Sony’s “3rd Breach”

SC Magazine reports that Sony has experienced a third breach in as many weeks.  This one is NOT as serious as either of the previous breaches, but if you are a Sony customer, it is still worth knowing about.

It appears that Sony found an old server from 2001 that was set up to gather sweepstakes entries, still connected to the Internet.  The data on that server involved the personal information of 2,500 sweepstakes contestants according to Reuters, which first reported the news.  The data did not include credit card numbers, Social Security numbers or passwords.  Enough intelligence is present to launch a significant spam and fraud campaign using email, snail-mail and phone calls, though.

Sony has announced that as a result of these recent breaches, it plans to deploy software monitoring and configuration management tools, increase encryption, improve intrusion detection capabilities, and add new firewalls.  In addition, the company plans to hire its first-ever chief information security officer.

I hope that position resides in the GTA of Ontario, Canada.  I happen to know a guy…

Michaels Stores PIN Pad Tampering

Michaels Stores Inc. locations in Chicago and possibly other locations have been reportedly breached through PIN Pad tampering.  Credit and debit card information was compromised, the company announced Thursday.  Although not quite as large in scope as the PlayStation Network hack, my wife and friends like and shop at Michaels stores.

Banking and law enforcement officials contacted the popular craft supply chain after some fraudulent debit card transactions were reported.  Authorities believe the transactions may be linked to legitimate transactions in Chicago-area Michaels stores.  If you have purchased goods at Michaels using credit or debit cards, monitor your statements closely, and change your PIN code to be on the safe side.  It takes 5 minutes, and costs you nothing.

AllHeadlineNews

Bin Laden Blogger Site Hacked

According to ComputerWorld, curious Web surfers who visited the blog Reallyvirtual.com, belonging to the guy who was tweeting about the Bin Laden takedown from on the ground as it happened, may have had fake anti-virus malware quietly installed onto their computers.  The blog was quickly hacked, and the site was attempting to install the malicious “Windows Recovery” program until about 9:30 a.m. Pacific Time Monday.

Windows Recovery hides system folders on the PC and then tries to scare the victim into paying for bogus software that it claims will fix the issue.  If you visited this blog during that time period, best be running a real anti-virus scan on it, ASAP.  Follow the removal advice provided in the link above.

Another Sony Breach!!

It’s a bad time to be Sony.  Wired is reporting that hackers may have stolen the personal information of another 24.6 million customers, this time from Sony Online Entertainment, Sony said on Monday.  More than 20,000 credit card and bank account numbers were also put at risk.  This is on top of the earlier 77 million user PSN breach.  Sony Online Entertainment is a division of the company that publishes online multiplayer games like DC Universe Online, which was switched off Monday after Sony learned of the intrusion.

Also at risk are 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain, containing bank-account numbers, customers’ names and addresses that were stored in an “outdated database from 2007.”  Hackers may have had this information for more than two weeks now, as this intrusion occurred April 16 – 17, Sony said.

As compensation for the Sony Online Entertainment leak, Sony said that it will give all of its customers 30 days of additional subscription time, plus an extra day for each day the servers remain down.  Sony did not say when its SOE services would be back online.  As a goodwill gesture, Sony says it will offer all customers a selection of downloadable content and 30 free days of its premium PlayStation Plus service.

Come on Sony, time to get back in the game!  Pay for your shortcuts, fix your mistakes, and do it right.  Your reputation is on the line.

Hacker Claims To Have Sony Credit Card Data

A hacker claiming to have credit card info stolen from Sony’s PlayStation Network is trying to sell the data on underground forums, but the claims have not been confirmed.  Sony has contracted an outside security firm to investigate the intrusion on its network, and has stated emphatically that their credit card data was encrypted, reiterating that it had no evidence the data was stolen.

A researcher with Trend Micro tweeted Thursday that he had seen discussions in online forums where hackers were offering to sell a database of 2.2 million Sony customer credit card numbers stolen during the attack.  Sony was supposedly offered a chance to buy the records back, but didn’t take the bait.  The person claiming to have the records says it contains first names, last names, addresses, phone numbers, email addresses, passwords, dates of birth, credit card numbers, CVV2 data, and expiry dates.  Those last 2 are definitely problematic if true.

The information may already be circulating among the criminal underground as reports have been made by Sony customers about fraudulent charges appearing on credit cards they have used for the PlayStation service.

Sony Faces Breach Backlash

According to Information Week, the gamers of the world have begun to speak out and take action, thrusting the pointy end of the stick at Sony.  One person has launched a lawsuit against Sony over the data breach in which the personal details of more than 70 million PlayStation Network and Qriocity users were stolen, and analysts estimate the hammered company could lose billions of dollars from this debacle.

Sony has admitted that extensive amounts of sensitive personal data were compromised, including name, physical address, email address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID, and that the attackers may also have stolen purchase history info, billing addresses, and password security questions.  Sony so far has said that there is no evidence of credit card data theft.  A complaint filed in the Federal Court in San Francisco accuses the company of failing to protect user data, and Sony is also accused of failure to comply with PCI standards.

Alabama resident Kristopher Johns is seeking to represent all affected users.  The lawsuit seeks reimbursement for any losses that may result from the theft of credit card data, refunds for services, and of course, punitive damages.  The lawsuit says that Sony “failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed bringing the PSN service back online”.

  • SMH has a news video from Australia posted.
  • Wired has put up an article speculating about potential suspects.
  • CNET has posted 5 good questions that Sony needs to address in the near term.

Sony Breach Follow-up

So, Sony has had a breach.  Security researchers say this may be the largest theft of identity data on record.  Some of my friends have expressed concerns because they and their kids have accounts on Sony’s PlayStation website.  From what I have heard, 1 million Canadians may be impacted by this attack.

What can they expect?

.

.

.

What is known:

  • There is no law in place that forces the company to tell customers about the breach.
  • The hack took place April 17 – 19, and notification was delayed.
  • Passwords, logon information, email addresses and personal details were exposed.
  • Credit card details MAY have been compromised.

Suspected Impacts:

  • The criminals had time to make use of or sell credit card information.
  • Passwords are notorious for being used on multiple websites.
  • Login details are also commonly re-used.
  • Email addresses being exposed will very likely be used in spear phishing campaigns.
  • Personal information may be used to fine tune spear phishing attacks and identity theft.

I think that the risk posed by credit card fraud is pretty self-explanatory.  If the information MAY have been exposed, it probably was.

Spear phishing is an attack used to bait a user into clicking a link or opening an attachment in email, just like in a typical phishing attack that comes in the form of spam emails.  What sets it apart is that the attacker has some knowledge of, or information about, the target of the attack.  The attacker learns the targets’ likes, dislikes, interests and “hot items” that might cause them to trust, be curious, or react to their message.  They may use the Sony breach for instance, and send fake emails purporting to be from Sony, a news organization, an investigator, a lawyer associated with Sony, a subsidiary, or whatever creative device they can concoct.  Their message will entice the target to take some action that allows them to further defraud or abuse them, like install malware, gather more information about them, get passwords, or financial intelligence.  The ultimate target is generally financial gain.

What should you do?

  • Personally, if I had a credit card that I had registered with the Sony network, I would be cancelling that card.  Now.  I can hear the litany of “overreacting”, “tin-foil hatter” and “nonsense”, but that is what I recommend, take it or leave it.  Let me adjust my cap.  Your credit history, time, and money are better spent ordering a new card than dealing with the fallout of financial loss, explaining and fixing the situation for days, weeks, or even years to come.  Don’t be lazy, do it now.  At least call your bank and ask THEM what action they recommend.
  • Mind your bank account.  As Police Detective Superintendent Col Dyson said in a phone interview with reporter Asher Moses, “If you’re armed with enough personal information you could basically do anything that the legitimate person could do themselves” including obtain various forms of credit, target their banking accounts, or steal their identity.
  • If you have an account on Sony’s network, change the password ASAP, and while you are waiting for Sony to come back online, change any accounts elsewhere that share the same login and/or password information.  And shame on you.  Don’t do it again!  I know, I know, I have a zillion passwords too.  Guess what?  There’s an app for that!  Invest in a password organizer that allows you to store and ENCRYPT all of your passwords.  Then you only need to remember one.  Many good ones are free, and can reside on your mobile device of choice.
  • Be especially wary of emails bearing links or attachments.  If you are deathly curious, open the attachment or link ONLY in a sacrificial environment.  To me, that means you set up a separate PC just for the occasion.  That old clunker you rest your feet on under your desk will do.  Set up a locked-down OS on it.  Add VMware.  Lock down the VM.  Copy the link/attachment to USB and examine it in the VM.  Afterwards, nuke the whole setup.  Do not trust it again.  Wipe the disk and start fresh again next time.  If you were clever, you would have installed Comodo Time Machine or something similar to save time in this regard.  If that’s all too much for you, -=[DELETE]=- works just nicely, thank you…
  • Pressure Sony to provide credit and ID monitoring services.  If your personal information was compromised because of their network breach, you have a right to expect certain remedies, and in my opinion, this is one such remedy that you should demand.

Just my 2¢, collect the whole dime.

-=[Busted]=- Poker Sites Seized

The FBI has indicted the founders of the US’ three largest internet poker companies, among 11 people charged by the FBI with bank fraud, money laundering and gambling offences that resulted in billions of dollars in illegal profits.  PokerStars, Full Tilt Poker and Absolute Poker founders face up to 20 years in prison if convicted.

Restraining orders have been issued against more than 75 bank accounts in 14 countries used by the companies and their payment processors, while 5 internet domains used to host their illegal poker games have been seized.

http://www.indianexpress.com/news/fbi-charges-3-largest-internet-poker-firms-with-fraud/777097/

Shop Online – For FREE

No, I am NOT encouraging you to scam your favorite e-store.  This is for awareness only, please don’t do anything foolish or illegal.

The Register reports that researchers have been able to defraud e-commerce sites including Buy.com, JR.com, and LinuxJournalStore.com using simple URL and data manipulation techniques.  One technique they used to get items for free was to set up their own Amazon seller account and then purchase an item from a merchant that uses the Amazon payment system.  At checkout time, they altered the data their browser sent to the server so that the payment was credited to their own seller’s account, rather than the account controlled by the selling merchant.

Another method involved cloning a digital PayPal Express token used to uniquely identify a particular payment, and inject it into the process of a different order.  This caused Buy.com to skip the payment process altogether during the placement of the second order, allowing them to receive the item at no cost.

Yet another attack worked by exploiting a logic flaw in the system used by PayPal that failed to confirm the gross amount of the payment from the buyer.  This allowed a fictitious shopper the researchers called Mark (no relation) to make a payment of $1.76 to a seller, and then to alter the amount reported to the server to appear to have been $17.76.  The seller’s invoice actually showed a payment of $17.76.

The insecurities reported stem from bugs in two leading e-commerce software packages, the open-source NopCommerce and the commercial Interspire Shopping Cart.  The researchers installed these tools on lab servers and examined the source code to identify the flaws and to figure out practical ways to exploit them.  They then set their sights on closed-source proprietary software used by Buy.com and JR.com by conducting “blackbox exploit analysis” on the two sites.

They said the software they analyzed was vulnerable largely because it was designed to be flexible enough to work with a variety of online merchants and payment processors, exposing web-based APIs that were easy to manipulate.  They called out Amazon Payments specifically for a “serious error” in its software developer kit that allowed attackers to provide their own digital certificates during online transactions, bypassing legitimate certificates used during a verification process.  Convenience and flexibility once again interfere with security.  The attacker can invoke these APIs in an arbitrary order, set argument values for their calls at will, sign messages with their own validating signature, and memorize messages received from other parties for later replay.
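The three flaws above (a payment token reused for a second order, a reported amount the merchant never checked, and a signature verified with a key the caller supplied) all come down to what the merchant's checkout code verifies before it marks an order paid. The following is an added illustration, not code from the paper, the researchers, or any of the named sites: a constructed merchant checkout service with the trusting pattern beside a hardened one that verifies the processor's signature with the merchant's own configured secret, binds each token to one order, rejects replays, and compares the paid amount to the order total. The secret, order ids and tokens are made-up sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): the shared secret the merchant
# configured for its payment processor, and two pending orders priced in cents.
PROCESSOR_SECRET = b"constructed-merchant-processor-secret"
ORDERS = {"order-1001": 1776, "order-1002": 1776}


def sign_notification(order_id, token, gross_cents, secret=PROCESSOR_SECRET):
    """Stand-in for the processor signing a payment notification: the MAC
    covers the order, the token and the amount actually paid (test helper)."""
    msg = f"{order_id}|{token}|{gross_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class CheckoutService:
    orders: dict
    used_tokens: set = field(default_factory=set)
    fulfilled: list = field(default_factory=list)

    def finalize_trusting(self, order_id, token, gross_cents):
        """The pattern the article describes: a token's presence is treated as
        proof of payment; which order it belongs to and how much was paid are
        never checked, so a token copied from another order is accepted."""
        if order_id in self.orders and token:
            self.fulfilled.append(order_id)
            return True
        return False

    def finalize_verified(self, order_id, token, gross_cents, signature):
        """Hardened: verify with the merchant's OWN configured secret (never a
        key or certificate from the request), bind the token to this order,
        refuse replayed tokens, and require the paid amount to match."""
        expected = self.orders.get(order_id)
        if expected is None:
            return False
        good = sign_notification(order_id, token, gross_cents)
        if not hmac.compare_digest(good, signature):
            return False          # forged, or replayed from another order
        if token in self.used_tokens:
            return False          # token already consumed by an earlier order
        if gross_cents != expected:
            return False          # underpayment ($1.76 reported as $17.76)
        self.used_tokens.add(token)
        self.fulfilled.append(order_id)
        return True
```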

Their detailed findings will be presented in a paper at next month’s IEEE Symposium on Security and Privacy.  A PDF of their paper is available here.

Windows Activation Ransomware

Ransomware is a type of malware that disables the victim’s ability to use their computer or access their data.  It can use encryption, registry interference, rights and security modifications or just plain old graphics overlays to accomplish its task.  The end result that the attacker desires is to charge the user a fee to get access back, and sometimes, obtain credit card information for sale on the black market, or for more fraudulent spending.

Gregg Keizer at ComputerWorld is reporting that a new Trojan has hit the wild, wooly web, that in this case is trying to extort money from its victims by convincing them to dial expensive international telephone numbers to reactivate Windows.  Once installed on a PC, the malware displays a message claiming that “This copy of Windows is locked.  You may be a victim of fraud or there may be an internal error,” and it must be reactivated.  The computer will not boot into either normal or Safe mode.  The victim is instructed to dial a long distance number, then enter a six-digit code to reactivate the operating system.  “The call from your country is free of charge,” the message falsely indicates.

The perps pretend to be Microsoft, and the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.  F-Secure is trying to determine the location of the call center.  The scammers make money through what F-Secure called “short stopping,” billing a call at a rate higher than the actual destination charges.

What can you do if you are the victim of a ransomware attack?

  • You can pay these clowns, perpetuating the threat, lose the $30 – 200 that is typically charged, and risk losing more money by handing them your credit card details.  (NOT recommended)
  • You can install a good reliable backup/restore mechanism.  Windows restore point is often tampered with, so I suggest Comodo Time Machine, Symantec Ghost, or one of many others available.
  • Tape backups are always a handy mechanism, provided you actually use them.  Few will.
  • Also, if you have another computer handy, you can google the message presented, and get its unlock code eventually.  In this case, F-Secure got unlock code: 1351236 from the call center.

“I hate the idea of paying money to these clowns,” said F-Secure’s representative. “Just enter that code.”