<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; Hacking</title> <atom:link href="http://www.ghacks.net/tag/hacking/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Symantec&#8217;s pcAnywhere Source Code Published</title><link>http://www.ghacks.net/2012/02/08/symantecs-pcanywhere-source-code-published/</link> <comments>http://www.ghacks.net/2012/02/08/symantecs-pcanywhere-source-code-published/#comments</comments> <pubDate>Wed, 08 Feb 2012 08:08:05 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[symantec]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=57106</guid> <description><![CDATA[Back in 2006 hackers managed to download the source code of Symantec software after successfully gaining access to Symantec&#8217;s infrastructure. The hackers managed to obtain the Norton Antivirus Corporate Edition, Norton Utilities, Norton GoBack, pcAnywhere and Norton Internet Security source code during the operation. The incident came to light only recently, when hackers started to upload code [...]]]></description> <content:encoded><![CDATA[<p>Back in 2006 hackers managed to download the source code of Symantec software after successfully gaining access to Symantec&#8217;s infrastructure. The hackers managed to obtain the Norton Antivirus Corporate Edition, Norton Utilities, Norton GoBack, pcAnywhere and Norton Internet Security source code during the operation.</p><p>The incident came to light only recently, when hackers started to upload code sneak peeks and information to the Internet.</p><p>Symantec then asked users of pcAnywhere to stop using the software while it analyzed and mitigated the resulting risks. Symantec later released a security <a
href="http://nakedsecurity.sophos.com/2012/01/25/symantec-stop-pcanywhere/">recommendations</a> whitepaper that described possible risk scenarios.</p><ul><li>The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.</li><li>A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.</li><li>If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.</li><li>In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.</li><li>Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.</li><li>For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.</li></ul><p>This information was later removed from the whitepaper <a
href="http://www.symantec.com/business/support/index?page=content&#038;id=TECH179526">after a patch</a> had been issued.</p><p>The hackers in the meantime <a
href="http://pastebin.com/GJEKf1T9">have released</a> email correspondence on PasteBin. Here it gets a bit blurry as both sides apparently tried to broker a deal that would prevent the source codes from being released to the public. According to Symantec, it was a sting operation from the very beginning. The hackers on the other hand <a
href="http://www.reuters.com/article/2012/02/07/symantec-hackers-idUSL4E8D71NX20120207">stated that</a> they tried to &#8220;humiliate them&#8221; further.</p><p>A torrent of the source code has since been released on the popular BitTorrent indexing site The Pirate Bay, where it quickly climbed into the top 5 seeded files of the Misc category.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/02/symantec-pc-anywhere-source-code.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/02/symantec-pc-anywhere-source-code-600x543.jpg" alt="symantec pc anywhere source code" title="symantec pc anywhere source code" width="600" height="543" class="alignnone size-medium wp-image-57108" /></a></p><p>The hackers have already announced that they will also release the Norton Antivirus source code.</p><p>Should Norton and Symantec customers be worried about the source code release? Symantec stated that users who have upgraded the products to the latest version have nothing to worry about.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2012/02/08/symantecs-pcanywhere-source-code-published/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Web Hoster Dreamhost Hacked, Asks Users To Change Passwords</title><link>http://www.ghacks.net/2012/01/21/web-hoster-dreamhost-hacked-asks-users-to-change-passwords/</link> <comments>http://www.ghacks.net/2012/01/21/web-hoster-dreamhost-hacked-asks-users-to-change-passwords/#comments</comments> <pubDate>Sat, 21 Jan 2012 11:26:42 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[dreamhost]]></category> <category><![CDATA[Hacking]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=56093</guid> <description><![CDATA[After a relatively quiet holiday period, attacks on popular services on the Internet seem to have picked up again. After the Zappos incident a few days ago, it is now the popular web hoster Dreamhost who noticed unauthorized activity within one of the company&#8217;s databases. Dreamhost is not going into further detail but mentions that [...]]]></description> <content:encoded><![CDATA[<p>After a relatively quiet holiday period, attacks on popular services on the Internet seem to have picked up again. After the <a
href="http://www.ghacks.net/2012/01/16/zappos-hacked-security-email-asks-users-to-change-passwords/">Zappos incident</a> a few days ago, it is now the popular web hoster Dreamhost who noticed unauthorized activity within one of the company&#8217;s databases. Dreamhost is not going into further detail but mentions that they do not have evidence that customer login information or passwords have been dumped by the attackers.</p><p>The company nevertheless decided to reset all FTP and shell user access passwords for all Dreamhost users. This should not be confused with the account password used to log into the Dreamhost site itself though. Dreamhost customers who are using the same passwords for multiple services should change passwords on all of them to eliminate the possibility of unauthorized access to those accounts.</p><p><a
href="http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/">Dreamhost</a> furthermore notes that users should also be changing email passwords of all Dreamhost managed email addresses as soon as possible.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/dreamhost.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/dreamhost-600x533.jpg" alt="dreamhost" title="dreamhost" width="600" height="533" class="alignnone size-medium wp-image-56095" /></a></p><blockquote><p>We have been sending out update emails to every account owner we have, letting them know what happened, and how to proceed from here on out. As a precaution, we advise every user to change all email passwords as well. We are not forcing this change, however, so make sure you take care of that ASAP.</p></blockquote><p>Shell and ftp passwords can be changed in the Manage Users interface which is accessible <a
href="https://panel.dreamhost.com/index.cgi?tree=users.users&#038;">here</a>. Dreamhost customers need to click on the edit button next to the ftp or shell user to change the login password for that account.</p><p>A company representative noted that neither credit card data nor web panel logins were accessed by the attackers. If you read through all of the 270 or so comments on the Dreamhost blog, you will notice that many customers were quite infuriated about the level of information they received. Web panel access was not available at all times due to users trying to change their passwords, and rumors spread that Dreamhost was storing passwords in plain text (which was later refuted by a Dreamhost employee who stated that they were hashed).</p><p>Let's take a look at what Dreamhost customers need to do right now:</p><ul><li>Log into the web panel and change FTP, SFTP, MySQL, email and other account passwords. Some passwords have been reset automatically by Dreamhost, which means that they need to be changed anyway to regain access.</li><li>Change passwords on other accounts if the same password was used for access.</li></ul><p>Passwords with a reasonable length should be safe, but it is nevertheless better to make the changes to be certain that the attackers cannot use successfully decrypted passwords to gain account or service access. A password manager like <a
href="http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/">KeePass</a> can aid in the creation of secure passwords.</p><p>Are you a Dreamhost customer? If so, when did you receive notification about the security incident and what did you experience afterwards?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2012/01/21/web-hoster-dreamhost-hacked-asks-users-to-change-passwords/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Zappos Hacked, Security Email Asks Users To Change Passwords</title><link>http://www.ghacks.net/2012/01/16/zappos-hacked-security-email-asks-users-to-change-passwords/</link> <comments>http://www.ghacks.net/2012/01/16/zappos-hacked-security-email-asks-users-to-change-passwords/#comments</comments> <pubDate>Mon, 16 Jan 2012 10:50:00 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Hacking]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=55871</guid> <description><![CDATA[Zappos yesterday notified all of their employees and customers that a company server has been compromised. The email, accessible online only for visitors from the US, indicates that the attackers may have gotten hold of part or all of the customer account database of Zappos.com. Information that may have been retrieved by the attacker include [...]]]></description> <content:encoded><![CDATA[<p>Zappos yesterday notified all of their employees and customers that a company server has been compromised. The email, <a
href="http://blogs.zappos.com/securityemail">accessible</a> online only for visitors from the US, indicates that the attackers may have gotten hold of part or all of the customer account database of Zappos.com. Information that may have been retrieved by the attacker includes customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of the credit card number and encrypted passwords.</p><p>Tony Hsieh, Zappos&#8217; CEO, notes that the credit card and payment database has not been affected or accessed by the attacker.</p><p>While not in immediate danger, customers are asked to change their account passwords at the next possible moment to protect their accounts from unauthorized access. If the attackers managed to dump the account usernames and passwords, they have likely started to decrypt the passwords with the help of dictionary lists and brute forcing. The attackers cannot use the information directly on the Zappos site though, as passwords have been reset by the company. Customers are asked to create a new password by &#8220;clicking on the &#8220;Create a New Password&#8221; link in the upper right corner of the web site and follow the steps from there&#8221;. It is alternatively possible to open the Password Change <a
href="http://www.zappos.com/passwordchange">page</a> right away on the website which leads to the create a new password page.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2012/01/zappos.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2012/01/zappos-600x399.jpg" alt="zappos" title="zappos" width="600" height="399" class="alignnone size-medium wp-image-55874" /></a></p><p>Zappos notes that users should change passwords on other websites if they have used the same password for accounts on those sites. If the attackers manage to decrypt the passwords, they could try to log into email accounts or other popular web services.</p><blockquote><p>We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.</p></blockquote><p>Resetting more than 24 million customer passwords must not have been an easy decision for the company CEO. Other hacked companies have reacted differently in the past, for instance by only emailing their customers about the breach and asking them in the email to change their account passwords. The better-safe-than-sorry approach seems to be better suited for this kind of situation. 
