Tuesday, June 21, 2011

Sony continues to get a very expensive education in Computer Security. It makes you wonder if they are sharing solutions with their subsidiaries.

http://www.databreaches.net/?p=19076

Sony Portugal latest to fall to hackers

June 20, 2011 by admin

On June 9, Chester Wisniewski wrote (but I missed):

The same Lebanese hacker who targeted Sony Europe on Friday has now dumped a database from Sony Portugal.

The hacker claims to be a grey hat, not a black hat, according to his post to pastebin.com.

“I am not a black hat to dump all the database I am Grey hat”

Instead of dumping the entire database like many previous Sony attackers, idahc only dumped the email addresses from one table in Sony’s database.

He claims to have discovered three different flaws on SonyMusic.pt, including SQL injection, XSS (cross-site scripting) and iFrame injection.

Read more on Naked Security.


(Related)

http://www.databreaches.net/?p=19080

Hackers claim 177K e-mails from Sony Pictures France

June 20, 2011 by admin

Erica Ogg reports:

Sony’s turn as the whipping boy for Internet hackers continued over the weekend. Two hackers posted a list of e-mails they say they took from the Sony Pictures France Web site.

The two hackers who claim responsibility are a Lebanese student who goes by the handle Idahc, and a French friend of his who goes by Auth3ntiq. The two say they copied 177,172 e-mails from the entertainment company’s site, but posted only 70 of them on the code-sharing site Pastebin. They say they will not be posting all of the e-mails they found.

Read more on cnet



In stark contrast to Sony... (See, it is possible for an executive to learn.)

http://www.databreaches.net/?p=19094

Executive Learns From Hack

June 21, 2011 by admin

Evan Ramstad reports about the lessons learned by one executive after the Hyundai Capital Services hack:

…His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does. Since the attack, Mr. Chung has spent weeks learning the ins and outs of network architecture, security infrastructure and the tradeoffs between data protection and customer satisfaction.

“If you lock the restroom and garage because you are trying to protect the jewelry in the bedroom, sooner or later, the rest of the family complains and finds a way around it,” Mr. Chung says. “Like everything, IT security needs a philosophy, and only the CEO can make that kind of a decision.”

So what were the main lessons learned?

  • Trust the authorities.

  • Stay open and transparent.

  • Learn IT and know where vulnerabilities are.

  • Create a philosophy that drives IT decisions.

  • Reassess plans for products and services.

Good lessons to learn, indeed.

Read more in the Wall Street Journal.



Steal once, cash in forever?

http://www.databreaches.net/?p=19084

(update) Debit card breach affects several hundred card holders

June 20, 2011 by admin

The numbers of fraud reports related to the Michaels Store breach continues to climb. Jack Moran reports:

Federal authorities investigating a major data breach at craft retailer Michaels are fast becoming aware of its impact on debit card holders in Oregon.

During the past week, local police agencies from Portland to Medford have fielded several hundred reports apparently related to the extensive fraud case.

Eugene and Springfield police combined have received approximately 150 such reports, while Beaverton police have heard from about 50 people whose bank accounts were targeted in the scheme. Roseburg police say they’re aware of at least 70 additional cases, while Medford police saw a handful of reports trickle in last week.

Source: The Register-Guard. In other coverage, the Oregon Community Credit Union reported that 1300 of its customers were impacted by the breach.

The criminals seem pretty well organized as they seem to be moving from area to area or staggering when they start to use the card numbers they acquired. Given that stores in 20 states were found to be compromised, it will be interesting to see what the final tally is on this one, if we’re ever told. Certainly there are a number of banks and credit unions that have replaced a lot of cards, although in many cases, that may just be proactive.



I see incidents like this and I wonder who wanted to access what and who did they pay to make it look accidental. I'd want to check the logs for this period of time.

Dropbox Password Goof Let Any Password Work For 4 Hours

"Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46pm PST." "Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."
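One way to spot this failure mode in the logs the blogger mentions, as an added example that is not from Dropbox or the Slashdot post: an authentication check that accepts every password shows up as a window where login attempts continue at normal volume but failures vanish. The log format and the synthesized lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def failure_stats_by_hour(lines):
    """Count login attempts and failures per clock hour from lines shaped like
    '<ISO timestamp> login user=<name> result=<OK|FAIL>' (a constructed format)."""
    stats = defaultdict(lambda: [0, 0])            # hour -> [attempts, failures]
    for line in lines:
        ts, _, _, result = line.split()
        hour = ts[:13]                             # 'YYYY-MM-DDTHH'
        stats[hour][0] += 1
        if result == "result=FAIL":
            stats[hour][1] += 1
    return dict(stats)

def suspicious_hours(stats, min_attempts=30, baseline_rate=0.10):
    """Return hours with plenty of attempts but a failure rate far below the
    baseline: the signature of an auth check that accepts any password."""
    return sorted(h for h, (n, f) in stats.items()
                  if n >= min_attempts and f / n < baseline_rate / 4)

def constructed_log(broken_from, broken_until):
    """Synthesize one day of login lines: one attempt a minute, every tenth one a
    failure, except inside the broken window, where nothing ever fails."""
    lines = []
    t = datetime(2011, 6, 19, 10, 0)
    end = datetime(2011, 6, 19, 20, 0)
    i = 0
    while t < end:
        fail = (i % 10 == 0) and not (broken_from <= t < broken_until)
        result = "FAIL" if fail else "OK"
        lines.append(f"{t.isoformat()} login user=u{i % 7} result={result}")
        t += timedelta(minutes=1)
        i += 1
    return lines

# Constructed sample mirroring the reported outage window (1:54pm to 5:46pm).
LOG = constructed_log(datetime(2011, 6, 19, 13, 54), datetime(2011, 6, 19, 17, 46))

if __name__ == "__main__":
    print(suspicious_hours(failure_stats_by_hour(LOG)))
```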



Truth or simply an attention grabber? Could it happen here?

http://www.databreaches.net/?p=19088

Lulzsec 2011 census released

June 21, 2011 by admin

In a message that undoubtedly should send shudders down the spines of those involved in the security of UK census data, the hacking collective known as LulzSec posted a message on Pastebin yesterday:

Greetings Internets,

We have blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census

We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)

Myself and the rest of my Lulz shipmates will then embark upon a trip to ThePirateBay with our beautiful records for your viewing pleasure!

Ahoy! Bwahahaha… >:]

Assuming the veracity of their claims, I can only hope that they do not post/reveal everyone’s data but that they do explain how they got around the government’s putative security. (Note: Graham Cluley says Sophos is assuming it *isn’t* true until they see some proof; I guess I’m more pessimistic).

And would the hackers find (or scarily, have they already found) it as easy to acquire sensitive personal and medical data from the NHS and SCR (Summary Care Records) system? Privacy advocates have long expressed concern about the security of the SCR system, and a massive compromise of that system could make the UK public less likely to trust it or want their records to become part of it. LulzSec already gave NHS one gentle warning, but what else have they accessed or acquired?

To date, LulzSec does not report that they have compromised any major U.S. health care databases but that may only be a matter of time. What would happen here should a large healthcare insurer’s database be acquired or a huge hospital system’s patient records database be compromised and posted online? How would that impact the development of large networked databases here? And what if they decided to take down a power grid “for the lulz?”

Back in the UK, Tamlin Magee comments on TechEye.net:

An expert with high levels of access to government spoke on condition of anonymity to TechEye – and has told us that the only thing that will make us stand up and take note will be a truly catastrophic disaster. [Too many organizations like that. Bob] We are not talking data theft. We are talking significant, weighted attacks on the country’s infrastructure. Hospitals. Power grids. Airports. Data leaks are just the beginning.

This is not sensationalism. This is real. The entire country needs to wake up from its nap - Sony didn’t teach us squat, neither will this, if true, but it should.

Tamlin is right, of course. And to those who still have not taken security more seriously because “It can’t happen to us,” I would say, “How do you know it hasn’t already happened to you?” According to the hackers themselves, not every compromise has been revealed. So my question to our government and large private sector firms that amass huge quantities of data is this: what are you doing right now to harden your security? Are you still vulnerable to SQL injections after all these years and after all of the warnings you’ve had? If so, you’re still playing with fire but it is us who will get burned.



If true, what can we expect? 1) The kid had nothing to do with LulzSec, they just framed him to mislead the police. 2) The kid WAS LulzSec – all of it, and the threat to the free world is over. 3) Either way, LulzSec will seek revenge.

LulzSec Suspect Arrested By UK Police

"The UK's Police Computer e-Crime Unit (PCeU) has arrested a 19-year-old man in Wickford, Essex, in connection with the series of LulzSec attacks against organizations including the CIA, PBS and Sony. The man, who has been arrested under the Computer Misuse and Fraud Act, has had his house searched and a significant amount of material taken away by police for forensic examination. The PCeU worked with local Essex police and the FBI on the investigation."



Attention Ethical Hackers: The problem with fixing security vulnerabilities is that there is no requirement to fix nor any penalty for failure to fix (other than a security breach).

SSL/TLS Vulnerability Widely Unpatched

"In November 2009 a Man-In-the-Middle vulnerability for SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which described how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action. Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix. Here is an exemplary list of patched and unpatched sites, along with more background information. The patched sites demonstrate that patching is indeed possible."



There is also the downside of “everybody hates you”

http://www.wired.com/threatlevel/2011/06/fair-use-defense/

Righthaven Loss: Judge Rules Reposting Entire Article Is Fair Use

A federal judge ruled Monday that publishing an entire article without the rights holder’s authorization was a fair use of the work, in yet another blow to newspaper copyright troll Righthaven.

It’s not often that republishing an entire work without permission is deemed fair use. Fair use is an infringement defense when the defendant reproduced a copyrighted work for purposes such as criticism, commentary, teaching and research. The defense is analyzed on a case-by-case basis.

Monday’s ruling dismissed a lawsuit brought by Righthaven, a Las Vegas-based copyright litigation factory jointly owned with newspaper publisher Stephens Media. The venture’s litigation tactics and ethics are being questioned by several judges and attorneys, a factor that also weighed in on U.S. District Judge Philip Pro’s decision Monday.


(Related) So I should be able to scan these real-time recommendations and instantly make programmed trades.

http://www.wired.com/threatlevel/2011/06/hot-news-doctrine/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Appeals Court Deals Blow to ‘Hot News’ Doctrine

A federal appeals court cleared the way Monday for a financial-news website to publish stock market analysts’ private buy and sell recommendations in near-real time, striking a blow to a century-old legal doctrine that gave media companies control over the time-sensitive news they report.

… The ruling overturns an injunction handed down by a lower court in 2010, that forced the site Theflyonthewall to delay posting leaked stock market buy and sell recommendations. The recommendations were intended for bank clients that earn the banks at least $50,000 to $100,000 in trading commissions yearly; by making them available to the masses in near real-time, Theflyonthewall was violating its intellectual-property rights, that court ruled.

The 2nd U.S. Circuit Court of Appeals, though, found on appeal that Theflyonthewall was within its rights.

“We conclude that in this case, a firm’s ability to make news — by issuing a recommendation that is likely to affect the market price of a security — does not give rise to a right for it to control who breaks that news and how,” the appeals court ruled 3-0.



Perhaps they need smarter lawyers?

EFF and Bitcoin

For several months, EFF has been following the movement around Bitcoin, an electronic payment system that touts itself as "the first decentralized digital currency." We helped inform our members about this unique project through our blog and we experimented with accepting Bitcoin donations for several months in an account that was started by others.

However, we’ve recently removed the Bitcoin donation option from the Other Ways to Help page on the EFF website, and we have decided to not accept Bitcoins. We decided on this course of action for a few reasons:



At last, Canadian websites can end in .EH? And California wants both .DUDE and .FERSURE

http://www.bespacific.com/mt/archives/027558.html

June 20, 2011

ICANN Approves Historic Change to Internet’s Domain Name System

News release: "ICANN’s Board of Directors has approved a plan to usher in one of the biggest changes ever to the Internet’s Domain Name System. During a special meeting, the Board approved a plan to allow an increase in the number of Internet address endings - called generic top-level domains (gTLDs) - from the current 22, which includes such familiar domains as .com, .org and .net. “ICANN has opened the Internet’s naming system to unleash the global human imagination. Today’s decision respects the rights of groups to create new Top Level Domains in any language or script. We hope this allows the domain name system to better serve all of mankind,” said Rod Beckstrom, President and Chief Executive Officer of ICANN. New gTLDs will change the way people find information on the Internet and how businesses plan and structure their online presence. Virtually every organization with an online presence could be affected in some way. Internet address names will be able to end with almost any word in any language, offering organizations around the world the opportunity to market their brand, products, community or cause in new and innovative ways."



Who says my students won't read academic papers?

http://www.sciencedaily.com/releases/2011/06/110620095523.htm

Sexting and Infidelity in Cyberspace: Humans Are Still Social Creatures Who Need Face-To-Face Contact, Study Finds

… The way we become involved in, and develop, relationships with others has changed dramatically over the last 20 years due to the increased availability of devices such as computers, video cams, and cell phones. These advances have had a significant impact on our social lives, as well as on the sexual aspects of our lives. These days, the internet is where the majority of people go to find sex partners.

… The survey posted on the "infidelity" website revealed the following results: Women were more likely than men to engage in sexting behaviors. Over two-thirds of the respondents had cheated online while in a serious relationship and over three-quarters had cheated in real life. Women and men were just as likely to have cheated both online and in real life while in a serious real-life relationship. In addition, older men were more likely than younger men to cheat in real life.

[The report: Download PDF (274.1 KB) / View HTML]



For my Geeks. It's Linux, but it does interesting things to Windows systems...

http://www.makeuseof.com/tag/download-50-cool-live-cds/

DOWNLOAD: 50 Cool Uses For Live CDs

It is perhaps the most useful tool in any geek’s toolkit, but do you realize all the things live CDs can help you with? If not, it’s time to read “50 Cool Uses For Live CDs”. This guide outlines just a few of the many uses live CDs can offer, and is a great resource for live CD beginners and enthusiasts alike.


