Vulnerability

LulzSec suspect pleads not guilty to Sony Pictures website hack


Cody Kretsinger. (CNN/KTVK)

A 23-year-old man, suspected of being a member of the LulzSec hacking gang, has pleaded not guilty to an attack on the Sony Pictures website.

Cody Kretsinger, from Phoenix, Arizona, pleaded not guilty to conspiracy and unauthorized impairment of a protected computer during a hearing at Los Angeles District Court.

Kretsinger is alleged to be the LulzSec member known as “Recursion”, and is accused of taking part in an SQL injection attack that stole information from Sony Pictures in June, exposing users’ email addresses and passwords.

Approximately 150,000 confidential records were subsequently published online by LulzSec, who mocked Sony’s weak security:

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
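What “a very simple SQL injection” looks like in code, as an added example that is not part of the original post and is not Sony’s code or schema: a lookup that pastes user input into the SQL text, next to the same lookup with a bound parameter. The table, rows and payloads are constructed; the first payload turns a one-row lookup into a dump of every row, and the second uses UNION to read the database’s own catalogue through the same hole, which is the “from a single injection, we accessed EVERYTHING” pattern the quote describes.

```python
import sqlite3

# Constructed sample rows standing in for a site's user table (not Sony's schema or data).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "s3cret"),
]

# Classic tautology payload: closes the string literal, then ORs in an always-true clause.
PAYLOAD_ALL_ROWS = "nobody' OR '1'='1"

# UNION payload: reads the schema out of SQLite's catalogue table through the same hole.
# The column count (3) must match the original SELECT; '--' comments out the trailing quote.
PAYLOAD_SCHEMA = "nobody' UNION SELECT name, sql, '' FROM sqlite_master--"


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's input is pasted straight into the SQL text."""
    query = (
        "SELECT username, email, password FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: a bound parameter, so the input is treated as data, never as SQL."""
    query = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(conn, PAYLOAD_ALL_ROWS))
    print("vulnerable, schema:   ", find_user_vulnerable(conn, PAYLOAD_SCHEMA))
    print("parameterised:        ", find_user_safe(conn, PAYLOAD_ALL_ROWS))
```

The parameterised version does not escape anything; the database driver sends the query text and the value separately, so there is no string for the quote in the payload to break out of. That is why it is the fix to reach for rather than input filtering.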

Prosecutors claim that Kretsinger used the HideMyAss.com proxy service to disguise his IP address while he allegedly probed Sony Pictures’ computer systems in May 2011, hunting for vulnerabilities.

HideMyAss.com’s terms and conditions stipulate that the service is not to be used for illegal activity, however, and the company co-operated with the authorities when it received a court order requesting information.

Kretsinger’s trial is scheduled to begin on December 13th. If convicted he faces up to 15 years in prison.

Hurricane Irene clickjacking scam on Facebook


Hurricane Irene

States in the USA, such as Vermont and New Jersey, are continuing to deal with heavy flooding in the aftermath of Hurricane Irene.

And we weren’t surprised to find internet scammers attempting to profit from other people’s misery.

For instance, here is a clickjacking scam which at the time of writing is still active on Facebook.

Hurricane Irene Facebook clickjacking scam

This Facebook page reads:

VIDEO SHOCK - Hurricane Irene New York kills All

All? Hmm.. that would be a rather fanciful claim even for the most sensationalist tabloid report. But maybe it will be enough to make you click further.

Hurricane Irene Facebook clickjacking scam

BAM! Too late. You’ve been clickjacked. Before you’ve even had a chance to notice that the page is suddenly talking to you in Italian, the webpage has taken the click you aimed at what looked like the video’s play button and, behind the scenes, delivered it to a hidden Facebook “Like” button – so you have just “Liked” the page, promoting it to your Facebook friends.

If you were running an add-on like NoScript for Firefox you would have been protected by a warning message:

Hurricane Irene Facebook clickjacking scam intercepted by NoScript
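NoScript’s warning is a client-side defence. The server-side one, for any page of your own that should never be rendered inside someone else’s frame, is the X-Frame-Options header or, in current browsers, a Content-Security-Policy frame-ancestors directive (Facebook’s Like button is designed to be embedded, which is exactly what makes it abusable here). The following is an added example, not part of the original post: a small audit function that classifies a response by how well its headers resist framing, with the edge cases a quick check usually gets wrong. The header sets at the bottom are constructed.

```python
# Verdicts ranked strictest to weakest, so that when several policies apply the
# strictest one wins (a browser enforces every policy it receives).
RANK = {"deny": 0, "same-origin": 1, "allow-list": 2, "unprotected": 3}


def _csp_frame_ancestors(policy):
    """Return the frame-ancestors source list from one CSP header value, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _classify_sources(sources):
    """Map a frame-ancestors source list to a verdict. An empty list matches nothing."""
    if not sources or sources == ["none"]:
        return "deny"
    if "*" in sources:
        return "unprotected"
    if sources == ["self"]:
        return "same-origin"
    return "allow-list"


def framing_policy(headers):
    """Classify a response's anti-framing posture from its (name, value) header pairs.

    Returns 'deny', 'same-origin', 'allow-list' or 'unprotected'. Rules applied:
      * frame-ancestors in Content-Security-Policy takes precedence; when it is present,
        browsers ignore X-Frame-Options, so it is ignored here too.
      * Content-Security-Policy-Report-Only never blocks, so it counts for nothing.
      * X-Frame-Options ALLOW-FROM is obsolete and unsupported by current browsers,
        so it is scored as 'unprotected' rather than as an allow-list.
    """
    verdicts = []
    xfo = None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-security-policy":
            sources = _csp_frame_ancestors(value)
            if sources is not None:
                verdicts.append(_classify_sources(sources))
        elif lname == "x-frame-options":
            xfo = value.strip().lower()
    if verdicts:
        return min(verdicts, key=RANK.__getitem__)
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    return "unprotected"


# Constructed header sets (not captured from any real site).
SAMPLES = {
    "no protection": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "xfo sameorigin": [("x-frame-options", "SAMEORIGIN")],
    "csp overrides xfo": [("X-Frame-Options", "SAMEORIGIN"),
                          ("Content-Security-Policy", "default-src 'self'; frame-ancestors *")],
    "report-only does nothing": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "partner allow-list": [("Content-Security-Policy",
                            "frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:28s} -> {framing_policy(hdrs)}")
```

The “csp overrides xfo” case is the one that bites in practice: an old SAMEORIGIN header gives no protection once someone adds a permissive frame-ancestors directive, because the browser stops looking at X-Frame-Options entirely.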

But let’s imagine that you weren’t protected. What happens next?

Hurricane Irene Facebook clickjacking scam

The page insists that you share the link to the Facebook page, presumably in an attempt to increase its viral spread. So far things don’t seem to be working well for the scammers – as only 12 people have said they “Like” the page (and one of those is my test account). Maybe folks are suspicious about a claim that Hurricane Irene has killed *everyone* in New York.

Hurricane Irene Facebook clickjacking scam

You’re still keen to watch the video, of course, but first the scammers want you to take an online survey – which not only asks you for personal information but also can earn them commission.

If you are hit by a scam like this you should remove the page from the list of pages that your Facebook profile likes...

Unlike Hurricane Irene Facebook clickjacking scam

...and remove it from your newsfeed, reporting it as spam to Facebook.

Remove Hurricane Irene Facebook clickjacking scam

The good news is that this particular scam hasn’t become widespread, but many others have.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest attacks.

Scrubs star Zach Braff’s website hacked to say he is gay


Remember Zach Braff (Did his parents really choose this name for him?), star of the hospital comedy series Scrubs, where he played the hapless and endearing Dr John Dorian?

Well, yesterday Braff announced on Facebook that his website had been hacked to display a bogus letter to loyal fans, admitting that he was gay.

According to several media reports, Braff’s publicist says that the website was old and hadn’t been updated since 2006.

Statement on Zach Braff's website

The hackers allegedly added the following statement to the site:

"To all my loyal fans, I have been hiding this secret inside me for too long...I am excited and proud to announce that I am an open member of the homosexual community. This is not news to those closest to me, and I honor that they have kept it a secret for such a long time."

Zach Braff with girlfriend Taylor Bagley

The news must have come as a surprise to Taylor Bagley, the actor’s girlfriend.

Soon, everything was clearer, as the 36-year-old Scrubs actor released a statement on his Facebook page in an attempt to stamp out the rumours about his sexuality:

"My old website got hacked. Someone issued a "coming out" statement on my behalf. I'm still straight and in love with my girlfriend. But not too straight; I still love musicals, brunch and Doogie Howser."

Zach Braff statement via Facebook

I doubt many of us care whether Braff is gay or not. I certainly don’t. But this story underlines the importance of not forgetting about websites we may have created in the past.

If you have a website that you no longer care about, get rid of it. At the very least, you should keep its security up to date. Old sites are much easier targets for hackers than those with up-to-date defences.

To learn some great tips and tricks on how to better protect your website, check out SophosLabs’ free technical paper, Securing Websites.

Image source for picture of Zach Braff and Taylor Bagley: http://www.globalnews.ca

Toshiba website hacked – email addresses and passwords exposed


Toshiba logo

Toshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don’t want your email address and password falling into the hands of malicious hackers.

Not only could cybercriminals “try out” your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba – so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal that the Toshiba subsidiary’s IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it’s essential to ensure it is as secure as possible from hacker attacks.

Lady Gaga website stays strangely silent over database hack


Lady Gaga hacked

A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga’s UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn’t, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it’s right that the authorities should be informed regarding SwagSec’s illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans’ information?

Lady Gaga user database

Lady Gaga’s record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from http://www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected – can they be confident that they know the extent of SwagSec’s hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn’t it be more open and transparent to post a message on the Lady Gaga UK website, telling all of its fans what occurred? I went looking and couldn’t find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse’s website earlier this month as well.

One wonders what eccentric female troubadour they will target next..

WordPress plugins Trojanised, spotted, fixed


WordPress has just announced that the source code of three plugins for its popular blogging platform was maliciously modified.

Plugins are add-in modules which you install on your WordPress server to implement additional functionality, instead of writing all the needed code yourself.

Where you might use a DLL with a Windows program – for example, to add a feature such as SSL support or an edit control into an existing application – you’d use a plugin with WordPress.

DLLs are usually written in a language such as C or C++ and compiled into native machine code; WordPress plugins are generally written in a mixture of JavaScript, PHP, HTML and CSS.

According to WordPress, the modified plugins were Trojanised to include backdoors.

Web-based backdoors can be extremely dangerous. If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as “site.example/wp-admin”. A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.

As far as I can see, this attack doesn’t affect you or your users unless:

* You run your own installation of the WordPress platform.

* You use one of these plugins: AddThis, WPtouch, or W3 Total Cache.

* You updated your installed copy of one of those plugins in the past 48 hours from wordpress.org.

(WordPress says “in the past day”, but its post is dated simply 21 June 2011. So I’ve boosted that “day” to 48 hours to cover all reasonable interpretations of the WordPress statement. If you changed one of the abovementioned plugins inside a 48-hour window, why not check with WordPress exactly when the danger period was?)

The unwanted source changes have been reversed out, so the very latest versions of the affected plugins are now safe. If you installed a defective one, update it right away and you’ll be safe again.

All wordpress.org passwords for the Support forums, WordPress Trac, and the repository have been force-reset. (This means you have to reset your password, just as you would if you forgot it.)

WordPress also temporarily blocked all access to the plugin repository and verified that no other plugins had been Trojanised.

A good response following criminal behaviour.

So, if you’re a WordPress user, don’t freak out when you’re asked to reset your password on your next login. And please take WordPress’s advice:

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

(Note. Naked Security runs on the WordPress platform, but we don’t use wordpress.org. We’re hosted by WordPress.com VIP on wordpress.com. We checked with WordPress, and they’ve confirmed that no plugins in the WordPress.com VIP infrastructure were affected. No danger, Will Robinson.)

US military contractors hacked – possible link with RSA SecurID breach


F-22 Raptor jet fighter

Hackers have broken into the network of Lockheed Martin and several other US military contractors, according to media reports.

Lockheed Martin has described the attack as “significant and tenacious”.

Blogger Robert Cringely claimed that Lockheed Martin first detected the security breach last weekend (a fact later confirmed by the weapons maker in a press statement). In response to the attack the firm is said to have promptly blocked all remote VPN access to their internal network, and informed over 100,000 users that they would have to change their passwords.

In addition, it’s claimed that all Lockheed personnel with RSA SecurID tokens will be given new tokens.

From the sound of things, Lockheed Martin took swift and sensible action. It was wise of them to take the step of shutting down access to its internal networks as a precaution, once it believed that unauthorised users may have breached its systems.

The mention of RSA SecurID tokens, though, is interesting. They’re the devices used by many companies and organisations to provide two-factor authentication, giving workers a more secure way of proving they are who they say they are than a username and password alone.

You may have used something similar when accessing your online bank account – for instance, a keyfob that displays a sequence of numbers that changes every 30 seconds or so.

The reason why this raises eyebrows is that back in March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

However, RSA has never made public details of precisely what kind of data was stolen – leading to speculation that the security of the widely-used SecurID tokens might have been compromised.

Is it possible that whatever information was stolen from RSA helped the hackers break into Lockheed Martin? If that’s the case, that’s worrying news for businesses around the world.
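Why a stolen seed would matter, as an added example that is not part of the original post: the code below implements the open RFC 6238 time-based one-time password scheme, not RSA’s proprietary SecurID algorithm, but the property that matters is the same. The number on the fob is a function of a per-token secret seed and the current time step, so anyone holding a copy of the seed can compute the same number at the same moment, and the server, which must also hold the seed to check codes, cannot tell the two apart. The seed and timestamps used are the RFC’s published test values, not those of any real token.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "changes every 30 seconds or so" from the text
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1,
           digits: int = DIGITS, step: int = STEP_SECONDS) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift; each comparison is constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


# RFC 6238's published test seed (ASCII "1234567890" twice), not a real token's seed.
TEST_SEED = b"12345678901234567890"


def stolen_seed_demo(unix_time: int = 1111111109) -> dict:
    """Show that a copy of the seed is all an attacker needs to reproduce the fob's code."""
    fob_code = totp(TEST_SEED, unix_time)
    attacker_code = totp(bytes(TEST_SEED), unix_time)  # the attacker's copy of the same seed
    return {
        "fob": fob_code,
        "attacker": attacker_code,
        "identical": fob_code == attacker_code,
        # The attacker submits 20 seconds later, still inside the server's drift window.
        "server_accepts_attacker": verify(TEST_SEED, attacker_code, unix_time + 20),
    }


if __name__ == "__main__":
    print(stolen_seed_demo())
```

Nothing in the fob’s design lets the server distinguish a code computed from a stolen seed copy from one computed by the genuine device, which is why Lockheed replacing its tokens (that is, issuing new seeds) is the only meaningful remedy if seed data was what left RSA.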

An unnamed source with direct knowledge of the attacks is said to have confirmed to Reuters that other military contractors have also been compromised.

It’s important to realise that all of these companies are victims of a criminal act – the authorities will no doubt be keen to uncover who is behind these attacks, and where they might have originated from. Only time will tell if those questions are ever answered satisfactorily.

Update: Lockheed Martin has now confirmed the attack, claiming that its “systems remain secure; no customer, program or employee personal data has been compromised.”

Press statement from Lockheed Martin

Here’s the meat of the statement by Lockheed Martin about the hack:

On Saturday, May 21, Lockheed Martin (NYSE: LMT) detected a significant and tenacious attack on its information systems network. The company's information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.

Throughout the ongoing investigation, Lockheed Martin has continued to keep the appropriate U.S. government agencies informed of our actions. The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security.

To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security. 

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/