Encryption

13th SONY HACK : Sony Europe hacked by Lebanese hacker… Again

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.

Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”

If you are a database administrator (especially a Sony one) and want to keep your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL injection vulnerabilities.
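As an added illustration of the flaw these posts keep describing (example code written for this page, not code from Sony, Idahc or the Sophos article), the following Python script builds a throwaway SQLite table with constructed sample rows, then performs a login through a query that splices user input straight into the SQL text and through a parameterised query. The classic tautology payload `' OR 1=1 --` dumps every row from the first and matches nothing in the second. The table and column names are assumptions.

```python
import sqlite3

# Constructed sample data (not from any real dump): a tiny users table of the
# kind these posts describe, with passwords stored in plain text.
SAMPLE_USERS = [
    ("alice", "faithful", "alice@example.com"),
    ("bob", "hockey", "bob@example.com"),
    ("carol", "123456", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, username, password):
    """The anti-pattern: user input is formatted into the SQL string, so a
    quote in the input rewrites the WHERE clause. Returns every matching row,
    which is exactly the problem."""
    sql = (f"SELECT username, password, email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Parameterised query: values travel separately from the statement, so
    the input can never change the statement's structure."""
    sql = ("SELECT username, password, email FROM users "
           "WHERE username = ? AND password = ?")
    return db.execute(sql, (username, password)).fetchall()


# Closes the username string, adds an always-true clause, and comments out
# the password check. SQLite treats "--" as a line comment.
PAYLOAD = "' OR 1=1 --"


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe one)."""
    db = make_db()
    dumped = login_vulnerable(db, PAYLOAD, "irrelevant")
    blocked = login_safe(db, PAYLOAD, "irrelevant")
    return len(dumped), len(blocked)


if __name__ == "__main__":
    n_dumped, n_blocked = demo()
    print(f"vulnerable query returned {n_dumped} rows, "
          f"parameterised query returned {n_blocked}")
```

The same payload is what a scanner or a manual tester feeds into every form field and query parameter; if the application's behaviour changes (extra rows, an error, a different page), the input reached the database unescaped.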

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/

Infragard Atlanta, an FBI affiliate, hacked by LulzSec


In a self-titled hack attack called “F**k FBI Friday”, the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.

Where did the plain text passwords come from? Hashes are not decrypted; they are cracked by guessing candidate passwords, hashing each one and comparing it with the leaked value. That LulzSec recovered so many so quickly suggests a fast, unsalted hash: without a per-user salt, one pass over a wordlist tests every account at once and precomputed tables apply directly. A salt does not need to be secret (it is stored beside the hash); what it buys is that every account must be attacked separately, and combined with a deliberately slow function such as bcrypt, scrypt or PBKDF2 it makes every single guess expensive.

One interesting point to note is that not all of the users’ passwords were cracked. Why? Because those users likely used passwords of reasonable complexity and length. That puts them beyond any wordlist and makes brute-forcing far more expensive, and LulzSec couldn’t be bothered to crack them.
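To make the hashing point concrete, here is an added Python example (written for this page, not taken from the article or from Infragard) that uses a constructed wordlist and four constructed users, one of whom has a long passphrase. It cracks unsalted MD5 in bulk with a single lookup table, then shows that a per-user salt with PBKDF2 forces one slow computation per user per guess and that two users with the same password no longer share a hash. The iteration count and the `iterations$salt$hash` storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist of the kind of weak passwords these dumps contained
# (not the real Infragard or Sony data).
WORDLIST = ["faithful", "hockey", "123456", "freddie", "123qaz", "michael"]

# Constructed users; "dave" has a long passphrase that is not in the wordlist.
USERS = {
    "alice": "faithful",
    "bob": "hockey",
    "carol": "123456",
    "dave": "Origami battleships let it flow 2011",
}

# Assumed iteration count for the slow hash; tune upward on real hardware.
PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password):
    """What a 'hashed but crackable' dump usually looks like: a fast,
    unsalted digest that is identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Unsalted hashes are cracked in bulk: hash each candidate once and look
    it up against every leaked hash at the same time."""
    lookup = {unsalted_md5(w): w for w in wordlist}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored next to the hash in the clear; it need not be secret,
    only unique, so precomputed tables and bulk lookups stop working."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_hashes, wordlist):
    """With salts there is no shared lookup table: every (user, guess) pair
    costs a full PBKDF2 run, so the work is users x wordlist x iterations."""
    found = {}
    for stored in stored_hashes:
        for guess in wordlist:
            if verify_salted(guess, stored):
                found[stored] = guess
                break
    return found


def demo():
    """Summarise how the four constructed users fare under each scheme."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    cracked_fast = crack_unsalted(unsalted.values(), WORDLIST)
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    cracked_slow = crack_salted(salted.values(), WORDLIST)
    return {
        # three of four fall to the wordlist; dave's passphrase survives
        "unsalted_cracked": len(cracked_fast),
        # still three: a salt raises the cost, it does not rescue weak passwords
        "salted_cracked": len(cracked_slow),
        "unsalted_same_password_same_hash":
            unsalted_md5("123456") == unsalted_md5("123456"),
        "salted_same_password_same_hash":
            salted_hash("123456") == salted_hash("123456"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the salted pass is visibly slower than the unsalted one even at this toy scale; multiply by a real user base and a real wordlist and that difference is what separates "180 plain text passwords on pastebin" from a dump that is only useful against the weakest accounts.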

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text “LET IT FLOW YOU STUPID FBI BATTLESHIPS” in a window titled “NATO – National Agency of Tiny Origamis LOL”.


Aside from defacing the site and stealing the user database, they tried the usernames and passwords against other services and discovered that many of the members were reusing passwords on other sites, a violation of FBI/Infragard guidelines.

LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.

They’ve published a BitTorrent with what they claim are nearly 1000 of Hijazi’s corporate emails and an IRC chat transcript that purports to be a conversation they had with him.

They also disclosed a list of personal information including his home address, mobile phone and other details.

It’s hard to say when these attacks will end, but a great start would be to carefully analyze your security practices, ensure that passwords are stored as salted, slow hashes and that other sensitive data is properly encrypted, and regularly scan your servers for vulnerabilities.

As for LulzSec? It appears they have declared war on one of the premier police forces in the world… Their fate remains a mystery.

Source: http://nakedsecurity.sophos.com/2011/06/04/infragard-atlanta-an-fbi-affiliate-hacked-by-lulzsec/


Sony Pictures attacked again, 4.5 million records exposed


The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony’s websites.

While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.

The data stolen includes:

  • A link to a vulnerable sonypictures.com webpage.
  • 12,500 users related to Auto Trader (contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
  • 21,000 IDs associated with a DB table labeled “BEAUTY_USERS” including email addresses and plain text passwords.
  • ~20,000 Sony Music coupons (out of 3.5 million in the DB).
  • Just under 18,000 emails and plain text passwords from a Seinfeld “Del Boca” sweepstakes.
  • Over 65,000 Sony Music codes.
  • Several other tables including those from Sony BMG in the Netherlands and Belgium.

The attackers, LulzSec, stated in their file titled “PRETENTIOUS PRESS STATEMENT.txt”:

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

This sounds like a broken record… Passwords and sensitive user details stored in plain text… Attackers using “a very simple SQL injection” to compromise a major media conglomerate.

Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

The takeaway for the average internet user is clear: don’t trust that your password is being securely stored, and use a unique password for every website to limit your exposure when hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like “faithful”, “hockey”, “123456”, “freddie”, “123qaz” and “michael”.

Companies collecting information from their customers have a duty to protect that information as well.

In addition to hashing passwords properly and encrypting stored personal data to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.

Interested in some practical help with data security? Download our Data Security Toolkit.

Interested in encrypting your own personal files? Try out Sophos Free Encryption.
