Archive for June, 2011

Sophos is a Platinum Sponsor at SC Congress Canada

Sophos is a Platinum Sponsor of the SC Magazine Congress in Toronto, Canada. I’ll be attending and look forward to speaking with people on June 14th and 15th during the SC Congress. Come by the booth to talk security or attend our session on “Where’s your data?”

For my impressions of the conference, please see my guest blog posting at Sophos Naked Security.



Facebook privacy under scrutiny…again.

I heart Thessa

When I first heard that Thessa’s birthday party in Germany had grown to a head count of 1,500, it reminded me that I forgot to go. Her birthday party was actually not intended to be so large, and only 10% of the positive respondents to her Facebook event crashed the party. It’s apparent that this was evidence of poor privacy settings. Both parties are at fault here: Facebook for having too loose default settings and Thessa for not changing those settings. Wait, she’s a teenager, so should she be exempt from fault? It might be a gray area for some, but not for me. At what age does the hall pass go away when it comes to being safe and secure online?

The coming of age in this information privacy era is up to the individual. Once that individual is able to go online and read at a level to understand that there are privacy settings, the hall pass goes away. Smaller children using a computer at home still need to rely on their parents to protect them and educate them about better online etiquette and safe computing. The parents should be changing the less fun sections of their favorite social media web sites to protect their children. In case you are having trouble getting through the techno-babble and computerese, I have provided some basic steps on how to be safer online with Facebook.

Keep in mind that these instructions may change the next time Facebook relaunches their interface.

1. In the upper right-hand corner of Facebook there is the Account drop-down menu you see here. After the menu appears, click the ‘Privacy Settings’ menu option.
2. The ‘Privacy Settings’ menu option will take you to a page where you choose your privacy settings. As you can see in my example, the dots are almost all to the right. To achieve this, click the ‘Customize settings’ link that you see in the red triangle.


3. The ‘Customize settings’ link will take you to a page that is much longer than shown here. This is the important part: you will need to go through each setting to restrict who can see what information about you. Please do this with your children, of any age, to protect them.


As for Thessa, when I heard she fled her own party, I wondered if she was heading to the Hamburg-Bramfeld Costco to get more chips. Those chaps look hungry.

Health Information Privacy

From the website:
“As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.  These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches.  Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.  The following breaches have been reported to the Secretary:”


While searching for statistics on data breaches, I stumbled upon the U.S. Department of Health and Human Services web page for Breaches Affecting 500 or More Individuals. As of this posting there are 288 recorded incidents of unsecured protected health information being exposed since September 9th, 2009. I like how HHS offers the entire data set for download in CSV and XML formats for personal consumption. For example, this gives you the ability to sum the ‘Individuals Affected’ column to put things in perspective.
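As an added example (not from the original post and not HHS’s own tooling), here is a short Python script that does what the paragraph suggests with the CSV export: it sums the ‘Individuals Affected’ column, reports which rows could not be counted, and breaks the total down by another column such as breach type. The column names and the four rows in SAMPLE_CSV are constructed to look like the export and are assumptions, not real breach records; pass a downloaded file as the first argument to run it over the real data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of the HHS "Breaches Affecting 500 or More
# Individuals" CSV export. The column names and all four rows are assumptions
# made up for this example, not real breach records.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,CA,Healthcare Provider,2400,09/22/2009,Theft,Laptop
Example Health Plan B,TX,Health Plan,1200,11/05/2009,Unauthorized Access/Disclosure,Paper/Films
Example Hospital C,NY,Healthcare Provider,"83,000",01/15/2010,Hacking/IT Incident,Network Server
Example Business Associate D,FL,Business Associate,,02/01/2010,Loss,Other Portable Electronic Device
"""

AFFECTED = "Individuals Affected"


def parse_breaches(text):
    """Parse the CSV text into a list of dicts.

    The count column is normalised to an int under the key AFFECTED; rows whose
    count is blank or non-numeric get None so they are not silently summed as 0.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get(AFFECTED) or "").replace(",", "").strip()
        row[AFFECTED] = int(raw) if raw.isdigit() else None
        rows.append(row)
    return rows


def total_affected(rows):
    """Sum of the count column over rows that actually carry a number."""
    return sum(r[AFFECTED] for r in rows if r[AFFECTED] is not None)


def rows_without_count(rows):
    """Rows the sum could not include; report these next to the total."""
    return [r["Name of Covered Entity"] for r in rows if r[AFFECTED] is None]


def affected_by(rows, column):
    """Break the total down by any other column, e.g. 'Type of Breach'."""
    totals = defaultdict(int)
    for r in rows:
        if r[AFFECTED] is not None:
            totals[r[column]] += r[AFFECTED]
    return dict(totals)


def largest(rows, n=3):
    """The n rows with the biggest counts, biggest first."""
    counted = [r for r in rows if r[AFFECTED] is not None]
    return sorted(counted, key=lambda r: r[AFFECTED], reverse=True)[:n]


if __name__ == "__main__":
    import sys
    # Pass the downloaded CSV as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    data = parse_breaches(text)
    print("incidents:", len(data))
    print("individuals affected:", total_affected(data))
    print("incidents without a count:", rows_without_count(data))
    for kind, n in sorted(affected_by(data, "Type of Breach").items(), key=lambda kv: -kv[1]):
        print(f"  {kind}: {n}")
    for r in largest(data):
        print(" ", r["Name of Covered Entity"], r[AFFECTED])
```

Blank counts are kept as None rather than 0 so that a total built from the export is reported together with the incidents it does not cover; a single missing figure on a large breach would otherwise quietly distort the sum.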

Sony Data Breach Timeline

In an effort to keep things straight in my head, it made sense to create a timeline of the Sony data breaches (and near data breaches) which were reported either by Sony or by the attackers themselves. This chronology covers primarily the attacks that resulted in data loss, pieced together from different news sources, and not the other events in the story, such as PSN coming back online. If you find something that’s in need of being updated, please send me an email through this blog.

Hopefully Sony will get their security straightened out in time before the next attack occurs.

# | Date | Sony Business Unit | Attacker (or suspect)

1 | April 17th | Sony PlayStation Network/Qriocity | Anonymous
2 | May 2nd | Sony Online Entertainment | (none named)
3 | May 5th | Sony Electronics, Inc. | Sony (own negligence)
  • The Hacker News coverage of this data breach, which doesn’t look like a hack attack, explains how this was negligence. A Google search for “ filetype:xls” turned up an Excel spreadsheet containing 2,500 user records. As THN puts it, “Huh, is this called Hacking ????” Well said. It’s called searching.
  • Naked Security Blog Posting
4 | May 17th | Sony PlayStation Network/Qriocity | (none named)
  • The Hacker News coverage of this attack explains that it’s not a true hack, simply reuse of already exposed user data.
5 | May 20th | Sony Thailand | (none named)
  • No public claim has been found for this attack.
  • In this attack a phishing website targeting an Italian credit card company was set up on the Sony Thailand web server. I couldn’t find any definitive quantity of lost user data, but it’s safe to say there’s a high probability of a breach. Magnitude unknown; nonetheless, a breach.
  • Source: Digital Trends posting
6 | May 21st | So-net Entertainment | (none named)
  • No public claim has been found for this attack.
  • Computer World reported that So-net, an ISP subsidiary of Sony, lost about $1,200 worth of virtual tokens when an intruder redeemed them from 130 accounts. In addition, 73 accounts were breached but not redeemed, and 90 e-mail accounts were compromised.
7 | May 21st | Sony Music Indonesia (defaced) | k4L0ng666
  • While no actual data was taken during this defacement, it still belongs in the timeline.
  • The Hacker News report on this defacement.
8 | May 22nd | Sony BMG Greece | b4d_vipera
9 | May 23rd | Sony Music Japan | Lulz Security (LulzSec)
10 | May 24th | Sony Ericsson | (none named)
11 | June 2nd | Sony Pictures | Lulz Security (LulzSec)
  • Lulz Security made it very clear they were behind this data breach. They broadcast their activities under operation “Sownage”, which is a pun on ‘Sony’ + ‘ownage’. The most disturbing aspect of this is that Sony didn’t use any obfuscation, hashing or encryption on the passwords; they were stored in plain text.
  • “Over 1,000,000 users’ passwords, email addresses, home addresses, dates of birth, as well as administrator login passwords acquired by hackers”
    (source: DATALOSSdb ID 3790)
  • This incident 3790 also includes data from Sony BMG Belgium and Sony BMG Netherlands.
  • Naked Security blog posting
12 | June 3rd | Sony Europe | idahc_hacker
  • Idahc was at it again, using another simple SQL injection to gain unauthorized access to 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
  • Naked Security blog posting
13 | June 5th | Sony Pictures Russia | (none named)
  • An undisclosed group or individual used another simple SQL injection to gain unauthorized access. The extent of the data breach is still undetermined. This may have been an upstart hacking club testing the waters and their salt.
  • Data loss included the database structure of the cosmocard_1 catalog.
  • Naked Security blog posting
14 | June 6th | Sony CED Network | Lulz Security (LulzSec)
  • In a couple of tweets LulzSec released Sony Computer Entertainment Development Network source code into the wild.
  • They shared the source code as a 58MB download in the form of a torrent.
  • The Hacker News coverage
15 | June 6th | Sony BMG Music NA | Lulz Security (LulzSec)
  • In the same torrent, Lulz Security made Sony BMG internal network diagrams publicly available.
  • The network diagrams included a great deal of detail about the Sony BMG Music network. Unfortunately for the author, Shawn Gyorfy, it included his name. I like to take pride in my work as well, but not when it’s labelled ‘INTERNAL USE ONLY’ for the world to read. In addition to the diagrams, there were PDFs which included hub sites, router IDs, Circuit IDs, IP addresses, site contact names and phone numbers, VLAN information, networking product make, model, hostname and management IP address.
  • The Hacker News coverage
16 | June 8th | Sony BMG Music Portugal | idahc_hacker
  • Idahc, the Lebanese hacker, declared in a pastebin post that he or she is not a black hat hacker but a gray hat. Idahc backed this statement up by only dumping Sony customers’ email addresses and not the entire database.
  • The attack was conducted by exploiting three flaws in the Sony web site: 1) SQL injection, 2) XSS and 3) iFrame injection.
  • Naked Security blog post
17 | June 8th | The Sony Marketing Co. | (none named)
  • This is from the Sony Japan web site:
  • At The Sony Marketing Co., in the early hours of June 8, unauthorized access attempts by a third party using spoofed email addresses and passwords were detected, and we found that Sony Points earned by shopping for Sony products at the Sony Store may have been exchanged for coupons usable for shopping at the Sony Store.
    We have taken the following measures to minimize the damage.
    No evidence has been confirmed of leakage of personal information, including email addresses and passwords, from us.
    We apologize for the inconvenience and concern this situation has caused our customers and everyone involved.
  • Status of fraudulent exchanges of Sony Points using spoofed email addresses: number of points judged to have been fraudulently exchanged for shopping coupons: 278,095 points (about 280,000 yen worth)
18 | June 19th | Sony Pictures France | idahc_hacker
  • Idahc, the Lebanese hacker, did a duet with his French friend Auth3ntiq on Sony Pictures France. In a pastebin post they declared again that they are not black hat hackers. Possibly in a rush, this time they didn’t state that they are gray hat hackers.
  • Using another SQL injection, they dumped the /etc/passwd file and posted a snippet reading “emails found : 177172”.