What&#8217;s your take on the news, and do you think that Zappos made the right move?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2012/01/16/zappos-hacked-security-email-asks-users-to-change-passwords/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Steam Forum Hacked, Time To Panic?</title><link>http://www.ghacks.net/2011/11/11/steam-forum-hacked-time-to-panic/</link> <comments>http://www.ghacks.net/2011/11/11/steam-forum-hacked-time-to-panic/#comments</comments> <pubDate>Fri, 11 Nov 2011 12:10:10 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[hacked]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[steam]]></category> <category><![CDATA[valve]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=52600</guid> <description><![CDATA[The Steam forums were for a time not accessible a few days ago. What felt like a hardware or software issue at that time was actually more serious than this. Users who visit the Steam forums today see an announcement on the first page that informs them that the Steam forum and Steam databases have [...]]]></description> <content:encoded><![CDATA[<p>The Steam forums were for a time not accessible a few days ago. What felt like a hardware or software issue at that time was actually more serious than this. Users who visit the <a
href="http://forums.steampowered.com/forums/">Steam forums</a> today see an announcement on the first page that informs them that the Steam forum and Steam databases have been attacked. Among the stolen information are Steam user names, encrypted passwords, game purchases, email addresses, billing addresses and even encrypted credit card information.</p><p>Valve at this point in time has no evidence that the intruders were able to crack or access credit card numbers or user passwords.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/11/steam-hacked.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/11/steam-hacked-600x475.jpg" alt="steam hacked" title="steam hacked" width="600" height="475" class="alignnone size-medium wp-image-52601" /></a></p><p>The forums have been taken offline for the time being until the investigation ends. Forum users will be asked to change their password the next time they log into the forums once they are accessible again.</p><p>Steam accounts do not seem to be affected according to Valve, as forum accounts and Steam accounts are not identical.</p><p>Users who have a Steam forum account should do the following:</p><ul><li>Change their Steam account and other passwords if they are the same as the forum account password.</li><li>Monitor their credit card statements if they have ever paid by credit card on Steam.</li><li>Be aware of the possibility of targeted phishing attacks, e.g. emails posing as Valve.</li></ul><p>It is unlikely that attackers will be able to decrypt the credit card information or passwords. What they may do, however, is run a dictionary of the top 1000 passwords against all user accounts to get full access to those accounts. Users who have used weak passwords for their Steam forum account need to change the password as soon as the forums come back up. They also need to make 100% sure that the password is not used for any other services, e.g. their email address or social networking sites. 
It is recommended to change the password on those sites and services right away to avoid further damage.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/11/11/steam-forum-hacked-time-to-panic/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>HackNotifier, Check If Online Accounts Have Been Compromised</title><link>http://www.ghacks.net/2011/10/07/hacknotifier-check-if-online-accounts-have-been-compromised/</link> <comments>http://www.ghacks.net/2011/10/07/hacknotifier-check-if-online-accounts-have-been-compromised/#comments</comments> <pubDate>Fri, 07 Oct 2011 07:41:14 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[email account]]></category> <category><![CDATA[hacked website]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[user account]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51231</guid> <description><![CDATA[News about big hacks and the publication of user databases have slowed down considerably in past months. Before that reports of hacks were nearly daily in the news with companies like Sony, Gawker or Ashampoo the target. Many user databases that the hackers dumped during the hack were published on the Internet afterwards. Not all [...]]]></description> <content:encoded><![CDATA[<p>News about big hacks and the publication of user databases have slowed down considerably in past months. Before that reports of hacks were nearly daily in the news with companies like <a
href="http://www.ghacks.net/2011/06/04/sony-hacked-again/">Sony</a>, <a
href="http://www.ghacks.net/2010/12/13/lifehacker-hack-what-you-need-to-do-right-now/">Gawker</a> or <a
href="http://www.ghacks.net/2011/04/22/ashampoo-hacked-watch-out-for-fake-customer-emails/">Ashampoo</a> the target. Many user databases that the hackers dumped during the hack were published on the Internet afterwards. Not all of them listed unencrypted passwords, but some did, and even though companies asked users to change all of their online account passwords, it is likely that some users missed those announcements completely.</p><p>The free online service HackNotifier is more or less a frontend that users can use to search for email addresses that were leaked in hacking attempts. You basically enter your email address &#8211; or the email address of someone else &#8211; into the form on the main page to see if it was listed in one of the hacked user databases.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/hacknotifier.jpg" alt="hacknotifier" title="hacknotifier" width="600" height="408" class="alignnone size-full wp-image-51232" /></p><p>You then get to review your status on the next page. The service lets you know immediately if your account is insecure and if it has been compromised.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/accounts-insecure.jpg" alt="accounts insecure" title="accounts insecure" width="349" height="399" class="alignnone size-full wp-image-51233" /></p><p>HackNotifier lists the company that was compromised and the day it happened. A link points to third party websites that offer additional information about the hack. It then asks you to change your account passwords if you have not already done so.</p><p>Users can sign up for the company&#8217;s service to receive notifications when their email account gets hacked again. This obviously is only effective if the hackers publish the user database on the Internet. The service at the time of writing has information about 20 leaks and almost 1.5 million accounts in their database.</p><p>HackNotifier assures that they do not save email addresses that users enter on their front page to check whether the account has been compromised.</p><p>Probably the biggest issue is that most hackers do not dump user databases publicly. It can still be frightening to see your email address listed as compromised on the results page.</p><p>You can check out HackNotifier <a
href="http://www.hacknotifier.com/">here</a>. A similar service is <a
href="https://shouldichangemypassword.com/">Should I Change My Password</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/07/hacknotifier-check-if-online-accounts-have-been-compromised/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>How Much Is A Hacked PayPal Account Worth?</title><link>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/</link> <comments>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/#comments</comments> <pubDate>Wed, 05 Oct 2011 12:46:44 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[paypal account]]></category> <category><![CDATA[paypal phishing]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=51164</guid> <description><![CDATA[We all know that you can practically buy anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts. Brian Krebs in a post on the Krebs on Security blog sheds some light on the latter. He identified websites where PayPal account data, and sometimes linked email account information, were [...]]]></description> <content:encoded><![CDATA[<p>We all know that you can practically buy anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts. Brian Krebs in a post on the <a
href="http://krebsonsecurity.com/2011/10/how-much-is-that-phished-paypal-account/">Krebs on Security</a> blog sheds some light on the latter. He identified websites where PayPal account data, and sometimes linked email account information, were sold in bulk.</p><p>According to his information, PayPal accounts are sold for as little as $50 per 100 unverified accounts. 50 cents per account may not seem like much, but you need to consider that unverified means that the original owner has not linked the account to a bank account or credit card. This limits what can be done with the account (while it is possible to use it to move money, it cannot be used to make purchases if the PayPal balance is not sufficient).</p><p>Verified accounts on the other hand start at prices of $2.50 for PayPal accounts with a balance of up to $10, and more if the balance is larger. You see a larger account with a balance of more than 1000 dollars go for $45 at the site selling those hacked accounts.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/10/hacked-paypal-accounts.png" alt="hacked paypal accounts" title="hacked paypal accounts" width="600" height="186" class="alignnone size-full wp-image-51165" /></p><p>It is rather interesting that the site not only lists the account balance, first name, address and type of account but also much of the user&#8217;s email address. Registration at the site is closed and only possible by contacting a site operator over ICQ.</p><p>Considering that email addresses are listed, it would make sense for PayPal to try and get an account to block all hacked accounts before third parties can use them for illegal activities.</p><p>Brian believes that the majority of accounts for sale have been collected via phishing attacks, but that trojans on user computers have also been used, considering that some of the PayPal accounts are sold with linked email account logins.</p><p>It feels kinda strange that a site like this can operate for a relatively long time without being taken down by the authorities. I won&#8217;t link directly to the site, but you find the link and a sister site mentioned in Brian&#8217;s article.</p><p>I personally would have expected the accounts to be sold at higher prices. 
