NEWS - June 20, 2011

Sega says 1.3 million users affected by cyber attack

Japanese video game developer Sega Corp said on Sunday that information belonging to 1.3 million customers has been stolen from its database, the latest in a rash of global cyber attacks against video game companies.

Names, birth dates, e-mail addresses and encrypted passwords of Sega Pass online network members had been compromised, Sega said in a statement, though payment data such as credit card numbers was safe. Sega Pass had been shut down.

"We are deeply sorry for causing trouble to our customers. We want to work on strengthening security," said Yoko Nagasawa, a Sega spokeswoman, adding it is unclear when the firm would restart Sega Pass.

The attack against Sega, a division of Sega Sammy Holdings that makes game software such as Sonic the Hedgehog as well as slot machines, follows other recent significant breaches including Citigroup, which said over 360,000 accounts were hit in May, and the International Monetary Fund.

The drama surrounding the recent round of video game breaches paled compared to what PlayStation maker Sony Corp experienced following two high-profile attacks that surfaced in April.

Those breaches led to the theft of account data for more than 100 million customers, making it the largest ever hacking of data outside the financial services industry.

Continued :

Sega's saggy security
Sega Says More Than One Million Affected By Sega Pass Breach
Reports: Sega customer database hacked
Attackers Exploiting Critical Flash Bug Via Drive-By Download

Attackers have begun actively exploiting the critical Adobe Flash vulnerability that Adobe patched last week, using rigged Web pages and phishing techniques to compromise vulnerable machines. The attack code is being hosted on a number of sites around the Web right now, researchers said.

Adobe warned last week when it released a patch for the bug that the vulnerability in Flash can be used for remote code execution, and that's being proven out right now. Researchers at Websense have found a number of sites that are rigged with malicious code designed to exploit the Flash vulnerability and the exploit itself is using some rather advanced techniques in order to compromise users' machines.

The attack begins as most drive-by download attacks do, with a user visiting a malicious site with a browser running a vulnerable version of Flash. The site loads a malicious Flash file, which contains the exploit for the Flash bug and begins the exploitation chain. From there, the interesting parts kick in.

Continued :

Related: Attackers exploit latest Flash bug on large scale, says researcher
Look out! Outlook phishing form spammed out

Are you an Outlook user? Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?

Here's an email message that we have seen sent out to internet users: [Screenshot]

Subject: Notification from Microsoft Outlook - please read

Message body:
Dear Microsoft Outlook username,

Please download and open attachment to reconfigure your Microsoft Outlook information again.

If you do make the mistake of opening the attached file, you will be presented with a form which asks you for all the information a remote hacker would need to access your email account. [Screenshot]

Don't make it easy for the phishers, the spammers, the identity thieves and hackers to break into your online accounts. Messages like this should always be treated as highly suspicious.

Software Cracks: A Great Way to Infect Your PC

I often get emails from people asking if it's safe to download executable programs from peer-to-peer filesharing networks. I always answer with an emphatic "NO!," and the warning that pirated software and cracks - programs designed to generate product keys or serial numbers for popular software and games - are almost always bundled with some kind of malware. But I seldom come across more than anecdotal data that backs this up.

Recently, I heard from Alfred Huger, vice president of engineering at Immunet, an anti-virus company recently purchased by Sourcefire. Huger was reaching out to offer feedback on my 3 Rules for Online Safety post. He told me that the rules should have included this warning: Do not download pirated software and cracks from filesharing networks and cracks sites because they are a major source of malware infections.

I replied that people who knowingly engage in this type of risky behavior probably don't care much about my three rules, and that the advice was meant for people who were interested in learning how to stay safe online. But I was curious about his comment, and asked if he had data to support it. Huger said these types of infections were closely correlated with cases in which Immunet users opted to dispute its malware detection for specific files. Files that are "convicted" by anti-virus programs are considered malicious and are placed in a quarantine area on the user's system. But if users still want to access the file, or they don't believe or care that it's malicious, they can reverse or "roll back" that conviction.

Continued :

Mozilla to add built-in PDF viewer to Firefox

Mozilla is working on a project that will add PDF rendering to Firefox using HTML5 and JavaScript, eliminating the need for users to run Adobe's own plug-in.

The PDF reader may be included in Firefox within three months, said Andreas Gal, a Mozilla researcher who on Wednesday unveiled work the company had done quietly for the last month.

If Mozilla follows through on its plans, it would make Firefox the second major browser -- after Google's Chrome -- to offer in-browser PDF rendering.

But while Chrome relies on an API (application programming interface) to craft its own native-code plug-in, Mozilla will exclusively use HTML5 and JavaScript to display Adobe's popular document format.

Gal touted that as more secure.

"The traditional approach to rendering PDFs in a browser is to use a native-code plug-in, either Adobe's own PDF Reader or other commercial renderers, or some open-source alternative," Gal said in a post to his personal blog.

"From a security perspective, this enlarges the trusted code base, and because of that, Google's Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems," he said.

Continued :

Bitcoin flattened by sell-and-buy theft

Bitcoin is a great idea. The digital currency threatens to undermine traditional banks - and those thieving scoundrels deserve to have their hand-stitched rugs pulled from beneath their feet.

Now we learn that the main Bitcoin exchange, Mt. Gox, suffered a database breach in which a system auditor who had read-only access to the database had their computer compromised. The infiltrator - who was using a Hong Kong-based IP address - cleaned out one big account and flogged its contents, buying them back directly after he'd effectively crashed the currency to cut the Coin's notional value from over $17 to less than a single cent. Unfortunately for the rogue trader there was a $1000 per day withdrawal limit on the account, so s/he could only get out with $1000 worth of coins.

The sale of the coins took place overnight and was captured on video here.

Mt. Gox said it was investigating the incident and was working on various fixes. "The Bitcoin will be back to around 17.5$/BTC after we roll back all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST)," the outfit said.

Apart from the single hack, "no account was compromised, and nothing was lost," the statement continues. "Due to the large impact this had on the Bitcoin market, we will roll back every trade which happened since the big sale, and ensure this account is secure before opening access again."

Continued :

Also: Bitcoin collapses on malicious trade

Related: Symantec Uncovers Bitcoin-Stealing Trojan

ICANN approves new top-level domains: Now .anything possible

Forget .com: ICANN has made it now possible to create an almost limitless number of custom domain names, a move the organization believes could usher in a new Internet boom.

In the most significant change to domain name regulations since the institution of .com, the Board of ICANN, the body that regulates how domain names work, has approved the creation of new generic top-level domains (gTLDs) that will allow for a near-infinite variety of new website addresses. The colossal decision not only enables corporations and other organizations to create domains like drink.coke or, but they could theoretically create .almost .anything .they .can .think .of.

"ICANN has opened the Internet's addressing system to the limitless possibilities of the human imagination. No one can predict where this historic decision will take us," said Rod Beckstrom, President and chief executive of ICANN in a statement.

"Today's decision will usher in a new Internet age," said Peter Dengate Thrush, chairman of ICANN's Board of Directors told reporters. "We have provided a platform for creativity and inspiration, and for the next big dot-thing."

Despite these claims of grandeur, three massive barriers will hold back the onrush of new domains. First, the price: new custom domains available through the program will cost $185,000 to register. Second, those seeking to acquire one of these new domains must prove the legitimacy of their claim to the terms they want to use in their web address. Third, only "established public or private organizations" can apply. And those that do must prove that they have the technological infrastructure to support the domain.

Continued :

Also: ".brands" approach with Internet name shake-up

Spam storm clogs the Kindle self-publishing platform

The Kindle's ebook store has become a new outlet for self-publishing spammers in the past few months, forcing users to wade through a growing amount of low-value, subpar content to get to the titles they want. This recent trend may be damaging to Amazon's push into self-publishing and may even dig into the Kindle's reputation, hurting the 10 percent of business Citigroup analysts say the product will account for in 2012.

Spammers are exploiting something known as PLR content, or Private Label Rights. Though there is potential for this work to be of high quality, PLR allows someone to grab informational content for free or for very cheap on the internet and reformat it as a digital book. The form of PLR these spammers use tends to be poorly written, generic and lets them put anyone's name on it, slap a catchy title and churn it out for 99 cents. Amazon then pays out 30 to 70 percent of the revenue.

Sometimes these ebooks will just be stolen content from actual work. Reuters points out a case concerning a New Zealander and her debut historical novel, which she found being sold on the platform under a different author's name. The case was resolved by Amazon's British team, but it points to a larger issue. Reuters cited Internet marketer Paul Wolfe, who explained that the common tactic involves copying a bestselling ebook and repackaging it with a new title and cover.

Continued :

Also: Beware of Spam Titles in Kindle Store

Hackers might face stiffer sentences in U.S.

Even before a loosely organized group of hackers broke into the CIA's and Senate's public websites, the White House asked for stiffer sentences for breaking into government and private computer networks.

Last month the Obama administration pressed Congress to pass stronger cybersecurity measures, including a doubling of the maximum sentence for potentially endangering national security to 20 years in prison.

While it remains to be seen if the proposal will become law, the question of how to fight cyber-crime has risen to the fore in recent weeks with a spate of high-profile, and sometimes, sophisticated, attacks.

The computer break-ins have targeted multinational companies and institutions, including Sony Corp, Citigroup and the International Monetary Fund. Sony faces dozens of lawsuits related to the theft of consumer data from its Playstation network.

Also, in the latest flurry of hack-ins, the loosely organized group Lulz Security said it broke into the Senate's and CIA's public websites, as well as Sony and other targets.

Continued :

Also: Hackers may face 20 years in jail if seen to threaten US national security

Searches for iCloud Unveil FAKEAV

Everyone's talking about the upcoming iCloud, Apple's newest cloud services offering. From Steve Jobs' announcement earlier this month at the annual Worldwide Developers Conference (WWDC), to the recent Apple trademark lawsuit, iCloud is easily one of today's fast-rising topics. In the course of our research, we discovered several attempts to take advantage of the "iCloud" keyword by cybercriminals behind fake antivirus malware.

Cybercriminals typically use search engine optimization (SEO) poisoning techniques to trigger malicious URLs hosting FAKEAV malware. These blackhat SEO techniques use Google as their referrer to run the malicious file download. In this case, the file downloaded is one named SecurityScanner.exe, which Trend Micro detects as TROJ_FAKEAV.HKZ. [Screenshot]

Using the keyword "icloud mymobi" results in a possibly malicious URL. MyMobi appears to be a compromised news site about gadget information. We've previously blocked the site because of the malicious activity, but since the site appears to have since been cleaned up, it is now unblocked. In the image pictured above, the domain is infected with files containing the file name ".php3?" and the "icloud" keyword. In this instance, hackers insert topics containing keywords to gain high page ranking in Google search results for phishing bait, specifically for the rogue antivirus software, Windows Antispyware for 2012. [Screenshot]

Continued :

LulzSec claims Soca hack

The hacker group LulzSec claims to have attacked the website of the UK's Serious Organised Crime Agency, also known as Soca.

In a message posted to Twitter at around 4:45pm UK time on Monday, LulzSec stated: "Tango down - - in the name of #AntiSec." The hashtag 'AntiSec' is a reference to an 'Anti-Security' campaign launched by LulzSec on Sunday, to "encourage any vessel, large or small, to open fire on any government or agency that crosses their path".

At the time, LulzSec claimed to be affiliated with rival hacker group Anonymous on the Anti-Security mission.

ZDNet UK can confirm that the website was indeed down for a few minutes, although it is now up and running again. (UPDATE: As at 7:30pm, the Soca website has been going down and coming back up repeatedly; when up, it is frequently very slow to load).

"We are aware of claims that the Soca website has been attacked," a Soca spokesman told ZDNet UK. "The picture is not clear at this time and we are investigating the matter with our service provider."

LulzSec has previously hacked games and entertainment companies, the NHS, the US Senate and the CIA.

Also: SOCA website scalp claimed by LulzSec in apparent DDoS attack

Free Service helps companies keep Web browsers secure

Qualys announced BrowserCheck Business Edition, a new free service helping organizations identify and fix browser security issues.

The service gives IT administrators a clear view of web browser security across their organizations, and allows them to work with users to fix any security issues.

Security flaws in web browsers and their plug-ins are often the preferred target of malware attacks - especially as people increasingly use their browsers for activities including using web applications, conducting business transactions, using social media and web surfing.

Inside companies, network and desktop administrators responsible for information security of an organization do not have visibility into the state of browser and browser plug-in information within their environments.

Using Qualys BrowserCheck, a service that scans web browsers and plug-ins and provides remediation instructions for any security issues, Qualys BrowserCheck Business Edition helps companies protect computer users from browser-related security issues, while providing administrators with a clear view of browser security across their organizations.

Continued :

Attack on Israeli Certificate Authority

For security reasons, the Israeli StartSSL Certificate Authority (CA) has temporarily suspended all its certification services. Apparently, attackers attempted to bypass the authority's security systems and intrude into its servers.

Talking to The H's associates at heise Security, StartSSL's CEO Eddy Nigg said that the attackers' goals were similar to those behind the intrusions into the reseller servers of StartSSL's competitor Comodo - to issue unauthorised SSL certificates (for already existing domains). However, the CEO said that the latest attacks were unsuccessful. The incident, which happened on 15 June, is still under investigation. According to StartSSL, the security of existing certificates is not affected.

The CA is part of StartCom and is one of the few authorities where users can obtain free SSL certificates which are valid for a year. The root certificates are included in all modern browsers, but users may need to provide an intermediate certificate when using them on their own servers. The article "SSL for free - Setting up free certificates" demonstrates how to apply for a StartSSL certificate (once the site is back up and running) and implement it, and the intermediate certificate, on an Apache web server.

Mozilla rejects Microsoft's WebGL criticism

Mozilla's VP of Technical Strategy, Mike Shaver has rejected Microsoft's criticism of WebGL in which it said it would not implement the 3D graphics standard because of security issues in the design. Shaver says that "there is no question that the web needs 3D capabilities" to enable developers to create "advanced visualisations, games or new user interfaces" and points at Molehill (Adobe's 3D for Flash) and Microsoft's Silverlight 3D which are offering just those capabilities.

Shaver says that parts of the application stack, such as font engines, video codecs and image libraries, have been exposed in the past when new capabilities have been added and that these new threats were then "modelled, understood and mitigated". Pointing out mitigation strategies already built into Mozilla's Firefox stack - such as drivers being blocked if they are not on a whitelist and shader code being checked for validity - he believes that these, and future extensions, will make the WebGL platform more robust.

"It may be that we're more comfortable living on top of a stack we don't control all the way to the metal than are OS vendors" says Shaver in closing, "but our conversations with the developers of the drivers in question make us confident that they're as committed as us and Microsoft to a robust and secure experience for our shared users".

Continued :

Microsoft Considers WebGL a Security Risk
Hole found in Firefox 4 WebGL implementation

Quantum crypto felled by 'Perfect Eavesdropper' exploit

Researchers have devised a technique for eavesdropping on communications secured through quantum cryptography that allows an attacker to surreptitiously construct the secret key encrypting the secret content.

The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system, namely that the use of properties rooted in quantum physics offers a theoretically fool-proof way for parties to exchange the secret key securing their communications without being intercepted. QKD, or quantum key distribution, allows a trusted party to construct a key by transmitting light to the other trusted party one photon at a time and then measuring their properties.

In theory, anyone monitoring the transmissions passing between the two parties will automatically be detected because in the world of quantum mechanics the act of eavesdropping taints the key in ways that are clear to the trusted parties.

The researchers, from the National University of Singapore, the Norwegian University of Science and Technology, and the University Graduate Center in Norway, were able to compromise the QKD by making the key exchange behave in a classical way. Using readily available equipment that fits inside a suitcase, they intercepted single photons traveling over a 290-meter fiber link network and then re-emitted the corresponding pulses of light.

Continued :
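To make concrete the claim above that eavesdropping "taints the key in ways that are clear to the trusted parties", here is an added toy simulation of BB84-style key distribution (not code from the article or the researchers): a naive intercept-and-resend eavesdropper who measures each photon in a guessed basis and re-emits it pushes the error rate in the sifted key to about 25%, which the two parties catch by comparing a sample. The photon model and the 11% abort threshold are simplifying assumptions; the hardware-level detector control the researchers used to avoid leaving this signature is not modelled.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal encoding bases

def prepare(bit, basis):
    """A photon is modelled as (bit value, basis it was encoded in)."""
    return (bit, basis)

def measure(photon, basis, rng):
    """Measuring in the right basis recovers the bit; the wrong basis
    destroys the information and yields a random outcome."""
    bit, encoded_basis = photon
    if basis == encoded_basis:
        return bit
    return rng.randrange(2)

def bb84_round(n, eavesdrop, seed):
    """Send n photons from Alice to Bob, optionally through an
    intercept-and-resend eavesdropper, and return sifted-key statistics."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]

    photons = [prepare(b, s) for b, s in zip(alice_bits, alice_bases)]
    if eavesdrop:
        # Eve does not know Alice's basis: she guesses, measures, and re-emits
        # a fresh photon encoded in the basis she guessed. Half the time she
        # guesses wrong, and half of those photons then read wrong at Bob.
        eve_bases = [rng.choice(BASES) for _ in range(n)]
        photons = [prepare(measure(p, eb, rng), eb)
                   for p, eb in zip(photons, eve_bases)]

    bob_bits = [measure(p, bb, rng) for p, bb in zip(photons, bob_bases)]

    # Sifting: over a public channel Alice and Bob reveal only their bases and
    # keep the positions where they happened to agree.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0  # quantum bit error rate
    return {"sifted": len(sifted), "errors": errors, "qber": qber}

def eavesdropper_detected(result, threshold=0.11):
    """Abort the key if the sampled error rate exceeds the threshold.
    11% is an assumed, commonly quoted BB84 security bound, not from the page."""
    return result["qber"] > threshold

if __name__ == "__main__":
    clean = bb84_round(4000, eavesdrop=False, seed=1)
    tapped = bb84_round(4000, eavesdrop=True, seed=1)
    print("no eavesdropper:", clean, "abort:", eavesdropper_detected(clean))
    print("intercept-resend:", tapped, "abort:", eavesdropper_detected(tapped))
```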

Anonymous, LulzSec Groups Team Up In 'AntiSec' Hacking Campaign

"Government agencies, banks, in the bull's eye as hactivists vow to grab classified information, email spools"

The Anonymous and LulzSec hacker groups have teamed up to target government agencies and banks and leak any classified information -- including emails -- in a hacking operation they have dubbed "AntiSec."

The first victim of the new wave of attacks was the U.K.'s Serious Organised Crime Agency (SOCA), whose website was down for a while today but is now back up and running. LulzSec took credit for the outage, but warned that DDoS was only one of its weapons. "DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes," the group posted today via its Twitter account.

The loosely affiliated hacktivist group announced its intentions via Twitter and a posting on Pastebin this morning. "Welcome to Operation Anti-Security (#AntiSec) - we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word "AntiSec" on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships," the posting said, encouraging volunteers to join in the hacking of government agencies and banks and other major organizations.

Continued :
