Very interesting to me how many of my students wrote their weekly paper on this incident. With the price for stolen card numbers so low, you need 77 million cards to make a hack like this worthwhile...
http://www.databreaches.net/?p=18050
Stolen info from PlayStation hack reportedly up for sale
April 29, 2011 by admin
While Sony has been assuring everyone that users’ credit card numbers were encrypted, other reports continue to suggest otherwise (including this chat log that has garnered a lot of attention). Now Asher Moses reports:
Personal information and credit card numbers stolen from Sony’s PlayStation Network in one of the world’s largest privacy breaches are reportedly being offered for sale on underground internet forums.
Police and banks have said they have yet to discover a case of an Australian being defrauded as a result of the Sony breach, however, it has been less than two weeks since the attack and potential victims are being warned that they will have to be on their toes for some time to come.
Kevin Stevens, senior threat researcher at the security firm Trend Micro, was one of several experts who told The New York Times that he had seen talk of the hacked database on several hacker forums.
The researchers said the attackers were hoping to sell a database that included Sony customer names, addresses, usernames, passwords and millions of credit card numbers.
The credit card list alone was listed for upwards of $100,000 [If true, that's 770 credit cards for $1 or $0.0013 per card. Bob] and the hacker had allegedly offered to sell the database to Sony, however, did not receive a response.
Read more in The Age.
(Related) It's one thing to have a security failure. It's quite another to have many failures...
http://news.cnet.com/8301-31021_3-20058433-260.html
Sony's missteps through the years
Rootkit Scandal
Sony got into trouble in November 2005 when it was discovered that the company used a rootkit on music CDs to limit the number of copies a person could make of the CD and to prevent making MP3 files from the music.
Faulty Lithium-ion batteries
In the summer of 2006, reports of laptops smoking or bursting into flames began to crop up. Turns out a pretty big batch of Sony's lithium-ion batteries, which all the flaming laptops were using, were defective. The problem came to light when Dell was forced to recall more than 4 million laptop batteries made by Sony. Eventually Apple issued a recall for 1.8 million notebook batteries, as did Gateway (now part of Acer), Toshiba, Lenovo, Fujitsu, and obviously Sony itself.
This happened at roughly the same time as the Sony breach, but didn't cause millions of kids to go whining to their parents...
Amazon EC2 Crash Caused Data Loss
"Henry Blodget is reporting that the recent EC2 crash caused permanent data loss. Apparently, the backups that were being made were not sufficient to recover the lost data. [I wonder if they had ever been tested? Bob] Although a small percentage of the total data was lost, any data loss can be bad to a Website operator."
Another example of security failures being immediately recognizable after the breach...
http://news.cnet.com/8301-27080_3-20058471-245.html
DSLReports says member information stolen
Subscribers to ISP news and review site DSLReports.com have been notified that their e-mail addresses and passwords may have been exposed during an attack on the Web site earlier this week.
The site was targeted in an SQL injection attack yesterday and about 8 percent of the subscribers' e-mail addresses and passwords were stolen, Justin Beech, founder of DSLReports.com, wrote in an e-mail to members. That would be about 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts created during the site's 10-year history, Beech said in an e-mail to CNET today.
"The data was taken on Wednesday afternoon, recognized and blocked at 7 p.m., [Beats not even noticing for a week... Bob] and by Wednesday evening all the active accounts received e-mail notifications advising them to change their password if they share it with that e-mail address and all passwords were changed at that time," he wrote.
… "Obviously having both an SQL injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can," Beech wrote.
When you have no clue, hold hearings?
http://www.pogowasright.org/?p=22615
Wireless carriers reveal location privacy policies
April 28, 2011 by Dissent
Cecilia Kang reports:
The nation’s top wireless carriers say they all collect personal information, including location data, about subscribers and use much of that information to tailor marketing pitches for more services.
In letters responding to lawmakers’ questions, they described varied policies on protecting data and how long they retain location and other sensitive information such as a user’s name, Social Security number, and address.
Read more in the Washington Post.
[From the article:
“The use of encryption and related security technologies were utilized to varying degrees across the four wireless carriers, and sensitive data was retained for differing periods of time,” Markey said
(Related) Somehow, I don't think this will resolve all our concerns...
http://www.pogowasright.org/?p=22617
Verizon Plans To Put Location-Tracking Warning Sticker on Phones
April 28, 2011 by Dissent
Kashmir Hill writes:
Though Apple and Google have become the whipping boys for location privacy, both companies have said that the data sent back to them about phone users’ movements is anonymized and not traceable to individuals. That is not the case with carriers: Verizon, Sprint, AT&T and T-Mobile do have extensive logs of people’s movements, as made clear in letters to Congress made public today by privacy hounds Congressmen Joe Barton and Ed Markey.
