Toshiba website hacked – email addresses and passwords exposed

Toshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and that the email addresses, telephone numbers and passwords of several thousand customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don't want your email address and password falling into the hands of malicious hackers.

Not only could cybercriminals "try out" your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba - so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal that the subsidiary's IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it's essential to ensure it is as secure as possible from hacker attacks.

If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of the issues.

Follow @gcluley

Bootmgr is missing – Windows 7


Anyone who has seen this screen after starting their computer knows the feeling. The first thought is "oh no, reinstall", and I admit that has usually been my reaction too.
Last time, though, I thought I might as well try the repair functions of Windows 7.
And after a bit of reading I found what I needed.
First you have to start the Windows 7 repair console by booting from the Windows 7 CD.
I took a few screenshots which should show the whole procedure quite clearly.


Enter the commands one after another as shown in the following screenshot.

To be safe, check with Diskpart that the partition is marked active.

After that the host should boot normally again.

vSphere 5 Launch

As many know, yesterday was the launch of vSphere 5.
The new version brings some interesting features, such as 32 vCPUs or 3D acceleration for Windows Aero.
The new licensing model, however, gives me a slightly uneasy feeling, although in a way it doesn't.
Let me try to write down my thoughts on it.
I'll start from a scenario like the one in our own data centre: three hosts, each with two CPUs and 128GB of RAM. The licence is Enterprise Plus, which under the new model entitles each host to 2 x 48GB of vRAM.
Taken at face value, that would mean you can use 96GB of the 128GB and 32GB would sit idle.
That sounds annoying at first, and I admit it initially shocked me.
But VMware did think this through: vRAM is not counted per host but per cluster, so in total I can assign 288GB of RAM to my virtual machines.
That still leaves a gap of 96GB that would sit idle.
But here is the crux: I don't know anyone who would load their three hosts to capacity, because there always has to be headroom left for HA.
Suppose we fully used the 288GB VMware allows us; then, if one host failed, we would already be overcommitted by 32GB.
In other words, nobody with 384GB of RAM in their cluster will use all of it, because they need reserves for the HA case.
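The arithmetic above, generalised to any cluster size, as an added example that is not part of the original post: the 48GB-per-CPU Enterprise Plus entitlement and the cluster-wide pooling are the post's figures, the cluster shape is a parameter, and the function reports whether the licence pool or the N-1 HA headroom is the tighter limit.

```python
"""vRAM pool vs. HA headroom for a vSphere 5 cluster (added example)."""


def cluster_capacity(hosts, cpus_per_host, ram_per_host_gb, vram_per_cpu_gb=48):
    """Return the numbers the post reasons about, plus which one binds.

    pool_gb                  - vRAM the licences allow across the whole cluster
    physical_gb              - RAM actually installed
    ha_safe_gb               - RAM still available when one host has failed (N-1),
                               i.e. the most you can assign without overcommitting
                               on failover
    overcommit_on_failure_gb - how far over you are if you used the full pool and
                               then lost a host
    binding                  - 'licence' if the vRAM pool is the tighter limit,
                               'ha' if HA headroom is (part of the pool goes unused)
    """
    pool_gb = hosts * cpus_per_host * vram_per_cpu_gb
    physical_gb = hosts * ram_per_host_gb
    ha_safe_gb = max(0, hosts - 1) * ram_per_host_gb
    return {
        "pool_gb": pool_gb,
        "physical_gb": physical_gb,
        "ha_safe_gb": ha_safe_gb,
        "overcommit_on_failure_gb": max(0, pool_gb - ha_safe_gb),
        "binding": "licence" if pool_gb < ha_safe_gb else "ha",
    }


if __name__ == "__main__":
    # The post's own cluster: 3 hosts x 2 CPUs x 128 GB -> pool 288, HA-safe 256
    print(cluster_capacity(3, 2, 128))
    # Denser hosts (256 GB each) are where the licence pool does become the limit
    print(cluster_capacity(3, 2, 256))
```

With the post's cluster the HA headroom (256GB) is below the licence pool (288GB), so the licence never becomes the constraint; double the RAM per host and it does.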
I hope this takes away a little of the fear some people have about moving to vSphere 5.

Dropbox lets anyone log in as anyone – so check your files now!

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)

Ouch.
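An added example of the kind of change the post describes, not Dropbox's code (the post does not say what the faulty update looked like): a login routine whose password check is still called after a refactor but whose result no longer controls the outcome, alongside the release gate that would have caught it before deployment. The user records are constructed.

```python
"""Authentication bypass from a code change, and the test that catches it."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _new_record(password):
    salt = os.urandom(16)           # per-user random salt
    return salt, _hash_password(password, salt)


# Constructed user store: username -> (salt, PBKDF2 hash)
USERS = {
    "alice": _new_record("correct horse battery staple"),
    "bob": _new_record("hunter2"),
}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login_good(username, password):
    """Issues a session token only if the password verifies."""
    if not verify_password(username, password):
        return None
    return secrets.token_hex(16)


def login_broken(username, password):
    """'Anyone can log in as anyone': the check is still executed, but its
    result is discarded and any existing username gets a session."""
    verify_password(username, password)
    if username in USERS:
        return secrets.token_hex(16)
    return None


def authentication_is_enforced(login_fn):
    """Release gate: wrong password, empty password and unknown user must all
    be rejected, and the correct password must be accepted."""
    return (
        login_fn("alice", "wrong") is None
        and login_fn("alice", "") is None
        and login_fn("nobody", "anything") is None
        and login_fn("alice", "correct horse battery staple") is not None
    )


if __name__ == "__main__":
    print("good:", authentication_is_enforced(login_good))
    print("broken:", authentication_is_enforced(login_broken))
```

The gate is deliberately a negative test: it is easy to prove that the right password works, and that is usually all the existing tests check; the regression here is that the wrong one works too.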

One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I'm working at home and have a huge spreadsheet which I know my IT manager won't let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.

In theory, the risk of this should be no worse than me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you're not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files - such as malware - besides the spreadsheet you just saved on it.)

But the safety of a web link allowing you to share a file "through the cloud" depends very strongly on who's able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.

Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.

In the company's own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.

That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.

Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.

But the "eternal beta" flavour of many cloud services - where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users - is an often-underestimated risk.

By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if the encryption also authenticates the data, anyone without the password who alters the uploaded file only produces something that fails to decrypt, so tampering is caught as well as snooping prevented.
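An added example of that encrypt-before-upload idea, not the Sophos tool linked below: a password-protected file format using only the Python standard library, built as encrypt-then-MAC from PBKDF2, an HMAC-SHA256 keystream and an HMAC-SHA256 tag. The construction and the format marker are an illustration; for real files use a vetted AEAD such as AES-GCM from a maintained crypto library.

```python
"""Password-based encrypt-then-MAC for a file you are about to share."""
import hashlib
import hmac
import os
import struct

MAGIC = b"ETM1"      # constructed format marker
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
ITERATIONS = 100_000


def _derive_keys(password, salt):
    # 64 bytes from PBKDF2, split into an encryption key and a separate MAC key
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key, nonce, data):
    # CTR-style keystream: block i = HMAC(key, nonce || i), XORed with the data
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(password, plaintext):
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_enc, k_mac = _derive_keys(password, salt)
    body = MAGIC + salt + nonce + _keystream_xor(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, body, hashlib.sha256).digest()   # tag covers the header too
    return body + tag


def decrypt(password, blob):
    """Raises ValueError on a wrong password or any modification of the blob."""
    hdr = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:hdr]
    k_enc, k_mac = _derive_keys(password, salt)
    expected = hmac.new(k_mac, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # verify before decrypting
        raise ValueError("wrong password or file was modified")
    return _keystream_xor(k_enc, nonce, body[hdr:])


def tamper_is_detected(password, plaintext):
    """Flip one ciphertext byte of a fresh blob and confirm decrypt() rejects it."""
    blob = bytearray(encrypt(password, plaintext))
    blob[len(MAGIC) + SALT_LEN + NONCE_LEN] ^= 0x01    # first ciphertext byte
    try:
        decrypt(password, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sealed = encrypt("share-password", b"big spreadsheet contents")
    print(decrypt("share-password", sealed))
    print("tamper detected:", tamper_is_detected("share-password", b"x"))
```

The tag is checked before any decryption is attempted, and a wrong password fails the same check as a modified file, so a colleague who opens the shared link and gets a clean decrypt knows both that the file came from a password holder and that nobody altered it in the cloud.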

If you're interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.

* Download now (direct download, no registration, Windows only)

* Learn more

Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can't see if someone else has been snooping through your data.

Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.

If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.

Follow @duckblog

Sony Europe hacked by Lebanese hacker… Again

Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

Snapshot of database dump on pastebin

The attacker claims that he used standard SQL injection techniques to acquire the database. It seems fair to say that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People's personally identifiable information totally unprotected? Check.

Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: "I was Bored and I play the game of the year : 'hacker vs Sony'." He posted the link to pastebin with the simple note "Sony Hacked: pastebin.com/OMITTED lol."

If you are a database administrator (especially a Sony one) and want to stop your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL injection vulnerabilities.
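An added example of the flaw being described, not Sony's code (the post says only that standard SQL injection was used): a login query assembled from user input, run against an in-memory SQLite table that stores passwords in plain text as the post criticises, beside the parameterised version that is immune. The schema and rows are constructed; the two payloads are the textbook authentication-bypass and UNION-extraction inputs.

```python
"""SQL injection against a login form: vulnerable and parameterised queries."""
import sqlite3


def make_db():
    # Constructed sample table, stored the way the post found it: plain text.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "faithful", "alice@example.com"),
         ("bob", "hockey", "bob@example.com"),
         ("carol", "123qaz", "carol@example.com")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # User input is pasted into the statement, so it is parsed as SQL syntax.
    sql = ("SELECT username, email FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Placeholders: the driver passes the values separately from the statement,
    # so a quote in the input is just a quote in the data, never syntax.
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Closes the string, adds an always-true clause, comments out the password test.
BYPASS_PAYLOAD = "' OR '1'='1' --"
# Appends a second SELECT: the login form now returns the password column.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


def demo():
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, "x"),
        "bypass_safe": login_safe(conn, BYPASS_PAYLOAD, "x"),
        "dump_vulnerable": login_vulnerable(conn, UNION_PAYLOAD, "x"),
        "dump_safe": login_safe(conn, UNION_PAYLOAD, "x"),
        "legit": login_safe(conn, "alice", "faithful"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same two payloads are what a basic test of a login form should start with: against the vulnerable query the first returns every user and the second returns the password column through the login response, which is exactly the "from a single injection, we accessed EVERYTHING" outcome; against the parameterised query both return nothing.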

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

You can also download our free technical paper Securing Websites.

Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony's infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: "In Soviet Russia, SQL injects you..."

Pastebin of sonypictures.ru


Sony Pictures attacked again, 4.5 million records exposed

The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony's websites.

While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.

The data stolen includes:

  • A link to a vulnerable sonypictures.com webpage.
  • 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
  • 21,000 IDs associated with a DB table labeled "BEAUTY_USERS" including email addresses and plain text passwords.
  • ~20,000 Sony Music coupons (out of 3.5 million in the DB).
  • Just under 18,000 emails and plain text passwords from a Seinfeld "Del Boca" sweepstakes.
  • Over 65,000 Sony Music codes.
  • Several other tables including those from Sony BMG in The Netherlands and Belgium.

The attackers, LulzSec, stated in their file titled "PRETENTIOUS PRESS STATEMENT.txt":

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

This sounds like a broken record... Passwords and sensitive user details stored in plain text... Attackers using "a very simple SQL injection" to compromise a major media conglomerate.

Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

The takeaway for the average internet user is clear. Don't trust that your password is being securely stored, and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like "faithful", "hockey", "123456", "freddie", "123qaz" and "michael".

Companies collecting information from their customers have a duty to protect that information as well.

In addition to storing passwords as salted, slow hashes and encrypting other sensitive data to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.
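An added example tying together the last few paragraphs (plain-text storage, the weak passwords seen in the dump, and the advice to use unique passwords); it is not drawn from the leaked data. It shows what an attacker who holds a leaked table recovers, and at what cost, under three storage schemes: plain text as the post found, an unsalted fast hash, and a salted slow hash. The user rows are constructed, using the weak passwords the post quotes as the wordlist plus one strong passphrase.

```python
"""What a leaked password table yields under three storage schemes."""
import hashlib
import hmac
import os

ITERATIONS = 20_000
# Constructed wordlist: the passwords the post saw in the dump.
WORDLIST = ["faithful", "hockey", "123456", "freddie", "123qaz", "michael"]
# Constructed users; u4 chose a long random passphrase not in any wordlist.
USERS = {"u1": "hockey", "u2": "123456", "u3": "michael", "u4": "vZ9#pL2q!wR7mN4x"}


def store_plaintext(users):
    return dict(users)


def store_unsalted_sha1(users):
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted_pbkdf2(users):
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return out


def crack_plaintext(table):
    # Nothing to compute: the dump is the answer.
    return {"found": dict(table), "hash_ops": 0}


def crack_unsalted_sha1(table, wordlist):
    # One hash per wordlist entry covers every user at once (a rainbow table).
    rainbow = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: rainbow[h] for u, h in table.items() if h in rainbow}
    return {"found": found, "hash_ops": len(wordlist)}


def crack_salted_pbkdf2(table, wordlist):
    # The salt forces one slow KDF run per (user, guess): cost grows with users.
    found, ops = {}, 0
    for u, (salt, h) in table.items():
        for w in wordlist:
            ops += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS)
            if hmac.compare_digest(guess, h):
                found[u] = w
                break
    return {"found": found, "hash_ops": ops}


def compare():
    return {
        "plaintext": crack_plaintext(store_plaintext(USERS)),
        "unsalted_sha1": crack_unsalted_sha1(store_unsalted_sha1(USERS), WORDLIST),
        "salted_pbkdf2": crack_salted_pbkdf2(store_salted_pbkdf2(USERS), WORDLIST),
    }


if __name__ == "__main__":
    for scheme, result in compare().items():
        print(scheme, result["found"], "ops:", result["hash_ops"])
```

Two things the numbers make plain: hashing with a salt and a slow KDF raises the attacker's cost from one pass over the wordlist to one pass per user, each pass being thousands of times slower; but "hockey" and "123456" still fall in every scheme, and only the user with a long unique password survives, which is why the advice to the user stands regardless of how well the site stores its data.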

Interested in some practical help with data security? Download our Data Security Toolkit.

Interested in encrypting your own personal files? Try out Sophos Free Encryption.


Malware on your Mac? Don’t expect AppleCare to help you remove it

ZDNet writer Ed Bott has today published a fascinating conversation with an AppleCare support rep on the subject of Mac malware.

For reasons which will become obvious when you read the interview, the Apple support rep has chosen to remain anonymous. Chances are that if he hadn't kept his identity secret he would be thrown out of the company pretty quickly.

According to Bott's source at Apple, AppleCare's call volume is "4-5 times higher than normal" and the overwhelming majority of calls come from Apple customers who have been hit by the current spate of fake anti-virus attacks on the Mac OS X platform.


Mac Security fake anti-virus. Click for a larger version

The Mac Defender fake anti-virus attack, and its variously named variants, are becoming common problems it seems:

It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.

Perhaps most astonishingly, the interview reveals that Apple's official policy is that representatives are "not supposed to help customers remove malware from their computer."

The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That's what antivirus is for.

Although the support rep admits that he often ignores corporate policy and helps customers remove infections, he acknowledges that this could get him into trouble if it comes to the attention of higher management.

But I can sympathise with the support rep, as it's hard to justify refusing to help a user with an infected Mac when the malware is using scare tactics and unsavoury pop-up windows to hoodwink them into handing over their credit card details for a "fix".

As the AppleCare support rep describes:

Well, I'm sure you're aware of what Mac Defender pops up on your screen if you don't buy it. Last call I got before the weekend was a mother screaming at her kids to get out of the room because she didn't want them seeing the images. So, panicking, yes, I'd say that would be the situation usually. I had a teacher call about Mac Defender last week.

Typical website displayed to users who refuse to pay after the fake anti-virus attack

You can read the full interview on the ZDNet website.

Here's a video where we caught one of the fake anti-virus attacks in action:


(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Sophos detects the latest Mac malware as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our protection.

If you're not a Sophos customer, but have a Mac at home, you can still protect your Mac right now. Download our free Mac anti-virus. It's automatically updated to protect against the latest threats.

Download Sophos Anti-Virus for Mac Home Edition


Mac fake anti-virus attack adopts new disguise

New versions of the latest malware to hit Mac OS X users have come to light, following the discovery earlier this week of fake anti-virus attacks being spread by SEO poisoning.

Fake anti-virus (also known as scareware or rogueware) is commonly seen on Windows computers, of course, but until now has been rarely encountered on the Apple Mac platform.

The new variants, seen by SophosLabs, are calling themselves "Mac Security" rather than their previous disguise of pretending to be "MacDefender" (which, incidentally, is the name of a genuine security product for the Mac - adding to the confusion).


Mac Security fake anti-virus. Click for a larger version

When I ran the fake anti-virus on a test machine it claimed that a number of innocent files, including Mozilla Firefox, were infected by viruses and told me I would have to register the program in order to cleanup the "infections".


The fake anti-virus tells you that you need to pay money to get a version which cleans-up malware. Click for a larger version

It's precisely these kinds of scare tactics which are regularly used by Windows-based fake anti-virus attacks to hoodwink innocent users into handing over their credit card details. Clearly whoever is responsible for this latest spate of attacks believes that there are rich pickings to be made from Mac users too.

Sophos detects the latest variants as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our detection to protect Mac users.

If you're not a Sophos customer, but have a Mac at home, you can protect your Mac right now if you download our free anti-virus. It's automatically updated to protect against the latest threats.

Download Sophos Anti-Virus for Mac Home Edition

<advert>
Oh, and did I mention that our free Mac anti-virus product recently won a rather prestigious award? ;-)
</advert>


Apple iOS update quashes location tracking “bug”

Apple has released an iOS update for the iPhone and iPad, addressing concerns that the devices were tracking users' locations.

As was widely reported last month, a bug in Apple's software meant that iPhones and iPads were collecting location-related data and were archiving it on users' computers.

It was found that location information stored on your computer could pinpoint your iPhone's whereabouts for up to a year afterwards - something which caused a storm of protest from those concerned about their privacy.

And you can see their point. After all, someone with access to your PC might find the backup file in your iTunes and determine places that you regularly visit. And you had no idea that that information was being stored.

iPhone tracking

At the time of the revelation I think my biggest concern was the sheer amount of data that was being backed up to PCs. I couldn't see a legitimate reason for up to a year's worth of location data to be held.

Apple responded to the media interest, and admitted that devices were collecting information about cell towers and WiFi hotspots around users' current location, even when users had specifically turned off Location Services.

Apple says that the newly-released iOS 4.3.3 update will no longer back up location data cached on iPhones and iPads to users' computers, and fixes the Location Services bug.

iOS 4.3.3 update

If you install the update, the location data stored on your iPhone or iPad will reportedly only stretch back seven days, and the cache will be deleted in its entirety if you disable Location Services.

It would still be nice, of course, if the cache of location data was also encrypted - to prevent snooping eyes. Apple says that they plan to encrypt the data in the next major iOS software release (iOS 5.0?).