Tuesday, May 24, 2011

Report: Sony Music Greece, Indonesia Hacked

Sony Music Greece was hacked with its user data published to the Web and Sony Music Indonesia's Web site was defaced, according to an online news report.

The attacks, if confirmed, would be just the latest in a series of security problems the company has had in the past month starting with a distributed denial-of-service attack by the loosely organized hacker group Anonymous in early April to protest Sony's taking PS3 hackers to court.

A Sony spokeswoman provided this statement via e-mail this evening: "There was an online tweet that one page of Sony Music Indonesia's Web site was altered and Sony Music Indonesia shut down the access to such page and started investigation. We are investigating the Sony Music Greece matter."

SonyMusic.gr was attacked with a SQL injection method and customer names, user names, and e-mail addresses of potentially more than 8,300 users were posted on Pastebin.com, The Hacker News reported on Sunday. It displayed a screen shot that said "hacked by b4d_vipera." The link to the Pastebin page was empty as of Monday morning.

Chester Wisniewski at Sophos included a snippet of redacted data from the Pastebin page on his Naked Security blog post and said that it appeared to be incomplete "as it claims to include passwords, telephone numbers and other data that is either missing or bogus."

The SonyMusic.gr site was down this morning. Users should reset their passwords when they can and be alert to the possibility of phishing attacks, Wisniewski wrote.

The Hacker News first reported the Sony Greece hack on Saturday, as well as reporting that the Sony Music Indonesia site had been defaced with a screenshot saying "defaced by k4L0ng666." The Indonesia site was accessible on Monday morning.

On Friday, The Wall Street Journal reported that someone broke into the network of Sony's Japanese ISP subsidiary, So-net Entertainment, compromised e-mail accounts and stole customer rewards points. Also late last week, Sony Thailand's site was hacked and being used for phishing, according to ZDNet UK.

However, the big Sony breach came in April when someone hacked into the PlayStation Network and exposed personal information from 77 million customer accounts. Shortly thereafter, the company said attackers may also have obtained data from close to 25 million Sony Online Entertainment accounts.

It's likely that the subsequent attacks are not all connected, but could instead indicate that attackers are testing Sony's network for weaknesses and exploiting confusion among Sony customers about security of their accounts.

Source: http://news.cnet.com/8301-27080_3-20065389-245.html#ixzz1NHu7kyOv

Thursday, May 5, 2011

LastPass Forcing Members To Change Passwords

Users who manage and store their passwords through password management service LastPass are being forced to change their master passwords after the site noticed an issue this week that raised the spectre of a possible security breach.

As described in a blog yesterday, LastPass recently followed a string of breadcrumbs that pointed to an anomaly in its network traffic on Tuesday. Though such anomalies aren't unusual, LastPass found a matching anomaly in one of its databases. Unable to identify a root cause for either anomaly, the company made the decision to assume the worst--that some of its data had been hacked.

Although LastPass hasn't identified a specific breach, it's erring on the side of caution by now forcing its members to change their master passwords. For you non-LastPass users, what exactly does that mean?

Services like LastPass and rival RoboForm let users create and manage passwords to more easily log in to the vast array of secure Web sites they visit. Those passwords can be stored on a PC or mobile device as well as online. As one means of protection, both companies typically urge users to create a single complex master password that can unlock the key to accessing their passwords. Of course, if that master password is compromised, hackers potentially can gain access to all the individual passwords, one reason why these companies advise users to employ complex master passwords.

In this case, LastPass said it believes that users with complex non-dictionary master passwords were probably safe even if any data was compromised. But the company knows that many users out of force of habit often choose simple, easily decipherable passwords. Though it sees the need to require all users to change their passwords as an overreaction, as LastPass says, "we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

In the meantime, LastPass says that it's taking further precautions against the anomaly by shutting down and moving certain key services and verifying all of its source code. The company is also enhancing the encryption used to protect its data.

Update 9:30 a.m. PT: LastPass is now reporting on its blog that the company is being overwhelmed by support requests and is having trouble keeping up with the number of password changes. The company has since set up a way for users to confirm their e-mail addresses without having to change their passwords. As a result, LastPass is urging people who are using the service from the same computer or IP address to hold off on changing their passwords for a few days.

"We're asking if you're not being asked to change your password then hold off--we're protecting everyone."

The company further suggests accessing your LastPass data offline by disconnecting from the Internet and then logging in or by downloading its LastPass Pocket software, which lets you carry around your data on a USB stick.

Source: http://news.cnet.com/8301-1009_3-20060004-83.html#ixzz1LUtFvByE

Thursday, April 28, 2011

Iran Targeted In New Malware Attack

Iran is investigating new malware dubbed "Stars" that government officials say is being targeted at the country as part of ongoing cyberattacks.

