Thursday, April 28, 2011

SECURITY - Cybercrime With World-Wide Impact

"Sony PlayStation System Hacking Incident Highlights Web-Security Gaps" PBS Newshour Transcript 4/27/2011 (includes video)

Excerpt

RAY SUAREZ (Newshour): The latest episode involved millions of people around the world who use Sony's PlayStation video game system and who may have had their credit card information stolen in a hacking incident.

The intrusion caused the company to shut down PlayStation's Internet network a week ago. It provides access to online gaming, music, movies, sports and TV shows. Seventy-seven million user accounts were disconnected worldwide. But it wasn't until yesterday that Sony disclosed a hacker obtained information, including players' names, addresses, birth dates, email addresses, passwords and log-in names.

And on the company's blog, Sony spokesman Patrick Seybold said, "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."

Near Sony headquarters in Tokyo, some said the breach may stop them from using PlayStation.

KAZUNORI SANO, resident of Tokyo (through translator): I will be afraid of playing with the game machine after hearing of this. I don't want my credit card information to be leaked out somewhere else in the world.

RAY SUAREZ: And in Australia, police urged PlayStation users to be vigilant.

DETECTIVE SUPERINTENDENT COL DYSON, New South Wales State Police Force: It would appear that the risk in relation to credit cards may be low. But if people have concerns, they should be talking to their banks and watching for unauthorized usage of the cards.

RAY SUAREZ: Some industry experts say the scale of the breach could cost the company billions of dollars.

THOMAS PUHA, "Pelaaja": This is going to have a very negative impact on a business that they have built up, because I think a lot of -- obviously, a lot of consumers will really be very wary of putting their credit card information back online or even buying anything.

RAY SUAREZ: Sony said it expects the PlayStation Network to be restored in a week. In the meantime, an outside security firm has been hired to investigate what Sony deems the malicious intrusion.

For a closer look at all this, we turn to Kevin Poulsen, senior editor at Wired.com. A former hacker himself, he's also author of a new book, "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground."

And, Kevin, for those people who aren't gamers, why would you have to load personal information into a game console in the first place?

KEVIN POULSEN, Wired.com: Well, a lot of gaming takes place now online. You have multiplayer games where you could play with or against opponents live in real time.

And, of course, a game console isn't just a game console anymore. You want to be able to download movies and other content. And all -- you pay for all of that, which means you have to give up this information.

RAY SUAREZ: Sony says it has no direct evidence that credit card numbers were taken, but it says -- quote -- "We cannot rule out the possibility."

When you have had a breach, when someone has been rifling around in your files electronically, can you tell what they have seen and what they haven't?

KEVIN POULSEN: There are usually -- there's usually some kind of trail left, yes. But if the hacker is good and took steps to cover his or her tracks, then it could -- it could take a while to extract that.

I imagine that's why Sony took so long to announce this. They were probably hoping to find better news. They were probably hoping to find evidence that the -- that information wasn't accessed. Now that they have brought in an outside company, I expect they will know a lot more than they do now, eventually. Of course, they -- they may know more than they're telling us now.

RAY SUAREZ: The PlayStation system has been down for over week, disappointing a lot of people who are frequent users.

Does that long-term shutdown tell you something about the seriousness of the breach, that they're not patching it, but rebuilding the whole network?

KEVIN POULSEN: Absolutely.

It's a really radical measure to take. And it's surely going to cost them a lot of money and a lot of fan loyalty. There are people that aren't even going care about the breach itself who are just going to be extremely angry that they were denied access to the PlayStation Network for so long. So, it's bad news all around.

If this had just been a casual intruder, a recreational intruder, some kid working from his bedroom, I doubt they would have taken this measure. So, they probably have some indication that this was a serious, focused attack.

RAY SUAREZ: Well, as we reported earlier, they got user names, passwords, various other kinds of personal information. What's the risk to account holders at this point?

KEVIN POULSEN: You know, the biggest risk is probably with the personal information, especially the passwords, because a lot of people use the same passwords everywhere.

So, that, coupled with your email address and your real name and your date of birth, the hackers will, if this was done for profit, then, all of that could wind up being sold on the black market, probably for a nice sum of money.

And then, whoever buys it, other computer intruders could use the information to try and hack into other accounts held by these PlayStation Network users. It could be anything from Facebook to online banking. You could use it to stage scams targeting the users in other ways.

So, it could be -- it could wind up that this becomes the first stage in a lingering problem that haunts users for a long time, if, in fact, that that was the nature of the breach.

Stress this quote, "You know, the biggest risk is probably with the personal information, especially the passwords, because a lot of people use the same passwords everywhere."

HINT, do not use the same password for all your online accounts.

Thursday, April 7, 2011

SECURITY - Vulnerability of Internet Certificates

"An Attack Sheds Light on Internet Security Holes" by RIVA RICHMOND, New York Times 4/6/2011

Excerpt

The Comodo Group, an Internet security company, has been attacked in the last month by a talkative and professed patriotic Iranian hacker who infiltrated several of the company’s partners and used them to threaten the security of myriad big-name Web sites.

But the case is a problem for not only Comodo, which initially believed the attack was the work of the Iranian government. It has also cast a spotlight on the global system that supposedly secures communications and commerce on the Web.

The encryption used by many Web sites to prevent eavesdropping on their interactions with visitors is not very secure. This technology is in use when Web addresses start with “https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers. These sites rely on third-party organizations, like Comodo, to provide “certificates” that guarantee sites’ authenticity to Web browsers.

But many security experts say the problems start with the proliferation of organizations permitted to issue certificates. Browser makers like Microsoft, Mozilla, Google and Apple have authorized a large and growing number of entities around the world — both private companies and government bodies — to create them. Many private “certificate authorities” have, in turn, worked with resellers and deputized other unknown companies to issue certificates in a “chain of trust” that now involves many hundreds of players, any of which may in fact be a weak link.

The Electronic Frontier Foundation, an online civil liberties group, has explored the Internet in an attempt to map this nebulous system. As of December, 676 organizations were signing certificates, it found. Other security experts suspect that the scan missed many and that the number is much higher.

Making matters worse, entities that issue certificates, though required to seek authorization from site owners, can technically issue certificates for any Web site. This means that governments that control certificate authorities and hackers who break into their systems can issue certificates for any site at will.

Experts say that both the certificate system and the technology it employs have long been in need of an overhaul, but that the technology industry has not been able to muster the will to do it. “It hasn’t been perceived to be a big enough problem that needs to be fixed,” said Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton. “This is a wake-up call. This is a small leak that is evidence of a much more fundamental structural problem.”

In the Comodo case, the hacker infiltrated an Italian computer reseller and used its access to Comodo’s systems to automatically create certificates for Web sites operated by Google, Yahoo, Microsoft, Skype and Mozilla. With the certificates, the hacker could set up servers that appear to work for those sites and try to view the unscrambled e-mail of millions of people, experts say.