04/28/2011

Major Data Breach: 70 Million PSN Accounts Stolen

On the heels of the Epsilon data breach comes one of equal, and perhaps greater, severity: Sony's PSN (PlayStation Network) had what they're calling, an illegal and unauthorized intrusion into our network.

The gang at GamrFeed have more on the PSN Data Breach Details, including that, There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk

Bleh.

Being a gamer myself, and a PlayStation owner, too, my first reaction was a sigh and a feeling of resignation. "This kind of stuff happens," I thought to myself.

Then, I read deeper into the PSN Blog about the Data Breach.

[Editor's Note: the following is a verbatim quote from Sony's blog that has been re-formatted for easier readability than their multi-line lawyereese. Bold added for emphasis is ours.]

We believe that an unauthorized person has obtained the following information that you provided:
  • name
  • address
    • city
    • state
    • zip
    • country
  • email address
  • birthdate
  • PlayStation Network/Qriocity password
  • [PlayStation Network/Qriocity] login
  • handle/PSN online ID
"It is also possible that your profile data, including
  • purchase history
  • billing address
    • city
    • state
    • zip
  • your PlayStation Network/Qriocity password security answers
may have been obtained.

"If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained
.

Now why the heck does any of this matter?

It's just a gaming network, right? Who cares what games I've bought or when!

Not so fast there, Sparky.

The real danger here isn't even in the possibility of the credit card info having been stolen. (Look, if there's a possibility it was stolen, just call it what it is and say the data was stolen, ok?)

The real danger is for those folks who use the same usernames and passwords in multiple places, like at PSN and for their Hotmail account--or any other, for that email account for that matter. Now with that, cyber thief can dig into your email account and from there easily spring board to bank accounts and all sorts of other places.

How will they find me amongst 70 million accounts?

Forget about digging through them by hand. Think of it happening programmatically. Just trust me on this one: it's easy to do.

It's trivial for a skilled programmer to grab the information they've gleaned from your PSN account and use it to try to login to your email account. From there, getting to your bank accounts and whatnot isn't all that hard. (Who hasn't used a "reset password" link at a website that gets sent to your email?)

Alright, what-if's aside, aside from Sony's recommendations, which only take part of the problem into account, here's what you should do immediately if you're on the Sony PSN:

1. Change username and password especially on bank and email accounts where they're the same as on PSN Keep the bad guys out of your email... and bank.
2. Change your security questions/answers anywhere else you use the same questions/answers as on PSN Make it harder for someone to reset your bank/email/other password and steal from you (or steal your info.)
3. Change your PSN security questions/answers on PSN Make it harder for someone to reset your PSN account and gain access to it.
4. Change username and password on PSN Make it harder for someone to reset your PSN account and gain access to it.

The last important take-away from this data breach is that you should already assume the data is in the hands of a spammer and cyberthief. 

As such, you need to expect that you'll receive many extremely targeted spearphishing emails. After all, according to Sony's own statement on the breach, the thieves probably have your name, email, credit card billing address, and date of birth.

What's to stop them from sending, "Happy Birthday!" emails offering to give you something free in exchange for your credit card info (for age verification only, of course...)?

Or for that matter from sending you, "Your data was stolen. Please click this link to reset it. Oh, and enter your new payment information while you're there, too?"

Or, how about, "Your data was stolen. We need your social security number now to ensure you're who you say you are."

The number of different ways this information can be abused is just about limitless, and while your antivirus software or Internet security suite can help you avoid a phishing attack to some extent, the best way to avoid them is to be smart about the links you're clicking and to look and really read the web site addresses you're going to.

The age of the spearphishing attack is upon us. Your information's security is, ultimately, no one's responsibility but your own.

04/25/2011

For Crying out Loud... Password Protect Your Wireless Router!

A debate that somehow always seems to pop up in my own life is the importance of securing your WiFi / wireless router. My friends have all gotten my lecture. My family has all gotten my lecture.

