Sony Blames Anonymous For Latest Hack...

from the easiest-framing-ever dept

Apparently Sony has decided to pick on an easy target for its latest data breach: Anonymous. Sony is claiming it found a file named "Anonymous" on the server, with the non-group's phrase "We are Legion" in the file:

"The attacks were coordinated against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker," Sony chairman Kazuo Hirai said in the letter.

"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."

Of course, those two sentences don't seem to match. Anonymous isn't known (at all) for trying to steal credit card information for criminal purposes. Its entire purpose is more along the lines of vigilante protests. Also, Anonymous may be the easiest "group" in the world to frame. Because it's not a group and anyone and everyone can be a part of it, you just put a file named "Anonymous" somewhere along with the phrase "We are Legion" and clueless dupes assume it was "the" Anonymous rather than a bunch of organized crime hackers searching for credit card details. It very well could have been an Anonymous operation, but it seems like Sony should have a bit more proof before making such a definitive statement on the matter.

Filed Under: anonymous, breach, data
Companies: sony

Things Get Worse And Worse For Sony As Another Massive Data Breach Detected

from the this-is-why-you-don't-trust-rootkitters dept

For the few of you left who still trusted Sony, now comes news of yet another massive data breach, this time for Sony Online Entertainment (SOE) users. SOE is their online multiplayer games offering. It sounds like a similar issue to the PSN hack, again with lots of data being taken. Making matters worse, apparently for players outside the US, Sony kept credit card numbers and/or bank details in an "outdated database" (read, one not properly secured or encrypted, apparently). And... Sony is now admitting that the breach occurred a few weeks ago, so this info has probably already been put to use. So, we've got the rootkit, the PSN and now the SOE issue. Who actually willingly pays Sony for anything any more?

Filed Under: breach, sony online entertainment
Companies: sony

If You Discover A Privacy Data Breach, You Probably Shouldn't Wait Three Months To Tell Users

from the fined dept

Insurance firm Wellpoint apparently left its medical records easily exposed on its servers from last October until March, exposing 470,000 users' medical records, credit card numbers and "other sensitive info." The company discovered the breach in February, but apparently waited until June to tell users. The company has now been fined $300,000 for not promptly notifying users, though that does seem like a rather low number considering how many records were apparently exposed...

Filed Under: breach, privacy, reporting
Companies: wellpoint

Company That Had The Largest Ever Credit Card Data Breach... Apparently Breached Again [Update]

from the hits-you-in-the-heartland dept

Remember Heartland Payment Systems? It's the giant credit card clearinghouse that was involved in the largest ever security breach in terms of the number of credit card numbers exposed. They were successfully targeted by the same guys who had also set the previous record for largest credit card data breach, so you could question whether the issue was just a sophisticated group of hackers or poor security at Heartland (or, possibly, a combination of both). Either way, it looks like Heartland may still have some issues. Carlo sends over the news that a new security breach has been discovered at a restaurant in Austin, Texas that appears to involve someone hacking into the network between the restaurant and Heartland. It's not yet clear if this goes beyond that one restaurant, but this can't look good for Heartland.

Update: Heartland got in touch to let us know that this appears to be an issue outside of Heartland's system, and that Heartland is not the target of the investigation into the breach. Heartland's press release is basically pointing out that the weakness was with the restaurant's credit card security, not its own.

Filed Under: breach, credit cards, security
Companies: heartland payment systems

Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach?

from the doesn't-sound-good dept

Last week, we wrote about the security glitch by AT&T, that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot point us to a story where someone walks through how poor security choices by the various mobile operators means that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though, not all) could then be used to figure out a lot more:

So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.

There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances.

Filed Under: breach, ipad, security
Companies: apple, at&t

Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down

from the didn't-work dept

The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:

In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."

"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."

Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:

"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."

So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.

Filed Under: breach, jobs, security

Once Again, Court Says If There's No Real Harm, There's No Legal Recourse For Privacy Breach

from the why-doesn't-that-apply-elsewhere? dept

Way back in 2006, we noted a series of cases where people had brought lawsuits over claimed "privacy" breaches, involving lost or leaked data, where the courts repeatedly ruled that if there was no evidence that the leaked data was used for nefarious purposes, there was no case. Odd that this applies to things like privacy, but when you see a similar situation with copyright, no one ever has to show any actual harm. Either way, it looks like courts are continuing to follow this particular line of thought, as a lawsuit against Gap for losing private data has been rejected under the same line of thinking. This also almost certainly means that all those class action lawsuits against Google for possibly collecting some WiFi data, are completely dead in the water. In those cases, the plaintiffs don't even show any evidence that their data was collected, let alone give any proof of harm.

Filed Under: breach, harm, privacy
Companies: the gap

Looks Like The Guy Who Set The Record For Largest Credit Card Breach Was Breaking His Own Record

from the raising-the-bar dept

Back in January, we noted that it looked like there might be a new winner in the battle to see who was responsible for the largest ever credit card breach. Until that time, the honor had gone to a series of department stores owned by TJX (TJ Maxx, Marshalls, etc.). That involved info on 94 million credit card holders. Not bad. But the newer deal, involving Heartland Payment Systems appeared to effect well over 100 million. Now, you may have seen the news reports this week that have upped that total to 130 million, as part of the announcement of indictments against three individuals for illegally accessing the data. But, what's fascinating is that the one guy in custody, Albert Gonzalez, was already in custody for his role in the TJX hack (along with some other retailers). Oh, and there's also the tidbit about how he was a government informant, handing over info on (you guessed it) the underworld involved in stolen credit card numbers.

Filed Under: albert gonzalez, breach, credit cards
Companies: heartland payment systems, tjx

TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, lets-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

Filed Under: breach, sale, security
Companies: tjx

Canadian Passport Website Falls For Oldest Privacy Breach On The Web

from the that-one-again? dept

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.

Filed Under: breach, canada, passports, security, url, websites