This can either mean that demand is not high, or that the site operators have access to a lot of hacked PayPal accounts.</p><p>What&#8217;s your take on this?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/10/05/how-much-is-a-hacked-paypal-account-worth/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>UK Newspaper “The Sun” Hacked, and Data Stolen</title><link>http://www.ghacks.net/2011/08/02/uk-newspaper-%e2%80%9cthe-sun%e2%80%9d-hacked-and-data-stolen/</link> <comments>http://www.ghacks.net/2011/08/02/uk-newspaper-%e2%80%9cthe-sun%e2%80%9d-hacked-and-data-stolen/#comments</comments> <pubDate>Tue, 02 Aug 2011 20:42:28 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[hacked]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[newspaper]]></category> <category><![CDATA[the sun]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=48551</guid> <description><![CDATA[The UK newspaper business must be wondering what’s going on these days. Only a few weeks after the News of the World was forced to shut up shop for good amongst phone hacking scandals, it’s now been reported that The Sun has suffered a serious breach of security with details of customers stolen and re-published [...]]]></description> <content:encoded><![CDATA[<p>The UK newspaper business must be wondering what’s going on these days. Only a few weeks after the News of the World was forced to shut up shop for good amongst phone hacking scandals, it’s now been <a
href="http://www.bbc.co.uk/news/technology-14371738">reported</a> that The Sun has suffered a serious breach of security with details of customers stolen and re-published elsewhere on the web.</p><p>It is claimed that thousands of people who entered competitions on The Sun’s official website have been contacted by the newspaper to warn them that their personal information may have been stolen. Apparently the data was copied from The Sun’s database when their site was hacked into on 19th July of this year. Some information has been found already posted online, including applications for the “Miss Scotland” competition. The Sun has said in a statement that the matter has been reported to the police and the Information Commissioner.</p><p>Unfortunately for The Sun, there is very little they can do to rescue this situation. Once details have been removed and copied, they can change hands very quickly, so apart from issuing an apology to those affected, their hands will be tied, even though they say they are working with the authorities to resolve the matter. They [The Sun] have said they will be contacting all customers affected.</p><p>Data stolen appears to be information including names, addresses, dates of birth, email addresses and phone numbers. Although no financial data has been stolen (apparently), the information taken could be used in attempts at identity theft. With unscrupulous people looking at ways to capture this kind of information in bulk, the database is sure to attract the attention of many criminals online.</p><p>It has been suggested that a sample of the data stolen has already been posted on Pastebin, which is a popular document sharing website. Once there, it will be in the public forum where it may be copied to many other sites. Fortunately there has been no suggestion that the entire database has been posted yet. No doubt The Sun, and its publisher, News Group, will be watching with bated breath to see if the database crops up anywhere. 
They will of course be hoping the damage can be limited to only a small section of data.</p><p>It appears that the data was stolen at the same time The Sun’s website was hacked into and defaced in July. Hacktivist group “Lulz” has been linked to the attack, when Lulz Security (LulzSec) claimed responsibility for it. At the time it appeared that the damage was limited to vandalism, but now it’s possible the situation could be much worse. In July, Lulz posted a bogus story on The Sun’s site claiming that Rupert Murdoch had died. At the same time, those using the site to enter competitions were redirected to another bogus site that was capturing user information.</p><p>It is thought that the data stolen from the site could go back as far as two years, and that will leave users of The Sun’s website wondering why their personal information was being stored for so long.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/08/02/uk-newspaper-%e2%80%9cthe-sun%e2%80%9d-hacked-and-data-stolen/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>If Caught in Hacking Crossfire, Defend Your Information Furiously</title><link>http://www.ghacks.net/2011/06/19/if-caught-in-hacking-crossfire-defend-your-information-furiously/</link> <comments>http://www.ghacks.net/2011/06/19/if-caught-in-hacking-crossfire-defend-your-information-furiously/#comments</comments> <pubDate>Sun, 19 Jun 2011 08:04:37 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[login]]></category> <category><![CDATA[lulzsec]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[paypal account]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=46668</guid> <description><![CDATA[It seems that those friendly, harmless little hackers from LulzSec have turned their attention, at least momentarily, from computing giants to passing bystanders in the evolving battle that has been kicking up online in past months. Friday the hacking community Lulz Security (LulzSec) posted a file which it claimed contained the username and password information [...]]]></description> <content:encoded><![CDATA[<p>It seems that those friendly, harmless little hackers from LulzSec have turned their attention, at least momentarily, from computing giants to passing bystanders in the evolving battle that has been kicking up online in past months.</p><p>Friday the hacking community Lulz Security (LulzSec) posted a file which it claimed contained the username and password information of 62,000 random individuals using popular websites like Facebook and PayPal.  While it is doubtful that Lulz itself plans to use that information to do anything but embarrass those websites, other people who now have access to that data may be less playful.</p><p>It is unknown how this information was acquired or from what source.  However, if you find yourself in a situation in which your Facebook or PayPal accounts have been compromised in a similar hacking campaign, there are important steps that you must take to secure your information and retake control of that loose data.</p><p>Mark Ward, a financial IT professional from Colorado, warns anyone who has been compromised to ask the two big questions of information loss: how did it happen and why.</p><p>“Anyone who has lost login information of any kind should immediately check the computers they use to access accounts for malware, keyloggers or rootkits.  
Otherwise, no matter how often you change your information, thieves will retain access to the information.”</p><p>If you were foolish enough to use that login information in multiple places, change it everywhere – or you might find those accounts compromised as well. Next, identify why you were targeted.</p><p>“LulzSec rarely goes after individuals – if your information comes up in their attacks you were probably just caught in the crossfire.”</p><p>If you are someone in whom they may take a personal interest, however, take care to protect all other information and let those connected to you know you have been targeted.  They may be approached for further information.</p><p>The loss of PayPal login information is typically more pressing than the loss of Facebook data, and as such requires forceful and immediate action.  Begin by reporting the breach to PayPal and closing the account immediately.  This stops that account from being used for any illegal purposes that you might otherwise wind up being liable for.  Next, contact the financial institutions connected to the PayPal account and have them monitor your funds.  It may be necessary to close those accounts in time, but it typically is not necessary to do so immediately.</p><p>Finally, and perhaps most importantly, contact any individuals with whom you regularly do business through that account and let them know that you have been compromised.  Your past actions will be visible to any digital thieves, and it is very possible that they may be contacted by email or phone by people claiming to be you.  Consider setting up a secure passphrase with PayPal business partners so that they can know that it really is you they are talking to.</p><p>Facebook contains mostly social information and is not connected to your finances, and as such it is less crucial to contact connections to such an account as quickly.  Again, notify Facebook, telling them of the breach, and close the account.  
