Toshiba website hacked – email addresses and passwords exposed

Toshiba logoToshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don't want your email address and password falling into hands of malicious hackers.

Not only could cybercriminals "try out" your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba - so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal, that the Toshiba subsidiary's IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it's essential to ensure it is as secure as possible from hacker attacks.

If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of the issues.

Follow @gcluley

Lady Gaga website stays strangely silent over database hack

Lady Gaga hackedA gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga's UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn't, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it's right that the authorities should be informed regarding SwagSec's illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans' information?

Lady Gaga user database

Lady Gaga's record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected - can they be confident that they know the extent of SwagSec's hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn't it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred. I went looking and couldn't find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse's website earlier this month as well.

One wonders what eccentric female troubadour they will target next..

Follow @gcluley

Dropbox lets anyone log in as anyone – so check your files now!

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)

Ouch.

One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I'm working at home and have a huge spreadsheet which I know my IT manager won't let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.

In theory, the risk of this should be no worse that me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you're not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files - such as malware - besides the spreadsheet you just saved on it.)

But the safety of a web link allowing you to share a file "through the cloud" depends very strongly on who's able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.

Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.

In the company's own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.

That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.

Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.

But the "eternal beta" flavour of many cloud services - where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users - is an often-underestimated risk.

By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don't have the password, you won't be able to alter their content, either.

If you're interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.

* Download now (direct download, no registration, Windows only)

* Learn more

Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can't see if someone else has been snooping through your data.

Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.

If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.

Follow @duckblog

Infragard Atlanta, an FBI affiliate, hacked by LulzSec

Infragard logoIn a self-titled hack attack called "F**k FBI Friday" the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.

Where did the plain text passwords come from? Considering LulzSec was able to decrypt them it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.

One interesting point to note is that not all of the users passwords were cracked... Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn't be bothered to crack them.

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text "LET IT FLOW YOU STUPID FBI BATTLESHIPS" in a window titled "NATO - National Agency of Tiny Origamis LOL".

Infragard Atlanta's defaced website

Aside from defacing their site and stealing their user database, they tested out the users and passwords against other services and discovered many of the members were reusing passwords on other sites - an violation of FBI/Infragard guidelines.

LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.

They've published a BitTorrent with what they claim are nearly 1000 of Hijazi's corporate emails and a IRC chat transcript that proclaims to be a conversation they had with him.

They also disclosed a list of personal information including his home address, mobile phone and other details.

It's hard to say when these attacks will end, but a great start would be to carefully analyze your security practices and ensure that your data is properly encrypted and to regularly scan your servers for vulnerabilities.

As for LulzSec? It appears they have declared war on one of the premier police forces in the world... Their fate remains a mystery.


Sony Europe hacked by Lebanese hacker… Again

Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

Snapshot of database dump on pastebin

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People's personally identifiable information totally unprotected? Check.

Idahc tweet about Sony hackIdahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: "I was Bored and I play the game of the year : 'hacker vs Sony'." He posted the link to pastebin with the simple note "Sony Hacked: pastebin.com/OMITTED lol."

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

You can also download our free technical paper Securing Websites.

Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony's infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: "In Soviet Russia, SQL injects you..."

Pastebin of sonypictures.ru


Sony PlayStation data breach fiasco: what bugs me about it

I have been skimming the glut of news stories covering the PlayStation hack following Sony's statement yesterday.

The issues that keeps coming back to me are these:

1. Sony, like any company who keeps customer account details, is responsible for keeping this sensitive data safe.

So the question is, How could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.

Perhaps the data was indeed encrypted, but if it was, how come Sony haven't stated this?

Let's say I accidentally leave my front door ajar, leave the house for a few days, and return to find that I was robbed. People will say I am a bit of an dodo brain, but I will still get sympathy from friends and family and we will all blame the thief.

But, if I convince all my friends and family to trust me with their prized possessions, pile their valuables on my coffee table, and then leave the front door open, I doubt they will be very supportive when I meekly approach them saying, "whoopsie - someone took them. These things happen, right?"

So it is no wonder that so many people are annoyed. They have a right to be.


2.
What the F*** happened at PSN?

Having read Sony's statement, they thank their "valued" customers for patience/goodwill/understanding (annoying in itself since I doubt many feel patient, generous or understanding). They also tell you to be wary of scams, which is all well and good.

But they don't tell us what happened.

I really REALLY want Sony to stand up and explain how the company screwed up, how the bad guys got into their system, why the data wasn't properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc

(Shall we place a bet on whether an APT was responsible? - sorry, couldn't help it...)

It won't get your data back, but at least we'll all have some idea of how this happened. And it might do wonders to repair the trust issues it is bound to face with its stakeholders. More importantly, it will help other companies learn from Sony's mistakes.

True, it can take some time to sort through all the bits and bobs before you provide a detailed explanation. But Sony set a rather slooooooow pace by waiting a week between its first announcement and yesterday's statement.

So what can you do?

Read advice on your next steps, including changing your passwords and credit cards, from fellow Naked Security writer Graham Cluley.

Affected users have also been invited to get in touch directly with Sony if you have any questions.

Why not ask for a public explanation and apology? Feel free to share the response with Naked Security.


PlayStation Network hacked: Personal data of up to 70 million people stolen

PlayStation NetworkUsers of Sony's PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID

Sony statement

In addition, Sony warns that profile information - such as your history of past purchases and billing address, as well as the "secret answers" you may have given Sony for password security may also have been obtained.

As if that wasn't bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts - and potentially cause a bigger problem for you.

So you should always use unique passwords.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Oh, and you better be sure that you have changed your "secret answers" too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn't be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account - if you notice that money is missing, you'll have to go through the rigmarole of claiming the money back from your credit card company.

Sony controllerThis security breach is not just a public relations disaster for Sony, it's a very real danger for its many users.

If you're a user of Sony's PlayStation Network now isn't the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you're concerned the card is now compromised.

Should you cancel your credit card?

Look at it this way.

Cancel credit card

If I lost my credit card in the back of a taxi I would cancel my card. I wouldn't wait for a fraudster to sting it for cash. If Sony has lost your credit card details then it's worse as the credit card information is now being held digitally, right in the hands of people best placed to exploit it.

So, yes. I would cancel my credit card.

More information can be found in Sony's blog post and in their FAQ.

Update: Sony has now said that the credit card data was encrypted, but questions still remain about the strength of that encryption.