My friends-of-friends have all gotten it, too. Over the years, I've dialed it down from, Leave now. Just leave. Go home. Password protect your router before you do anything else, to something like, Oh no, it's fiiiiiine. The only thing you risk is some jailtime and a few phone calls to the ACLU. Otherwise, it's fine to run an open router.

And somehow despite stories showing up in MSN like this one about the Buffalo man who didn't secure his wireless router, people still think I'm exaggerating the risk and/or that, "it won't happen to me... I know my neighbors!"

Right. Ok. Copy that. Roger. Gotchya. You can leave yours open then. Really. It's fine.

For the record, once and for all: being lazy is never a valid excuse in the eyes of the law. Being inept seldom works either. Same goes for ignorance.

The single biggest thing YOU need to understand about wireless security is this:

Just because you can't see someone else using your wireless connection doesn't mean it isn't happening.

The same thing goes for PC security, too:

Just because you can't see the person who's infected your PC with some sort of spyware or trojan doesn't mean it hasn't happened.

Now let's talk about the poor guy in Buffalo, NY. According to the MSN piece,

For two hours that March morning in Buffalo, agents tapped away at the homeowner's desktop computer, eventually taking it with them, along with the iPads and iPhones belonging to him and his wife.

"Within three days, investigators determined that the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn't him. About a week later, agents arrested a 25-year-old neighbor and charged him with distribution of child pornography.

"The case is pending in federal court.

All this because, again according to the piece, That new wireless router. He'd gotten fed up trying to set a password.

How many other people have had similar things happen is anyone's guess. Here are a couple of more stories the MSN article mentions specifically,

  1. A Sarasota, Florida, man, got a similar visit from the FBI last year after someone on a boat docked in a marina outside his building used a potato chip can as an antenna to boost his wireless signal and download an astounding 10 million images of child porn.
  2. A North Syracuse, New York, man who... opened his door to police who'd been following an electronic trail of illegal videos and images. The man's neighbor pleaded guilty April 12.

The fact of the matter is, yes, it can be tricky, but it's not that hard. In fact, we have a simple six-step article at our site on, "How to Secure Your Wireless Connection."

You could read it and take the steps to secure your connection. Or you could spend the time thinking of what your excuse is going to be when someone steals your Internet connection and does terrible things with it.

04/19/2011

Epsilon Email Break-In... Updated List of Affected Companies

It comes as no surprise that a lot of people and businesses have been affected by the Epsilon break-in.

What may be a surprise to some is the breadth of the affected industries. In our previous blog on the Epsilon break-in, I said,

It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies.

Given the growing size of the list, that looks more true than ever.  Take a look at the list below.

If you have an account with one of these banks or have shopped with one of these retailers/e-tailers, you're more susceptible to a highly targeted spear-phishing attack.

They know your name and email address, and they know the banks, credit card companies, and other financial institutions you deal with. They know where you've shopped.

You, like me, are a prime target for someone looking to contact you by email and trick you into giving up your highly confidential information or steal from you. It's a fact. Because they know more about you, it's much, much easier to gain your trust.

Today, I came across this updated list of companies affected by the Epsilon Breach at CAUSE.org (The Coalition Against Unsolicited Commercial Email). [Thanks to CAUSE.org for doing the tremendous leg work to put this list together.]

 

Banks/Financial Institutions
  • Ameriprise
  • American Express
  • Barclay's L.L. Bean Visa card
  • Barclays Bank of Delaware
  • Best Buy Canada Reward Zone
  • BJ's Visa
  • Capital One
  • Catherine's card
  • Citi
  • Express card
  • ExxonMobil card
  • Home Depot card
  • JPMorgan Chase
  • MoneyGram
  • MyPoints Reward Visa
  • NTB card
  • Scottrade
  • Smile Generation Financial
  • Stonebridge Life Insurance
  • TIAA-CREF
  • TD Ameritrade
  • US Bank
  • Victoria's Secret card
  • Visa
  • World Financial Network National Bank
  •  