This severs your connections to any photos that may be linked to your account.  Let your friends know that you have been hacked, and advise them to be wary of anyone claiming to be you.</p><p>As skirmishes online increase in frequency, more and more people will likely get caught in attacks on groups they have no significant connections to.  By following these simple steps, the damage of a breach can be minimized and you can return to your usual online activities without delay.</p><p><strong>Martin&#8217;s Words of Wisdom</strong></p><p>If you had an account at one of the hacked company sites, and used the same account login, email, password combination at other sites, your first step needs to be to change your passwords at all those sites. Before you do anything else, change your account passwords.</p><p>PayPal users can improve security with <a
href="http://www.ghacks.net/2008/07/19/protect-paypal-accounts-with-verisign-identity-protection-devices/">identity protection devices</a>. It costs little money and adds two-factor authentication to PayPal. Attackers who get your username and password cannot access the PayPal account because they do not have the code that gets generated on the fly when you use the device locally.</p><p>I probably would not go as far as to close down the account. I&#8217;d change the account password, get the security device and monitor my PayPal funds closely to react immediately when I&#8217;d spot an unauthorized transfer. You may however want to cut the link to your debit and credit cards in PayPal to avoid their being charged automatically whenever a payment is made that exceeds the account balance.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/19/if-caught-in-hacking-crossfire-defend-your-information-furiously/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>3 PS3 &#8220;Hactivists&#8221; Detained in Spain</title><link>http://www.ghacks.net/2011/06/10/3-ps3-hactivists-detained-in-spain/</link> <comments>http://www.ghacks.net/2011/06/10/3-ps3-hactivists-detained-in-spain/#comments</comments> <pubDate>Fri, 10 Jun 2011 18:33:43 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[anonymous]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[lulzsec]]></category> <category><![CDATA[playstation]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=46322</guid> <description><![CDATA[Spanish police announced today that they had captured three people suspected of hacking in connection with the recent attacks against Sony’s PlayStation Network, as well as government and corporate websites around the world. The National Police have identified the trio as the local leadership of the internationally infamous network of hackers known as Anonymous. Anonymous [...]]]></description> <content:encoded><![CDATA[<p>Spanish police announced today that they had captured three people suspected of hacking in connection with the recent attacks against Sony’s PlayStation Network, as well as government and corporate websites around the world.  The National Police have identified the trio as the local leadership of the internationally infamous network of hackers known as Anonymous.  Anonymous has been claiming responsibility for a number of recent cyber-attacks around the world.<br
/> The police statement suggests that Anonymous maintains membership of people from various countries organized into cells that share common goals.  These hackers are activists operating anonymously but in a coordinated fashion.  Commonly referred to as “hactivists”, this group of hackers has been cyber-attacking networks and websites around the globe and then gleefully advertising their successes.</p><p>One of the detainees, a 31-year-old man, was apprehended in the southern city of Almeria sometime after May 18th, according to the police.  There was a server in his apartment in the northern port city of Gijon from which they believe Anonymous attacked the Web sites of the Sony Playstation online gaming store.</p><p>They’ve also stated that the same computer was employed in coordinated hacks against two Spanish banks, BBVA and Bankia, as well as the Italian energy company Enel.  Government sites in Spain, Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand were also attacked using this server, the police claim.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/playstation-network.png" alt="playstation network" title="playstation network" width="590" height="290" class="alignnone size-full wp-image-46323" /></p><p>This investigation was opened last October after the attack on the Spanish Ministry of Culture’s Web site in protest against Spanish legislation increasing punishments for illegal downloads.</p><p>The other two suspects were apprehended in Barcelona and Valencia, respectively.  Unfortunately, the police’s statement did not state the timing of these arrests clearly, nor did it mention whether any of the three arrested were still being detained.  They were, however, expected to be charged with forming an illegal association to attack public and corporate web sites. The charged group members could face up to three years in prison if found guilty.</p><p>It is clear that Anonymous has not been the sole perpetrator of the attacks against Sony.  About a dozen of Sony’s web sites and services around the world have been hacked and, as the public is well aware, the largest breach caused PSN to be completely shut down for close to a month and compromised the sensitive information of countless users.  While Anonymous and other “hactivist” groups have cheerfully advertised their responsibility for some of the attacks, no one has come forward to claim the PSN attack that cost Sony so much downtime.  LulzSec has even been quiet on that score, and they have not been shy about proclaiming to the world whenever they’ve successfully caught a corporation with its proverbial pants down.</p><p>Sony has estimated that the combined attacks will cost it about $173 million in damages, including legal costs, lower sales, free offers to lure back customers and information technology spending.  
Mami Imada, a spokeswoman for Sony in Tokyo, told the press that she had no information regarding the arrests made in Spain and declined further comment on behalf of the company.</p><p>The attacks by Anonymous members were accomplished by making use of a computer program called LOIC to crash Web sites by flooding them with “denial-of-service” attacks, according to police.  They know this because, since October, they’ve been analyzing more than two million lines of chat logs and Web pages used by the group.  This also allowed them to identify the leadership in Spain that had the capacity to “make decisions and direct attacks.”</p><p>Among recent attacks, “hactivists” also brought down the site of the Spanish National Electoral Commission last month, right before regional and municipal elections.  It was that attack, on May 18th, that proved to be a fatal step for the 31 year old team member as it led to the arrest in Almeria.</p><p>It’s clear that this year might very well end up the year of the hackers. It leads those of us who use computers regularly, and that would be the great majority of us, to wonder what&#8217;s really going on and how safe our data is in the cloud. 
Even data stored by respected companies like Sony or banks does not seem to be safe in these times.</p><p>How do you react when a site that you are a user of gets hacked?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/10/3-ps3-hactivists-detained-in-spain/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Hacking Group LulzSec&#8217;s Activity Over The Weekend</title><link>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/</link> <comments>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/#comments</comments> <pubDate>Mon, 06 Jun 2011 07:32:00 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[botnet]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[lulzsec]]></category> <category><![CDATA[nintendo]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=46095</guid> <description><![CDATA[LulzSec is certainly going to make a name for themselves at the rate they are going. The hacker group claims responsibility for the recent major attacks against Sony and PBS’s websites as we have written about, compromising the security information of an incredible number of users and exposing the poor security of both companies. Despite [...]]]></description> <content:encoded><![CDATA[<p>LulzSec is certainly going to make a name for themselves at the rate they are going.  The hacker group claims responsibility for the recent major attacks <a
href="http://www.ghacks.net/2011/06/04/sony-hacked-again/">against Sony</a> and PBS’s websites as we have written about, compromising the security information of an incredible number of users and exposing the poor security of both companies.</p><p>Despite having successfully orchestrated a major hack on Sony just a few days ago, they announced Friday that they had successfully infiltrated the Atlanta chapter of Infragard.  For those not in the know, Infragard is an FBI affiliate.  The hackers then uploaded Infragard’s user database to the internet, compromising security for the company and its affiliates.  An associated company’s use of botnets was exposed as well, claims the group, which also claims that the documents it exposed reveal an attempt by someone involved to pay LulzSec not to expose the breach.</p><p>LulzSec actually took complete control of Infragard’s Atlanta Chapter website, defacing it.  One of their main reports was that while there were not many logins (around 180), all of them were affiliated with the FBI in one way or another.</p><p>Ironically, <a
href="http://www.infragard.net/">Infragard</a> is a private-public partnership between the FBI and US businesses.  Their business is “designed to protect IT systems from hacker attacks and other intrusions.”  It would appear they are going to have to rethink their security protocols.</p><p>LulzSec really seems to be driving home the intense need for appropriate security measures to be taken by companies who are holding extremely valuable personal information for clients.  One “weak link” can expose literally thousands of networks to a security breach, as was well demonstrated by their exposure of Karim Hijazi’s indiscretions when it came to his password.  It must be understood that reusing passwords in several different places is frowned upon by both the FBI and Infragard handbooks and, indeed, by any person or organization concerned about security.</p><p>The attack on Infragard exposed Hijazi’s repeated use of his Infragard password in other places, including accounts of his personal business as well as his personal e-mail.  Hacking one system gave them access to all of the major information Hijazi was privy to, compromising not only his own security, but that of the FBI, Infragard, his personal business and all of his clients, as well as his personal activities.  Particularly interesting to note is the fact that Hijazi’s personal business, “Unveillance”, is a whitehat company that specializes in data breaches and botnets.  LulzSec reported on their website that Karim was contacted personally by them and told all that they had done, and that he purportedly offered them money in exchange for eliminating his competitors by illegal hacking means and for their silence.  
Supposedly they even discussed plans for him to give them insider information regarding his botnet intelligence.</p><p>Hijazi issued a public statement shortly thereafter and is quoted here:</p><blockquote><p>Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as &#8220;LulzSec.&#8221; During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.</p><p>In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.</p></blockquote><p>While this author cannot vouch one way or the other for the truth of Hijazi’s or LulzSec’s claims, she can provide the last response from LulzSec regarding Hijazi’s claims:</p><blockquote><p>Karim compromised his entire company and the personal lives of his colleagues, then attempted to silence us with promises of financial gain and mutual benefits &#8230; [he] used the same password for all of his online accounts and all accounts linked to a company he owns. Then he tried to bargain with hackers so his company wouldn&#8217;t crumble.</p></blockquote><p>Regardless of whose claims are the complete truth, one thing is for certain: LulzSec is not playing around.  
