Wednesday, June 1, 2011

Sony Continues To Be Threatened By Cyber Criminals


The Sony Corporation, after suffering a cyber attack on its PlayStation Network of 70 million users in late April, is still receiving threats.

The group that claimed responsibility for breaking into PBS's site last week, calling itself LulzSec, is upping the ante with the technology company.

From CNET:

The group...has been promising Sony attacks since this past weekend when it posted to its Twitter account that it is engaged in an operation it calls "Sownage," shorthand for Sony Ownage. The group stated at the time that it was working on hatching a plan that would be the "beginning of the end" for Sony. It has yet to reveal what it has planned. But yesterday the group said that the attack was already under way, seemingly without Sony's knowledge.

We at Razorpoint Security continue to take a serious interest in this story. If you feel your company needs tighter network security in defending against cyber-criminality, reach out to us.

Wednesday, May 25, 2011

Security Provider Finds Vulnerabilities In Cisco Systems' Devices


At Razorpoint Security, we always stress that gadgets are not by themselves the answer to finding holes in network security. And when the network devices themselves are what allow a breach, the network becomes that much harder to monitor. Such is the case with Cisco Systems, whose equipment, a recent assessment found, still carries vulnerabilities that have been known, and the subject of patching efforts, since 2010.

According to PC World's Business Center,


"The findings hint at two apparently contradictory themes, that of uniformity and complexity.


"The uniformity derives from the commoditization of IT equipment over the last decade, which has left companies of all sizes, in all countries and in all business sectors using similar families of products which are therefore open to the same vulnerabilities, including PSIRT 109444.


"As networks have become more uniform around standards and more commoditized, vendors have responded by competing in terms of features and development, which has created more complexity within the product families of dominant vendors such as Cisco. As complexity rises, so do the problems associated with management. Dimension also found that many network devices looked at in its assessments suffered from a range of configuration and policy violation issues in ways connected to this theme."

Friday, April 29, 2011

Cloud Computing Security

The latest rush in corporate and personal computing is to store data and run applications "in the cloud": on a provider's large shared network rather than on local machines.

With so many organizations moving to the cloud to bring server costs down, it should be obvious that the more customers share the same infrastructure, the larger the shared attack surface becomes, and the more a single flaw or misconfiguration can expose.

Many service providers understand this, but have put the burden on their customers to keep information secured.

From The Wall Street Journal:

"The majority of cloud service providers do not consider security as one of their most important responsibilities according to a surprising survey released yesterday.


"The survey of 127 cloud service providers, 24 in six European countries, the others in the U.S., by the U.S.-based Ponemon Institute found that a majority of providers believe it is their customer’s responsibility to secure data."


Friday, February 25, 2011

Experts: Web Generation Clueless About Online Privacy

Last April Fool's Day, the online game store Gamestation.co.uk created a customer license agreement that asked gamers for their immortal souls. About 7,500 gamers unthinkingly clicked the "agree" button without reading the devilishly fine print.


The gamers kept their souls, but plenty of netizens have clicked "I agree" to download a new music service, software update or game demo without realizing that they had agreed to let the service provider access their personal information. Many more don't bother to figure out how to update their ever-changing privacy settings on social networks such as Facebook.


Thoughtless users don't deserve all the blame for giving up their personal privacy so easily. Online privacy safeguards have been deliberately designed to be irrelevant or annoying to the online experience, said Bruce Schneier, a security consultant who works with British Telecom.


The challenge is whether new generations that have never known a world without the Internet can adapt their online habits to better secure their privacy.


"The business of social networking sites is to invade privacy, because they want more users who lead to more revenue," Schneier explained. "The [user settings] are deliberately designed to be difficult to navigate and opaque."


Schneier spoke as a member of a panel at a symposium titled "Promoting Security and Sustaining Privacy: How Do We Find the Right Balance?" at the American Association for the Advancement of Science conference in Washington, D.C. on Feb. 19.


The Internet generation gap


Some of those who inherit the digital age often don't realize just how much information is being gathered about them all the time when they surf the Web. Others have simply become used to trading away personal information in exchange for Internet-based services that they find useful.


Either way, sometimes it seems the "kids don't give a damn," according to Stephan Lechner of the European Commission's Joint Research Centre Institute for Protection and Security of the Citizen.


But Lechner, who sat on the panel, also pointed to the clunky legal language of long customer license agreements by bringing up the April Fool's example.


Schneier put a slightly different spin on the problem.


"The Internet generation cares very much about privacy," Schneier said. "They might be terrible at it, but they care about it."


Many young netizens have "social fluency" when it comes to navigating the Internet, but they lack the technical knowledge of "where the computer ends and the Internet begins," Schneier pointed out.


They may not know that much of the information they disclose to social networking and consumer websites is no longer "private" in any strong sense of the word.


But teaching people to better safeguard their privacy can prove tricky as people spend more and more of their time doing computer-related tasks and storing data purely online – the huge trend known as cloud computing.


Other issues come up because of shifting privacy safeguards, such as Facebook's habit of regularly changing its privacy policies.


"This is a problem if you are educating the young and the unknowledgeable; how would you educate them if the info you tell them is outdated in a very short time?" Lechner said.


Forever playing catch-up


The panel experts mostly agreed that humans may never catch up if they hope to adjust social norms and behaviors to the rapid pace of new technological advances.


"I'm wondering if we can't educate users," Schneier said. "I'm not sure we can. I think things are moving too fast."


But a more hopeful view came from Katharina Zweig, a computer science researcher at the University of Heidelberg in Germany, who attended the symposium as an audience member.


The problem is that people fail to realize how the software behind social networks or consumer websites can easily dig up personal information online without direct consent of the human user, Zweig said. She suggested teaching people the difference between the capabilities of a computer and a human.


"I think we can educate people about the fundamental difference between computer thinking and human thinking," Zweig told LiveScience.


If successful, such an approach could help young generations better appreciate the faceless programs behind Internet websites and services.


After all, "the Internet never forgets," said Jeremy Pitt at the Institute for Security, Science and Technology of the Imperial College in London, and the third member of the panel.


"One question my five-year-old daughter asked, which completely floored me, was 'Does the Internet know who I am?'" Pitt said. "This question was wrong on so many levels."


Schneier jumped in before Pitt had finished.


"It's easy -- the answer is yes," Schneier said.

Wednesday, February 23, 2011

Facebook Phishing Scam Uses Fake Login Page

A new phishing scam currently spreading through Facebook shows how important it is to read the address bar before typing a password.

The scam uses chat messages and wall posts on friends’ pages to trick users into thinking they are being directed to a Facebook application, according to the security firm F-Secure.


Instead of landing on the app page, users find themselves on a genuine-looking Facebook login page, where they are asked to re-authenticate their account by entering their e-mail address and password.


But if users look carefully at the login page, they will notice that the URL in the browser's address bar includes ".ru" after the familiar Facebook.com address. The hostname ends in .ru, so "facebook.com" is merely a subdomain label of a Russian domain: the page is served by that domain, not by Facebook, and anything typed into it goes straight to the cybercriminals running the scam.
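The check users are asked to make by eye, "which domain is really serving this page?", is easy to get wrong with a substring match, since "facebook.com" does appear in the scam URL. The following added example (ours, not F-Secure's or Facebook's code) parses the URL, takes only the hostname that will actually serve the request, and compares its registrable domain to the brand. The sample URLs, including the .ru host, are constructed for the demo and are not the ones reported in the scam.

```python
from urllib.parse import urlsplit

# The brand whose login page is being impersonated (from the post).
BRAND_DOMAIN = "facebook.com"

# Constructed sample URLs for the demo; the .ru host is made up and is not
# the one F-Secure reported.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com.app-login.ru/login.php",   # brand as a subdomain label
    "http://www.facebook.com@203.0.113.5/login.php",    # brand in the user@ part
    "https://facebook.com.ru/",                         # brand, then an extra TLD
    "https://example.org/",
]


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'www.facebook.com' -> 'facebook.com'.
    Simplification: production code should consult the Public Suffix List so
    that multi-part suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url):
    """Return 'legitimate', 'lookalike', 'unrelated' or 'unparseable'.

    Only the host that actually serves the page decides legitimacy. If the brand
    name shows up anywhere else in the URL (other host labels, the user@ part,
    the path) while the serving domain is different, the URL is a lookalike,
    which is exactly the '.ru after facebook.com' trick described above."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if registrable_domain(host) == BRAND_DOMAIN:
        return "legitimate"
    brand_name = BRAND_DOMAIN.split(".")[0]          # "facebook"
    if brand_name in url.lower():
        return "lookalike"
    return "unrelated"


def report(urls=SAMPLE_URLS):
    """Classify every URL; returns {url: verdict}."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:12} {url}")
```

The user@host form is included because browsers parse everything before the "@" as credentials, so "www.facebook.com@203.0.113.5" is served by the IP address, not by Facebook; checking the parsed hostname catches it where a visual scan usually does not.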


F-Secure says that although this particular Facebook scam hasn’t spread quickly, Facebook users should always be careful when asked to enter any information, and to be especially wary of links, even if they appear to come from friends.


Defend and protect your identity with Razorpoint Security Services!

Friday, January 21, 2011

iPad Hackers Charged For Email Scheme

In the summer of last year, a hacker group called Goatse Security found a hole in the security of an AT&T web server that allowed them to retrieve the email addresses of iPad 3G users. They downloaded over one hundred thousand of those addresses, then alerted AT&T, which promptly closed the hole. This past week, two of the hackers belonging to that group were each charged with crimes related to that breach.


Andrew Auernheimer and Daniel Spitler have each been charged with "one count of conspiracy to access a computer without authorization and one count of fraud," according to the New York Times article on the subject. Last July, after the events transpired, the FBI received more than 150 pages of chat logs detailing how the men downloaded the addresses. It came down to this: a script on AT&T's web servers, when given an iPad's ID number (the ICC-ID of its SIM), returned the email address of the account registered to it, with no check that the requester actually possessed that iPad. Because such ID numbers are largely sequential, Mr. Auernheimer and Mr. Spitler only had to write a small script that iterated through candidate numbers and stored the returned addresses.
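The flaw is a textbook insecure direct object reference: a predictable identifier is treated as if it were a credential. The added example below is ours, not AT&T's code or the defendants' script. It models the vulnerable lookup and the enumeration loop against constructed demo data, then shows the hardened shape: the email is keyed on an unguessable session token issued only after authentication, with a per-client request budget as defense in depth. The `proof_of_ownership` argument and the demo account table are hypothetical stand-ins.

```python
import secrets
from collections import defaultdict

# Constructed demo data, not AT&T's: sequential device IDs -> account email.
DEMO_ACCOUNTS = {1000 + i: f"user{i}@example.com" for i in range(50)}


# --- Vulnerable pattern: the predictable device ID is the only "credential" ---
def lookup_email_vulnerable(device_id):
    """Mirrors the flaw described in the post: any caller who supplies a valid
    ID gets the email back, with no proof that they hold the device."""
    return DEMO_ACCOUNTS.get(device_id)


def harvest(endpoint, start, count):
    """What an enumeration script does: walk a contiguous ID range and keep
    every hit. Returns {device_id: email}."""
    found = {}
    for device_id in range(start, start + count):
        email = endpoint(device_id)
        if email:
            found[device_id] = email
    return found


# --- Hardened pattern: unguessable session tokens plus rate limiting ---
SESSIONS = {}              # token -> device_id, populated only after authentication
REQUESTS = defaultdict(int)  # client_ip -> lookups made
RATE_LIMIT = 20            # lookups allowed per client before refusing


def issue_session(device_id, proof_of_ownership):
    """Hypothetical stand-in for real authentication (e.g. the SIM proving
    itself to the carrier). Only then is a random, unguessable token issued."""
    if device_id not in DEMO_ACCOUNTS or proof_of_ownership != "ok":
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = device_id
    return token


def lookup_email_hardened(token, client_ip):
    """Email is keyed on the session token, never on the device ID, and each
    client gets a small budget of lookups."""
    REQUESTS[client_ip] += 1
    if REQUESTS[client_ip] > RATE_LIMIT:
        return None                      # would be HTTP 429 in a real service
    device_id = SESSIONS.get(token)
    if device_id is None:
        return None                      # would be HTTP 401/404
    return DEMO_ACCOUNTS[device_id]


def harvest_hardened(start, count, client_ip="198.51.100.7"):
    """The same enumeration attempt against the hardened endpoint: guessed
    device IDs are not valid tokens, so nothing comes back, and the client is
    cut off after RATE_LIMIT attempts anyway."""
    found = {}
    for device_id in range(start, start + count):
        email = lookup_email_hardened(str(device_id), client_ip)
        if email:
            found[device_id] = email
    return found


if __name__ == "__main__":
    print(len(harvest(lookup_email_vulnerable, 900, 300)))   # 50 emails leaked
    print(len(harvest_hardened(900, 300)))                    # 0
    token = issue_session(1007, "ok")
    print(lookup_email_hardened(token, "203.0.113.9"))        # user7@example.com
```

The rate limit alone would only have slowed the harvest; the essential fix is that the identifier the client can guess is no longer what authorizes the lookup.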


Both of the men charged insist they did nothing illegal. Mr. Spitler, asked why he felt that way, replied, "cause I didn't hack anything." Their defense rests on the fact that they were accessing data on a public server with no password or encryption; in other words, the data was available to anyone on the Internet. There is no evidence so far that anyone tried to sell the data they uncovered, and they informed AT&T of the security hole, allowing it to fix the problem. AT&T, on the other hand, labels the data mining "malicious" and claims that its customers could have been "exposed ... to spam or fraud."

If you feel the need to increase your company network and server security, call Razorpoint today, 212.744.6900!

Tuesday, January 18, 2011

Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power

According to a press report, a German security specialist plans to give attendees at a hacker convention next week code they can run on high-performance cloud computing systems to help them break the passwords of seemingly secure, low-cost wireless networks such as Wi-Fi.


As much as anything else, however, it's a demonstration of how much computing power is becoming available to larger numbers of people as a service for a fraction of what it costs to buy and maintain a supercomputer.


According to a report in Reuters, Thomas Roth, a security consultant in Cologne, used high-performance capabilities in Amazon.com's (NASDAQ: AMZN) Elastic Compute Cloud (EC2) service to "brute force" breaking passwords on wireless networks.


Roth will be speaking at next week's Black Hat Security Conference in Washington, D.C. His talk is titled "Breaking encryption in the cloud: GPU accelerated supercomputing for everyone."


The main focus of Roth's recent demonstration, however, was to show how easy it is today, given the availability of such high-powered computing in the cloud, to crack passwords stored with a hash algorithm that, he says, was never meant for securing them.


Roth reportedly said he was able to crack passwords protected with SHA-1 (Secure Hash Algorithm), a hash function rather than, as it is often described, an encryption technology, by tapping a cluster of Nvidia graphics processors available through Amazon's service to supply the horsepower needed to zip through 400,000 candidate passwords per second.


"SHA-1 was never made to store passwords. [It] is a hash algorithm ... made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast," Roth said on his blog in November.


Prices for the equivalent of a supercomputer provided as a service via the cloud are low as well. Roth told Reuters that it took 20 minutes to break into a network in his neighborhood, at a cost of 28 cents per minute -- and that, with improvements in the code, he could do the same in as few as six minutes now.
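Roth's point that SHA-1 is "too fast" for password storage is easy to see in code. The added example below is ours, not Roth's cracking code: it brute-forces the same constructed three-letter password twice, once stored as a single SHA-1 digest and once run through PBKDF2-HMAC-SHA1 with 4096 iterations (the iteration count WPA2-PSK uses to derive its key from the passphrase), and reports how many guesses and how much time each took. The password, the salt and the tiny lowercase search space are constructed so the demo finishes in seconds; the ratio between the two timings, not the absolute numbers, is the lesson.

```python
import hashlib
import itertools
import string
import time

ALPHABET = string.ascii_lowercase
PASSWORD = "bat"            # constructed demo password, deliberately tiny
SALT = b"demo-salt"         # constructed; a real system uses a random per-user salt
ITERATIONS = 4096           # the PBKDF2 iteration count WPA2-PSK uses


def sha1_hex(password):
    """A single fast SHA-1, the storage scheme Roth is criticising."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password, salt=SALT, iterations=ITERATIONS):
    """The same hash, but iterated through PBKDF2-HMAC-SHA1 so that every
    guess costs `iterations` HMAC computations instead of one."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations).hex()


def brute_force(target, hash_fn, length):
    """Exhaustively try every lowercase string of `length` until one hashes to
    `target`. Returns (password or None, guesses tried, seconds elapsed)."""
    start = time.perf_counter()
    tried = 0
    for chars in itertools.product(ALPHABET, repeat=length):
        tried += 1
        guess = "".join(chars)
        if hash_fn(guess) == target:
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def compare():
    """Crack the same password stored both ways and report what each cost."""
    found1, n1, t1 = brute_force(sha1_hex(PASSWORD), sha1_hex, len(PASSWORD))
    found2, n2, t2 = brute_force(pbkdf2_hex(PASSWORD), pbkdf2_hex, len(PASSWORD))
    return {
        "sha1_found": found1, "sha1_guesses": n1, "sha1_seconds": t1,
        "pbkdf2_found": found2, "pbkdf2_guesses": n2, "pbkdf2_seconds": t2,
        "hashes_per_guess": ITERATIONS,
    }


if __name__ == "__main__":
    r = compare()
    t1 = max(r["sha1_seconds"], 1e-9)
    t2 = max(r["pbkdf2_seconds"], 1e-9)
    print(f"SHA-1:  {r['sha1_guesses']} guesses in {t1:.4f}s "
          f"({r['sha1_guesses'] / t1:,.0f} guesses/s)")
    print(f"PBKDF2: {r['pbkdf2_guesses']} guesses in {t2:.2f}s "
          f"({r['pbkdf2_guesses'] / t2:,.0f} guesses/s)")
```

Both runs need exactly the same number of guesses; the difference is that the iterated scheme makes each guess thousands of times more expensive, which is why GPUs and rented cloud clusters become the attacker's answer and why a longer passphrase, not a faster hash, is the defender's.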


The problem is, as computing speeds climb ever higher and the price falls, the barrier to hackers falls as well.


"The speed of computers is increasing incredibly fast, and so brute forcing will get faster and faster, and the new cloud offerings make parallelization of such use tasks easy and affordable," Roth continued.


An Amazon spokesperson was not available at publication. However, in speaking with Reuters, a spokesperson made the point that the same feat could be achieved on competing cloud computing services as well.


By Stuart J. Johnston
January 12, 2011