    Retailers / e-Tailers
  • 1-800-FLOWERS
  • Abe Books
  • Abercrombie & Fitch
  • AIR MILES Reward Program (Canada)
  • Ameriprise
  • Ann Taylor
  • AshleyStewart
  • Avenue
  • Beachbody
  • bebe
  • Benefit Cosmetics
  • Best Buy
  • Borders
  • Brookstone
  • Chadwick's
  • Charter Communications
  • City Market
  • College Board
  • Crate & Barrel
  • Crucial
  • David's Bridal
  • Dell Australia
  • Dillons
  • Disney Destinations (The Walt Disney Travel Company)
  • Domestications
  • Dressbarn
  • Eddie Bauer Friends
  • Eileen Fisher
  • Ethan Allen
  • Eurosport Soccer
  • Fashion Bug
  • Food 4 Less
  • Fred Meyer
  • Fry's
  • Gander Mountain
  • Giant Eagle
  • Giant Eagle Fuelperks
  • GlaxoSmithKline Consumer Healthcare
  • Hilton Honors
  • Home Shoppers Network (HSN)
  • J.Crew
  • J.Jill
  • Jay C
  • Jessica London
  • Justice
  • King Soopers
  • KingSize Direct
  • Kroger
  • Lacoste
  • Lane Bryant
  • Marks & Spencer
  • Marriott Rewards
  • Maurice's
  • McKinsey Quarterly
  • New York & Company
  • OneStopPlus
  • PacSun
  • Palais Royal
  • Polo Ralph Lauren
  • PotterBarnKids
  • PotteryBarn
  • QFC / Quality Food Centers
  • QualityHealth
  • Radio Shack
  • Ralphs
  • Red Roof Inn
  • Reeds Jewelers
  • Ritz-Carlton Rewards
  • Robert Half International
  • Sears
  • Shell
  • Smith Brands
  • Sportsman's Guide
  • Stage
  • Target
  • Tastefully Simple
  • The Limited
  • The Place
  • TiVo
  • Trek
  • TripAdvisor.com
  • United Retail Group
  • Value City Furniture
  • Verizon
  • Viking River Cruises
  • Walgreens
  • Woman Within

  • For the companies involved, there's no shame in my opinion. They put their trust in a company with, at that point, an excellent record for systems and information security. 

    It just so happens that even with that, someone (or more likely a group) broke into their systems and stole the data Epsilon had been recording, storing, and using on their customers' behalves.

    Is Epsilon to blame, definitely, but I don't feel the companies are. Outsourcing to what you believe is a competent third party is often not just a good but actually the best business decision.

    It really doesn't make sense for most companies to spend the time and resources to devote to something as mundane as email address collection and marketing. It really doesn't.

    No matter how good each individual company's staff gets, because of the scale of Epsilon's operations, they see more, and so they're more likely to make the right decisions about security.

    What this really boils down to is a question of personal responsibility. Each of us, as individual consumers and businesses, need to be smart about what we do with our information and what to do when we're contacted.

    That means thinking before you click. Thinking before you type. And thinking before you hit "submit" on a form.

    And it also means keeping your PC patched and your antivirus software up to date, too. Together, being smart about what you do online and keeping your PC secure can be just the difference between being safe and being someone's identity theft prey.

    04/16/2011

    DOJ and FBI flex muscles: Takedown of international botnet

    Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.

    The U.S. Department of Justice stated Wednesday that they'd taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data including user names and passwords and other financial data.

    According to a statement from the U.S. Attorney's office for the District of Connecticut, thirteen defendants were charged in a civil complaint. A total of 29 domain names were seized in a raid connected to malware--code named "coreflood" --on machines attempting to communicate with the command and control servers.

    The "coreflood" malware is believed to have been originated out of Russia and has been active for  ten years, which is staggering and unbelievable in-and-of itself. The DOJ said it had received a temporary restraining order allowing it to disable the malware.

    This crackdown is considered to be one of the largest actions taken by U.S. law enforcement against an international botnet Trojan virus. In the past year, a similar botnet takedown was driven by the private sector (Micrsoft and FireEye).