Read more on Forbes.
“We're not sure what Cloud Computing is, but it sounds so cool we want everyone to use it.” The $2.5 Billion figure also explains why Microsoft and Google are each claiming the other is “not certified”
http://www.bespacific.com/mt/archives/027125.html
April 28, 2011
GSA Plans RFP for $2.5 Billion in Cloud Computing to Support IT Reform Plan
Jason Miller, Executive Editor, Federal News Radio: "The General Services Administration is about to give the Obama administration's policy that requires agencies to use cloud computing a big boost. GSA plans on releasing a request for proposals May 10 for e-mail-as-a-service that could be worth $2.5 billion. Vivek Kundra, the federal chief information officer, said Wednesday there are $20 billion in systems across the government that could move to the cloud, and email and collaboration software are among the easiest first steps. "We already are seeing 15 agencies that have identified 950,000 e-mail boxes across 100 email systems that are going to move to the cloud," he said during an update on the administration's 25-point IT reform plan at the White House. "This represents a huge opportunity for [vendors] to aggressively compete for these new opportunities in the cloud space and provide the government with the best value and most innovative technologies." Among those 15 agencies already on their way are the Agriculture Department and GSA. USDA is moving 120,000 employees to Microsoft's cloud, while GSA picked Unisys, which partnered with Google, to move as many as 30,000 employees to a new email system."
For my Computer Forensics students
Nikon's Image Authentication Insecure
"Elcomsoft claims to have broken Nikon's Image Authentication system which — apparently only in theory — ensures that a photograph is authentic and not tampered with through a digital signature. They were able to extract the signing key from a camera and use it to have a modified image pass the software verification, rendering the rather expensive feature mostly marketed to law enforcement all but useless. So far Nikon has not given a statement. Canon's competing system was cracked by the same company last December."
Record labels sue individuals, but negotiate with big players. Interesting to see their concerns spelled out... Can we view this as a guide to future litigation?
Behind The Scenes: Record Label Demands From Amazon
Amazon defied the record labels by launching an unlicensed personal cloud music service. (Disclosure: I’m CEO of competitor MP3tunes.) Music companies immediately expressed their dissatisfaction and Amazon publicly stated they would discuss licenses with labels.
… Dominating the discussions is the labels' concern that personal cloud services will exacerbate piracy and erode their business even further. Consequently they want to impose substantial restrictions on any such service, but each label has different concerns and demands. Below are examples of the startling limitations major labels wish to impose on such services.
Universal Music Group is concerned that users will load pirated songs into lockers. Average MP3 players house more than a thousand songs and UMG believes that many were unpaid for. They do not want to see the billions of songs that came from P2P systems laundered (think drug money) in a cloud service and become legitimate.
… All songs without a proof of purchase would be assumed to be unauthorized and not accepted into the system.
… Sony Music Group shares UMG's concern about the laundering of songs, but seems more concerned about locker sharing and downloads and is demanding restrictions in those areas. Sony believes users will share lockers by visiting each other's houses and syncing in each other's music. To combat this Sony wants loading to happen from only one computer. [Replace your computer, lose everything? Bob]
… Downloading is another area of concern for Sony. To prevent lockers from becoming Napster-like repositories they want to restrict downloading to one emergency download only.
… Most worrisome to Warner Music Group is that users may set up multiple lockers and then distribute the extra lockers to friends. Imagine if a locker owner set up a locker at Apple and Amazon and then gave their less used locker away or maybe even sold it. What WMG would like to see happen is that a central locker authority would administer all locker assignments.
… In addition to usage restrictions, labels are demanding that cloud services pay them an annual per user fee. Labels will demand a minimum per user fee each year and not the more business friendly percentage model. Such a flat fee will mean no free or advertising sponsored service will be possible. For subscription services such as Rhapsody and MOG they demand the HIGHER of: per user fee, percentage of revenues or per stream fee, effectively boxing in services and ensuring they’re never able to turn a profit.
Now you can be even MORE social... (I'll wait until I can hack myself a beer)
Pepsi Creates a Social Network Vending Machine
"Now even vending machines are getting in on the social media act. Pepsi has rolled out a new machine that can send a soda to a friend, using a Facebook-like functionality. From the article: 'Along with buying a soda with either cash or credit, the Social Vending System allows people to send a user a soda as a gift. All they have to do is enter the recipient's name, mobile number and a personalized text message. Consumers can even send a video along with the gift. Once received, the recipient will learn where they can redeem it.'"
I mentioned this yesterday. Here is the video.
http://www.ted.com/talks/mike_matas.html#9893607359484616360
Mike Matas: A next-generation digital book