You know your reputation is shot when Google starts translating “Sony” as “Joke”
Sony Europe hacked by Lebanese hacker… Again
June 4, 2011 by admin
Chester Wisniewski writes:
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
Read more on Naked Security.
LulzSec: Sony was asking for it - millions of records compromised (Update)
"The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. Yesterday afternoon a group of criminal hackers known as "LulzSec" claimed to have breached some of our websites.
"We have confirmed that a breach has occurred and have taken action to protect against further intrusion. [We've heard that before... Bob] We also retained a respected team of experts to conduct the forensic analysis of the attack, which is ongoing.
"In addition, we have contacted the U.S. Federal Bureau of Investigation and are working with them to assist in the identification and apprehension of those responsible for this crime. We deeply regret and apologize for any inconvenience caused to consumers by this cybercrime."
Hackers target Sony, Nintendo and FBI partner Web site
Hackers went on a rampage late today, targeting Sony Europe, Nintendo, and the FBI-affiliate InfraGard Atlanta in a series of intrusions and security compromises that appears to have exposed passwords of some Sony and federal government employees.
The moves follow reports of hacks hours earlier that involved Acer Europe, Iran, NATO and the United Arab Emirates.
Kind of an interesting question: In the pantheon of hackers – ranging from the script kiddies through organized crime to government sponsored cyber-warriors – has the threat level increased for everyone?
What impact will the Sony and Infragard hacks have?
June 4, 2011 by admin
Chester Wisniewski writes:
In a self-titled hack attack called “F**k FBI Friday” the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.
Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.
Read more on Naked Security.
In its press release yesterday, LulzSec posted to Pastebin:
LulzSec versus FBI (we challenge you, NATO!)
It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it, check it out if it’s still up: http://infragardatlanta.org/
While not very many logins (around 180), we’d like to take the time to point out that all of them are affiliated with the FBI in some way. Most of them reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too.
One of them, Karim Hijazi, used his Infragard password for his personal gmail, and the gmail of the company he owns. “Unveillance”, a whitehat company that specializes in data breaches and botnets, was compromised because of Karim’s incompetence. We stole all of his personal emails and his company emails. We also briefly took over, among other things, their servers and their botnet control panel.
After doing so, we contacted Karim and told him what we did. After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence. Karim, a member of an FBI-related website, was willing to give us money and inside info in order to destroy his opponents in the whitehat world. We even discussed plans for him to give us insider botnet information.
Naturally we were just stringing him along to further expose the corruption of whitehats. Please find enclosed Karim’s full contact details and a log of him talking to us through IRC. Also, enjoy 924 of his internal company emails – we have his personal gmail too, unreleased.
We call upon journalists and other writers to delve through the emails carefully, as we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya’s cyber infrastructure. You will find the emails of all 23 people involved in the emails.
Unveillance was also involved in a scheme where they paid an Indian registrar $2000 to receive 100 domains a month that may be deemed as botnet C&Cs. Shameful ploys by supposed “whitehats”.
We accept your threats, NATO. Game on, losers.
Now we are all sons of bitches,
Links to the chat log and Karim’s email followed the text above.
The recent hacks by LulzSec have generated mixed reactions. On the one hand, there are those who appear to be reveling in the hacks and the group’s apparently successful attempts to embarrass Sony. On the other hand, there are those who point out that people’s personal information is being exposed and that they have become victims/pawns in the campaign to embarrass others.
Undoubtedly the Secret Service will be all over these hacks. But where does Congress go from here? Will they look at the recent spate of attacks and take it as a wake-up call to impose serious security and data protection/retention requirements on businesses or entities that collect and store personally identifiable information? Or will they look at everything and say, “Well, woe, maybe we shouldn’t be too harsh because if it’s happening to even well-funded operations, what chance do small businesses have to provide adequate security?”
And what will consumers make of all this? Will they do anything differently going forward in terms of not reusing passwords across sites or not giving their real data to entities if it’s not really needed? Are consumers becoming numb to breaches and going into a learned helplessness pattern instead of taking action to change the future?
I'm sure some of my students thought (at the beginning of the class) that I'm the only one in the world who thinks about security breaches like this.
Global Financial Aid Services reports a completely avoidable security breach
June 3, 2011 by admin
For those who remember the Peter, Paul, and Mary song, feel free to sing along with me: “When will they ever learn? Oh when will they ever learn?”
Global Financial Aid Services of Gulfport, Mississippi recently notified the New Hampshire Attorney General’s Office that a laptop containing unencrypted student names, addresses, and Social Security Numbers was stolen.
By letter dated May 23, GFAS noted that the theft occurred April 17 in a hotel conference area during a symposium in Hawaii.
The total number of students affected by the breach was not indicated, but the letter to affected students is irritating to this privacy advocate, to say the least. First, the letter claims that “We have taken steps to address it [the security situation] out of an abundance of caution.” How is notifying people that they are now at increased risk or reminding your employees of proper security measures and protocols an “abundance of caution?” It’s not.
Second, the letter tells the affected students, “The laptop is equipped with technology designed to prevent unauthorized access and we have no evidence your information has been accessed.” What technology are they referring to? The password on the computer or something else? In their cover letter to the state, they do not indicate that the laptop was equipped with any software that would enable them to determine if the contents of the drive were accessed. So is this just a fancy way of making a simple password sound more protective than it really is or do they really have some genuine security technology on the laptop?
Third, although the cover letter to the state indicates that students’ addresses were on the laptop, the letter to students makes no mention of their addresses, and tells them that their “[client] account number, social security number and name” were stored on the computer. The cover letter to the state does not inform the state that client account numbers were also involved.
So no, I am not impressed at all by the breach notification and disclosure. And why, oh why, are we still seeing students’ Social Security Numbers in use for purposes that have nothing to do with Social Security, and why, oh why, are we still seeing laptops with unencrypted data being stolen? Enough already…
/End of Rant
Is there a proper (ethical) way to avoid an “Arab Spring?” What would define a legitimate grassroots protest v. an “AstroTurfed” attempt to discredit a legitimate government? Seems a question we should have an answer for...
"In what appears to be the latest bid by a government to throttle access to news and information amid growing civil unrest, the Syrian government Friday shut down all Internet services. Internet monitoring firm Renesys reported that starting around 7 a.m. EDT today, close to two-thirds of all Syrian networks were suddenly unreachable from the global Internet. In just 30 minutes, routes to 40 of 59 Syrian networks were withdrawn from the global routing table, Renesys' chief technology officer James Cowie said in a blog post. The shutdown has affected all of SyriaTel's 3G mobile data networks as well as several of the country's ISPs, such as Sawa, INET and Runnet. Also down are the Damascus city government page and the customs web site. The only networks that appear to be somewhat reachable are a handful of government-owned networks such as one belonging to Syria's Oil Ministry, Cowie noted. 'We don't know yet how the outage was coordinated, or what specific regions or cities may be affected more than others,' Cowie wrote. 'If Egypt and Libya are any guide, one might conclude that events on the street in Syria are reaching a tipping point.'"
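The routing-table observation Renesys describes (most of a country's prefixes withdrawn within about half an hour) is the kind of thing a monitoring job can flag automatically. This is an added example, not code from the post or from Renesys: it scans constructed route-collector snapshots for a watched set of prefixes and alerts when the reachable share drops past a threshold inside a time window. The prefixes (documentation range 203.0.113.0/24), timestamps and snapshot layout are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed set of prefixes assumed to be announced from the country being watched
# (documentation range 203.0.113.0/24 split into eight /29s; not real prefixes).
WATCHED = {f"203.0.113.{i * 8}/29" for i in range(8)}

# Constructed route-collector snapshots: (UTC timestamp, prefixes still reachable).
# 11:00 UTC corresponds to the 7 a.m. EDT start time mentioned in the report.
SNAPSHOTS = [
    (datetime(2011, 6, 3, 11, 0), set(WATCHED)),
    (datetime(2011, 6, 3, 11, 15), set(WATCHED)),
    (datetime(2011, 6, 3, 11, 30), {"203.0.113.0/29", "203.0.113.8/29", "203.0.113.16/29"}),
    (datetime(2011, 6, 3, 11, 45), {"203.0.113.0/29", "203.0.113.8/29"}),
]


def withdrawal_ratio(before: set, after: set, watched: set) -> float:
    """Fraction of `watched` prefixes reachable in `before` but absent from `after`."""
    withdrawn = (before & watched) - after
    return len(withdrawn) / len(watched)


def detect_mass_withdrawal(snapshots, watched, window=timedelta(minutes=30), threshold=0.5):
    """Return (start, end, ratio) for the first pair of snapshots no more than
    `window` apart in which at least `threshold` of `watched` has been withdrawn,
    or None when reachability never drops that sharply."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    for i, (t0, reach0) in enumerate(ordered):
        for t1, reach1 in ordered[i + 1:]:
            if t1 - t0 > window:
                break  # later snapshots are even further away in time
            ratio = withdrawal_ratio(reach0, reach1, watched)
            if ratio >= threshold:
                return (t0, t1, ratio)
    return None


if __name__ == "__main__":
    hit = detect_mass_withdrawal(SNAPSHOTS, WATCHED)
    if hit:
        start, end, ratio = hit
        print(f"ALERT: {ratio:.0%} of watched prefixes withdrawn between "
              f"{start:%H:%M} and {end:%H:%M} UTC")
    else:
        print("no mass withdrawal detected")
```

In production the snapshots would come from a route collector feed, and the watched set from a prefix-to-country mapping; the comparison logic is unchanged.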
(Related) But unlikely to be influential...
U.N. Report Declares Internet Access a Human Right
A United Nations report said Friday that disconnecting people from the internet is a human rights violation and against international law.
The report railed against France and the United Kingdom, which have passed laws to remove accused copyright scofflaws from the internet. It also protested blocking internet access to quell political unrest (.pdf).
Anonymous steals 10,000 Iranian government emails, plans DDoS attack
The Ministry’s website is still down as of this writing, and the servers are under Anonymous control. One of the Iranian members of Anonymous involved with the operation sent me a message from the compromised email servers as evidence that they were still under Anonymous control.
While email addresses can be spoofed, the collection of 10,000 emails is a pretty good indication that they have no need for spoofing.
On Wednesday we discussed news of Google's accusation that sources originating in China were interfering with Gmail using malware and phishing techniques, targeting Chinese political activists, US government officials, military personnel, and others. In response to the accusations, a Chinese official denied government involvement in the attacks, while the US government indicated they would investigate the matter. The attacks were more sophisticated than a typical phishing attempt, they involved Yahoo and Hotmail as well, and they have likely been going on for months. Now, according to a CBS report, "The Chinese military accused the US on Friday of launching a global 'Internet war' to bring down Arab and other governments, redirecting the spotlight away from allegations of major online attacks on Western targets originating in China."
Some ideas for securing your Internet use...
How the Epsilon Breach Hurts Consumers
June 3, 2011 by admin
Yesterday, following the Congressional hearing where Sony and Epsilon testified, we had a bit of a lively – if truncated – debate on Twitter about breach notification. Not surprisingly, George V. Hulme raised the issue of breach notice fatigue and how notifications should be confined to situations where there is some real risk.
Also not surprisingly, I disagreed with him, as did Douglas Davidson and Adam Shostack.
Deciding that this would take more than 140 characters, Adam cleverly blogged about the issue. You can read his commentary, How the Epsilon Breach Hurts Consumers on the New School of Information Security Blog.
As someone who also uses vendor-specific email addresses, I agree with Adam completely. And what really concerns me is that under existing laws, Epsilon’s clients were seemingly not obligated to notify us at all about the breach. We need to fix that. Maybe to prevent breach fatigue we need a tiered system like the color alert levels, [No, no, no, no, no! That's a level fuchsia bad idea! Bob] but I do think consumers need to be notified so that they can make informed decisions.
“Half the world is below average”
June 03, 2011
Tenth Study by the Digital Future Project Finds High Levels of Concern about Corporate Intrusion in Personal Lives
Press Release and Highlights: "The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet. By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online."
Speaking of “below average”: “We're the government. We ain't gotta follow no rules!” OR “I'll huff and I'll puff and I'll disrupt Social Security payments just before the next election” Murphy
Tornado Risk Seen for Social Security Project
June 3rd, 2011 : Rich Miller
The recent outbreak of powerful and deadly tornadoes across the United States raises a question: Should data centers be engineered to survive stronger wind storms? Curiously, the Social Security Administration has moved in the other direction. The SSA has elected to build its new $800 million data center to withstand wind speeds of only 90 miles an hour, rather than the 120 miles an hour standard common in most mission critical facilities.
Could the Court compel me to list my garage sale items on Craig's List?
"American Airlines, which removed its flights from Orbitz.com late last year, was ordered by a Chicago court on Thursday to allow the travel site access to its flight and fare information. American Airlines filed an anti-trust suit against Travelport in December, claiming that the company, which owns just under half of Orbitz's shares and runs the service compiling fare information for the travel site, was trying to control the sale of tickets. Before the lawsuit, a considerable amount of American's revenue had been coming from tickets booked through Orbitz and Travelport."
Gary Alexander understands that I have Ethical Hacking students who might find this academically interesting... (and this qualifies him for 10% of my 10%)
FaceNiff Is a Hacker's Dream for Android Users
… The only prerequisite for FaceNiff is a rooted Android phone. Once installed, the app will tear through the Wi-Fi network for any accounts that are logged in. Protected networks aren't safe from this, as FaceNiff can access WEP, WPA, and WPA2 Wi-Fi networks.
The developer put a disclaimer at the top of the FaceNiff site. "Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country."
(Related) Gary also sent this one...
Five Security Apps That Can Help Recover a Stolen Laptop