notes, and font change tools. When you annotate and bookmark a page in Scrible it is saved as it appeared to you when you were done altering it. And as you would expect from a web-based bookmarking tool, you can share your bookmarked pages with others.