Companies holding vitally sensitive information would do well to make sure their security protocols are truly secure, for their own sakes as well as the sakes of the clients who trust them.</p><p>As a side note, as this article was being written, it has come out that Lulzsec has hacked Nintendo as well, though Nintendo claims that no user information has been compromised. We will update this article as more information becomes available.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/06/hacking-group-lulzsecs-activity-over-the-weekend/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Sony Hacked Again</title><link>http://www.ghacks.net/2011/06/04/sony-hacked-again/</link> <comments>http://www.ghacks.net/2011/06/04/sony-hacked-again/#comments</comments> <pubDate>Sat, 04 Jun 2011 07:29:56 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=45996</guid> <description><![CDATA[It is no secret to anyone that between the dates of April 17th and 19th, still unnamed hackers broke into Sony’s database and stole the personal data of more than 100 million users of Sony’s PS3 Network, Qriocity entertainment service and the online gaming network, Sony Online. Sony claims to be using industry [...]]]></description> <content:encoded><![CDATA[<p>It is no secret to anyone that between the dates of April 17th and 19th, still unnamed hackers broke into Sony’s database and stole the personal data of more than 100 million users of Sony’s PS3 Network, Qriocity entertainment service and the online gaming network, Sony Online.  Sony claims to be using industry standard security measures and was forced to shut down their network for three weeks and revamp everything from the ground up.  PlayStation Store was not back in action until the 1st of June.</p><p>It may surprise some, then, that after all of the media attention surrounding this major breach of security, the group called &#8220;Lulzsec&#8221; is claiming to have attacked the servers yet again and says that they have walked away with unencrypted security information.  According to examples of their hacking as provided on Twitter (when challenged for proof of their claims) it looks as though they did indeed hack Sony networks and web sites, including Sony Music Belgium, Sony Music Netherlands and Sony Pictures.  Lulzsec wrote, on Pastebin, the following:</p><p>&#8220;We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts.  Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.&#8221;</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/sony-pictures.png" alt="sony pictures" title="sony pictures" width="568" height="587" class="alignnone size-full wp-image-45999" /></p><p>The sobering claim from Lulzsec is that not only did it gain access to SonyPictures.com with a single SQL injection, but, “What’s worse is that every bit of data we took wasn’t encrypted.  Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it,” (as posted online).  “This is disgraceful and insecure: they were asking for it.”</p><p>While it’s probable that the general public would not agree that Sony was asking to have its customers’ private information compromised, it’s hard to disagree on the point about nothing being encrypted.  After such an unprecedented and well-publicized attack in April, one can’t help but wonder how “industry standard” doesn’t require the encryption of sensitive information.  Employee and admin passwords can well be looked upon as the gateway to everything else, and with customers around the world, one would think that Sony would have a vested interest in protecting their private information.  That certainly seemed to be the case when considering their swift response to previous hackings.</p><p>After careful consideration, most would agree that Beth Givens, director of Privacy Rights Clearinghouse, has a good point.  She suggests that Sony has resorted to using industry standards for security.  “If that’s true,” she says, “then perhaps it is time to re-evaluate and even go beyond such standards.”  Sony’s clients all over the world can’t help but agree.  
In the meantime, they should change their passwords, be on the lookout for suspicious activities on their accounts and be careful not to fall for phishing scams that appear to be from Sony.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/04/sony-hacked-again/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>LastPass Passes, Sony Fails</title><link>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/</link> <comments>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/#comments</comments> <pubDate>Tue, 10 May 2011 06:53:42 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[playstation network]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44895</guid> <description><![CDATA[The cloud has been rather rainy, lately. Sony has had a rough month, to say the least. They’ve been hacked, and info has been stolen. At the time of writing PSN has been down for close to three weeks, and Sony Online Entertainment has been down for a week. During this time, Sony hasn’t shown [...]]]></description> <content:encoded><![CDATA[<p>The cloud has been rather rainy, lately.  Sony has had a rough month, to say the least.  They’ve been hacked, and info has been stolen.  At the time of writing PSN has been down for close to three weeks, and Sony Online Entertainment has been down for a week.  During this time, Sony hasn’t shown much ability to deal with its customers in a productive manner.  LastPass, too, has had its share of trouble this week.  Compared to Sony, it’s come through with flying colors.  The way LastPass handled itself has shown that it really does care about its customers and its mission.</p><p><a
href="http://www.bbc.co.uk/news/technology-13260041">Sony</a> scrambled to give its customers something like an explanation after PSN went down.  It was not very successful.  It tried to relate just enough info to ease its customers without going into too much detail.  In fact, it spent the day before the suspension of Sony Online Entertainment telling its customers that everything was under control and would be back up soon.  Oh, and by the way, members could have a month’s service free for their trouble.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-570x124.png" alt="lastpass" title="lastpass" width="570" height="124" class="alignnone size-medium wp-image-44896" /></p><p><a
href="http://www.ghacks.net/tag/lastpass/">LastPass</a> is a utility for storing passwords.  You only have to remember a master password, and it remembers all the rest.  If you’re not good at creating secure, i.e. non-dictionary, passwords, it can create them for you.  It has support for all of the major browsers, and most of the mobile platforms as well.</p><p>When LastPass saw a potential problem, the company <a
href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html">explained</a> to its customers exactly what was going on.  There was a post up before anything bad happened.  Service wasn’t even interrupted when customers were notified that there was a potential problem.</p><p> Let’s talk about Sony and security for a moment shall we?  When the company discovered that PSN was hacked, Sony released the information that customer names, numbers and addresses had been taken, but <a
href="http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/">couldn’t be sure</a> whether or not credit card info was stolen.  When Sony Online Entertainment was hacked, the company told customers that <a
href="http://arstechnica.com/gaming/news/2011/05/sony-attacked-again-12700-non-us-cc-numbers-feared-stolen.ars">thousands</a> of credit card numbers were taken as well.</p><p>LastPass was much more aware of security, it seems, than Sony.  The company let customers know that there may have been a hacking incident before it was certain that there had been one.  Someone noticed increased traffic on a database and didn’t know why, so the company played it safe.  They recommended that customers change their master password just in case the database was hacked.</p><p>LastPass has shown itself both in terms of openness with its customers and in its business practices to really care about the security of the information it’s been given.  Sony, on the other hand, has shown that it has trouble dealing with this kind of security issue.  Granted, LastPass is in the security field, but considering the amount of your info and money Sony has, the company should be more aware of potential risks and be more prepared for them, don’t you think?</p><p>Are you a user of LastPass?  Are you on PSN?  What are your views on the way the two companies have dealt with their security issues?  What could either company have done better in your view in terms both of relations with their customers and in terms of security?  
Am I being unfair to Sony?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/10/lastpass-passes-sony-fails/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> <item><title>Keeping Your Information Safe Online, Some Strategies</title><link>http://www.ghacks.net/2011/04/28/keeping-your-infomration-safe-online-some-strategies/</link> <comments>http://www.ghacks.net/2011/04/28/keeping-your-infomration-safe-online-some-strategies/#comments</comments> <pubDate>Thu, 28 Apr 2011 09:09:04 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[banking]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[internet]]></category> <category><![CDATA[privacy]]></category> <category><![CDATA[safety]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[theft]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44457</guid> <description><![CDATA[In light of Sony&#8217;s security breach last week, it&#8217;s clear that Internet security is a major issue and work clearly needs to be done, and done quickly, on implementing new web security standards, for instance the authentication of email which people have been talking about for years.  Not to mention the fairly obvious increase that&#8217;s [...]]]></description> <content:encoded><![CDATA[<p>In light of Sony&#8217;s security breach last week, it&#8217;s clear that Internet security is a major issue and work clearly needs to be done, and done quickly, on implementing new web security standards, for instance the authentication of email which people have been talking about for years.  Not to mention the fairly obvious increase that&#8217;s required in the protection of web servers and the distribution of information across those servers to help secure it from hackers.</p><p>That said, it&#8217;s done now and a massive 77 million people have had their personal information exposed.  We still don&#8217;t know how much information this includes and what it could be used for.  One thing is for certain: people such as the &#8216;security expert&#8217; who went on the BBC this week and said if you haven&#8217;t seen fraudulent transactions on your credit card yet you&#8217;re probably safe are just idiots.  How quickly do these people think criminals can get through 77 million records?</p><p><img
class="alignleft size-full wp-image-44474" src="http://www.ghacks.net/wp-content/uploads/2011/04/online-security.jpg" alt="online security" width="265" height="184" /></p><p>I thought I&#8217;d write up some strategies here to help keep you and your personal information safe online.  Some of these you will be able to implement and some you won&#8217;t, but in conjunction they ought to make you safer.</p><h3>Give your email and online files your safest password</h3><p>This isn&#8217;t just to do with spam, it&#8217;s something I wrote about here a few days ago.  Create yourself a super-strong password (see below for advice on how to do this) that you use <em>only</em> for your email, contacts and anywhere that you store documents online, such as SkyDrive or DropBox.  It&#8217;s essential to keep this information safe.  You are being trusted by others with valuable contact information attached to your email account for, sometimes, several hundred other people including their full addresses, mobile phone numbers, dates of birth and more.  This isn&#8217;t to mention any personal financial or other sensitive data you&#8217;re storing in your online files.</p><h3>Use different passwords in different places</h3><p>This isn&#8217;t always easy to do as people have trouble remembering passwords so tend to have just one or two.  There&#8217;s nothing to stop you writing down a list of passwords in a file on your phone (if you have a code lock on the handset) or at home if you have them in code.  For instance you could have the letter s added to the beginning of the password.  To any glancing eye it just looks like an extra letter on the code.  You will know that is the password you use for shopping websites.  A g could signify gaming websites and so on.  