    [Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]

    According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.

    The government replaced the C&C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. While the infected machines were not disinfected of the malware, of course, the hope is that security software providers will develop tools to remove the coreflood malware and that victims will update their antivirus definitions.

    04/07/2011

    Epsilon Break-In... What's the Lowdown?

    By now you've probably gotten notice, as I have, from at least one bank / credit card company / financial institution that, Epsilon, the company they use to send email messages to you had a network breach.

    Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.

    But, it wasn't just banks that were hit.

    It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security who has been doing a stellar job keeping atop this list as more companies are added to the growing list of companies affected by the Epsilon break-in.)

    Companies Affected by the Epsilon Break-In (So Far)
    • 1800-Flowers
    • Abe Books
    • Air Miles CA
    • Ameriprise Financial
    • Barclays Bank of Delaware
    • Beachbody
    • Bebe Stores Inc.
    • Benefit Cosmetics
    • BestBuy
    • Brookstone
    • Capital One
    • Charter Communications (Charter.com)
    • Chase
    • Citibank
    • City Market
    • The College Board
    • Crucial.com
    • Dell Australia
    • Dillons
    • Disney Vacations
    • Eurosport/Soccer.com
    • Eddie Bauer
    • Food 4 Less
    • Fred Meyer
    • Fry’s
    • Hilton Honors
    • The Home Shopping Network
    • Jay C
    • JP Morgan Chase
    • King Soopers
    • Kroger
    • LL Bean
    • Marks & Spencer (UK)
    • Marriott Rewards
    • McKinsey Quarterly
    • Moneygram
    • New York & Co.
    • QFC
    • Ralphs
    • Red Roof Inns Inc.
    • Ritz Carlton
    • Robert Half
    • Smith Brands
    • Target
    • TD Ameritrade
    • TIAA-CREF
    • TiVo
    • US Bank
    • Verizon
    • Viking River Cruises
    • Walgreens
    • World Financial Network National Bank

    Alright, so what's the big deal?

    Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.

    While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear names and email addresses were. What also isn't clear is if the companies with whom you have the relationships were stolen.

    And, that's where a part of this becomes especially tricky.

    If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.

    (N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)

    Now image your email sent to [email protected] addressed to YOU in the email and looking and sounding like it's coming from Target.

    Imagine something like the following:

    Subject: Get a $100 Target gift card... on us!
    From: Target Stores <"[email protected]">
    Date: April 7, 2011
    To: Nicole Campbell <"[email protected]">
    Hi Nicole,

    Thanks again for your recent Target purchase!

    We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.

    As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.

    Click here to get started.

    Thanks again,
    Your friends at Target and Target.com


    And, here's where the scam is just unfolding.

    Kroger, for instance, recently saw its customers lured by spams apparently from the Epsilon breach.

    Quoting Krebs from his piece, he says, In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software.

    In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.

    Why? How are they making money if the software is free?

    There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:

    You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.

    Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.

    Now, back to our Target example.

    There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware

    1. You need our special free "survey software"
    2. Your browser needs a special free plug-in to take the survey
    3. You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card

    The list could go on-and-on.

    So here are the take home messages from the Epsilon break-in:

    1. Use your head when it comes to messages emailed to you
    2. Just because something is addressed to you and addresses you by your name, doesn't make it legit
    3. Does the email have "free" offers or ways to earn gifts or money for very little work
    4. Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minute later, it's probably safe.)
    5. How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.

      Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S.
    6. Are they asking you to "verify" anything. Let me tell you something: companies don't need you to verify anything. Ever. You got their email, they know who you are. An email asking for verification is almost definitively a scam.

    These are just a few things to be on the lookout for. Most importantly of all, especially given the number of banks and credit card companies involved is: never, ever, EVER put your social security number into a link that you clicked on in an email.

    I cannot even once think of a legitimate bank or credit card email requiring this.

    And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.

    While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they setup.