Category Archives: Security

More information on the LizardSquad

Krebs' post at KrebsOnSecurity.com has plenty of details on the LizardSquad. From his article:

The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service…Last, but certainly not least, it appears that Vinnie Omari — the young man I identified earlier this week as being a self-proclaimed member of the Lizard kids — has apparently just been arrested by the police in the United Kingdom (see screen shot below). Sources tell KrebsOnSecurity that Vinnie is one of many individuals associated with this sad little club who are being rounded up and questioned.

I am always interested in how these types of hacks get carried out. You can read the full article from Krebs here. He has plenty of information on the hack.

It looks like the authorities are catching up with the novice hackers.

-Dave

LizardSquad?

LizardSquad sounds like a name from a video game. Unfortunately, they are a hacking group that attacked Sony’s PlayStation and Microsoft’s Xbox networks over Christmas. They were indeed successful at taking both networks down on Christmas Day.

So who are these guys?

Of course we don’t really know because anonymity is their best defense. Two people that claim to be the LizardSquad did an interview with BBC. You can read about the interview over at Krebs. But what we do know is that the attack was not a very sophisticated one. It was a simple DDoS attack; the surprising thing is that the PlayStation network and the Xbox network were so vulnerable to a common or basic type of attack. It appears the group was really looking for fame and perhaps some money – which they got in the form of $300,000 worth of vouchers from Megaupload.

It seems unlikely we will hear from this group again as one person has been arrested in Finland and there are reports that a second person is being sought at this time.

Hopefully they did not interrupt your Christmas plans – although we have a PlayStation and an Xbox here, they are rarely used, so they did not interfere with my Christmas.

Happy new year!

– Dave

Are Fingerprints Secure?

According to welivesecurity.com:

…Jan Krissler, claims to have ‘copied’ the thumbprint of Germany’s Defense Minister from standard photos, in machine-readable form.

Does this mean that fingerprints are not a secure biometric method?

We can expect that as more devices rely on fingerprints to secure them, the evil hackers will be working on ways to overcome fingerprint readers. Two-factor authentication is the best method for keeping your information safe.

You can read my blog on two-factor authentication here, or watch a video on how to use it with Gmail here.

-Dave

It’s Official: Sony Was Hacked by North Korea

The FBI released a statement today concluding that North Korea was involved with the hack of Sony Pictures. From the FBI statement:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

The full text of the FBI statement can be read here.

-Dave

Fed Releases Payment Fraud Summary

The Federal Reserve Bank of Minneapolis released its 2014 payment fraud summary survey of banks. Why is this interesting? From the executive summary:

Payments fraud remains a significant concern for financial institutions and other corporations in the ninth district and surrounding region. While financial institutions are much more likely to report payment fraud attempts (75% experienced attempted fraud) and losses (70%) than non-financial companies, the proportion of financial institutions reporting fraud attempts and losses has actually decreased since 2012, when most respondents reported fraud attempts (94%) and losses (90%).

While attempted payment fraud has decreased over the past two years from 94% to 75%, it is still at a very high level. The financial institutions have been implementing stronger fraud prevention techniques, which are beginning to have some success. Beginning in October 2015, merchants that haven’t installed a card swipe terminal that accepts chip cards will be liable for all the fraud involved with a chipped card. This policy is making the merchants accept some of the burden of fraudulent charges. Currently the financial institutions bear the majority of the direct cost of fraudulent charges.

In 2015, if you have the option to change your credit or debit card to a chipped card, I would recommend that you do so. This will better protect you and your financial institution from having your information “stolen.”

I have been wondering why the financial institutions don’t change their credit and debit cards from an “always on” model to a model where your credit card is “always off.” In other words, when I go to purchase something at the store and I am ready to complete the purchase, I tap an app on my phone and turn on the card for a single purchase, and it automatically turns the card off after the transaction is complete. This model would certainly cut down on the amount of fraud that is generated, and it appears that we have all the technology we need to accomplish it.

The full text of the Federal Reserve fraud summary can be read here:

2014PaymentsFraudSurveySummaryofRegionalResults

-Dave

Another Holiday Season Breach

We may need to change the name from the Holiday Season to the Hacker Season. How does “Happy Hackers” sound?

