05/18/2011

The Latest on the PSN Break-in and Service Restoration

There has been a whooooole lot that has gone on since the original news broke on the Sony Playstation Network data breach.

Among other things, there's been Congressional testimony, which should give some indication as to the seriousness of what has happened. On that testimony, the Consumerist reports in a piece on the PSN breach that,

"Dr. Gene Spafford of Purdue University [in his testimony before Congress] said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts."

And, that's not the least of it. It gets much worse. According to Spafford, the Consumerist piece goes on to say,

"...Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.'

"The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches, said Spafford."

These accusations raise even more questions, like,

"Whodunnit?"

In the Reuters article on the PlayStation Network data theft, Sony points the finger at the hacktivist group Anonymous, who, they say, bears indirect responsibility.

Daily Kos has posted the official, lengthy and articulate response from Anonymous about the PSN Break-in, wherein it says in part,

"Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history.

"No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.

"On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track.

"The framing of others for crimes has been a common practice throughout history."

In other words: Anonymous didn't do it.

So, back to the PSN and when it's coming back online.

Initially, there was discussion--and ultimately success--in bringing part of the Playstation network back online starting on May 14th, as reported by Joystiq.

It was short-lived though, when a lot of users (again as reported by Joystiq in a post called "PSN website sign-ins disabled") were greeted with a message on May 18th, telling them, "The server is currently down for maintenance."

Perhaps most interesting of all was that Sony wasn't given permission to restart services for the PlayStation Network in Japan (where Sony is headquartered) 'til it met two conditions,

  1. Preventative measures
  2. Steps taken "...regain consumer confidence over personal data such as credit card information."

Where does it stand now?

According to Engadget, which appears to have the latest as of May 18th, the PSN had to be taken offline again.

According to Sony's official blog response on the outage,

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved.

"In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3.

"Otherwise, they can continue to do so via the website as soon as we bring that site back up."

We're glad service has been restored and sorry to see it came to this.

All-in-all, the whole thing is ugly.

100 million accounts appear to've been compromised, it appears Sony may've been negligent, and it definitely bears some blame here, and it has reached a point where both U.S. and Japanese agencies are getting involved at a high level.

What should consumers do? Is this even worth thinking about?

For starters, yes, it's worth thinking about.

Security experts are definitely very concerned about phishing--and more targeted spear-phishing--attacks coming from all the confidential data gleaned from the break-in.

The most obvious step would be to change your email address and close the old account, but let's be honest, that's impractical.

Short of that, the next smartest thing to do is to make sure your antivirus software is updated and your realtime protection and anti-phishing filters are turned on.

I certainly expect this data to be exploited. Practically speaking, it's a gold mine, and I for one don't believe it's a question of "if" attacks will happen but a question of "when."

04/28/2011

Major Data Breach: 70 Million PSN Accounts Stolen

On the heels of the Epsilon data breach comes one of equal, and perhaps greater, severity: Sony's PSN (PlayStation Network) had what they're calling "an illegal and unauthorized intrusion into our network."

The gang at GamrFeed have more on the PSN Data Breach Details, including that, "There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk."

Bleh.

Being a gamer myself, and a PlayStation owner, too, my first reaction was a sigh and a feeling of resignation. "This kind of stuff happens," I thought to myself.

Then, I read deeper into the PSN Blog about the Data Breach.

[Editor's Note: the following is a verbatim quote from Sony's blog that has been re-formatted for easier readability than their multi-line lawyerese. Bold added for emphasis is ours.]

"We believe that an unauthorized person has obtained the following information that you provided:
  • name
  • address
    • city
    • state
    • zip
    • country
  • email address
  • birthdate
  • PlayStation Network/Qriocity password
  • [PlayStation Network/Qriocity] login
  • handle/PSN online ID
"It is also possible that your profile data, including
  • purchase history
  • billing address
    • city
    • state
    • zip
  • your PlayStation Network/Qriocity password security answers
may have been obtained.

"If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

Now why the heck does any of this matter?

It's just a gaming network, right? Who cares what games I've bought or when!

Not so fast there, Sparky.

The real danger here isn't even in the possibility of the credit card info having been stolen. (Look, if there's a possibility it was stolen, just call it what it is and say the data was stolen, ok?)

The real danger is for those folks who use the same usernames and passwords in multiple places, like at PSN and for their Hotmail account--or any other email account, for that matter. With that, a cyber thief can dig into your email account and from there easily springboard to bank accounts and all sorts of other places.

How will they find me amongst 70 million accounts?

Forget about digging through them by hand. Think of it happening programmatically. Just trust me on this one: it's easy to do.

It's trivial for a skilled programmer to grab the information they've gleaned from your PSN account and use it to try to log in to your email account. From there, getting to your bank accounts and whatnot isn't all that hard. (Who hasn't used a "reset password" link at a website that gets sent to your email?)

Alright, what-ifs aside, and apart from Sony's recommendations, which only take part of the problem into account, here's what you should do immediately if you're on the Sony PSN:

1. Change username and password, especially on bank and email accounts where they're the same as on PSN. Keep the bad guys out of your email... and bank.
2. Change your security questions/answers anywhere else you use the same questions/answers as on PSN. Make it harder for someone to reset your bank/email/other password and steal from you (or steal your info.)
3. Change your PSN security questions/answers on PSN. Make it harder for someone to reset your PSN account and gain access to it.
4. Change username and password on PSN. Make it harder for someone to reset your PSN account and gain access to it.
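
One way to find the accounts the first two steps are talking about, as an added example that is not part of the original post: a short Python audit over a password-manager export, listing every other account that shares a password or security answer with the breached one. The CSV layout, the column names and every value in the sample are constructed for illustration.

```python
import csv
import io

# Constructed sample: a password-manager export. The column layout and every
# value below are made up for illustration.
SAMPLE_EXPORT = """site,kind,username,password,security_answer
playstation.com,gaming,sparky77,Tr0ub4dor!,fluffy
hotmail.com,email,sparky77,Tr0ub4dor!,Fluffy
mybank.example,bank,sparky_j,Tr0ub4dor!,smith
forum.example,other,sparky77,correct-horse-9,fluffy
shop.example,other,sparky_shop,x9$Lq2-unique,
"""

PRIORITY = {"email": 0, "bank": 1}  # email and bank accounts come first


def audit_reuse(export_text, breached_site):
    """Return [(site, [reasons])] for accounts sharing secrets with breached_site."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    breached = next((r for r in rows if r["site"] == breached_site), None)
    if breached is None:
        raise ValueError(f"{breached_site} not found in export")
    stolen_answer = breached["security_answer"].strip().lower()
    findings = []
    for row in rows:
        if row is breached:
            continue
        reasons = []
        if row["password"] == breached["password"]:
            reasons.append("same password")
            # A matching username too means the stolen pair works as-is.
            if row["username"] == breached["username"]:
                reasons.append("same username")
        # Answers are compared case-insensitively; a blank answer is skipped.
        answer = row["security_answer"].strip().lower()
        if answer and answer == stolen_answer:
            reasons.append("same security answer")
        if reasons:
            findings.append((PRIORITY.get(row["kind"], 2), row["site"], reasons))
    findings.sort(key=lambda f: f[:2])
    return [(site, reasons) for _rank, site, reasons in findings]


if __name__ == "__main__":
    for site, reasons in audit_reuse(SAMPLE_EXPORT, "playstation.com"):
        print(f"change credentials at {site}: {', '.join(reasons)}")
```

Run it only on a local copy of your own export and delete that file afterwards, since it holds every password in plain text.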

The last important take-away from this data breach is that you should already assume the data is in the hands of a spammer and cyberthief. 

As such, you need to expect that you'll receive many extremely targeted spearphishing emails. After all, according to Sony's own statement on the breach, the thieves probably have your name, email, credit card billing address, and date of birth.

What's to stop them from sending, "Happy Birthday!" emails offering to give you something free in exchange for your credit card info (for age verification only, of course...)?

Or for that matter from sending you, "Your data was stolen. Please click this link to reset it. Oh, and enter your new payment information while you're there, too?"

Or, how about, "Your data was stolen. We need your social security number now to ensure you're who you say you are."

The number of different ways this information can be abused is just about limitless, and while your antivirus software or Internet security suite can help you avoid a phishing attack to some extent, the best way to avoid them is to be smart about the links you're clicking and to look and really read the web site addresses you're going to.

The age of the spearphishing attack is upon us. Your information's security is, ultimately, no one's responsibility but your own.

11/02/2009

Virus Writers Turning to Online Games

A great piece today from the BBC's technology section called "Video gamers face malware deluge" talks about the latest computer security / virus threats.

What may seem strange to some is that one of the main purposes of these viruses is to steal the game players' online credentials (i.e. their usernames and passwords) to the video games themselves.

This may come as a surprise to many since typically the primary purpose of viruses is to infect the computers themselves; however, in this case it appears the goal is just to steal your access to the games.

Why?

Simple. To make a quick buck.

One of the main things gamers get out of online games is the long-term satisfaction, often including friends and companionship, from playing with the same group of people over a long period of time.

Additionally, as gamers progress to higher and higher levels of performance, their in-game characters get a host of different things, including new 'skills', weapons or other attributes. The challenge is the time spent getting there.

Some people, after having seen the excitement that awaits them once they've built up certain attributes in their in-game character, want to short-circuit the time needed to build up to the high levels, so they purchase the accounts from others who've spent the time playing the game to build up to the high levels.

In some cases these high-level accounts go for hundreds or even thousands of dollars--or more.

And, therein is the profit motive.

These virus writers, rather than attempting to build up their own characters to sell for profit, have created viruses that steal passwords, and by doing so, they can take over the accounts and sell the hard-won, highly lucrative characters to often unsuspecting buyers who're just looking for a way to avoid what some gamers perceive as early-game slog to get to the good stuff.

According to the story,

"Cliff Evans, head of security at Microsoft UK, said its latest look at the software threats facing Windows revealed a strong growth in one family of malicious programs known as taterf.

"In the last six months, Microsoft has seen more than 4.9m infections caused by Taterf - a figure up 156% on the total seen in the last six months of 2008."

Elsewhere in the article, and getting less note since it wasn't the headline, was discussion of worms like Conficker.

Information on the Conficker worm itself and help with Conficker removal have been covered here extensively for a variety of reasons, including as Mr. Evans of Microsoft cites,

"worms that travel networks independently looking for victims were seeing a resurgence.

"Such self-guided programs were now the second biggest security threat to Windows users." [Editor's Note: Emphasis is mine]

Worms, like all malware, are out there for a variety of reasons, but these days the most common one isn't just the notoriety the virus/worm writer gets as it spreads, as it once was; it's profit.

The profit may be from selling/using your computer as a spambot, from using it to steal people's banking information or identities, or it may be (as we see now) from selling your online gaming profiles.

All-in-all these worms, viruses, and other malware are threats. Their writers are clever, and they're only coming up with newer, more ingenious ways to ferret themselves into your computer and your life.

 What to do?

  1. Be careful with your passwords. Use different ones for each of your online banks/credit cards/utilities. Use different ones still for your email.

    Using one password everywhere opens you up to even more problems: if one account is compromised, especially your email, where someone can easily see the places with whom you do business, it's trivial for them to log in to these other businesses' websites and see if your credentials work.

  2. Be careful with where you point your browser. Avoid using a search engine, even the best ones like Google, Yahoo, MSN/Bing, and Ask just to get to a website whose website address you already know.

    Why give the scammers an opportunity to set up a rogue website that looks just like your bank and get it listed in a search engine? It's very, very hard for the engines to know what's a real bank and what's a fake one.

    If you know you're banking with Wells Fargo, for example, why go to Google to get to Wells Fargo? Just type www.wellsfargo.com into your browser and go there directly. Then bookmark it, so you're not subject to a typographical error next time, which could just as easily ensnare you in a malware/phishing trap.

    Taking out that extra step of going to the engines to get to a place you already know could mean the difference between keeping your information safe and not.
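
Checking that an address really is the one you know comes down to a few mechanical tests on the host part of the URL. The Python sketch below is an added example, not part of the original post; the trusted list, the sample links and the two-character typo threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = {"wellsfargo.com"}  # the sites you actually do business with
SAMPLES = [  # constructed sample links; decoy and typo hosts are illustrative
    "https://www.wellsfargo.com/",
    "https://www.wellsfargo.com@signin.example.net/",
    "https://wellsfargo.com.signin.example.net/",
    "https://www.wellsfarg0.com/",
    "https://www.example.org/",
]


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Classify the host a link really leads to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if any(host == good or host.endswith("." + good) for good in trusted):
        return "trusted"
    # Assumption: the last two labels are the registered domain (no .co.uk etc.).
    tail = ".".join(host.split(".")[-2:])
    for good in trusted:
        # Anything before '@' is a username, not the site being visited.
        if parts.username and good in parts.username.lower():
            return "decoy-before-@"
        # A trusted name as the left-hand part of someone else's domain.
        if good in host:
            return "decoy-subdomain"
        # One or two characters off: a typo or a swapped look-alike letter.
        if edit_distance(tail, good) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_url(url):16} {url}")
```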

All this crapware shows is that it's always smart to run antivirus firewall software, to keep it updated, and to keep your Operating System updated, too.

Lastly, remember: your online safety is your responsibility. Many of the companies you deal with do make efforts to keep your information safe, but in the end it's still your responsibility.