While remembering passwords might be a pain when away from home and on new computers, your own computer equipment will usually remember the passwords for you.</p><h3>Create a strong password</h3><p>The strongest and most secure passwords follow the same rules&#8230;</p><ul><li>Make it at least 10 characters in length</li><li>Use a mixture of lower- and upper-case letters</li><li>Use numbers (you can substitute some for letters too, 0/o, 1/i/l, 5/s and so on)</li><li>Use symbols (which you can also substitute for letters, $/s, _/L, #/o for instance)</li><li>Do not <strong>ever</strong> use the following (common words, names, date of birth, the word <em>password</em>)</li></ul><p>One thing to note with this is that many websites still won&#8217;t allow you to use certain characters (usually *) in passwords.</p><h3>Never use your banking passwords or PIN</h3><p>Your banking password and card PIN are for your banking <strong>ONLY</strong>.  Do not ever use them on any other service or website!</p><h3>Minimise the information you share</h3><p>This can be difficult.  On websites such as social networking it&#8217;s easier to do and you should <em>never</em> share&#8230;</p><ul><li>Address</li><li>Phone numbers</li><li>Date of Birth</li></ul><p>But sometimes, especially in the case of a website you&#8217;ll have financial dealings with, this is unavoidable as they need your date of birth and address for security.  Go back to my previous rule about different passwords for different websites for this situation then.</p><p>If a web service is hacked, though, any and all information that you share is vulnerable.  If you <strong>must</strong> give away this information to validate yourself on a website, can you remove or change it afterwards?  
Will the website&#8217;s service still work for you if you later log into your account and either remove the information completely or change it, perhaps by changing the phone number to 12345?</p><h3>Be careful with usernames and email addresses</h3><p>You can inadvertently share useful information in your email address and usernames.  It&#8217;s common for someone to append their date or year of birth to these.  Always avoid doing so!</p><h3>Use online banking</h3><p>If you use online banking you can keep a much closer eye on transactions on your accounts.  Rather than have to wait up to 30 days for your statement to arrive, online banking will usually show you the most recent transactions whenever you log in.  This is an excellent way to see if someone is fraudulently using your credit or debit cards so that you can inform the bank promptly and have those cards cancelled, minimising the economic effect on you.  Remember it can take the banks a while to refund money to you.</p><h3>Reduce the surface area for attack</h3><p>Again this is something I wrote about at the beginning of the week.  Try not to sign up for every website and web service going.  Don&#8217;t spread yourself out on the web so far that you&#8217;ll never remember where you have accounts.  Keep an eye on your email and junk folder.  Occasionally these websites will send you an email and you can use this as a reminder to go back there and either remove or replace any personal and sensitive information, or preferably, just close the account completely.</p><h3>Be vigilant</h3><p>To be honest there&#8217;s absolutely nothing you can do to prevent a hacking attack such as the one that recently hit Sony.  It could happen to any company at any time, no matter how big or small they are.  The trick is to not have the information that can be exploited available to begin with, but this is rarely easy in today&#8217;s Internet age.  
The best advice I can give is simply to be vigilant and aware of what&#8217;s going on with your banking and your accounts.  With these simple rules you won&#8217;t be completely protected, but you can at least minimise the damage if something does go wrong.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/28/keeping-your-infomration-safe-online-some-strategies/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>Sony PSN Hack, What You Need To Know Right Now</title><link>http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/</link> <comments>http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/#comments</comments> <pubDate>Wed, 27 Apr 2011 07:27:14 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Hacking]]></category> <category><![CDATA[playstation]]></category> <category><![CDATA[playstation network]]></category> <category><![CDATA[sony]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44414</guid> <description><![CDATA[Maybe you have heard that Sony has taken their Playstation Network (PSN) offline on April 20. It first was not clear why it was taken down, with many suspecting a DDOS attack to be the reason. Back then, Sony let everyone know that the services were taken offline because of external intrusion. No one knew [...]]]></description> <content:encoded><![CDATA[<p>Maybe you have heard that Sony has taken their Playstation Network (PSN) offline on April 20. It first was not clear why it was taken down, with many suspecting a DDOS attack to be the reason. Back then, Sony let everyone know that the services were taken offline because of external intrusion. No one knew the scope of the intrusion at that time, nor if data was downloaded by the intruders.</p><p>Yesterday Sony <a
href="http://blog.eu.playstation.com/2011/04/26/psnqriocity-service-update/">revealed</a> additional information, and boy does it look bad. Information about the situation is provided to all customers of the service in an email.</p><p>The email speaks of an &#8220;illegal and unauthorized intrusion&#8221; in which certain &#8220;service user account information&#8221; was stolen by the attackers.</p><p>The important part follows with a list of the information that has been stolen. This includes:</p><blockquote><p>name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.</p></blockquote><p>Please note that the email address, login and passwords have been stolen. This is likely going to turn ugly considering that many users on the web use the same email and password combination on a lot of sites.</p><p><strong>If you are a customer of PSN or Qriocity you need to immediately change your passwords on any site where you may have used the same password, and on your email account.</strong></p><p>Sony furthermore says that it is possible that profile data may have also been obtained by the attackers, which would include purchase history and billing address. 
Even worse, they cannot eliminate the possibility that credit card data was taken as well.</p><p>That&#8217;s the worst case scenario, and there is not a lot that users of the network can do at this time, other than to actively monitor their credit card bills to check for unauthorized payments.</p><blockquote><p>To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.</p></blockquote><p>The data stolen could also be used in custom attacks, as the attackers could use the user&#8217;s name and other information to make requests look legit.</p><p>Sony asks all users to change their PSN passwords as soon as the service goes online again.</p><p>A frequently asked questions section <a
href="http://faq.en.playstation.com/cgi-bin/scee_gb.cfg/php/enduser/std_adp.php?locale=en_GB&#038;p_faqid=5593">has been</a> uploaded to the Playstation website which contains further information and support phone numbers.</p><p>To paraphrase: PSN users need to change their web account passwords immediately, especially if they are identical to their PSN password. They also need to change the password of their email accounts if identical, and need to monitor their credit card statements and account statements to make sure that no unauthorized payments are made from the accounts.</p><p>Since the hack was first noticed on April 17, it is advised to look at your account statements for April to see if you find any unauthorized payments.</p><p>Sony is still investigating the issue at this point in time. The hack is a marketing fiasco for Sony, and more than a nuisance for customers of the service who now have to fear that their data gets abused by the hackers.</p><p>With 70 million users, the data alone could be worth a fortune on the black market. Spammers would love to get their hands on email addresses, names and countries for instance to send out personalized spam to those users.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> <item><title>How Web Accounts Get Hacked</title><link>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/</link> <comments>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/#comments</comments> <pubDate>Tue, 19 Apr 2011 07:29:12 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[web accounts]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44094</guid> <description><![CDATA[Hacking into an e-mail, Facebook, or other account is often a crime of opportunity. That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password. For those that have had their account compromised in the past, one of these methods [...]]]></description> <content:encoded><![CDATA[<p>Hacking into an e-mail, Facebook, or other account is often a crime of opportunity.  That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password.  For those that have had their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">account compromised</a> in the past, one of these methods could have been used to get your password.</p><p>The following is a short list of simple things you may not think about.  In each, an opportunity is created&#8230; one you want to avoid.  