It doesn’t sound good to me either.

Krebs is reporting that Bebe Stores Inc. is the latest victim of a data breach. As reported by Krebs:

Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores.

The full article can be read here.

-Dave

More Details on the Sony Hack

Krebs has tracked down more details on what was actually stolen. You can read his full article here. From his article:

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.

The hackers stole information and then proceeded to destroy (delete) the files on the servers.

It still appears that the hackers were only after Sony and its employees and not consumer information.

The information about this breach is getting worse by the day.

-Dave

Let the Holiday Season Begin with Some Phishing…

We couldn’t get through the first holiday weekend without some cyber crime. welivesecurity.com is reporting that two phishing emails are making the rounds. From their article:

Two phishing emails have shown up in my inbox in the last two days, masquerading as orders from popular American retailers: The Home Depot (a home-improvement store chain) and Costco (a warehouse club). Both serve as timely reminders that, as Americans recover from their Thanksgiving celebrations and the online search for holiday bargains begins, criminals are also active online, seeking to exploit the seasonal surge in shopping activity, from Black Friday to Cyber Monday, and beyond. Hopefully, it goes without saying that you should delete messages like this right away (if you really are expecting notification about an order from a retailer, confirm it with a phone call, or by typing the company URL into your browser and navigating to the order tracking page).

Enjoy the season and stay safe: don’t open or click on links in email that looks suspicious.

-Dave

Keeping your Google Account Secure

If you are using public or work computers to access your Google account, here I have put together a YouTube video for keeping your account secure. Being connected to your Google account across multiple devices certainly makes it easy to access your favorite websites and tools. However, this ease of access to your Google accounts can also be a security concern. Google has some built-in security tools for monitoring and securing your Google account across multiple devices.

There are two common scenarios where you should consider using two-step verification.

  1. If you frequently use a work computer to access your Google accounts I would strongly recommend enacting two-step verification to access your accounts. Companies have the ability to log your keystrokes on work computers – this means it would be fairly easy for them to capture your Google account password. By enabling two-step verification someone would have to have your password and your phone present to access your account.
  2. If you use public computers you will also want to enable two-step verification, so on the off chance that someone captures your password on a public computer they also would need to have your phone present to access your Google account.

In either the work scenario or the public computer scenario it would be wise to have a unique password just for your Google account. If you have a unique password just for your Google account and someone were to capture that password, they would not be able to use it to access any of your other digital/online accounts. If you need some help on creating passwords, check out my password posts here, here, and here. Enjoy the video!

– Dave

The Sony Hack is Worse than Previously Reported

Oh boy, the amount of data that has been stolen from Sony may be much worse than the first reports.

According to a Reddit thread, the following items are among the supposedly compromised data:

  • PDF files that apparently contain the passports, visas, and other associated identity documents of cast and crew for various Sony productions, such as actors Jonah Hill, Cameron Diaz, and Angelina Jolie (plus a file called Emmerich, Roland Greencard.pdf).
  • Over 700 documents containing passwords, including spreadsheets and Word files titled “FTP passwords,” “ResearchPasswords,” “ACCOUNTING PASSWORDS,” “Personal passwords,” and other files named for specific creative resource sites.
  • 179 Outlook archival .pst mailboxes, including the mail folder of an executive at Sony Pictures Releasing Canada, an IT Audit Supervisor at Sony, as well as many “archive.pst” and “backup.pst” files.
  • Business documents including film budgets (“JR_Accrued Mktg Cost 0513 – Evil Dead.xls”) and contract documents (“Cameron Diaz – Pre-approved Medical Rider.doc”).

And from The Wrap:

Further disturbing is that thus far the studio’s IT experts have been unable to reverse the attack and get the computer system back to normal. “The IT department has absolutely no idea what hit them or if they can recover any of their files or operating systems, or even turn on their computers Monday,” said the insider.

The full article from The Wrap can be found here.

The only good news for consumers is the hackers did not appear to go after consumer or PlayStation Network personal data.

This is a big mess for Sony to clean up. I will be interested to read about the details of the hack if they are ever made public.

-Dave