Hackers break into Tony Blair’s webmail server, disclose former PM’s address book

Tony BlairA hacking group known as TeaMp0isoN have published private information belonging to former Prime Minister Tony Blair.

TeaMp0isoN have been in the news recently for allegedly hacking into a web site they claimed belonged to a member of LulzSec.

This time they targeted a webmail server used by Tony Blair in December of 2010. It is unclear why they waited for so long to disclose the breach and there is no evidence as of yet to confirm their story.

The information disclosed includes "Tony Blair Office Members Information, Tony Blair Address & Phone Book (Includes family, friends, MPs & lords) and Katie Kay Curriculum vitae (Tony Blairs special adviser)."

Screen capture of stolen Blair address book

Information on Mr. Blair's friends and colleagues includes names, home addresses, home, work and cell phone numbers and email addresses. Additionally Mr. Blair's National Insurance Number (NIN) and Ms. Kay's CV (resume) are also included in the dump.

We don't know what specific flaws were exploited in this attack, but seeing that it is a webmail server the most likely method was SQL injection. It is extremely important to keep web servers patched and up to date, especially if they are running Linux using commonly exploited CMSs, webmail solutions and blogging software.

TeaMp0isoN logo

This attack like many we have reported on this year appears to be politically motivated. The TeaMp0isoN attackers called Mr. Blair a war criminal in a Twitter post and much of the language used is derogatory.


Citibank victimized by hackers, insists cardholders are safe

CitiCardReuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII).

Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe.

Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.

According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally. Based on these numbers, information for 1,500,000 or more individuals may have been compromised.

In April Paul Gaulant, former head of the bank's credit card unit, told Reuters, "Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."

That may be true, but feeling secure is not the same as being secure. How this information was acquired and why it wasn't protected against theft is a far more important question.

Citi has stated they will notify customers believed to be affected by the breach.

Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries.

While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime.

Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims.

Never accept incoming communications purporting be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.

Update: It has been confirmed that there are approximately 220,000 cardholders affected by this incident as it was limited to just US customers. The number above was based on all Citibank cardholders.


Sony Pictures attacked again, 4.5 million records exposed

LulzSec message to SonyThe same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony's websites.

While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.

The data stolen includes:

  • A link to a vulnerable sonypictures.com webpage.
  • 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
  • 21,000 IDs associated with a DB table labeled "BEAUTY_USERS" including email addresses and plain text passwords.
  • ~20,000 Sony Music coupons (out of 3.5 million in the DB).
  • Just under 18,000 emails and plain text passwords from a Seinfeld "Del Boca" sweepstakes.
  • Over 65,000 Sony Music codes.
  • Several other tables including those from Sony BMG in The Netherlands and Belgium.

The attackers, LulzSec, stated in their file titled "PRETENTIOUS PRESS STATEMENT.txt":

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

This sounds like a broken record... Passwords and sensitive user details stored in plain text... Attackers using "a very simple SQL injection" to compromise a major media conglomerate.

Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

Sony passwords leakedThe take away for the average internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like "faithful", "hockey", "123456", "freddie", "123qaz" and "michael".

Companies collecting information from their customers have a duty to protect that information as well.

In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.

Interested in some practical help with data security? Download our Data Security Toolkit.

Interested in encrypting your own personal files? Try out Sophos Free Encryption.