The idea is to tell you what not to do and why.  Some advanced methods, like <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing</a>, are a bit more complicated than what is covered here.</p><h3>1. Recovery E-mail Accounts Can Expire</h3><p>A recovery e-mail account is a method a lot of systems use to help you get back into an account that you have lost the password for.  This could be for a site like Facebook or for another e-mail account like Gmail.  The idea is simple.  You ask the site to send you your password (some will just reset it).  The site says: &#8220;Sure, it&#8217;s been e-mailed to you.&#8221;  As long as you have access to that other account, you are just fine and dandy.</p><p>Check your recovery e-mail account every three months or so.  If you do not, the account may be deleted.  Someone else can now claim it.  If someone claims that account accidentally and you reset your password, then you just lost control of your main account.  If it was on purpose, then the next step is to simply go through the password recovery process.</p><p>My advice is to check this account before reading any further if you have not done so recently.  This is the one tip that I found I had not followed when I heard about it.  Fortunately, I grabbed the accounts back before someone else did.</p><h3>2. Avoid Duplicate Passwords</h3><p>An easy way to get hacked is to give a site your e-mail address and then use the same password at that site.  The same goes if you use the same user name and password at two or more sites.  If the site does not encrypt the password, then there is a huge problem.  Anyone who works for the site and has access to this information (or gains it) now has everything they need to log in to your account.  While most sites protect passwords, there are still ways for employees to get it.  Attacks <a
href="http://www.pcworld.com/article/9673/most_hacks_are_inside_jobs.html">from within</a> a company are actually the most common.  At the least, use a different password for your e-mail account than everything else.</p><h3>3. Beware Onlookers</h3><p>Pay attention to your surroundings.  A person standing behind you as you sign in to a website may not be as casual as they seem.  In an age where so many phones and MP3 players can record video, they don&#8217;t even need to be facing you.  If a person sees you enter your password, there is a good chance they can remember it.</p><h3>4. Use Public Computers Differently</h3><p>Watch the settings you use on public computers and always remember to sign out.  Be sure to double check this.  Most of us have formed habits from using personal computers.  We often leave that little box checked &#8220;Remember me.&#8221; underneath the sign in box.  Some may click &#8220;Yes&#8221; to &#8220;Do you want to save this password?&#8221; after they log in.  Forgetting to click &#8220;log off&#8221; when a session is finished is commonplace.  This is convenient when it is a personal machine, but disastrous on a public machine.  Your account is now as easy for someone else to get into as if it was their own personal machine.  There are ways to <a
href="http://www.ghacks.net/2010/12/02/bulletspassview-reveal-hidden-passwords/">steal passwords</a> that are saved too.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg" alt="remember password" title="remember password" width="294" height="303" class="alignnone size-full wp-image-44095" /></a></p><h3>5. Only Use Trustworthy Computers</h3><p>Trust the computer you are using as much as you trust the owner.  By trust, I refer to both the integrity and the aptitude of the person.  For a person who lacks integrity, they may intentionally have software running that records what keys you press (called a &#8220;keylogger&#8221;).  Companies in the U.S. can legally install them on any computer they own.  For a person who lacks aptitude, they may unknowingly have <a
href="http://www.ghacks.net/2009/09/29/scan-and-detect-spyware-and-suspicious-files-in-windows/">spyware</a> on their machine.  Spyware can sometimes have the same abilities as a <a
href="http://www.ghacks.net/2007/01/09/perfect-keylogger-lite/">keylogger</a>.  In either case, once you use that computer to quickly check your Facebook, your account is compromised.  If you used that password for your e-mail or banking, you have a larger problem.</p><h3>6. Avoid Commonly Used Passwords</h3><p>Do not use the name of your pet, child, team, favorite color, date, etc. as a password.  Never use &#8220;password&#8221; as a <a
href="http://www.ghacks.net/2010/08/11/how-secure-is-a-password/">password</a>.  Too many people use &#8220;123456&#8221; (at least at <a
href="http://www.ghacks.net/2009/10/09/leaked-hotmail-password-data-analysis/">hotmail</a> and <a
href="http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/">rockyou</a>).  All of these are easy to guess.  A <a
href="http://www.ghacks.net/2010/06/12/how-quickly-can-your-password-be-cracked/">cracking</a> tool is not required to figure them out.</p><h3>7. Guard Written Passwords</h3><p>If you choose to write down a password, protect it like your life savings.  Would you leave twenty dollar bills sitting around?  Your password is much more valuable than that if it is used for your bank account.  Nevertheless, I see passwords sitting out in the open.  It is not a bad idea to never write down your passwords, but the problems of that are obvious.  There is no shame in writing them down, but keep them in a safe place&#8230; I&#8217;m thinking a safety deposit box at the bank.</p><h3>Closing</h3><p>In summary, while most of this stuff is common sense, I hope to help a few people avoid having their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">accounts compromised</a>.  Whether a person is just curious, or they have been a victim of the experience, it is only natural to ask how these things happen.</p><p>Lastly, remember the first rule of passwords: don&#8217;t ever give them out or share them!</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>BBC News releases Smartphone Malware… deliberately</title><link>http://www.ghacks.net/2010/08/10/bbc-news-releaseses-smartphone-malware-deliberately/</link> <comments>http://www.ghacks.net/2010/08/10/bbc-news-releaseses-smartphone-malware-deliberately/#comments</comments> <pubDate>Tue, 10 Aug 2010 07:14:22 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Hacking]]></category> <category><![CDATA[anti virus]]></category> <category><![CDATA[bbc]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[phone]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[smartphone]]></category> <category><![CDATA[virus]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=32777</guid> <description><![CDATA[No, the BBC isn&#8217;t trying to subsidise its coffers by branching out into cyber-crime.  As an experiment the British public-service broadcaster wants to know just how secure smartphones really are. The malware takes the form of a game that spies on the smartphone&#8217;s owner and was built using the standard software toolkits that are available to everyone. [...]]]></description> <content:encoded><![CDATA[<p>No, the BBC isn&#8217;t trying to subsidise its coffers by branching out into cyber-crime.  As an experiment the British public-service broadcaster wants to know just how secure smartphones really are.</p><p>The malware takes the form of a game that spies on the smartphone&#8217;s owner and was built using the standard software toolkits that are available to everyone.  In a report on the experiment <a
href="http://www.bbc.co.uk/news/technology-10912376" target="_blank">today</a>, experts say that this makes the malware much harder to spot.</p><p><span
id="more-32777"></span></p><p>There is evidence that criminals are now beginning to target smartphones, with their complete lack of virus protection, in order to gain personal details that can be used for identity theft and other crimes.</p><p>Chris Wysopal, the co-founder and head of technology at security firm Veracode, who helped the BBC develop its malware, said that smartphones are now at the point PCs were at in 1999, at the birth of the popular internet.</p><blockquote><p>&#8220;At that time malicious programs were a nuisance. A decade on and they are big business,&#8221; he said, &#8220;with gangs of criminals churning out malware that tries to steal saleable information. Mobiles offered a potentially more tempting target to those criminals.&#8221;</p></blockquote><p>Simeon Coney, of mobile security firm Adaptive Mobile, said&#8230;</p><blockquote><p>&#8220;In a mobile network the device is intrinsically linked to a payment plan, to a user&#8217;s credit,&#8221; he said. &#8220;Nothing happens on a mobile network, no call is made or text is sent, without money changing hands.  Criminals have tapped into that revenue stream by getting phone owners to dial or contact premium rate numbers. Now they are turning their attention to applications and the lucrative information they scoop up.&#8221;</p></blockquote><p>The Java application from the BBC was put together in only a few weeks and gathered contacts, text messages and the phone&#8217;s location.  It then sent this information to a specially set-up email address.</p><p>The malware was only 250 lines of code, with the entire program only 1500 lines of code.  The BBC say in their report that there can be benefits to the way some phone OS manufacturers vet programs.  Apple vets every program for the iPhone and iPad, and BlackBerry maker RIM and Google can easily switch off malicious applications through use of a code-signing system.  
