Tuesday, June 7, 2011

Facebook Applications Accidentally Leaking Access to Third Parties

Third parties, in particular advertisers, have accidentally had access
to Facebook users’ accounts including profiles, photographs, chat, and
also had the ability to post messages and mine personal information.
Fortunately, these third parties may not have realized their ability
to access this information. We have reported this issue to Facebook,
which has taken corrective action to help eliminate it.

Facebook applications are Web applications that are integrated onto
the Facebook platform. According to Facebook, 20 million Facebook
applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME
applications inadvertently leaked access tokens to third parties like
advertisers or analytic platforms. We estimate that as of April 2011,
close to 100,000 applications were enabling this leakage. We estimate
that over the years, hundreds of thousands of applications may have
inadvertently leaked millions of access tokens to third parties.

Access tokens are like ‘spare keys’ granted by you to the Facebook
application. Applications can use these tokens or keys to perform
certain actions on behalf of the user or to access the user’s profile.
Each token or ‘spare key’ is associated with a select set of
permissions, like reading your wall, accessing your friend’s profile,
posting to your wall, etc.

Square Enix customer data leaked after Sony problems

Japanese game developer Square Enix Holdings said email addresses of
25,000 customers as well as resumes of 250 job applicants were leaked
after a hacker attack against its European subsidiary.

Hackers accessed the Eidosmontreal.com website, managed by London-based
Square Enix Ltd, as well as other product sites, said a statement from the
group released late Saturday.

The news came as Sony's game and Internet services were pulled down after
hackers staged one of the biggest data breaches since the advent of the
Internet, including the theft of personal customer data.

Square Enix Holdings, creator of mega hits such as Final Fantasy and the
Dragon Quest series, took the sites offline to increase security, before
resuming services.

Michaels Breach: Patterns Showed Fraud

Card issuers were quick to link incidents of debit and credit fraud to the
Michaels retail chain, experts say - a sign that strong transaction
monitoring and behavioral analytics are the best ways to curb growing
card-fraud schemes.

The Michaels card breach is now believed to have affected stores in 20
states. The mode of card fraud: point-of-sale PIN pad tampering, also
known as PIN pad swapping.

Brian Riley, senior research director of bank cards at TowerGroup, says as
details about the breach are gradually revealed, it's clear that financial
institutions, as card-issuers, picked up on the common fraud link -
Michaels. "The behavioral scoring in this was really high," he says. "The
pattern of transactions showed that all of these affected accounts had
Michaels' purchases in their history. Behavioral scoring is really where
it's at in card transactions."

Even advanced card technology, such as the Europay, MasterCard, Visa chip
and PIN standard, which takes the skimmable magnetic-stripe out of the
equation, would not have helped in the Michaels' case, Riley notes. "With
a tampered POS device, you can get around EMV," he says. "A good, robust
scoring system is the only way to really pick up on this. That's why
behavioral scoring is so important. That's, quite often, how these things
are discovered."

Virus causes data breach at state websites

Personal information about an unknown number of Massachusetts
residents may have been stolen from the Massachusetts Executive Office
of Labor and Workforce Development, after hundreds of the agency's
computers were infected with a computer worm.

"Unfortunately, like many government and non-government organizations
we were targeted by criminal hackers who penetrated our system with a
new strain of a virus," said Joanne F. Goldstein, the commonwealth's
secretary of labor and workforce development, in a statement released
this afternoon. "All steps possible are being taken to avoid any
future recurrence."

About 1,500 computers in the departments of Unemployment Assistance
and Career Services and at the state's One Stop Career Centers were
infected with a computer virus called W32.QAKBOT, which is designed to
allow an attacker to take control of infected computers and to steal
information stored on the machines.

The agency first detected the presence of the virus on April 20, and
took immediate steps to disinfect its machines. But yesterday, the
agency said that the virus "was not remediated as originally believed
and that the persistence of the virus resulted in a data breach."

Dropbox Drops the Ball on Data Security

Dropbox, a provider of cloud-based data storage services, is in hot
water with the Federal Trade Commission over claims that it lied and
intentionally deceived customers into believing that their data is
more private and secure than it really is. Whether Dropbox was
deliberately misleading, or just failed to clearly communicate policy
changes, the complaint filed with the FTC illustrates concerns over
online data security.

At issue are Dropbox's terms of service. Previously, the company
stated in its terms of service that "all files stored on Dropbox
servers are encrypted (AES-256) and are inaccessible without your
account password." But, Dropbox has continued to modify the terms of
service, and backpedal on exactly how secure customer data
is--sometimes putting its foot in its proverbial mouth.

Dropbox has been at least confusing, if not misleading, about just how
secure data really is.

After a few amendments, the terms have been altered such that it now
reads more to the effect that Dropbox can access and view your
encrypted data, and it might do so to share information with law
enforcement if it is compelled, but that employees are prohibited from
abusing that power and viewing customer data.

According to encryption expert Vormetric, the root of the Dropbox
scenario is that the keys used to encrypt and decrypt files are in the
hands of Dropbox, not stored on each user's machine. While Dropbox
might have policies prohibiting Dropbox employees from viewing files,
a rogue employee could view customer data using the keys held by
Dropbox.
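To make the key-custody point concrete, here is an added Go example (not code from Dropbox, Vormetric or the article) contrasting the two models: a file encrypted on the user's machine with a password-derived key, which the provider stores but cannot open, beside a provider-held master key that lets any insider decrypt without the user. The password KDF is a placeholder single SHA-256, an assumption made for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is what the storage provider keeps on disk: AES-256-GCM ciphertext
// plus the salt and nonce needed to decrypt it. It contains no key material.
type Blob struct {
	Salt, Nonce, Ciphertext []byte
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// deriveKey turns the account password into an AES-256 key. Placeholder KDF,
// assumed for brevity: real clients use scrypt, Argon2 or PBKDF2, never bare SHA-256.
func deriveKey(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// seal encrypts plaintext under key with AES-256-GCM and a fresh random nonce.
func seal(key, salt, plaintext []byte) (*Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return &Blob{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// open reverses seal; GCM's authentication tag turns a wrong key into an error, not garbage.
func open(key []byte, b *Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// ClientSideUpload models what the original terms implied: the file is encrypted on
// the user's machine with a password-derived key, and only the Blob reaches the provider.
func ClientSideUpload(password string, file []byte) (*Blob, error) {
	salt, err := randBytes(16)
	if err != nil {
		return nil, err
	}
	return seal(deriveKey(password, salt), salt, file)
}

// ClientSideDownload is the only way to read such a Blob: without the password
// neither the provider nor a rogue employee can decrypt it.
func ClientSideDownload(password string, b *Blob) ([]byte, error) {
	return open(deriveKey(password, b.Salt), b)
}

// Provider models the situation Vormetric describes: the provider generates and holds
// the key, so anyone who can reach the key store can decrypt every customer file.
type Provider struct{ masterKey []byte }

func NewProvider() (*Provider, error) {
	key, err := randBytes(32)
	return &Provider{masterKey: key}, err
}

// Store encrypts a file server-side under the provider-held key.
func (p *Provider) Store(file []byte) (*Blob, error) { return seal(p.masterKey, nil, file) }

// EmployeeView needs no user secret: only policy stands between an insider and the plaintext.
func (p *Provider) EmployeeView(b *Blob) ([]byte, error) { return open(p.masterKey, b) }

func main() {
	file := []byte("constructed sample: 2010 tax return")
	p, _ := NewProvider()
	client, _ := ClientSideUpload("correct horse battery", file)
	_, err := p.EmployeeView(client) // insider tries the provider key on a client-encrypted file
	fmt.Println("client-encrypted file readable by insider:", err == nil)
	server, _ := p.Store(file)
	got, err := p.EmployeeView(server)
	fmt.Println("provider-encrypted file readable by insider:", err == nil && string(got) == string(file))
}
```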

Aaron Levie, co-founder and CEO of Dropbox rival Box.net, is a class
act. Rather than take advantage of the situation to kick Dropbox while
it's down, Levie gives his cloud competitor the benefit of the doubt.
"I think Dropbox has its users' best interests at heart, but probably
went a bit too far in the messaging. I believe they will rectify
this."

Levie did, however, stress the importance of data security as well.
"Broadly speaking though, security must be of critical importance to
any cloud service, and businesses should be absolutely certain they
can trust their provider--things like SAS 70 Type II certification,
encryption in transit and at rest, and extensive security controls for
users and IT should all be top of mind for enterprises looking to
leverage the cloud."

Dropbox is a popular online data storage service with over 25 million
users. I tend to side with Levie and assume that Dropbox doesn't have
any insidious or malicious ulterior motives. It seems that Dropbox has
perhaps been too fickle in trying to adapt its service and features to
improve performance and address concerns, but I doubt Dropbox
meant any harm.

That said, employees don't always follow policies, and the fact that
customers might believe their data is impenetrable while Dropbox
employees can actually view it at will is more than a little problem.

Qakbot family of malware blamed for data breach

In Massachusetts, a malware infection that spread to a possible 1,500
systems within the Office of Labor and Workforce Development (OLWD) is to
blame for a data breach assumed to have exposed 1,200 employer records, an
agency statement says.

The Departments of Unemployment Assistance and Career Services were
infected sometime in April. On Monday, the OLWD discovered that the
initial cleanup efforts failed to remove the Qakbot malware. Because of
this, it's possible that the malware harvested confidential information.

Qakbot has been around for some time. First discovered in 2009, the
malware spreads via several sources, including network shares. At one time
it leveraged vulnerabilities in Apple's QuickTime and Internet Explorer to
target victims.

Qakbot is able to gather various kinds of data on an infected system
including OS and network information, keystrokes, stored FTP and email
login details, targeted banking data, as well as usernames and passwords
stored within a browser.

Regulator plans to discipline Hyundai Capital over hacking

SEOUL, May 18 (Yonhap) -- South Korea's financial regulator decided
Wednesday to punish Hyundai Capital Services Inc. for lax computer system
maintenance, which led to a major hacking attack at the biggest local
consumer finance firm.

The Financial Supervisory Service (FSS) launched an inspection into
Hyundai Capital on April 11 after a hacker broke into Hyundai Capital
between March 6 and April 7, stole personal customer information and
demanded cash from the company, threatening to leak it on the Internet.

Holding Hyundai Capital accountable for negligence in computer system
security management, the FSS will submit the case to its disciplinary
decision committee to decide on the punishment for Hyundai Capital and its
executives, according to the regulator.

The FSS said data on 1.75 million Hyundai Capital customers was leaked
during the attack, in which the hacker implanted a malicious program in
the company's homepage. The program was downloaded onto computers of
customers who accessed the homepage.

Not so fast: Sony's PlayStation Network hacked again [Updated]

Less than 2 days after Sony started bringing its PlayStation Network back
online, reports are coming in that the besieged gaming giant's platform has
been hacked yet again. MCV is reporting that the exploit allows
hackers to change users' passwords using only a PSN account email and date
of birth, two pieces of user information that were obtained in the
original hack. Update below.

MCV says that the hack, which is really an exploit of Sony's password
reset system, was first reported by Nyleveia.com and then corroborated by
Eurogamer. Now the PSN login option is unavailable on a number of Sony's
sites. Sony's login site that is used to reset passwords using the email
and date of birth is now down.

According to Nyleveia the exploit was demonstrated to it personally by
someone who knew the method.

PSN breach and restoration to cost $171M, Sony estimates

In the lead-up to its fiscal year 2010 earnings report this Thursday,
Sony today released a revised forecast -- forewarning a $3.2 billion
loss (yowzah!) -- for the twelve months ending March 31, 2011. Having
occurred in late April, the PlayStation Network attack and subsequent
data theft and outage fall outside of that period, but the company
nonetheless addressed "the impact" of the event during an investors
call today, "since there have been so many media inquiries about this
incident."

"As of today," said Sony, according to its call script, "our currently
known associated costs for the fiscal year ending March 2012 are
estimated to be approximately 14 billion yen on the consolidated
operating income level." That's roughly $171 million -- a "reasonable
assumption," says Sony -- that the company expects to spend throughout
the current fiscal year on its "personal information theft protection
program," in addition to "welcome back programs," customer support,
network security "enhancements" and legal costs. Sony noted that
revenue loss from the outage and recovery, which also spans its
Qriocity and Sony Online Entertainment services, had been factored
into the cost, as well.

"So far, we have not received any confirmed reports of customer
identity theft issues, nor confirmed any misuse of credit cards from
the cyber-attack," the company added. "Those are key variables, and if
that changes, the costs could change."

And what about the class action suits? Sony qualifies them as "all at
a preliminary stage, so we are not able to include the possible
outcome of any of them in our results forecast for the fiscal year
ending March 2012 at this moment."

Sony BMG Greece the latest hacked Sony site

The Greek Sony BMG site was reported hacked yesterday, with a partial dump
of 8,300+ users' full names, email addresses and (again partial) telephone
numbers appearing on pastebin. Given that not all details were mandatory,
this somewhat limits the impact of the breach, but looking through the dump
on pastebin there are indeed accounts with all the details provided.

Media coverage in

http://nakedsecurity.sophos.com/2011/05/22/sony-bmg-greece-the-latest-hacked-sony-site/


In what seems to be a neverending nightmare it appears that the website
of Sony BMG in Greece has been hacked and information dumped.

An anonymous poster has uploaded a user database to pastebin.com,
including the usernames, real names and email addresses of users
registered on SonyMusic.gr.

The data posted appears to be incomplete as it claims to include
passwords, telephone numbers and other data that is either missing or bogus.

[..]

It appears someone used an automated SQL Injection tool to find this
flaw. It's not something that requires a particularly skillful attacker,
but simply the diligence to comb through Sony website after website
until a security flaw is found.

While it's cruel to kick someone while they're down, when this is over,
Sony may end up being one of the most secure web assets on the net.

If you are a user of SonyMusic.gr, it is highly recommended that you
reset your password. Expect that any information you entered when
creating your account may be in the hands of someone with malicious
intent, and keep a close eye out for phishing attacks.

The lesson I take away from this is similar to other stories we have
published on data breaches. It would cost far less to perform thorough
penetration tests than to suffer the loss of trust, fines, disclosure
costs and loss of reputation these incidents have resulted in.

Want to learn more about securing your web servers and databases? [...]

Update: The editors of The Hacker News have contacted Naked Security and
indicated they were the source of the post to pastebin.com. The original
hackers had contacted them with the dump.

Sony hit with phishing scam on Thailand home page

A phishing site targeting an Italian credit card company has been
found on servers of Sony’s Thailand page.

Security firm F-Secure discovered the scam, which is unrelated to the
previous cyber attacks on the company’s PlayStation Network and Sony
Online Entertainment.

Michaels Breach: Who's Liable?

A Chicago consumer affected by the Michaels card breach has filed a
federal lawsuit against the crafts retailer, claiming it should have
better protected customers' cards from breach and compromise.

Brandi F. Ramundo had more than $1,300 withdrawn from her checking
account, after reportedly making a debit purchase worth less than $20 at
Michaels. Her five-count suit seeks class-action status, a jury trial,
compensatory damages, and consequential and statutory damages. It also
includes an order for Michaels to pay for card-fraud monitoring services
for consumers hit by the scam, as well as compensation and punitive
damages for costs associated with the suit.

Ramundo's suit raises questions about liability after a card breach fraud.
What role should merchants play, when it comes to ensuring transactional
security, and how should financial institutions, as card-issuers, fall
into the fray?

Attorney Randy Sabett, partner and co-chair of the Internet and Data
Protection practice at law firm SNR Denton LLP, says the liability lines
are often blurred and hard to define after a breach. Despite that card
fraud usually occurs outside banking institutions' control, banks and
credit unions, as the card issuers, usually absorb losses and expenses
associated with breach recovery.

Some Soy Capital debit cards compromised

DECATUR - Officials at Soy Capital Bank and Trust are working to get customers their money back after an unknown number of debit cards were compromised over the weekend.

The bank was one of five Midwest financial institutions where some MasterCard-issued debit cards received fraudulent charges, said bank President Leon Hinton. The charges began late Saturday night, and MasterCard's fraud detection department alerted some customers on Sunday.

Hinton said customers continued to discover charges they had not made throughout the day Monday. While he did not yet know the scope of the breach, Hinton said it affected a "small percentage" of Soy Capital customers.

[..]


35m Google Profiles dumped into private database

Proving that information posted online is indelible and trivial to mine,
an academic researcher has dumped names, email addresses and biographical
information made available in 35 million Google Profiles into a massive
database that took just one month to assemble.

University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled
the database as an experiment to see how easy it would be for private
detectives, spear phishers and others to mine the vast amount of personal
information stored in Google Profiles. The verdict: It wasn't hard at all.
Unlike Facebook policies that strictly forbid the practice, the
permissions file for the Google Profiles URL makes no prohibitions against
indexing the list.

What's more, Google engineers didn't impose any technical limitations in
accessing the data, which is made available in an extensible markup
language file called profiles-sitemap.xml. The code he used for the
data-mining proof of concept is available here.

BofA Breach: 'A Big, Scary Story'

$10 Million Loss Highlights Risks, Sophistication of Internal Breaches
May 25, 2011 - Tracy Kitten, Managing Editor

An internal breach at U.S. financial giant Bank of America shows how some
corporations do not focus enough attention on mitigating internal fraud
risks.

According to news reports, a BofA employee with access to accountholder
information allegedly leaked personally identifiable information such as
names, addresses, Social Security numbers, phone numbers, bank account
numbers, driver's license numbers, birth dates, e-mail addresses, family
names, PINs and account balances to a ring of criminals. With that
information, the fraudsters reportedly hijacked e-mail addresses, cell
phone numbers and possibly more, keeping consumers in the dark about new
accounts and checks that had been ordered in their names.

Some 300 BofA customers in California and other Western states have
reportedly had their accounts hit, and 95 suspects linked to the breach
were arrested by the Secret Service in February.

BofA says it detected the fraud a year ago, but only recently began
notifying affected customers of the breach.

Mystery Australian merchant credit cards breached

The Commonwealth Bank, Westpac and St George have cancelled a number of credit cards in response to a potential security breach.

Both banks have confirmed to the ABC that some customers' cards have been cancelled due to fears they had been compromised and would be open to fraud.

The Commonwealth Bank says it detected the potential security breach through its continuous monitoring process.

CBA says a merchant terminal used by its customers was not secure.

It says the terminal is owned by another bank which has been notified.

CBA says MasterCard and Visa were also alerted to the potential problem immediately.

ANZ and National Australia Bank say it is not one of their terminals.

Westpac says there has been no security breach with its systems either, but would not comment on whether there was a problem at its subsidiary St George.

Sony Begins Providing ID Theft Protection for PlayStation Hack

Sony has begun sending out formal emails advising users of its PlayStation
Network how to sign up for the identity theft protection services it said
it would offer customers.

Sony also said Tuesday that the PlayStation online store would remain down
until the end of the month.

"Sony Computer Entertainment and Sony Network Entertainment have made
arrangements with Debix to offer AllClear ID PLUS to eligible PlayStation
Network and Qriocity account holders in the United States who are
concerned about identity theft," Sony said in an email sent Wednesday
afternoon.

The service will provide 12 months of alerts to help protect users from
identity theft, as well as provide ID theft insurance coverage (up to $1
million, Sony has said previously) as well as hands-on help from fraud
investigators.

Update: Honda Canada breach exposed data on 280,000 individuals
Company says ID theft unlikely because no SSNs, driver license details,
birth dates, bank details were compromised
By Jaikumar Vijayan
May 26, 2011 05:05 PM ET

Computerworld - Honda Canada has notified about 280,000 customers in that
country of a data breach involving the compromise of their personal data.

The breach was discovered in late February. However the company only began
notifying customers of the compromise earlier this month.

An undated alert posted on the company's Web site said the incident
involved the unauthorized access of customer names, addresses, vehicle
identification numbers, and in the case of a small number of customers,
their Honda Financial Services account numbers.

Jerry Chenkin, executive vice president of Honda Canada, said Thursday the
reason for the delay was because the company needed time to figure out the
scope of the breach before it could begin notifying customers.

Asperger's charity loses children's data in laptop theft

Personal information relating to 80 children with Asperger's syndrome has
been stolen from a Sheffield charity.

A laptop containing names, addresses and medical information was stolen
from Asperger's Children and Carers Together (ACCT).

The computer was taken from the home of an employee and reported in
December.

The Information Commissioner's Office (ICO) said the incident breached
data protection and the charity must ensure "information is encrypted".

Latest Sony Hack Targets Japan Music Site

This is getting a little ridiculous. Analysts have discovered yet
another flaw on Sony's network, this time via Sony Music Japan.

"The Hacker News sent us a tip this evening documenting a couple of
vulnerable Web pages on SonyMusic.co.jp that allowed hackers to access
their contents through SQL injection," Chester Wisniewski with Sophos
wrote in a blog post.

Aussie banks cancel 10,000 credit cards

No you didn't exceed your limit, we can't secure our data
By Natalie Apostolou
Posted in Security, 29th May 2011 22:50 GMT

The Australian banking system has been rocked by a mystery security breach
which caused the immediate cancellation of over 10,000 cards on Friday.
The Commonwealth Bank and the St George Bank initiated the alert via SMS
to customers notifying them that their cards would be cancelled as part of
precautionary measures.

The Commonwealth Bank said in a statement that it was alerted to compromised
security for credit card data following the report of a potential data
breach by an undisclosed Australian merchant (serviced by another bank).
However, none of the affected banks have revealed the cause or detailed
the exact nature of the security breach.

The Commonwealth Bank has cancelled 8,000 cards while Bendigo Bank has
also reportedly cancelled 2,300 cards. Westpac and the National Australia
Bank (NAB) alerted customers of the fraudulent activity but said that only
a small number of customers - fewer than 1,000 - had been affected.

Survey: Breaches Cost Some Healthcare Organizations $100K Per Day

Most healthcare organizations have made compliance with security and
privacy regulations a priority, but that hasn't slowed the data-breach
bleed, a new survey finds.

Some 56 percent of IT administrators in healthcare organizations say they
spend anywhere from 25 to 100 percent of their time working on compliance,
and 54 percent spend most of it on HIPAA, according to the survey
conducted by GlobalSign, a certificate authority. Meanwhile, some 34
percent of organizations suffered a breach of their patients' records in
the past two years, and 10 percent say those breaches cost organizations
$100,000 per incident each day.

Nearly 40 percent spend one-fourth of their work week "improving security
and ensuring data privacy," and 19 percent say they spend 75 to 100
percent of their time on compliance, the report found, based on a survey
of 107 IT administrators, managers, and C-level executives. Half of the
respondents are with organizations of 5,000 or more employees.

Lila Kee, chief product officer at GlobalSign, says the findings reveal
that healthcare is working heavily on compliance for HIPAA, HITECH, and
other state and federal regulations, but is still getting hacked. "They
are still having breaches even though they are doing a lot with
regulations and compliance," Kee says.

Data breach notification laws: Timing right for breach notification bill, experts say

New legislation proposed by the White House is attempting to blanket
the United States with a standard set of data breach notification
rules and experts say the time has never been better for the proposed
data breach notification law (PDF).

The Obama administration is seeking to standardize the amount of time
companies can wait before informing consumers of a data breach
involving consumer data. At the same time, the White House issued a
document outlining its International Strategy for Cyberspace (PDF),
which outlines a roadmap in how the federal government would help
secure distributed networks, protect intellectual property and build
disaster response plans.

The new data security legislation sent to Congress follows a string of
high-profile data breaches. It would require companies to notify
potential victims “without unreasonable delay.” Other requirements
include the notification of a major media outlet and all major
credit-reporting agencies within 60 days if the credit card data on
more than 5,000 individuals is at risk.

The bill and a document outlining the country’s national security
strategy comes just two years after President Barack Obama’s Strategic
Cyber security Review, which outlined cybersecurity and made it
paramount to U.S. national security.

“There hasn’t been a high number of very high-profile attacks and data
breaches that have drawn the concern of Congress,” said Eric
Rosenbach, principal and lead of the Global Cybersecurity Consulting
Practice at Good Harbor Consulting. “You see now, within the last two
or three years, that there has been a number of high-profile attacks
that change the context in which people think about this.”

The Obama administration said it sought to construct a ubiquitous
piece of legislation that would benefit the private sector and protect
consumers, thus creating one consistent federal standard for data
breach notification. A unified federal law will help "push forward
the new momentum of cloud computing," by creating one set of rules
that large corporations have to deal with instead of several,
Rosenbach said.

Rosenbach believes that while this proposal is important, it will not
make it through the legislative process unchanged, especially coming
from a Democratic White House through a Republican House of
Representatives.

Other experts agreed that the timing is right for federal
cybersecurity legislation. Different rules and regulations set up by
states have been costly for enterprises, said Pete Lindstrom, a
research director with Malvern, Pennsylvania-based Spire Security.

“Any time you’re consolidating the procedural requirements for
notification, I think it’s generally a good thing,” Lindstrom said.
“Right now, with each state deciding how notification should occur,
it’s a huge burden on enterprises to actually comply with all the
different state laws.”

Lindstrom said privacy advocates will be watching the bill closely,
but legislators are keenly aware of ongoing sensitivity over privacy
issues.

“States are going to dislike it because it usurps some of their
authority, but generally the House and the Senate are going to like it
because it gives them more oversight and people care,” Lindstrom said.

Some like Avivah Litan, a vice president and distinguished analyst at
Gartner Inc., see the law as “pretty innocuous” and do not anticipate
much of a fight on Capitol Hill. Since companies already have to
comply with state disclosure laws they have little reason to fight a
bill seeking to make their legal maneuverings easier; however, Litan
is sure there will be lobby groups who come out against the bill.

“I think this law can only improve security,” Litan said. “I think it
is one of the better things they’ve done in cybersecurity, and I’m not
usually very generous with them. I’ve got lots of other criticisms of
the Obama administration, but I think this law is actually a good
proposal.”

The unified federal law will be especially helpful to smaller
businesses, preventing them from having to deal with expensive and
specialized lawyers, especially if the businesses operate in multiple
states, said Good Harbor’s Rosenbach. This is because larger companies
often have the resources to deal with multiple and varying state laws
while smaller businesses do not, which could be an impediment to
competitiveness.

“The private sector, above all else when it comes to cybersecurity,
wants something that is stable and easy to understand because then
it’s easy for them to plan for future investment and they have a more
stable kind of operating environment,” Rosenbach said.

LulzSec Sony dump online

Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will find
various collections of data stolen from internal Sony networks and websites,
all of which we accessed easily and without the need for outside support or
money.

We recently broke into SonyPictures.com and compromised over 1,000,000 users'
personal information, including passwords, email addresses, home addresses,
dates of birth, and all Sony opt-in data associated with their accounts. Among
other things, we also compromised all admin details of Sony Pictures (including
passwords) along with 75,000 "music codes" and 3.5 million "music coupons".

Due to a lack of resource on our part (The Lulz Boat needs additional funding!)
we were unable to fully copy all of this information, however we have samples
for you in our files to prove its authenticity. In theory we could have taken
every last bit of information, but it would have taken several more weeks.

Our goal here is not to come across as master hackers, hence what we're about
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of
the most primitive and common vulnerabilities, as we should all know by now.
From a single injection, we accessed EVERYTHING. Why do you put such faith in a
company that allows itself to become open to these simple attacks?

What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just a
matter of taking it. This is disgraceful and insecure: they were asking for it.

This is an embarrassment to Sony; the SQLi link is provided in our file
contents, and we invite anyone with the balls to check for themselves that what
we say is true. You may even want to plunder those 3.5 million coupons while
you can.

Included in our collection are databases from Sony BMG Belgium & Netherlands.
These also contain varied assortments of Sony user and staffer information.

Sony Pictures attacked again, 4.5 million records exposed

by Chester Wisniewski on June 2, 2011

The same hackers who recently attacked PBS.org have turned their attention
back to Sony by releasing the latest dump of information stolen from
Sony's websites.

While the information disclosed includes approximately 150,000 records,
the hackers claim the databases exposed contain over 4.5 million records,
at least a million of which include user information.

The data stolen includes:

* A link to a vulnerable sonypictures.com webpage.
* 12,500 users related to Auto Trader (Contest entrants?) including
birth dates, addresses, email addresses, full names, plain text passwords,
user IDs and phone numbers.
* 21,000 IDs associated with a DB table labeled "BEAUTY_USERS"
including email addresses and plain text passwords.
* ~20,000 Sony Music coupons (out of 3.5 million in the DB).
* Just under 18,000 emails and plain text passwords from a Seinfeld
"Del Boca" sweepstakes.
* Over 65,000 Sony Music codes.
* Several other tables including those from Sony BMG in The
Netherlands and Belgium.

LibriVox Forum Hacked

> Dear Librivoxer,
>
> This is Hugh, the founder of LibriVox, writing to let you know that,
> unfortunately, a hacker broke into the LibriVox forum, caused a bit of
> damage (now fixed), but more worryingly, got access to our complete
> database including emails and encrypted passwords. We have locked them out
> of the system, and we've fixed the vandalism, but they still have our
> database.
>
> So, in order to protect our users & the LibriVox accounts:
>
> * we have RESET ALL USER PASSWORDS (including yours)
> * the next time you login your password will be invalid
> * you will have to reset your password, using this link:
> http://forum.librivox.org/ucp.php?mode=sendpassword
>
> NOTE1: PLEASE DO NOT USE THE SAME PASSWORD YOU USED BEFORE!
>
> NOTE2: IF YOU USE THE SAME PASSWORD ON OTHER INTERNET SERVICES, WE
> RECOMMEND YOU CHANGE THOSE PASSWORDS TOO.
>
> If you have difficulty resetting your password, please reply to this email
> and ask for help. Be sure to include your forum username.
> LibrivoxPasswordReset@librivox.org
>
> In the interests of full disclosure, here is some extra information:
> (1) The database contained every piece of communications sent through the
> forum, including all private messages. This information is now in the
> possession of the hacker.
>
> (2) All forum passwords in the database are encrypted. However, if your
> password was very simple, it will be trivial for the hacker to break the
> encryption using "brute-force" techniques. They will likely attempt exactly
> this, so if you use the same password on any other Internet service, you
> should immediately change your password at those services.
>
> We are very sorry that this happened, and once this is sorted out as best
> as it can be, we'll be doing a more thorough security review.
>
> If you have questions, please don't hesitate to contact me.
>
> Sincerely,
> Hugh McGuire
> Founder, Librivox
>
>
> --
> The LibriVox Team
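Two of the items above turn on how credentials were stored: the Sony Pictures dump claims passwords were kept in plaintext, and the LibriVox notice explains that even hashed ("encrypted") passwords fall quickly to guessing when the password itself is simple, so every user was reset. The following is an added example written for this page, not code from Sony, LibriVox or any of the quoted authors. It shows the storage pattern a site should have had: a per-user random salt, an iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), constant-time comparison on login, and a small audit helper that flags rows in a user table that are not in the hashed format so they can be migrated or force-reset. The iteration count, the record format and the sample user rows are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Constructed parameters for this example; in a real deployment tune the
# iteration count to your hardware so each hash costs a noticeable fraction
# of a second, which is what slows down guessing of simple passwords.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$key_b64.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed list for everyone at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False  # not a record this scheme produced (e.g. plaintext)
    if algo != ALGORITHM or not iterations.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(key, expected)


def is_hashed_record(value: str) -> bool:
    """True if a credential column value is in the hashed record format."""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()


def audit_credentials(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Return usernames whose stored credential is not a hashed record.

    Anything that is not in the recognised format is treated as plaintext or
    an unknown legacy format and reported, so those accounts can be migrated
    on next login or force-reset, as LibriVox did after its breach.
    """
    return [user for user, cred in rows if not is_hashed_record(cred)]


if __name__ == "__main__":
    # Constructed sample user table: two migrated accounts, one legacy row
    # holding the password as-is, which is the failure mode alleged for Sony.
    sample = [
        ("alice", hash_password("correct horse battery staple")),
        ("bob", hash_password("hunter2")),
        ("carol", "hunter2"),
    ]
    print("needs migration or reset:", audit_credentials(sample))
    print("bob login ok:", verify_password("hunter2", sample[1][1]))
    print("bob wrong pw:", verify_password("hunter3", sample[1][1]))
```

Note that hashing alone does not rescue a user who chose "hunter2": the iterated hash only raises the per-guess cost, which is why the LibriVox notice still tells users with simple or reused passwords to change them elsewhere. The audit helper is the check a site can run on its own table before an incident rather than after one.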

Sony had HOW many breaches?

We thought keeping track of entities involved in the Epsilon breach
was tough, but the recent spate of attacks on Sony networks has us
working overtime trying to update the database. Thankfully, Jericho
provided yeoman service and compiled a hyperlinked chronology of
recent developments.

The Sony breaches have generated a lot of discussion. Some of it has
centered on Sony's shocking failure to encrypt passwords and it being
all-too-vulnerable to SQLi compromises (if those posting the data
publicly are accurate as to how they compromised certain databases).
Sony undoubtedly has a lot of explaining to do if it hopes to have
future assertions of industry-standard security taken seriously.

To date, the two largest incidents affected over 100 million records.
But were the PSN and Sony Online Entertainment (SOE) attacks two
separate incidents or were they really one breach? Should
DataLossDB.org have recorded one breach with over 100 million
affected, or two incidents involving 77 million and 24.6 million,
respectively? Or should we just treat the last 45 days' incidents as
one #EPIC #FAIL and one big incident? In light of our mission to track
unique breaches, the question is not trivial.

When news of the second incident broke, the first thought was to
update the PSN entry and add another 24.6 million to that counter. But
as more details emerged, it seemed clear that we should treat it as a
separate incident. The attack had occurred on different days than
the PSN attack, the data compromised were on different networks, it
seems quite likely the different networks had different security
measures involved (Sony later testified that databases with credit
card data were treated with higher security), we did not know if the
same individuals were involved in both attacks, and the company itself
was reporting it as a second incident previously unknown to them and
not as an update to the other breach. Our impression that these were
two unique incidents was subsequently supported by the reports made to
the New Hampshire Attorney General's Office for each incident (here
and here).

Despite what we thought was an accurate way to track these breaches,
one commenter to DataLossDB.org questioned our decision to treat the
reports as two unique incidents. A researcher with Javelin Strategy
commented that treating this as two incidents instead of one benefited
Sony: they would not appear ranked 2nd in our list of all-time largest
breaches on our home page. Since these incidents had the same parent
corporation, he suggested, they should be treated as one aggregated
incident.

While those points may appear reasonable to some, we find them
unpersuasive. First, we do not make decisions based on whether an
entity benefits or suffers from a particular decision. We make
decisions based on whether the available information supports
aggregating the data for a particular incident or not. In this case,
although it is the same parent corporation, the available information
does not support aggregation. In other cases, such as a Wellpoint
breach that was initially entered as distinct incidents, when my
research revealed that there was only one incident and that what
appeared to be a second incident was really due to Wellpoint's vendor
not fully securing the web sites after the first report, I recommended
that those incidents be combined, and they will be. But other than a
common target - Sony - where is there any evidence that this was just
one incident? There is none.

We recognize that not everyone will agree with our decision, and
that's fine. Should new information become available that suggests
that a one-incident approach is more appropriate for these incidents,
we will edit our entries.

As always, we welcome constructive thoughts about how to make the
database more useful to stakeholders, but we do not expect all of our
decisions to please everyone.

Acer Europe Customer Details Exposed

According to a report from The Hacker News, the personal data of approximately 40,000 Acer customers were made available online via the company's Acer-Euro.com FTP server. The 13 MB ZIP archive contained an Excel spreadsheet with the various customer details, including first and last names, country of residence and email addresses, as well as product model and serial numbers owned by these customers.