Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term an “unlimited operation”.  An unlimited operation is an attack in which debit card account balances and withdrawal limits are removed.  In this case, attackers performed an unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to groups around the world.  These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.

I have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.
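To make the anomaly-monitoring point concrete, here is an added example (my own illustration, not code from the case or from any bank) of the "excessive use of a card number" check an issuer could run over its authorization records: it flags any card used more than a set number of times inside a sliding window, and reports how much cash and how many distinct ATMs that burst involved. The record layout, card numbers, ATM names and amounts are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Withdrawal is one ATM cash-out as the card issuer's authorization system
// sees it. The record layout and every sample value are constructed.
type Withdrawal struct {
	When   time.Time
	Card   string
	ATM    string
	Amount float64
}

// Alert is raised for a card whose cash-outs exceed the velocity limit.
type Alert struct {
	Card     string
	Count    int     // withdrawals inside the busiest window
	Total    float64 // cash taken inside that window
	Distinct int     // distinct ATMs used inside that window
}

// parseRecords parses constructed "RFC3339,card,atm,amount" lines.
func parseRecords(lines []string) ([]Withdrawal, error) {
	var out []Withdrawal
	for _, ln := range lines {
		f := strings.Split(strings.TrimSpace(ln), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", ln)
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		amount, err := strconv.ParseFloat(f[3], 64)
		if err != nil {
			return nil, err
		}
		out = append(out, Withdrawal{when, f[1], f[2], amount})
	}
	return out, nil
}

// velocityAlerts flags every card used more than maxPerWindow times within
// any sliding window of the given length. A two-pointer sweep over each
// card's time-ordered withdrawals finds its busiest window.
func velocityAlerts(recs []Withdrawal, window time.Duration, maxPerWindow int) []Alert {
	byCard := map[string][]Withdrawal{}
	for _, r := range recs {
		byCard[r.Card] = append(byCard[r.Card], r)
	}
	cards := make([]string, 0, len(byCard))
	for c := range byCard {
		cards = append(cards, c)
	}
	sort.Strings(cards) // deterministic output order
	var alerts []Alert
	for _, c := range cards {
		rs := byCard[c]
		sort.Slice(rs, func(i, j int) bool { return rs[i].When.Before(rs[j].When) })
		best, start := Alert{Card: c}, 0
		for end := range rs {
			for rs[end].When.Sub(rs[start].When) > window {
				start++
			}
			if n := end - start + 1; n > best.Count {
				best.Count, best.Total = n, 0
				atms := map[string]bool{}
				for _, r := range rs[start : end+1] {
					best.Total += r.Amount
					atms[r.ATM] = true
				}
				best.Distinct = len(atms)
			}
		}
		if best.Count > maxPerWindow {
			alerts = append(alerts, best)
		}
	}
	return alerts
}

// sampleLines returns constructed records: one card cashed out 12 times in
// 11 minutes across 8 ATMs, and a second card used twice, a day apart.
func sampleLines() []string {
	var lines []string
	start := time.Date(2012, 12, 22, 10, 0, 0, 0, time.UTC)
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf("%s,5200000000000001,NYC-ATM-%02d,800",
			start.Add(time.Duration(i)*time.Minute).Format(time.RFC3339), i%8))
	}
	return append(lines,
		"2012-12-21T09:00:00Z,5200000000000002,NYC-ATM-03,100",
		"2012-12-22T18:30:00Z,5200000000000002,NYC-ATM-11,60")
}

func main() {
	recs, err := parseRecords(sampleLines())
	if err != nil {
		panic(err)
	}
	for _, a := range velocityAlerts(recs, time.Hour, 5) {
		fmt.Printf("ALERT card=%s withdrawals=%d total=%.2f atms=%d\n", a.Card, a.Count, a.Total, a.Distinct)
	}
}
```

With a one-hour window and a limit of five withdrawals, only the first card is flagged; the threshold and window are tuning knobs that a real issuer would set from its own baseline of legitimate prepaid-card use.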

Another government data breach weakens public confidence

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, Social Security numbers, driver's license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees.  The hackers did not gain access to classified information, which investigators believe was the target of the attack.

Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on Pastebin.  However, the posted information was dated and investigators believe Parastoo is not responsible for the attack.  According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the attack involved a foreign nation state.  This nation state is most likely China, based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts.  If so, this employee information will probably be used to launch further attacks and to gain the confidence of DOE employees with access to sensitive information.

The DOE and FBI are still investigating the incident, but speculation abounds as to how the attack on their systems took place, including weak server security configurations, poor user training and an over-reliance on outdated methods.  The security of DOE systems has certainly been called into question, and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.

Discussions continue on “hack back”

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking place in Canada.  In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protesting and activism known as hacktivism.  The report recommended several exemptions to existing legislation to allow researchers, investigators and even journalists to hack into other computers.  Some of the hack back recommendations included allowing security researchers to attack and reverse engineer software in order to determine security concerns (Montreal Gazette), investigators to take additional actions in investigating attacks such as data breaches and malware and reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, a discussion has taken place between Public Safety Canada and the minister's office on this subject, resulting in a decision by Public Safety Canada on January 16, 2013 to reject the recommendations.  This is by no means a complete loss for those supporting hack back, since such large-scale initiatives often take years to implement.  Alana Maurushat, the author of the report, wrote, “no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes.”  The past year of discussion will increase awareness of the hack back initiative and I will most likely see other proposals in the future that address the shortfalls of this proposal, which Public Safety Canada has not spelled out.

Hack Back: Eye for an eye in cyberspace

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day.  It makes us want to hack them back: take them out of the game and cease this never-ending battery of our systems.  This is especially tempting following a data breach.  Despite this temptation, most restrain themselves because of laws that prohibit the use of computer programs and systems to attack others.  However, increases in damages and losses due to computer hacking have caused some to question this restraint.

At the 2012 RSA conference, Paul Asadoorian and John Strand proposed fighting back by frustrating hackers with systems that waste their time, tracking attackers, and then disabling them.  Unfortunately, attackers often use other people's systems to perpetrate their attacks, so disabling those systems could take down a company that has no knowledge of the attack.

Some argue that since the systems used by attackers are vulnerable, they are contributing to the problem and that disabling those systems is simply part of the overall solution to make us safe.  The loss of availability for one company is a benefit to the community.

So far these arguments have focused on reacting to an attack, but Symantec proposed taking it a step further in their article Malicious Malware: attacking the attackers.  They suggested stopping attackers before they issue an attack.  Methods ranging from distributing hacker tools that track the attacker to taking control of hacker botnets would put the hackers on the defensive.

There are people on both sides of the fence, with some, such as John Pescatore, head of Gartner's Internet security practice and a former NSA and Secret Service agent, doubting whether it can really help.  Pescatore says “There is no business case for it and no positive outcome.”  Others, like cyberwar researcher Sandro Gaycken, believe that governments, which have the sanction to attack back, have not been doing enough.  He believes hacking back can help and that it is justified.  Gaycken says, “Vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back.”

In response to concerns about legality, Asadoorian and Strand recommended modifying system banners and warnings to include a statement that, by accessing the system, the visitor agrees that information such as location will be collected and that the visitor's system will be subject to a security check.  In this way, attackers would be allowing you to collect information on them and to run tools to analyze their systems.  However, an attacker is not authorized to make such a decision on behalf of those whose systems he or she has compromised, so statements like this may be of little value.

The debate is going on right now with serious cyber security discussions on whether hacking back should be officially allowed in the United States.  What are your thoughts?

Bots and Denial of Service (DoS) used against banks


Did you know that computers often become infected with virus-like programs called “bots” causing “denial of service” incidents on websites? Similar to the large data centers that comprise cloud based computing services, hackers have been creating botnets, large networks of infected computers that can operate collectively to perform malicious tasks. Portions of these networks are leased out to others who use them to launch attacks against web sites, among other things.

The recent bank attacks are examples of what can be done easily with the power of a botnet and nefarious schemes. For more information on the recent incidents, read my quotes from the Cleveland.com article, “KeyCorp, U.S. Bank web sites hit in the latest cyber attack against nation’s largest banks.”

Rogue certificate authorities destroy trust on the Internet

For more than a decade, computer-generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner's name.  The process relies on trust.  “Secure” websites utilize such a certificate to validate their identity.  This digital certificate is usually procured from a company that will verify the identity of the company administering the site.  The digital certificate issued to them will be validated by a trusted root certificate authority or by a server that is trusted by the trusted root.  This chain of certificates is called a certificate hierarchy.  A small group of trusted certificate authorities is installed on computers within the operating system.  These authorities include such names as Equifax, VeriSign and Thawte.  So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities resulting in the issuance of many rogue certificates. These attacks began with a SQL injection attack against Comodo's GlobalTrust and InstantSSL databases resulting in the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com.  This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as *.google.com which allowed the certificate to be used for any google.com site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated.  Users will then be redirected to such sites through phishing or “man in the middle” attacks, where a compromised host in between the user and a legitimate site sends traffic to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem legitimate.  For example, fake AV, some Zeus variants, Conficker and, more recently, Stuxnet and Duqu have used rogue certificates.  The threat of rogue certificates is so serious that McAfee lists rogue certificates as one of their 10 threat predictions for 2012.

In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.

There are several ways companies can protect their users from the damage caused by the use of rogue certificates.  The most important action that can be taken is to install browser patches as soon as they are released because updates to root certificate authorities will be distributed through these patches.  In order to do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the amount of time machines are vulnerable to attacks.

Similar to server hardening and other security techniques that limit asset exposure, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific, thus, they can be removed if sites in those countries are not utilized.

It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities who list the certificates that should not be trusted anymore.  Depending on the browser's settings, it may be accepting revoked certificates.  Make sure the browser is set to treat certificates as invalid if the Online Certificate Status Protocol (OCSP) connection fails.

Firefox add-ons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further validate certificate credibility.  These add-ons warn users when the certificates differ from those recorded elsewhere.  A change in a certificate is no guarantee that the certificate is a rogue certificate, but it is a warning sign that the certificate is potentially rogue.

Attacks in recent years have shown that the certificate trust relationship can be exploited to impersonate legitimate sites and services.  The best way to ensure you are reaching the actual service is to maintain current browser and operating system patches.  In addition to keeping patches current, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and by enforcing certificate revocation checking.
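As an added illustration (my own example code, not from this blog or from any of the products named above), the following Go program builds a throwaway certificate hierarchy in memory and shows the defences described in this section working together: chain validation against a deliberately small set of trusted roots, rejection of a certificate for the same host issued by a root that is not on the trusted list (the situation after DigiNotar was removed), and a CertPatrol-style fingerprint store that warns when the certificate seen for a host changes. Every CA name, the host www.example.com and all keys are generated or constructed inside the program; nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only serial counter; real CAs use large random serials

// issue creates a short-lived test certificate for cn: self-signed when parent
// is nil, otherwise signed by parent. Failures can only come from the system
// RNG or from a template of our own making, so this demo helper panics.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain walks the hierarchy from leaf through the intermediates to a
// root in the trusted pool and checks that the certificate covers host.
func verifyChain(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, host string) error {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	return err
}

// PinStore remembers the SHA-256 fingerprint of the leaf last seen for each
// host, as CertPatrol-style add-ons do; Check reports whether it changed.
type PinStore map[string]string

func (p PinStore) Check(host string, leaf *x509.Certificate) bool {
	sum := sha256.Sum256(leaf.Raw)
	fp := hex.EncodeToString(sum[:])
	prev, seen := p[host]
	p[host] = fp
	return seen && prev != fp
}

// runScenario builds Root A -> Intermediate -> leaf (trusted) and a rogue
// leaf for the same host under Root B, which is deliberately left untrusted.
func runScenario() (genuineOK, rogueRejected, pinChanged bool) {
	const host = "www.example.com"
	rootA, keyA := issue("Example Trusted Root A", true, nil, nil, nil)
	inter, keyI := issue("Example Intermediate CA", true, nil, rootA, keyA)
	leaf, _ := issue(host, false, []string{host}, inter, keyI)
	rootB, keyB := issue("Example Rogue Root B", true, nil, nil, nil)
	rogue, _ := issue(host, false, []string{host}, rootB, keyB)
	trusted := x509.NewCertPool()
	trusted.AddCert(rootA) // a small trust list: Root B is not on it
	genuineOK = verifyChain(leaf, []*x509.Certificate{inter}, trusted, host) == nil
	rogueRejected = verifyChain(rogue, nil, trusted, host) != nil
	pins := PinStore{}
	pins.Check(host, leaf) // first visit only records the fingerprint
	pinChanged = pins.Check(host, rogue)
	return
}

func main() {
	fmt.Println(runScenario())
}
```

The rogue leaf is rejected purely because Root B is absent from the pool, which is exactly the effect of removing a compromised authority from the trusted list; the pin store adds a second, independent signal that does not depend on the trust list at all, which is why a changed fingerprint deserves a look even when the chain validates.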

For more information:

Why Diginotar may turn out more important than Stuxnet

Certificate authority hack points to bigger problems

Compromised certificate authorities: How to protect yourself

Timeline for the DigiNotar hack


The risks of networked entertainment devices

The latest televisions and Blu-ray players are being shipped with more than high definition video and audio.  Internet access and a host of new applications are being built in to run directly on these devices.  A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable.  Accessing the Internet and your favorite apps directly from your TV is convenient.  However, what security risk does this pose?

Are TVs and Blu-ray Players a Security Risk?

The primary question is, “Are these devices a security risk?” Examining the features of these systems and comparing them to existing systems that already have a risk profile will help answer this question.

In order to access the Internet, a device needs a browser. Currently, manufacturers have decided not to develop their own browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google's Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft's Windows “media extender technology.”  The default installation of the media center extender provides full access to most of the shared media on the network. This access could give a compromised television or Blu-ray player access to files on the home or office network.

Yet another consideration is the type of content that will be available on these devices.  In the past year, a large number of exploits focused on Adobe Flash or Java.  Blu-ray players currently support Java in order to display content often included on Blu-ray discs, while some of the TV browsers support Flash content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Internet-capable televisions and Blu-ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for a long period of time.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  It did not take long for cell phones to be exploited after Internet access and applications were ported to them. Similarly, as Internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do?

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.  These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if Internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider reducing access from the default of full access to read only.  See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).  Eventually, security patches for these Internet capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike computers, users are not familiar with the firmware update process and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, an Internet TV or Blu-ray player could be vulnerable once exploits are developed for these devices.  As consumer usage of these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address intrusions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect it from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.


DDoS (Distributed Denial-of-Service) response strategies

The site is down!  These are haunting words for most businesses, and they introduce today's topic: the DDoS (Distributed Denial-of-Service) attack. This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth or through other techniques.  Your business is most likely heavily reliant upon specific systems, and this article provides an overview of the DDoS attack that could potentially take these key systems down and of techniques for combating it.

It is best to understand what DoS and DDoS attacks are and how they work before discussing how to combat them.  DoS (Denial of Service) attacks disrupt the availability of key information systems so that legitimate users cannot access these resources.  The DDoS attack accomplishes the same thing using a distributed set of computers, or “bots” or “zombies”, and it is extremely powerful because it uses the power of thousands of computers and the bandwidth of many networks to perform the attack.  Both DoS and DDoS result in lost sales, lost customer confidence, reduced productivity or increased work for support staff.  So how does the DDoS attack work?

Understanding the DDoS

DDoS attacks rely on the power of many distributed machines, so the first part of a DDoS attack is assembling an army of bots.  Using automated tools, attackers scour the Internet in search of vulnerable machines, which are exploited and turned into bots by installing software on them that waits for commands from a command and control server.  These bots are used to enslave other bots until a sufficient army is assembled for the attack.

The attacker is now ready to initiate an attack with their bot army.  Attacks are initiated automatically or semi-automatically.  Automatic attacks already have the target programmed into them by the attacker so the attack takes place as soon as the bot army is assembled.  This minimizes interaction the attacker has with the bot army and makes it more difficult for him or her to be identified.  In semi-automatic attacks, instructions are sent to the bot army by the attacker through command and control servers once the bot army is assembled.

Some DDoS attacks, called protocol attacks, target a specific protocol or vulnerability, while others use brute force.  Protocol attacks take advantage of a bug in the software or a feature of the communication to tie up resources of the target so that legitimate traffic cannot be serviced.  Brute-force attacks bombard the system with otherwise seemingly legitimate transactions.  Protocol attacks would seem like the more advanced method, but they can be stopped by altering the system to remove the bug or changing the way the system operates so that the feature cannot be exploited.  The brute-force attack is no different from legitimate traffic except for its increased volume, so it is more difficult to combat.

So what can you do to prevent or mitigate DDoS?  We have selected five practical things you can do to protect against a DDoS attack.

Infrastructure Improvements

First, consider increasing bandwidth and server performance.  DDoS attacks attempt to overwhelm available resources, so additional resources will allow you to withstand greater attacks.  This involves having more server capacity or bandwidth than necessary.  Such over-provisioning addresses the number one problem brought on by a DDoS attack, link and equipment saturation.  Unfortunately, it can be difficult to determine how much extra hardware and bandwidth is necessary to withstand an attack, as even some of the largest companies have succumbed to DDoS attacks.  When attacks fail, attackers often gather a larger bot army and try again.

Traffic Filtering

Consider configuring your firewall or IDS (Intrusion Detection System) to filter DDoS traffic, if the functionality is available, or consider upgrading to a system that does.  DDoS traffic filtering devices block SYN floods, TCP floods and other types of DDoS attacks.  Such devices typically analyze TCP flow control, conduct packet filtering and utilize blacklists and whitelists.

Real Time Monitoring

Another way to protect your systems against a DDoS attack is through real-time monitoring.  Real-time monitoring can identify a DDoS attack early.  Such a system must be actively monitored so that action can be taken quickly to resolve the situation.  DDoS attacks can ramp up quickly, so administrators might not have much time to respond once an alert comes in.  Integration of site and device monitoring with SIEM can leverage existing technology to protect against this attack.

It should be noted that not all DDoS attacks happen immediately.  Some attacks develop slowly so that they will not be noticed as easily.  They gradually increase the number of requests made to resources until the resources become unavailable.  It is important to have baselines of system performance and expected use so that these can be compared to active data in order to classify traffic as legitimate or a potential DDoS attack.

Consider monitoring log file sizes and growth rates.  Some monitoring tools will create a more critical event and alert when a large number of informational events are generated so that administrators can stay on top of problem areas.  Informational events might not appear in reports and individually they would not indicate a problem but collectively they could indicate a DDoS attempt or some other hacking activity.
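To show what baseline comparison looks like in practice, here is an added example (my own code, not from the blog or from any monitoring product) that buckets constructed access-log lines per minute, learns a baseline from the first ten minutes and then raises two kinds of alert: a spike when a minute exceeds twice the baseline, and a ramp when three consecutive minutes each grow by 20% or more, which catches the slowly building attack described above a minute before the spike threshold would. The log format, client addresses and request counts are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Bucket is the number of requests seen in one minute.
type Bucket struct {
	Start time.Time
	Count int
}

// Alert marks the minute in which a detector fired.
type Alert struct {
	Kind  string // "spike" or "ramp"
	At    time.Time
	Count int
}

// parseTimestamps reads the leading RFC3339 timestamp from constructed
// access-log lines of the form "<timestamp> <client> <method> <path> <status>".
func parseTimestamps(lines []string) ([]time.Time, error) {
	out := make([]time.Time, 0, len(lines))
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed log line: %q", ln)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, t)
	}
	return out, nil
}

// bucketPerMinute counts requests per minute and returns the minutes in order.
func bucketPerMinute(ts []time.Time) []Bucket {
	counts := map[time.Time]int{}
	for _, t := range ts {
		counts[t.Truncate(time.Minute)]++
	}
	out := make([]Bucket, 0, len(counts))
	for start, n := range counts {
		out = append(out, Bucket{start, n})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Start.Before(out[j].Start) })
	return out
}

// detect learns a baseline mean from the first baselineMinutes buckets, then
// raises a "spike" when a minute exceeds spikeFactor times that mean, and a
// "ramp" when rampSteps consecutive minutes each grow by at least growthPct
// percent over the previous minute while staying above the mean.
func detect(b []Bucket, baselineMinutes, spikeFactor, rampSteps, growthPct int) []Alert {
	if baselineMinutes < 1 || len(b) <= baselineMinutes {
		return nil
	}
	total := 0
	for _, x := range b[:baselineMinutes] {
		total += x.Count
	}
	mean := total / baselineMinutes
	var alerts []Alert
	run := 0
	for i := baselineMinutes; i < len(b); i++ {
		cur, prev := b[i].Count, b[i-1].Count
		if cur > spikeFactor*mean {
			alerts = append(alerts, Alert{"spike", b[i].Start, cur})
		}
		if cur > mean && cur*100 >= prev*(100+growthPct) {
			run++
		} else {
			run = 0
		}
		if run == rampSteps { // fire once, when the run first reaches the required length
			alerts = append(alerts, Alert{"ramp", b[i].Start, cur})
		}
	}
	return alerts
}

// sampleLog builds constructed log lines: ten quiet minutes of about 20
// requests each, then a request rate growing by roughly 25% per minute.
func sampleLog() []string {
	perMinute := []int{20, 21, 19, 20, 22, 18, 20, 21, 19, 20, 24, 30, 38, 48, 60, 76}
	base := time.Date(2012, 9, 26, 10, 0, 0, 0, time.UTC)
	var lines []string
	for m, n := range perMinute {
		for j := 0; j < n; j++ {
			t := base.Add(time.Duration(m)*time.Minute + time.Duration(j%60)*time.Second)
			lines = append(lines, fmt.Sprintf("%s 203.0.113.%d GET /login 200", t.Format(time.RFC3339), j%200+1))
		}
	}
	return lines
}

func main() {
	ts, err := parseTimestamps(sampleLog())
	if err != nil {
		panic(err)
	}
	for _, a := range detect(bucketPerMinute(ts), 10, 2, 3, 20) {
		fmt.Printf("%s %-5s %d requests/min\n", a.At.Format("15:04"), a.Kind, a.Count)
	}
}
```

On the constructed data the ramp detector fires at 10:12 with 38 requests, while the simple 2x threshold does not trip until 10:13; the extra minute is the point of keeping a baseline rather than a fixed threshold alone.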

Log Maintenance

Both genuine users and DDoS attacks generate server log events, and this can cause some services to reject connections if the log fills up.  As mentioned earlier, log file growth rates and sizes can indicate an attack, but in order to prevent a full log from making a system unavailable you can either increase log file sizes, archive logs, or roll the logs over.  If systems are set to refuse connections when the log is full you should not implement log rollover, because the refusal is a security mechanism meant to prevent unauthorized access.  In this case you should use either archiving or larger log files to keep servers available.

Community

Finally, information security departments can work closely with the botnet hunter community.  DDoS attacks rely on bots to perform their work, but if the bots are known about, control of the bots can potentially be wrested out of the attacker's hands.  Knowing who to call to nip the attack in the bud rather than allowing it to get too big can save valuable time and effort.  Know who to call at your upstream service provider to help filter attacks.  Your Internet provider might have specialized equipment to help reduce DDoS attacks, so put a plan in place to work with them to stop the attack.

The DDoS is an outside invasion, but not one that looks to install or plant something within the company in order to gain information.  Instead, this type of attack hits the server with so many requests that business is halted.  DDoS can cause a lot of damage to organizations that rely on the availability of key information systems. That is why I have outlined the above five activities that can mitigate the effects of an attack.

Sources and Further Reading

http://www.securityweek.com/content/how-defend-against-ddos-attacks

http://www.computerworld.com/s/article/94014/How_to_defend_against_DDoS_attacks?taxonomyId=17&pageNumber=1

http://www.fortguard.com/DDOS/ucla_tech_report_020018.pdf

Command and control server reveals interesting details on bot usage


Previously, I have discussed the dangers of hacking and measures to take against an attack in the LulzSec blogs.  Now I will delve into a different aspect of the wide world of hackers.  We will not, however, look at a specific company or conglomerate that hacked different entities and organizations.  Instead, I will observe the findings of McAfee after they accessed a server that was used for attacks since 2006.  Operation Shady RAT, RAT being short for Remote Access Tool, has introduced new evidence on the targets, motivations, and frequency of hacking, which is summarized below.

McAfee took possession of a server that had been utilized as a hacking device since 2006 and analyzed its contents, revealing a great deal of information on attack trends and methods used by hackers.  On August 2, 2011, McAfee published their findings in a report titled Revealed: Operation Shady RAT.  Although there have recently been highly publicized attacks by Anonymous and LulzSec, such attacks are not new.

After the acquisition of the command and control server, the subsequent research into its logs and the tracing of the attacks, the results were shocking.  So shocking that even McAfee employees were surprised at the level of penetration, the wide scope of the attack, and the overall impudence of the intruders.  The perpetrators hacked into seventy-one different companies and organizations by using this server.

The types of targets that Shady RAT attacked ran the gamut.  These hackers attacked government agencies, but unusually these attacks were not just on American government agencies but on government agencies worldwide.  Also, they hit a nonprofit think tank based in the United States.  These attackers even went as far as to attack the Olympic committees of various countries.  Still, the vast majority of attacks were on government agencies worldwide, with a total of twenty-one different government bureaus across the globe being attacked.  In conjunction with the governmental findings, another high-risk industry was defense contractors.  In fact, thirteen defense contractor attacks were coordinated through the command and control server McAfee obtained access to.

If the results of Operation Shady RAT are considered representative of other attacks, they could call into question some common assumptions held on the focus of attacks.  A common belief is that hacks primarily occur against the United States, Canada, and Europe.  While Operation Shady RAT showed the majority of attacks did occur against those regions, with forty-nine coming against organizations within the United States, four against Canada and six against Europe, ten attacks were focused on Asian countries.  Companies in Asian countries often get less attention in the media for hacks against them.  The underlying issue with the attacks carried out by this server is that, since the range of companies and organizations is so broad, anyone could be vulnerable.  Protection is not optional for companies.  Everyone needs to be concerned with information security.

Even more intriguing were the findings on the types of attacks used and the evidence of what attackers obtained or attempted to obtain.  The oft-cited motivation for hacking has been commercial gain, but the same server was used for commercial hacks and for hacks that had no commercial interest.  Hacktivism, hacking to promote a political agenda, is seen clearly in the attacks on the Olympics.  Interestingly, logs from the server outline attacks on Olympic committees, especially in the time leading up to the 2008 Olympics.  Furthermore, the attacks on the nonprofit think tank also provide evidence that the hacks were not carried out by a group solely focused on commercial gain.

Another interesting point made by the article is the frequency of the attacks and the amount of time the hackers remained in various organizations without detection.  There have been difficulties and controversies over the number of successful attacks that take place, because organizations are reluctant to report incidents for fear of losing customer confidence.  Operation Shady RAT provides real data on the number of attacks that took place.  The data is limited to only the attacks that took place from this one command and control server, but it is unfiltered by corporate PR departments.

In 2006, when this server began directing attacks, only eight organizations were infiltrated; however, by the next year that number had jumped to twenty-nine.  The frequency of the attacks continued to rise until it peaked in 2009 with thirty-eight attacks, and tapered off within the last two years.  Also, the amount of time spent within these companies and organizations is tremendous.  The time spent within a company ranges from just one month to twenty-eight months.  For example, the hack on a South Korean construction company began in 2006 and lasted seventeen months without detection.  Meanwhile, the twelfth United States defense contractor was only under attack and infiltrated for one month.

Upon a thorough reading of the findings of McAfee, I can now conclude that anyone is vulnerable to an attack, not just government offices or major companies.  Also, thanks to the report, better knowledge of the types of attacks is now out there and available.  Read through some previous postings to find out how to protect yourself and your company.

LulzSec and the Sony hacks

Thank you for staying tuned in to my third case study and the final installment of my four-part series on the Lulz Security hacks. Our first entry on the LulzSec hacks gave a broad overview of the group, what they did, and how it made people aware of hacking. We then embarked on three case studies, beginning with PBS and then Infragard, that outlined the attacks, the corporate response, and the lessons learned. This entry will focus on what happened to Sony. Keeping true to form, I will look at the security of the company attacked, the hack done by LulzSec, and the company’s response to that attack.

Sony was hacked recently on two occasions. The first attack against Sony, on April 19, 2011, targeted the Playstation network. This attack exposed records for over 70 million Sony Playstation users, including usernames, passwords, credit card information, security answers, and addresses. Alan Paller, research director at the SANS Institute, called the breach the largest identity theft on record. The Washington Post states that LulzSec has not taken credit for this attack; however, other sources reference a tweet made by LulzSec around the time of the attack in which they stated that they were stealing information from Sony. Either way, this attack serves as another lesson in how to better protect valuable information. This attack was successful because passwords were not stored in a hashed format. Hashes allow the program to verify that a password given to it is correct while maintaining the secrecy of the password: only the hash is stored, so a stolen database does not directly reveal the passwords.

Sony responded to the attack on the Playstation network by allowing US account holders to participate in an identity theft protection program, and they issued a 30-day membership to the Playstation Plus service. It is unknown, however, whether the security problems that caused this attack have been addressed sufficiently. Sony did shut down the Playstation network so that they could take care of the issues without risking further compromise of the system. We applaud Sony for making a decision to improve security even at the cost of the availability of the system. They most certainly lost money while the system was unavailable, but they were able to protect customers of the Playstation network from further harm.

The second attack, on June 2, 2011, was against Sony’s pictures and music divisions. LulzSec claimed responsibility for the attack and criticized the lack of security controls that allowed them access to the systems. Their attack exposed more than one million accounts that were stored in an unencrypted text file, and they stole 75,000 music codes and 3.5 million music coupons that are used to download music from the Sony/BMG site. LulzSec also compromised over one million users’ personal information, including email addresses and passwords. They obtained access to this information by using a SQL injection vulnerability. SQL injection is a method where harmful database queries are executed against a database by inserting the queries, formed using SQL (Structured Query Language), into an input to the program, often in a web form. The program or web site collects the input and processes it, but along the way the injected query is executed, providing the attacker with information from the database.

To prevent the attack against Sony Pictures and Music, the website code should have implemented web coding best practices, including limiting application privileges, validating the input collected before processing it, and reducing the amount of debugging information provided by the web site. They also should have encrypted files that contained confidential information and stored passwords in a hashed format rather than in plain text.
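To make the SQL injection mechanism and the fix from the previous two paragraphs concrete, here is an added example (not Sony's code, and not from the original post) that runs the string-built lookup beside the parameterized one against a constructed in-memory SQLite table, with an input-validation check as the second layer the article recommends.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table: two rows so 'returns everything' is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-1"), ("bob@example.com", "hash-2")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Query built by concatenation: whatever the form sends becomes SQL text."""
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the driver passes the input as data, never as SQL.

    This is the primary fix; the database also only needs SELECT on this table,
    so the application account should hold no more than that.
    """
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


def is_valid_email(value: str) -> bool:
    """Validation before processing: a login form never needs quotes or spaces."""
    allowed = "@._+-"
    return (
        0 < len(value) <= 254
        and value.count("@") == 1
        and all(c.isalnum() or c in allowed for c in value)
    )


# Constructed form input of the tautology kind the linked "by example" page describes.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, INJECTED))  # both rows: the WHERE clause is always true
    print(find_user_safe(db, INJECTED))  # []: no email equals that literal string
    print(is_valid_email(INJECTED))  # False: rejected before it reaches the query
```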

Today I emphasized these two attacks on Sony. This concludes my four-part series on the LulzSec hackings, and I hope that you will ask the question: could my company be next?

For more information

LulzSec Hacks Sony Pictures Website, Steals One Million Passwords

Details on the attack

SQL injection attacks by example

SQL injection protection: A guide on how to prevent and stop attacks