"The particular characteristics of the Stars virus have been discovered," Gholamreza Jalali, commander of the Iranian civil defense organization, told the Mehr news agency according to Reuters.

"The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations," he said, declining to specify what equipment the virus targets.

Jalali said efforts to contain last year's Stuxnet infections are ongoing and called on the foreign ministry to take action to stop the "cyber wars" against the country.

Officials in Iran have accused the U.S. and Israel of being behind Stuxnet, which spread through Windows holes and targeted specific Siemens industrial control software. Experts speculate it was written to sabotage Iran's nuclear program.

Source: http://news.cnet.com/8301-27080_3-20057103-245.html#ixzz1KrFJA3Gs

Tuesday, April 19, 2011

Match.com To Screen For Sex Offenders


Match.com will start checking its members against a national sex offenders registry.

The company expects to start the new policy in 60 to 90 days, Match.com told CNET this morning, and confirmed that the policy will affect both new and existing members.

Match.com has been considering the option for a while, but yesterday's decision was hastened as a result of the attention brought on by a lawsuit filed last week, spokesman Matthew Traub told the Associated Press yesterday.

A woman in California has sued Match.com, claiming she was sexually assaulted by a man that she met through the online dating service. Arguing that the woman had no idea her date had been convicted of sexual battery, the suit is seeking an injunction to stop anyone from joining Match.com until the company sets up a process to screen for convicted sex offenders.

Match.com president Mandy Ginsberg told the AP that the company had been hesitant to implement such screenings due to their "historical unreliability." But discussions with advisers over the past few days convinced Match.com that certain improvements have made sex offender registries more accurate, prompting the dating service to reverse its stance.

To conduct its screening, the company will tap into a national registry of sex offenders set up by the federal government. This registry pulls together information from the 50 states and other U.S. territories and lets users search for sex offenders by name as well as location.

Since the registry relies on coordinating data from a variety of different local sources, Match.com is cautioning that these types of checks can still be highly flawed.

"It is critical that this effort does not provide a false sense of security to our members," Match.com said in a statement sent to CNET. "With millions of members, and thousands of first dates a week, Match.com, like any other large community, cannot guarantee the actions of all its members. Match.com is a fantastic service, having changed the lives of millions of people through the relationships and marriages it has given rise to, but people have to exercise common sense and prudence with people they have just met, whether through an online dating service or any other means."

Match.com advises its members to read and follow the safety tips that it posts on its Web site to better protect themselves both online and offline.

Update at 11:10 a.m. PT: Added statement and information from Match.com.

Source: http://news.cnet.com/8301-1009_3-20054881-83.html#ixzz1JzbtLGBO

Monday, April 11, 2011

New Fake Antivirus Accepts SMS Payments

There's a new twist with some fake antivirus scareware that has cropped up. It accepts payment via SMS, according to antivirus firm CyberDefender.

Typical rogue security programs infect the system first, then display pop-ups warning that the computer is infected, and request payment to clean it up. The new programs are seemingly more genteel, asking for the money before the program is installed and infects the system, said Achal Khetarpal, threat research director at CyberDefender. Of course, a payment does nothing to "fix" a system and means criminals now have your money and possibly your credit card information.

When a potential victim happens upon a Web site hosting the malware, a dialog box pops up that looks very much like an installer window for a legitimate antivirus product, according to screenshots from CyberDefender. It says "Welcome to" and names a popular antivirus software and suggests closing other applications. If the victim falls for the ruse, it then displays a message that says "To complete installation, you must go through activation" and offers several ways to pay, including SMS (Short Message Service), WebMoney, and credit card.

If you click "cancel," the program won't install, compared with typical fake antivirus programs that have already infected the system by the time the victim realizes what is happening and keep displaying the annoying pop-up messages, even after reboot, Khetarpal said.

The company has seen five versions of the rogue security programs masquerading as software from Avast, Norton, McAfee, BitDefender, and RootKitBuster, and they, as usual, target Windows systems.

Khetarpal could not say how widespread the malware is but said he has seen it in a "lot of Web sites" and in relation to search results for popular and trending topics.

Fake AV scammers aren't the only ones to hop on the SMS payment bandwagon. Scammers were found to be seeking payment by SMS for fake browser updates earlier this year, according to GFI Labs.

Source: http://news.cnet.com/8301-27080_3-20052203-245.html#ixzz1JFJAj0pp

Monday, March 28, 2011

McAfee: Cybercrooks Target Corporate Trade Secrets

Cybercriminals are increasingly moving from stealing just personal data to capturing trade secrets and other corporate intellectual capital that they can easily sell through the underground market, according to a new report from McAfee and the SAIC.