Microsoft&#8217;s Windows Phone 7 operating system will also see all programs vetted.</p><p>The last time the BBC conducted an experiment like this they took control of a botnet, but when the experiment was over left a message on the screens of the infected PCs worldwide and instructed the botnet to self-destruct.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/08/10/bbc-news-releaseses-smartphone-malware-deliberately/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>The web attack that leads hackers straight to your home</title><link>http://www.ghacks.net/2010/08/03/the-web-attack-that-leads-hackers-straight-to-your-home/</link> <comments>http://www.ghacks.net/2010/08/03/the-web-attack-that-leads-hackers-straight-to-your-home/#comments</comments> <pubDate>Tue, 03 Aug 2010 18:33:34 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Google]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[browser]]></category> <category><![CDATA[exploit]]></category> <category><![CDATA[google maps]]></category> <category><![CDATA[google-earth]]></category> <category><![CDATA[gps]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[hacker]]></category> <category><![CDATA[mac address]]></category> <category><![CDATA[router]]></category> <category><![CDATA[work]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=30777</guid> <description><![CDATA[Is it possible, is there such a thing as an attack that can tell a hacker where you live?  The BBC has revealed that a specially booby-trapped website can tell a hacker where you are to only a few metres. The attack was dreamt up by security expert Sam Kamkar who demonstrated at the Black [...]]]></description> <content:encoded><![CDATA[<p>Is it possible, is there such a thing as an attack that can tell a hacker where you live?  The BBC has <a
href="http://www.bbc.co.uk/news/technology-10850875" target="_blank">revealed</a> that a specially booby-trapped website can tell a hacker where you are to within only a few metres.</p><p>The attack was dreamt up by security expert Samy Kamkar, who demonstrated at the Black Hat hackers conference a website exploiting common shortcomings in a router to reveal its real-world location.</p><p><span
id="more-30777"></span></p><p>He tricked the router into believing the request for its ID information was coming from the connected PC, not from the Internet.  He then used the revealed MAC address with a geo-location feature in Firefox to interrogate the database Google gathered when it made its Street View photographs.</p><p>The data, which was controversially gathered, linked the MAC addresses of routers to GPS co-ordinates.  &#8220;This is geo-location gone terrible,&#8221; said Mr Kamkar during his presentation. &#8220;Privacy is dead people. I&#8217;m sorry.&#8221;</p><p>Mikko Hypponen, senior researcher at F-Secure, called the demonstration &#8220;very interesting&#8221;, adding that such a technique could be used for &#8220;stalking or targeted attacks against an individual&#8221;.</p><blockquote><p>&#8220;The fact that databases like Google Streetview&#8217;s Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly,&#8221; said Mr Hypponen.</p></blockquote><p>In 2005, Mr Kamkar created a worm that helped him gain more than 1 million MySpace friends in a single day.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/08/03/the-web-attack-that-leads-hackers-straight-to-your-home/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>AT&amp;T Sends apologies to security breach iPad owners</title><link>http://www.ghacks.net/2010/06/14/att-sends-sersonal-apologies-to-security-breach-ipad-owners/</link> <comments>http://www.ghacks.net/2010/06/14/att-sends-sersonal-apologies-to-security-breach-ipad-owners/#comments</comments> <pubDate>Mon, 14 Jun 2010 07:15:41 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Apple]]></category> <category><![CDATA[att]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[Hacking]]></category> 
<category><![CDATA[ipad]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=26526</guid> <description><![CDATA[After last week&#8217;s security breach in which the email addresses of iPad owners were harvested by hackers, AT&#38;T has now sent letters of apology to the customers concerned, as reported by Engadget who have a full copy of the letter. Hackers were able to intercept the email addresses because they were sent unencrypted when the [...]]]></description> <content:encoded><![CDATA[<p>After last week&#8217;s security breach in which the email addresses of iPad owners were harvested by hackers, AT&amp;T has now sent letters of apology to the customers concerned, as reported by <a
href="http://www.engadget.com/2010/06/13/atandt-sends-apology-email-to-customers-affected-by-ipad-3g-securi/" target="_blank">Engadget</a> who have a full copy of the letter.</p><p>Hackers were able to intercept the email addresses because they were sent unencrypted when the iPads were connecting to AT&amp;T&#8217;s network.  The mobile phone company says the flaw in its network that allowed this has now been patched.</p><p><span
id="more-26526"></span></p><p>In the letter the company says&#8230;</p><blockquote><p>I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&amp;T communications or data networks, or your iPad. AT&amp;T 3G service for other mobile devices was not affected.</p><p>While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&amp;T website.</p><p>AT&amp;T takes your privacy seriously and does not tolerate unauthorized access to its customers&#8217; information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.</p></blockquote><p>&#8230;and it is signed by the Senior Vice President for Public Policy and their Chief Privacy Officer, Dorothy Attwood.</p><p>AT&amp;T say they&#8217;re working with law enforcement agencies to try and discover who was behind the hack, and questions still may need to be asked about any culpability that Apple may have with a tablet that would allow information to be broadcast in such a manner that it could be intercepted at all.</p><p>You can read the full apology email at the Engadget <a
href="http://www.engadget.com/2010/06/13/atandt-sends-apology-email-to-customers-affected-by-ipad-3g-securi/" target="_blank">website</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/06/14/att-sends-sersonal-apologies-to-security-breach-ipad-owners/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Adobe release &#8216;critical&#8217; Flash patch</title><link>http://www.ghacks.net/2010/06/11/adobe-release-critical-flash-patch/</link> <comments>http://www.ghacks.net/2010/06/11/adobe-release-critical-flash-patch/#comments</comments> <pubDate>Fri, 11 Jun 2010 20:01:52 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Adobe]]></category> <category><![CDATA[acrobat]]></category> <category><![CDATA[air]]></category> <category><![CDATA[flash]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[hacker]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[hijack]]></category> <category><![CDATA[vulnerability]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=26463</guid> <description><![CDATA[Adobe have today released a patch to sort out the critical vulnerability in Flash that was discovered last week, which is a quick turnaround. The patch, released through version 10.1 of the Flash Player, is available now from www.adobe.com and there is also a new version of Adobe Air as well. The company may have [...]]]></description> <content:encoded><![CDATA[<p>Adobe have today released a patch to sort out the critical vulnerability in Flash that was discovered last week, which is a quick turnaround.</p><p>The patch, released through version 10.1 of the Flash Player, is available now from <a
href="http://www.adobe.com">www.adobe.com</a> and there is also a new version of Adobe Air as well.</p><p><span
id="more-26463"></span></p><p>The company may have managed to shoot itself in the foot with this patch however, as you&#8217;ll see from the amusing screenshot below, where the news story about the patch in the new version of the Flash Player is accompanied by a picture of Homer Simpson asking <strong>&#8220;Ooh. They have the Internet on Computers now!&#8221;</strong></p><p
style="text-align: center"><a
rel="attachment wp-att-26465" href="http://www.ghacks.net/2010/06/11/adobe-release-critical-flash-patch/adobegaff/"><img
class="aligncenter size-medium wp-image-26465" src="http://www.ghacks.net/wp-content/uploads/2010/06/adobegaff-500x465.jpg" alt="" width="500" height="465" /></a></p><p>Okay, so this is a banner advert for an Adobe Air app, but I had to share the irony of the event with you.</p><p>The patch fixes a critical vulnerability which could allow your PC to be hijacked remotely and it covers Windows, Mac and Linux users, so everybody should upgrade.  All PC users should upgrade their version of Flash as soon as possible to prevent their PCs being vulnerable to the flaw.</p><p>An update for Acrobat and Acrobat reader is due sometime in the next week or so to fix the same vulnerability.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/06/11/adobe-release-critical-flash-patch/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>iPad / AT&amp;T vulnerability leaks email addresses&#8230; who is to blame?</title><link>http://www.ghacks.net/2010/06/10/ipad-att-vulneability-leaks-email-addresses-who-is-to-blame/</link> <comments>http://www.ghacks.net/2010/06/10/ipad-att-vulneability-leaks-email-addresses-who-is-to-blame/#comments</comments> <pubDate>Thu, 10 Jun 2010 21:16:23 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Apple]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[att]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[hacker]]></category> <category><![CDATA[ipad]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=26429</guid> <description><![CDATA[Hackers have exploited a vulnerability on AT&#38;T&#8217;s US network when iPad users authenticated themselves online that has allowed them to gain access to a list of 114,067 email addresses belonging to owners, it has been reported by gawker. The group, calling themselves Goatse Security harvested the data using nothing more than a PHP script and [...]]]></description> <content:encoded><![CDATA[<p>Hackers have exploited a vulnerability on AT&amp;T&#8217;s US network when iPad users authenticated themselves online that has allowed them to gain access to a list of 114,067 email addresses belonging to owners, it has been reported by <a
href="http://gawker.com/#!5559346/apples-worst-security-breach-114000-ipad-owners-exposed" target="_blank">gawker</a>.</p><p>The group, calling themselves Goatse Security, harvested the data using nothing more than a PHP script and are now in possession of some very high profile people&#8217;s contact details, which include celebrities, White House officials and high ranking military officers.</p><p><span
id="more-26429"></span></p><p>So who is responsible for this, Apple or AT&amp;T?  To be honest it&#8217;s going to be a bit of both, and questions need to be asked why the hashing technique, common for exchanging passwords online, hasn&#8217;t been implemented here.</p><p>Hashing runs your password through a one-way cipher that scrambles it, so that the password can never be unscrambled.  The same cipher scrambles the password on the authenticating computer and then both of these &#8216;hash codes&#8217; are compared.  The reason for doing this is that no password is ever put in the open where it can be intercepted.</p><p>This is clearly what happened with the iPad hack and it will come as a blow to Apple&#8217;s reputation for developing secure operating systems; the iPad OS <em>is</em> based on the same Unix code as their OS X desktop and server operating systems after all.</p><p>It remains to be seen if and how quickly a firmware update will be rolled out by Apple to encrypt sensitive data as it&#8217;s broadcast over 3G and other wireless networks to authenticate users.  AT&amp;T also have questions to answer on whether this technique can be used to gather sensitive data from any other devices on their network.</p><p>Fortunately the hackers notified AT&amp;T of the breach so they could close the hole, and came clean about the hack.  The next group of hackers might not feel so benevolent.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/06/10/ipad-att-vulneability-leaks-email-addresses-who-is-to-blame/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
