Tuesday, May 24, 2011

Report: Sony Music Greece, Indonesia Hacked

Sony Music Greece was hacked and its user data published to the Web, and Sony Music Indonesia's Web site was defaced, according to an online news report.

The attacks, if confirmed, would be just the latest in a series of security problems the company has had in the past month, starting with a distributed denial-of-service attack by the loosely organized hacker group Anonymous in early April to protest Sony's taking PS3 hackers to court.

A Sony spokeswoman provided this statement via e-mail this evening: "There was an online tweet that one page of Sony Music Indonesia's Web site was altered and Sony Music Indonesia shut down the access to such page and started investigation. We are investigating the Sony Music Greece matter."

SonyMusic.gr was attacked via SQL injection, and customer names, user names, and e-mail addresses of potentially more than 8,300 users were posted on Pastebin.com, The Hacker News reported on Sunday. It displayed a screenshot that said "hacked by b4d_vipera." The link to the Pastebin page was empty as of Monday morning.
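The report names SQL injection as the method but does not show how such a dump happens. The following is an added example, not code from the article or from Sony's site: a hypothetical customer lookup with an assumed table (name, username, email) built by string concatenation, beside the parameterized form. The sample rows and the tautology payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a music site's customer table.
# The column names and rows are assumptions for this example, not data from the breach.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice", "alice@example.gr"),
    ("Bob Example", "bob", "bob@example.gr"),
    ("Carol Example", "carol", "carol@example.gr"),
]


def make_db():
    """In-memory SQLite database holding the assumed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause by string concatenation, so attacker-controlled
    input becomes part of the SQL statement itself."""
    sql = ("SELECT name, username, email FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver passes username as data, never as SQL."""
    sql = "SELECT name, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal and appends a condition
# that is always true, so the WHERE clause matches every row in the table.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal username and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),   # every row leaks
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),               # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns the whole table for the payload, which is all an attacker needs to produce a Pastebin-style dump of names, user names and e-mail addresses; the parameterized lookup returns nothing because the payload is compared as a literal string. Note that the columns leaked here contain no passwords, which is consistent with Wisniewski's observation below that the password field in the posted data was missing or bogus, and that names plus e-mail addresses are already enough for targeted phishing.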

Chester Wisniewski at Sophos included a snippet of redacted data from the Pastebin page on his Naked Security blog post and said that it appeared to be incomplete "as it claims to include passwords, telephone numbers and other data that is either missing or bogus."

The SonyMusic.gr site was down this morning. Users should reset their passwords when they can and be alert to the possibility of phishing attacks, Wisniewski wrote.

The Hacker News first reported the Sony Greece hack on Saturday, as well as reporting that the Sony Music Indonesia site had been defaced with a screenshot saying "defaced by k4L0ng666." The Indonesia site was accessible on Monday morning.

On Friday, The Wall Street Journal reported that someone broke into the network of Sony's Japanese ISP subsidiary, So-net Entertainment, compromised e-mail accounts and stole customer rewards points. Also late last week, Sony Thailand's site was hacked and being used for phishing, according to ZDNet UK.

However, the big Sony breach came in April when someone hacked into the PlayStation Network and exposed personal information from 77 million customer accounts. Shortly thereafter, the company said attackers may also have obtained data from close to 25 million Sony Online Entertainment accounts.

The subsequent attacks are probably not all connected; instead they may indicate that attackers are probing Sony's network for weaknesses and exploiting confusion among Sony customers about the security of their accounts.

Source: http://news.cnet.com/8301-27080_3-20065389-245.html#ixzz1NHu7kyOv

Thursday, May 5, 2011

LastPass Forcing Members To Change Passwords

Users who manage and store their passwords through password management service LastPass are being forced to change their master passwords after the site noticed an issue this week that raised the spectre of a possible security breach.

As described in a blog post yesterday, LastPass recently followed a string of breadcrumbs that pointed to an anomaly in its network traffic on Tuesday. Though such anomalies aren't unusual, LastPass found a matching anomaly in one of its databases. Unable to identify a root cause for either anomaly, the company made the decision to assume the worst--that some of its data had been accessed.

Although LastPass hasn't identified a specific breach, it's erring on the side of caution by now forcing its members to change their master passwords. For you non-LastPass users, what exactly does that mean?

Services like LastPass and rival RoboForm let users create and manage passwords to more easily log in to the vast array of secure Web sites they visit. Those passwords can be stored on a PC or mobile device as well as online. As one means of protection, both companies urge users to create a single complex master password that unlocks the key protecting all their stored passwords. Of course, if that master password is compromised, hackers potentially gain access to every individual password, which is why these companies advise users to choose complex master passwords.

In this case, LastPass said it believes that users with complex non-dictionary master passwords were probably safe even if any data was compromised. But the company knows that many users, out of force of habit, choose simple, easily guessed passwords. Though LastPass acknowledges that requiring all users to change their passwords may be an overreaction, as it says, "we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."
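LastPass's reasoning, that a complex non-dictionary master password is probably safe even if stored data leaked, rests on the fact that whatever the server holds has to be attacked offline by guessing. The following is an added example, not LastPass's code and not a description of its actual 2011 scheme: it assumes the leaked record is a salted PBKDF2-HMAC-SHA256 output of the master password and runs a constructed mini wordlist against two such records.

```python
import hashlib
import hmac
import os

# Assumed scheme for this example (not LastPass's real one): the server stores
# a per-user random salt and PBKDF2-HMAC-SHA256(master_password, salt).
# Kept low so the example runs quickly; real deployments use far more iterations.
ITERATIONS = 10_000


def derive(master_password, salt, iterations=ITERATIONS):
    """Key-derivation output an attacker must reproduce to confirm a guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def make_record(master_password):
    """What a leaked database row is assumed to contain for one user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(master_password, salt)}


# Constructed mini dictionary standing in for a real multi-million-entry wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "music2011", "dragon"]


def dictionary_attack(record, wordlist, iterations=ITERATIONS):
    """Offline attack on a leaked record: returns the matching guess, or None.
    Each guess costs a full key derivation, which is the only thing slowing the
    attacker down; the per-user salt means the work cannot be shared across users."""
    for guess in wordlist:
        candidate = derive(guess, record["salt"], iterations)
        if hmac.compare_digest(candidate, record["hash"]):
            return guess
    return None


def demo():
    """A dictionary master password falls; a long non-dictionary one does not."""
    weak = make_record("sunshine")
    strong = make_record("lantern-7-violet-Kestrel-91")   # constructed, not in WORDLIST
    # Two users with the same weak password still get different records because
    # of the salt, so a leaked table cannot be cracked with one precomputed list.
    weak_twin = make_record("sunshine")
    return {
        "weak": dictionary_attack(weak, WORDLIST),
        "strong": dictionary_attack(strong, WORDLIST),
        "salted_differently": weak["hash"] != weak_twin["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The weak record is recovered after a handful of derivations; the strong one survives the whole list and would survive a real wordlist for the same reason, because the guess is simply not in it. That is the sense in which "enhancing the encryption" (raising the per-guess cost) helps every user, while only a non-dictionary master password helps the users LastPass is most worried about.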

In the meantime, LastPass says that it's taking further precautions against the anomaly by shutting down and moving certain key services and verifying all of its source code. The company is also enhancing the encryption used to protect its data.

Update 9:30 a.m. PT: LastPass is now reporting on its blog that the company is being overwhelmed by support requests and is having trouble keeping up with the number of password changes. The company has since set up a way for users to confirm their e-mail addresses without having to change their passwords. As a result, LastPass is urging people who are using the service from the same computer or IP address to hold off on changing their passwords for a few days.

"We're asking if you're not being asked to change your password then hold off--we're protecting everyone."

The company further suggests accessing your LastPass data offline by disconnecting from the Internet and then logging in or by downloading its LastPass Pocket software, which lets you carry around your data on a USB stick.

Source: http://news.cnet.com/8301-1009_3-20060004-83.html#ixzz1LUtFvByE