Trend Micro Threat Resource Center

04 May 2011

24.6 million Sony Online Entertainment accounts stolen

Sony's ongoing investigation of illegal intrusions into Sony Online Entertainment systems revealed that attackers may have stolen personal information from approximately 24.6 million SOE accounts, as well as certain information from an outdated database from 2007.

The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation Network and Qriocity services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

The company is working with the FBI and continuing its own full investigation while working to restore all services.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:
  • name
  • address
  • e-mail address
  • birthdate
  • gender
  • phone number
  • login name
  • hashed password.
In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain include:
  • bank account number
  • customer name
  • account name
  • customer address.
SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation 3 MMOs.

03 May 2011

Osama bin Laden spam invades Facebook

I guess the news about the death of Osama bin Laden is starting to reach everyone around the world. Every time something as big as this happens, people get curious and start searching on the Internet.

Facebook ads are already spreading that use videos of the death of Osama bin Laden as the lure. On one page we can see multiple users posting the same URL with the following message: "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!" or "2 Southwest Plane Tickets for Free - 56 Left Hurry", followed by a link to a short URL service (tiny.cc).

When you click the link, you are redirected to a page that says you need to post a message to get further instructions on how to win.

If the user posts the message, it appears on the user's wall, spreading the scam further, and the user is then simply redirected to another page where something else can be "won". The scheme keeps redirecting you to pages that ask for information such as an email address; the scammers are eventually paid for every new sign-up or click they generate.

Please make sure that your computer is up to date with all security patches and that your antivirus is updated, and if you do click links from Facebook and other social media pages, make sure that you don't give out any important information (usernames, passwords).

Since the bad guys seem to be taking advantage of this opportunity quite heavily, we expect to see more malicious code getting triggered by the death of Osama bin Laden.
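The campaign described above has a recognisable shape: one short link, near-identical bait text, and many distinct users posting it because the page forced them to. The following added example (not code from the original article) turns that shape into a simple detection heuristic over a constructed set of wall posts; the shortener list, bait-word list and thresholds are assumptions to be tuned locally.

```python
"""Heuristic detector for self-propagating 'free prize' wall-post scams.

Added example, not from the original article. The posts below are
constructed to resemble the campaign described in the text.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the shortener used in the campaign plus a few common ones.
SHORTENER_DOMAINS = {"tiny.cc", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Assumption: words typical of prize-bait posts.
BAIT_WORDS = {"free", "hurry", "left", "win", "celebrate"}
URL_RE = re.compile(r"https?://\S+")


def normalize(text):
    """Lowercase, drop URLs and replace numbers so '56 Left' and '41 Left'
    collapse to the same template."""
    text = URL_RE.sub("", text.lower())
    text = re.sub(r"\d+", "#", text)
    return " ".join(text.split())


def bait_score(text):
    """Number of distinct bait words present in the post."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return len(words & BAIT_WORDS)


def find_scam_campaigns(posts, min_users=3, min_bait=2, max_templates=2):
    """posts: iterable of dicts with 'user' and 'text'.

    Returns {url: {"users": n, "templates": k, "bait": score}} for short
    links shared by at least min_users distinct users with near-identical
    bait text (at most max_templates distinct templates)."""
    by_url = defaultdict(lambda: {"users": set(), "templates": set(), "bait": 0})
    for post in posts:
        for url in URL_RE.findall(post["text"]):
            host = urlparse(url).netloc.lower()
            if host not in SHORTENER_DOMAINS:
                continue  # ordinary links are not scored here
            rec = by_url[url]
            rec["users"].add(post["user"])
            rec["templates"].add(normalize(post["text"]))
            rec["bait"] = max(rec["bait"], bait_score(post["text"]))

    flagged = {}
    for url, rec in by_url.items():
        if (len(rec["users"]) >= min_users
                and rec["bait"] >= min_bait
                and len(rec["templates"]) <= max_templates):
            flagged[url] = {
                "users": len(rec["users"]),
                "templates": len(rec["templates"]),
                "bait": rec["bait"],
            }
    return flagged


# Constructed sample wall posts (usernames and link targets are made up).
SAMPLE_POSTS = [
    {"user": "alice", "text": "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY! http://tiny.cc/example1"},
    {"user": "bob",   "text": "Sweet! FREE Subway To Celebrate Osamas Death - 41 Left HURRY! http://tiny.cc/example1"},
    {"user": "carol", "text": "2 Southwest Plane Tickets for Free - 56 Left Hurry http://tiny.cc/example1"},
    {"user": "dave",  "text": "Sweet! FREE Subway To Celebrate Osamas Death - 12 Left HURRY! http://tiny.cc/example1"},
    {"user": "erin",  "text": "anyone seen this? http://tiny.cc/example2"},
    {"user": "frank", "text": "Great article on the news http://example.com/news/story"},
]

if __name__ == "__main__":
    for url, info in find_scam_campaigns(SAMPLE_POSTS).items():
        print(f"suspected campaign: {url} {info}")
```

The number replacement in `normalize` matters: the "56 Left" counter in the bait text is a fake scarcity cue that changes from post to post, so comparing raw text would split one campaign into many templates and miss the threshold.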

29 April 2011

Mobile Security: Camelot And The Wild West

The only secure device is one that is not connected to a network. However, this more or less defeats the purpose of mobile devices. Especially with the onset of social media and cloud computing, users are no longer just browsing the internet. As mobile devices become the primary platform for users, hackers' attention will follow them there.

Just last month Google pushed the "Android Market Security Tool" onto at least 256,000 infected devices to remove apps with DroidDream malware, first reported by the Android Police. DroidDream was published within seemingly legitimate apps on the Android Marketplace which, once installed on Androids prior to 2.2.2, could obtain personal information as well as download additional code to run. The 58 apps infected with the malware were removed from the marketplace within minutes.

As with desktops, mobile malware can come in the form of anything from fake antivirus to "phishing" apps (apps posing as trusted banks or businesses), and it can be contracted through messages, app marketplaces, third-party marketplaces, and yes, even through the web browser. And this isn't just the case for Android. Even the iPhone has its own share of security issues. Why, then, is there so much hype regarding Android security?

The iPhone and Android exist in different worlds. The first is like Camelot, the second like the Wild West. On the iPhone platform, the operating system itself is tightly controlled and the App Store has strict regulations and screening. iOS users are looked after and protected by the "castle guards" at Apple. Exploits for the iPhone are a risk only to the very careless and to those who install third-party applications. The OS offers various encryption features, and any known security holes in the OS are fixed and the fixes made available for users to install easily when syncing with their computer.

The Android platform is open source and there is little marketplace oversight. Users must look out for themselves, and the unguarded are vulnerable to exploitation. There is still no built-in encryption available to apps, hence Skype's recent upgrade. The lack of cooperation between carriers and Google on providing OS updates only compounds the issue, as this article discusses. Google has made security patches to its OS, but carriers have been unwilling to push the upgrades to their phones.

Both users and enterprises alike should realize the vast differences in the Android and iPhone environments. Be sure to confirm the authenticity of an app before installing, browse only trustworthy sites, and, as much as possible, keep devices upgraded.

23 April 2011

Newest iOS Update Jailbroken Already

Less than a week after Apple released the newest version of its mobile operating system, iOS, the iPhone Dev Team has released its updated client for jailbreaking. Called redsn0w, this client allows iPhone users to install third-party apps without the use of iTunes or the Apple approval process. For a lot of people, this is a very tempting offer even in the face of potentially voiding the warranty. As of the writing of this article, only the iPad 2 remains impervious to redsn0w.

In its blog, the iPhone Dev Team announced the release of redsn0w 0.9.6rc14 on Tuesday, merely five days after Apple released iOS 4.3.2 for its devices. The update came so soon after the official release because Apple had not patched the vulnerability that allowed the previous version of iOS to be unlocked. Earlier this week, the iPhone 4 could only be jailbroken in a 'tethered' way: every time the device was rebooted, it had to be connected to the user's Mac before it would work again. Obviously this is not the ideal situation for a mobile device, but that issue has since been rectified. Anyone who used the 'tethered' jailbreak can download the new client and simply patch their current install to the 'untethered' version.

I am not trying to justify jailbreaking. There are reasons why people do it and there are reasons why Apple doesn't want them to, but in the end the decision lies with the user. The iPhone Dev Team strives to make the process as easy as possible for those willing to break out of Apple's so-called 'walled garden' and install unverified apps. And they do make it look easy by exploiting vulnerabilities in a mobile OS created by a company that prides itself on its security.

10 April 2011

Epsilon Email Breach Should Heighten Everyone's Awareness

It's unfortunate, but the largest email security breach to date took place this past week. Epsilon, an online marketing corporation that sends out over 40 billion emails a year, had its list of email addresses stolen by sophisticated cyber thieves. Epsilon handled the email campaigns of some of the largest corporations in the country: Best Buy, Walgreens, JPMorgan Chase, Capital One, and more. The breach has put many internet users on heightened alert, and for good reason.

Many have stated that the breach didn't cause a whole lot of damage, as all the cyber thieves stole was a list of email addresses. However, with these addresses they can conduct one of the largest phishing attacks we've ever seen.

In an interview with a local news affiliate, Steve J. Bernas, president and CEO of the Better Business Bureau serving Chicago & Northern Illinois, gave this advice to users everywhere: "It's fairly common for identity thieves to impersonate credible organizations with what appears to be legitimate email messages seeking to verify account information." He continues, "Along with attempting to get personal information, phishing attacks are often the source of potentially harmful computer viruses."

With so many of our email addresses floating out in the open, the breach serves as a stark reminder of how to keep our information safe. The first, and most obvious, tip is to never provide account numbers or your social security number by email. No legitimate company will ever require you to send important information like that by email.

With the size and scope that Epsilon's client base covered, all sorts of businesses were affected. According to this report, Epsilon handled over 2,500 clients. With such a large number, phishing attacks could come from all sorts of different directions.

Epsilon has responded to the security breach, apologizing to all of those affected: "We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers," and continuing, "We take consumer privacy very seriously and work diligently to protect customer information."

While having a list of emails won't directly cause harm, it should put all of us at a greater level of awareness. Phishing attacks are more effective than a lot of people give them credit for. The only way to limit their effectiveness is to stay aware, and educate those around us on how to keep safe.

01 April 2011

Keep Your Portable Devices Encrypted

When you're sitting at home or at the office, most physical threats are avoided. To keep people from accessing your computer, simply lock your office door or put your computer to sleep. Unfortunately, most of the steps taken for desktop security aren't available for portable devices. They're easily stolen or misplaced, which can lead to sensitive data being leaked.

Just ask BP, where an employee lost a laptop while on a business trip. The story is of particular note because the laptop stored personal data, including social security numbers and dates of birth. The information belonged to 13,000 people who had submitted claims against the company over the oil spill.

The story shows how vulnerable portable devices are when being transported on long trips, or even short ones. According to a recent study, 30 of 144 announced data breaches occurred on portable devices.

These breaches can be avoided if encryption software is used on the device. The problem is that many companies don't want to invest in the tools. This is a problem that bothers Avivah Litan, an analyst at Gartner Inc.: "There really is no excuse for not encrypting laptops."

Litan argues that the cost of protection is worth it, and that enterprises can find worthwhile discounts: volume prices can drop to as little as $15 per laptop. She calls businesses that know about data encryption but refuse to use it lazy.

Reports of data loss on portable devices will continue to rise if people and businesses keep refusing the encryption option. The practice may add cost, but the consequences of a data leak make it worth the investment.
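Knowing that a laptop fleet is encrypted is only as good as the check behind it. The following added example (not code from the original article) shows one way to audit a Linux laptop for mounted filesystems that are not backed by a dm-crypt/LUKS device, by walking the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints. The device tree embedded below is a constructed sample standing in for a real machine, and the allow-list of mountpoints that may legitimately stay in plaintext is an assumption to adjust to local policy.

```python
"""Audit a Linux block-device tree for mounted filesystems that are not
backed by an encrypted (dm-crypt/LUKS) device.

Added example, not from the original article. Parses the output format of
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; SAMPLE_LSBLK_JSON is constructed.
"""
import json
import subprocess

# Assumption: mountpoints normally left unencrypted on a LUKS layout.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi", "[SWAP]"}

# Constructed sample: sda2 is a LUKS container holding the root filesystem,
# while sdb1 is a plain ext4 partition mounted at /data.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
  ]}
]}
"""


def walk(nodes, encrypted=False, path=()):
    """Yield (mountpoint, device path, encrypted) for every mounted node.

    A node counts as encrypted when it, or any ancestor, is a dm-crypt
    mapping (lsblk TYPE 'crypt'); the flag is inherited down the tree."""
    for node in nodes:
        here = path + (node["name"],)
        enc = encrypted or node.get("type") == "crypt"
        if node.get("mountpoint"):
            yield node["mountpoint"], "/".join(here), enc
        yield from walk(node.get("children", []), enc, here)


def unencrypted_mounts(lsblk_json, allowed=ALLOWED_PLAINTEXT):
    """Return {mountpoint: device path} for mounted filesystems that sit on
    plaintext storage and are not on the allow-list."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return {mp: dev for mp, dev, enc in walk(tree) if not enc and mp not in allowed}


def audit_live_system():
    """Run lsblk on this machine (Linux with util-linux) and audit it."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mp, dev in unencrypted_mounts(SAMPLE_LSBLK_JSON).items():
        print(f"UNENCRYPTED: {mp} on {dev}")
```

Passing an empty allow-list reports `/boot/efi` as well, which is the right behaviour for a policy that requires the whole disk to be encrypted; the default allow-list reflects the common LUKS-on-root layout where the EFI system partition must stay readable by firmware.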