Skype protocol being reverse engineered
A freelance researcher named Efim Bushmanov has created a site named "skype-open-source" and says that he is reverse engineering the VoIP service Skype "to make skype open source". Skype's proprietary protocols have allowed the company to maintain control over its peer-to-peer voice and video communications network and have been the subject of various types of research over the years.
Bushmanov is not taking a clean room approach, where a researcher examines the network inputs and outputs of the software. He has instead opted for the potentially riskier process of modifying the Skype binary files to remove autoupdate, obfuscation and anti-debugging measures. Bushmanov may also be taking a risk by redistributing these modified files; they are easier to decompile and it is easier to trace and log what the code does, but they are still Skype's intellectual property.
Continued : http://www.h-online.com/security/news/item/Skype-protocol-being-reverse-engineered-1254721.html
Also: Skype protocol cracked - what happens next?
Spotting Web-Based Email Attacks
Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, "Google: China Hacked Email."
The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn't exactly news. I'm surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.
Google said "the goal of this effort seems to have been to monitor the contents of targeted users' emails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)"
Continued : http://krebsonsecurity.com/2011/06/spotting-web-based-email-attacks/
Also: Admin: Gmail phishers stalked victims for months
Related: Google: Phishers stole e-mail from U.S. officials, others
E-Mail Fraud Hides Behind Friendly Face
Most people know to ignore the e-mail overture from a Nigerian prince offering riches in exchange for a bank account number. That is a scam, plain to the eye.
But what if the e-mail appears to come from a colleague down the hall? And all he asks is that you add some personal information to a company database?
This is spear phishing, a rapidly proliferating form of fraud that comes with a familiar face: messages that seem to be from co-workers, friends or family members, customized to trick you into letting your guard down online. And it has turned into a major problem, according to technology companies and computer security experts.
On Wednesday, Google disclosed that it had discovered and disrupted an effort to use such pinpoint tactics to steal hundreds of Gmail passwords and monitor the accounts of prominent people, including senior government officials. Secretary of State Hillary Rodham Clinton said Thursday that the F.B.I. would investigate Google's assertion that the campaign originated in China.
Such tactics were also used in an attack on a company called RSA Security, which security experts say may have given hackers the tools to carry out a serious intrusion last month at Lockheed Martin, the world's largest military contractor.
The security specialists say these efforts are a far cry from more standard phishing attempts, which involve spraying the Internet with millions of e-mails that appear to be from, say, Citibank in the hope of snaring a few unfortunate Citibank customers. Spear phishing entails sending highly targeted pitches that can look authentic because they appear to come from a trusted source and contain plausible messages.
As such, the specialists say, the overtures are becoming very difficult for recipients to detect.
"It's a really nasty tactic because it's so personalized," said Bruce Schneier, the chief security technology officer of the British company BT Group. "It's an e-mail from your mother saying she needs your Social Security number for the will she's doing."
Mr. Schneier said the attacks are more like a traditional con game than a technically sophisticated intrusion. "This is hacking the person," he said. "It's not hacking the computer."
Continued : http://www.nytimes.com/2011/06/03/technology/03hack.html
Hotmail and Yahoo users also victims of targeted attacks
Web mail users at Yahoo and Hotmail have been hit with the same kind of targeted attacks that were disclosed earlier this week by Google, according to security software vendor Trend Micro.
Trend Micro described two similar attacks against Yahoo Mail and Windows Live Hotmail in a blog post, published Thursday. "It's an ongoing issue for more than just Gmail," said Nart Villeneuve, a senior threat researcher with Trend Micro. Villeneuve believes that Facebook accounts have also been used to spread similar attacks.
Google made headlines Wednesday after revealing that several hundred Gmail users -- including government officials, activists and journalists -- had been the victims of targeted spearphishing attacks.
Google mentioned phishing on Wednesday, but the criminals have been using other attacks too. In March, Google said that hackers were taking advantage of a flaw in Microsoft's Windows software to launch politically motivated hacks against activists.
Corporate networks have been under attack for years, but hackers now see personal Web mail accounts as a way to get information that can help them sneak into computers that would otherwise be locked down. "People always think of these attacks as isolated cases, but they're more like a series of successful and failed attacks over a longer period of time," Villeneuve said. "It's not a one-off attack."
Continued : http://www.computerworld.com/s/article/9217278/Hotmail_and_Yahoo_users_also_victims_of_targeted_attacks
Also: Report: Gmail Not Alone; Yahoo! And Hotmail Users Phished Also
Northrop Grumman May Have Been Hit by Cyberattack
Northrop Grumman May Have Been Hit by Cyberattack, Source Says
Top military contractor Northrop Grumman Corp. may have been hit by a cyber assault, the latest in a string of alarming attacks against military suppliers, a source within the company told FoxNews.com.
Lockheed Martin said its network had been compromised last week, and defense contractor L-3 Communications was targeted recently, as well. Both intrusions involved the use of remote-access security tokens, experts say.
On May 26, Northrop Grumman shut down remote access to its network without warning -- catching even senior managers by surprise and leading to speculation that a similar breach had occurred.
"We went through a domain name and password reset across the entire organization," the source told FoxNews.com. "This caught even my executive management off guard and caused chaos."
"I've been here a good amount of time and they've never done anything this way -- we always have advanced notice," the person said, speculating that the surprise action was a response to a similar network assault.
Continued : http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/
Friendster password emails spark site hack fears
Multiple users have reported receiving spam emails containing their Friendster password in plain text.
The appearance of the suspicious emails to registered Friendster addresses (widely reported by numerous Twitter users on Thursday) has spawned fears that Friendster's database might have been hacked. An alternative theory is that a partner of the once massive social networking site might have leaked the data.
All this remains unconfirmed. We've asked Friendster for a response but are yet to hear back.
We ran an early blog report explaining the suspicious emails past net security firm Sophos: it said that although any individual report might be circumstantial, the collective weight of reports leaves Friendster with some explaining to do.
In the meantime users who received the suspicious emails would be well advised to change their passwords, especially if they used their Friendster password on other sites.
Friendster was one of the original social networking websites but its position was usurped by MySpace and Facebook, at least in the West, where it has since become a topic of parody. The site remained popular in Asia.
Continued : http://www.theregister.co.uk/2011/06/02/friendster_password_hack_fears/
Also: Emails with Friendster Plain Text Passwords Spark Fears of Hacked Database
Doctor Who Finale Scam Bandwagon Extravaganza of Doom
From the Sunbelt Blog:
The mid-series finale for Doctor Who ("A good man goes to war", fact fans) is rapidly approaching, and big plot twists mean lots of sites trying to take advantage of early spoilers. Oh, and making some spare change at your expense too.
Behold the wonders of Youtube: [Screenshot]
If I were a betting man, I'd be putting lots of money on the fact that none of the above sites actually contain "A good man goes to war", but instead pop survey questions followed by random link dumps. Like this, for example: [Screenshot]
Yeah, you have to watch out for videos having "lenght" problems. Visit the site, and you can expect a content gateway and a collection of surveys to pick and choose from: [Screenshot]
Continued : http://sunbeltblog.blogspot.com/2011/06/doctor-who-finale-scam-bandwagon.html
Pharma Spammers Brandjack YouTube
Spam messages promoting pharmaceutical products have been perhaps the most commonly seen spam attacks over the past several years. Pharmaceutical products are deceptively marketed through spam emails employing a variety of obfuscation techniques. Symantec recently observed a pharmaceutical spam campaign abusing the YouTube brand. Similar spam campaigns abusing popular brands have been seen in the past, however, the email volume observed in this particular spam attack has been immense.
Sample From and Subject lines observed in this spam attack are below.
From: YouTube Service <firstname.lastname@example.org>
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: YouTube Service sent you a message: Best Unrated Videos To Watch
Continued : http://www.symantec.com/connect/blogs/pharma-spammers-brandjack-youtube
Dangerous colours
New techniques for obfuscating malicious code on websites are a good way to mislead both users and protection software alike. Recently, I came across an interesting attack against the osCommerce online shopping platform in which a malicious script was injected into PHP files by exploiting a Remote File Inclusion vulnerability in the osCommerce software. [Screenshot]
Now does it look suspicious enough to you?
Continued : http://www.securelist.com/en/blog/497/Dangerous_colours
How Safe is Your Password?
Symantec's Security Response Blog:
I received reports this week of emails that reference transactions of which the recipients have no knowledge. The email includes a link for more detail, which then attempts to download a ZIP attachment. Nothing new here; most savvy users would know better than to open an attachment in an unsolicited email.
The interesting thing about this email, however, is that it includes a password previously used by the recipient. Seeing private data in an email like this would definitely raise suspicions that the sender has some kind of connection to the recipient, or worse, has compromised their account details. The ultimate goal for the sender is that the user's curiosity would be piqued sufficiently to open the attachment which would, of course, deliver the inevitable malware payload.
Symantec detects the file as Trojan.Zbot, also called Zeus, which is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information.
So how did these scammers get the passwords? It seems fairly certain that a Web site database has been compromised. A number of sources on the Internet believe it was a major international social gaming Web site which is now most popular in Asia.
Continued : http://www.symantec.com/connect/blogs/how-safe-your-password
Electronic Health Records: A Ticking Time Bomb?
TrendLabs Malware Blog:
The various security issues inherently unique to the healthcare sector are an area which I have been following pretty closely over the course of the past couple of years, for a few reasons.
First - and thankfully - there appears to be increasing concern in the healthcare industry that the recent spate of security breaches could bleed over into the healthcare sector, and could have an adverse effect on the already troubled industry. As reported in the New York Times on Monday (https://www.nytimes.com/2011/05/31/business/31privacy.html), there is a renewed emphasis on the protection of patient medical data, in the face of an onslaught of consumer privacy data breaches.
As stated in the Times article, "...in the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to the government data."
These numbers seem to grow with time, and it is especially troubling that these "improper exposures" have not received the same notoriety that similar data breaches have received in other industries.
I think that number may be somewhat misleading, or may only deal with "improper disclosures", since a still unidentified party hacked into the online systems of the Virginia Prescription Drug Monitoring Program in a 2009 incident, allegedly stole approximately 8.3 million patient records, and demanded a $10 million ransom.
Continued : http://blog.trendmicro.com/electronic-health-records-a-ticking-time-bomb/
Anonymous leaks 10,000 'top secret' Iranian gov't emails
Hacker group Anonymous has successfully stolen and released more than 10,000 emails from Iran's Ministry of Foreign Affairs. And more attacks on the repressive regime are "in the works."
Hacker group Anonymous has leaked 10,365 "top secret" emails from Iran's Ministry of Foreign Affairs. Anonymous says the files were accessed after the group infiltrated the Iranian Passport and Visa Office email center. All the files are currently available for download from the MediaFire website, as well as BitTorrent sources.
Most of the emails concern standard visa applications for "an oil meeting," according to an unnamed source who spoke with the International Business Times. And "many" of those are reportedly for people "from China." A quick perusal of the files shows that, in most cases, the emails are from Iranian government officials alerting visa applicants of their status.
The initial attack apparently took place a number of days ago, and the Iranian government has been actively trying to keep news of the breach covered up. Tehran has yet to admit publicly that the breach and data theft ever occurred. An Anonymous member said that the attacks were carried out in an attempt to damage Iran's image in "both cyber space and the real world."
Continued : http://www.digitaltrends.com/computing/anonymous-leaks-10000-top-secret-iranian-govt-emails/
TDSS loader now got "legs"
The loader of TDSS, a malicious program about which we have written many times (e.g., here and here) has now got legs, i.e. a self-propagation mechanism. TDSS is a very sophisticated piece of malware, and the cybercriminals have created an ingenious propagation mechanism for its loader.
The TDSS loader was named Net-Worm.Win32.Rorpian, and uses two methods to spread its code:
1. Via removable media
2. Over the LAN
When spreading via removable media, the worm creates the files setup.lnk, myporno.avi.lnk and pornmovs.lnk in addition to autorun.inf. These files are shortcuts to the file rundll32.exe, with parameters pointing to the worm's DLL. This is a standard technique used by many malicious programs.
When spreading over the local area network, the worm uses the following technique. When infecting a computer, the worm checks if a DHCP server is used on the network. If the victim computer is located on a network which uses the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses on it. Next, the worm launches its own DHCP server and starts listening to the network. If it detects a DHCP request from a computer on the local network, the worm tries to be the first to respond to it, sending the following data:
Continued : http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs
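To make the LAN vector concrete, here is an added example (not code from the Securelist post or from Kaspersky) of how a defender can spot the race described above from captured DHCP traffic. It parses raw BOOTP/DHCP payloads, flags any DHCPOFFER whose server identifier (option 54) is not an authorised server, and flags transactions that received offers from more than one server, which is exactly what happens when a rogue server tries to answer a request before the real one. The authorised-server address and the captured packets are constructed for the example (the payloads are built by build_dhcp).

```python
"""Detect rogue DHCP servers from captured DHCP OFFER payloads.

Added example, not from the Securelist post or Kaspersky's tooling.
The authorised-server list and the "captured" packets are constructed
for illustration; build_dhcp() assembles them from scratch.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPOFFER = 2
AUTHORISED = {"192.0.2.1"}          # assumed: the one legitimate DHCP server


def build_dhcp(op, xid, yiaddr, options):
    """Build a raw BOOTP/DHCP payload (what sits inside the UDP datagram).

    Fixed header per RFC 2131: op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    """
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Parse the fixed header and the TLV option list into a dict."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    xid = struct.unpack("!I", data[4:8])[0]
    yiaddr = str(IPv4Address(data[16:20]))      # the address being offered
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                           # pad byte, no length field
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": data[0], "xid": xid, "yiaddr": yiaddr, "options": opts}


def find_rogue_offers(payloads, authorised=AUTHORISED):
    """Return alert strings for unauthorised OFFERs and for transactions
    (same xid) that were answered by more than one server."""
    alerts, servers_by_xid = [], {}
    for data in payloads:
        msg = parse_dhcp(data)
        o = msg["options"]
        if o.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        server = str(IPv4Address(o[OPT_SERVER_ID])) if OPT_SERVER_ID in o else "unknown"
        router = str(IPv4Address(o[OPT_ROUTER][:4])) if OPT_ROUTER in o else None
        if server not in authorised:
            alerts.append("rogue OFFER xid=%#x server=%s leases %s router=%s"
                          % (msg["xid"], server, msg["yiaddr"], router))
        servers_by_xid.setdefault(msg["xid"], set()).add(server)
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            alerts.append("xid=%#x answered by %d servers: %s"
                          % (xid, len(servers), sorted(servers)))
    return alerts


def sample_capture():
    """Constructed capture: a rogue OFFER racing the legitimate one for
    transaction 0x1234 (the rogue also hands out its own DNS server),
    followed by an unrelated legitimate OFFER."""
    legit = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
             (OPT_SERVER_ID, IPv4Address("192.0.2.1").packed),
             (OPT_ROUTER, IPv4Address("192.0.2.1").packed)]
    rogue = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
             (OPT_SERVER_ID, IPv4Address("192.0.2.77").packed),
             (OPT_ROUTER, IPv4Address("192.0.2.77").packed),
             (OPT_DNS, IPv4Address("198.51.100.9").packed)]
    return [build_dhcp(2, 0x1234, "192.0.2.50", rogue),
            build_dhcp(2, 0x1234, "192.0.2.50", legit),
            build_dhcp(2, 0x5678, "192.0.2.51", legit)]


if __name__ == "__main__":
    for line in find_rogue_offers(sample_capture()):
        print(line)
```

In practice the payloads come from UDP port 67/68 traffic in a capture or from a listener on the segment. On managed switches, DHCP snooping drops OFFERs arriving on untrusted ports outright and is the preferred control; the script above is the detective counterpart for segments where that is not available.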
Facebook phishing: Can you spot the difference?
We've seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.
Here's a typical message: [Screenshot]
hello have you seen this recent video on the president? What is he doing in it?! LOL
What's the president doing in this video. OMG LOL!
Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with ".co.cc" contain "bad stuff". Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.
And what sort of name is hzjqorbbmdnf anyway?
Regardless of the dodgy-looking nature of the link - what happens if you click on it?
Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it's a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they'll type in their credentials without thinking.
Here's the fake login page:
Continued : http://nakedsecurity.sophos.com/2011/06/03/facebook-phishing-spot-the-difference/
Hackers say Acer breach leaked data for 40,000 users
Hackers say they breached the website security of computer-maker Acer and made off with data for 40,000 of its customers.
Screenshots posted on Friday on The Hacker News appeared to show the purchase histories, names, email addresses, and partial addresses and phone numbers for a limited number of customers stored on acer-euro.com. The site said members of the Pakistan Cyber Army were behind the attack and planned to release the data in the next 24 hours.
"We got mail from PCA that they successfully hacked the FTP of ACER and Stole around 40,000 Users Data, Various Source Codes stored on server," The Hacker News said.
The report comes as dozens of companies and government agencies, including RSA, the Fox network, and the State of Massachusetts, have suffered security breaches that have leaked sensitive consumer information or proprietary company data. At the top of the list is Sony, which over the past six weeks has been the target of a series of devastating hacks that have exposed details for more than 100 million customers, including one that surfaced on Thursday.
In some of the cases, the breaches were the result of targeted phishing campaigns, while in others hackers gained entry by exploiting easy-to-spot vulnerabilities in the companies' website applications.
Continued : http://www.theregister.co.uk/2011/06/03/acer_customer_data/
Oracle JavaSE Critical Patch Update Pre-Release Announcement
Oracle Java SE Critical Patch Update Pre-Release Announcement - June 2011
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for June 2011, which will be released on Tuesday, June 7, 2011. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
This Critical Patch Update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. This Critical Patch Update contains 17 new security vulnerability fixes. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 10.0.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the following products:
• JDK and JRE 6 Update 25 and earlier for Windows, Solaris, and Linux
• JDK and JRE 5.0 Update 29 and earlier for Windows, Solaris and Linux
• SDK and JRE 1.4.2_31 and earlier for Windows, Solaris and Linux
Oracle Java SE Executive Summary
This Critical Patch Update contains 17 new security vulnerability fixes for Oracle Java SE. All these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Mac scareware gang, Apple trade blows yet again
"Newly-named 'MacShield' appears, Apple issues detection update to warn Snow Leopard users"
Scareware makers on Friday again changed their fake security software scam, while Apple issued the third signature update in as many days to combat the con.
The newest version of what's generically called "MacDefender" appeared Friday, according to a pair of security companies. The phony antivirus program now goes by the name "MacShield," the fifth title since the early-May appearance of the scheme.
Apple in turn released another signature update early Friday to XProtect, the bare bones anti-malware tool tucked into Mac OS X 10.6, aka Snow Leopard. According to logs on several Macs, Apple started pushing the update -- the third in the last three days -- a few minutes after midnight GMT, or around 7 p.m. Thursday ET.
The new signature was labeled "OSX.MacDefender.D" by Apple.
According to Peter James, a spokesman for the French antivirus firm Intego, Apple's MacDefender.D signature detects the MacShield variant, warning users after they've downloaded it and urging them to toss the file into the Trash.
Apple initially updated Snow Leopard on Tuesday with signatures to sniff out two previous versions of the "scareware" and to provide users a tool that scrubbed infected Macs of the phony software.
Continued : http://www.networkworld.com/news/2011/060311-mac-scareware-gang-apple-trade.html
From Intego: MacDefender Changes Name Again: Now MacShield
China says it's not behind Google email hacking
China denied it supports hacking activities and said it is part of global efforts to combat computer security threats Thursday, a day after Google disclosed some of its email users suffered hacking attacks that originated within the country.
Google disclosed Wednesday that personal Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists, had been breached.
Google traced the origin of the attacks to Jinan, China, the home city of a military vocational school whose computers were linked to an assault 17 months ago on Google's systems.
China is firmly opposed to activities that sabotage Internet and computer security, including hacking, Foreign Ministry spokesman Hong Lei told reporters Thursday.
Hong said hacking was a global problem and Chinese networks had also been targeted by hackers, but he gave no specifics. He said China was working to crack down on the problem, but he didn't respond when asked whether it would investigate this specific incident.
"Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives," Hong said.
U.S. authorities were investigating Google's disclosure, the coordinator for cyber issues at the U.S. State Department said Thursday in London. Christopher Painter said the hacking illustrated a problem of attribution in cyberspace.
Continued : http://news.yahoo.com/s/ap/20110602/ap_on_hi_te/as_china_google
Also: China denies role in latest Google attack
Should You Start Lying Online?
From TrendLabs Malware Blog:
Provocative headline, isn't it? Well, yes, but stay with me for a bit. Let me explain why lying online may be a good thing.
If you're not worried about data breaches yet, you ought to be. It seems that data loss issues have been cropping up left and right. In an ideal world, sites and institutions would do a much better job of securing our data. However, we're not yet in that ideal world, so we just have to deal with the consequences.
Unfortunately, the advice that's normally given tends to amount to "be careful about what you were already doing." The truth is that once your data has been stolen, it's out in the wild for online crooks to play with. You may not suffer immediate problems (not unless your financial information was leaked), but I'd still rather not have my e-mail address in an online gang's address book.
The bottom line is that everyone online (that means you and me, reader) has to be responsible for their data. Too many sites ask for too much information which you may not want them to know. Does a message board really need to know how much money you earn, what industry you work in, or what your birthday is?
The question then is when should you give out real information? If something involves money (i.e., buying or selling something) it's not a time to lie. If it involves the government or any other group where there would be real consequences to giving out the wrong information ("lying," as it were), don't. If it's something much less important, though, like joining a message board, you may want to consider "lying", or giving out false information. Why not? Your real information is too valuable for you to hand over too casually, especially since it can be used for marketing or advertising purposes.
Continued : http://blog.trendmicro.com/should-you-start-lying-online/#more-34533