In today's release of a new study, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency" (PDF), McAfee and the Science Applications International Corporation find that the theft of trade secrets, marketing plans, R&D data, and even source code is on the rise, especially as such information is often unprotected.

Based on a global survey of IT professionals, the report uncovered a number of findings.

A quarter of the companies surveyed said a data breach or just the threat of one has put a halt on plans for a merger or new product launch. Among those that actually suffered a data breach, only half of them took the necessary steps to prevent it from happening again.

Among companies that have been hit by cyberattacks, only about 3 in 10 have reported all such breaches, while 6 in 10 picked and chose which ones they reported. Along those lines, many organizations specifically look to store their data in countries where the laws are more lax over reporting data breaches to customers.

Hit by the recent economic downturn, many companies have been looking at cheaper ways of processing and storing their information abroad despite the potential risks, the report said. Across the world, China, Russia, and Pakistan are thought to be the least secure areas for storing critical data, while the U.S., U.K., and Germany are perceived to be the safest. Currently, companies in the U.S., China, and India spend about $1 million a week to secure their sensitive data outside their own countries, the report said.

The information technology industry itself continues to be challenged trying to secure the wave of iPhones, iPads, and Android devices that employees are increasingly using on the job for sharing data, the report found.

"Cybercriminals have shifted their focus from physical assets to data-driven properties, such as trade secrets or product planning documents," said Simon Hunt, vice president and chief technology officer for endpoint security at McAfee. "We've seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding."

To generate the report, McAfee and the SAIC worked with Vanson Bourne to survey more than 1,000 senior IT decision makers across the U.S., U.K., Japan, China, India, Brazil, and the Middle East during November and December of last year. This latest report is a follow-up to a 2008 report entitled "Unsecured Economies," which at the time found that cybercrime was costing companies more than $1 trillion globally.

Source: http://news.cnet.com/8301-1009_3-20047876-83.html#ixzz1HvdyapDY

Friday, March 25, 2011

Sony: PS3 Hacker GeoHot Fled To South America

Update, 7:01 p.m. PT: Updated with Hotz saying he is on a long-planned vacation.

If you've been following the drama between Sony and hacker GeoHot (aka George Hotz) then you're in for a fun twist today: Sony is accusing Hotz of fleeing the country, but Hotz says he's just enjoying spring break.

Sony makes the allegation in a court filing (PDF, see page 2, line 24) dated Friday.

After news stories began appearing today, Hotz wrote a blog post to set the record straight.

"Actually, it's true I'm in South America, on a vacation I've had planned and paid for since November. I mean, it is spring break; hacking isn't my life," he writes. "Rest assured that not a dime of legal defense money would ever go toward something like this. And of course [Sony-employed law firm Kilpatrick Townsend & Stockton] loves the idea of painting me as an international fugitive. I have been in contact with my lawyers almost every day; I would not let the case suffer."


Hotz is well known for reverse-engineering the multi-digit code that allows the installation and execution of non-Sony-recognized code on PlayStation 3s, essentially allowing anyone with a PS3 to run homebrew software, or even pirated games.

A federal magistrate a couple weeks ago OK'd Sony's request for Hotz to hand over his hacking gear--his PS3 consoles, computers, and other equipment--untouched. It seems that before turning the stuff in, he allegedly made edits, deleting key evidence that Sony likely planned to use against him.

What's more, Hotz was allegedly caught lying about having a PlayStation Network (PSN) account. But Sony says it was able to prove that in February of last year, Hotz allegedly purchased a new PS3 and, tracing the serial number, Sony says it concluded that he had set up a PSN account under the screen name "blickmanic," which is also a name Hotz used on previous Web forums on iPhone jailbreaking.

Besides jailbreaking PS3s for non-sanctioned use on PSN, Hotz was a very vocal and active member of the iPhone/iOS jailbreaking community, bringing several key userland jailbreaks to the devices, including blackra1n and limera1n. While Apple consistently moved to patch the exploits Hotz used in its software, it never went overtly litigious as Sony has.

It's unclear what will happen in this case next. It's not publicly known where in South America Hotz is staying, what gear he has with him, and what assets he has access to. Recently, a court granted Sony access to Hotz's donation-based PayPal account, so that cash source may well be totally unavailable.

Whatever the case, we expect this to be far from over. There are egos, weird and obscure copyright laws, and potentially millions of dollars still at stake. If you're like me, you might want to make some metaphorical popcorn as well.

Source: http://news.cnet.com/8301-17938_105-20046386-1.html#ixzz1HdF1RaLX