Sony Screams About Hackers But They’ve Invaded Our Privacy For Years


The hack attack on Sony Pictures Entertainment that’s been making headlines over the last couple of weeks is just the latest in a line of security breaches at Sony that stretch back to 2011. Many companies get attacked just because they are vulnerable targets, but Sony seems to have raised the special ire of the hacktivist community. Let’s look at how that happened, and go through a timeline of the company’s major security breaches.

Subscribe to my weekly video podcast for this Sony story and much more

Why is Sony such a juicy target for hackers?

In 2005, Sony began producing audio CDs with intrusive digital rights management (DRM) software included on the disc. If someone loaded the disc into their computer, it automatically installed a rootkit that made changes to the computer’s operating system and prevented it from copying the CD. The disc also installed software that would track the user’s listening habits and made the computer vulnerable to hackers. Worst of all, there was no easy way to uninstall it.

Another event that ticked off the hacking community occurred in 2010, when a well-known hacker named George Hotz broke the copy-protection on the PlayStation 3 and made it possible for users to play pirated games. Sony took the hacker to court, and even got a judge to order the company hosting the hacker’s web site to turn over server logs that would allow them to identify the IP addresses of people who accessed his site. The same month Sony settled with Hotz out of court, the first major attack occurred.

APRIL 2011 Attack

  • Attack on PlayStation Network (PSN).
  • Perpetrated by the hacktivist group Anonymous.
  • Personal details of 77 million PSN users stolen.
  • PSN service knocked offline for 23 days.
  • Cost to the company: A minimum of $171 million.

MAY 2011 Attack

  • Attack on Sony Online Entertainment.
  • Unknown perpetrators.
  • Personal details and credit card information of 24.6 million customers stolen.

JUNE 2011 Attack

  • Attack on Sony Pictures Entertainment.
  • Perpetrated by the hacktivist group LulzSec.
  • Personal details of over a million accounts stolen.
  • The hackers claimed passwords were stored in plain text, unencrypted and were easy to find.

AUGUST 2014 Attack

  • Distributed Denial of Service (DDoS) attack on PSN (along with other online gaming networks).
  • Perpetrated by the hacktivist group Lizard Squad.
  • No customer data compromised.
  • Lizard Squad called in a bomb threat against American Airlines to force a jet carrying a Sony executive out of the sky.

NOVEMBER 2014 Attack

  • Another attack on Sony Pictures Entertainment.
  • Perpetrated by Guardians of Peace (GoP).
  • Possible North Korean government involvement.
  • Widespread knockdown of Sony’s internal network.
  • So far the hackers have concentrated on releasing embarrassing and damaging information about the company and its executives.
  • Details still coming to light, including executive emails, pay disparities, and personal feuds with actors, actresses and employees.

Visit Berkeley’s www.CyberSecurityDictionary.com for more definitions and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

Feds Caution Large Companies About New Malware Threat


On December 2nd, the Federal Bureau of Investigation sent a confidential notice about the recent hacking attack on Sony Pictures Entertainment to security staff at some large U.S. companies. While the notice did not specify Sony Pictures, it provided details on how the hack was pulled off. It also warned that data destroyed by the malware could be impossible or too costly to recover by current forensic data retrieval methods.

The malware can reportedly overwrite data and destroy the master boot record on the computer’s hard drive. Sony Pictures has not confirmed whether this is true in their case.

Details on how the attack began are also sketchy, but these kinds of attacks usually start with inside help or a successful phishing attempt. Once hackers have found their way into the system, they can move through the network.

Sony Pictures Still Struggling to Recover

More than a week after the hack attack that brought down Sony Pictures Entertainment, some services have been restored while others remain offline. Employees regained access to email and telephone services last Monday, but only in certain buildings.

The hackers responsible claimed to have up to 100 terabytes of data stolen from the company during the attack. This data includes sensitive information such as executive salaries, employee social security numbers and server security keys. A short time after the attack digital copies of five unreleased Sony Pictures movies were leaked to illegal file sharing sites, though it’s not clear if the films were stolen by the hackers or leaked through other means.

Malware Used by the Hackers Linked to Previous North Korean Attacks

Authorities have yet to determine who is behind the attacks, but some security experts feel North Korea is a strong possibility. A web site run by the North Korean government blasted Sony Pictures for creating an upcoming action comedy with a plot centered around an assassination attempt on North Korean leader Kim Jong Un. The movie in question was not one of the films leaked. When asked whether North Korean hackers were responsible, a spokesman for the country’s United Nations mission cryptically responded with, “I kindly advise you to just wait and see.”

The malware the FBI warned about was written in Korean and has similarities to malware used in a malware attack on South Korean banks and television broadcasters in 2013. The two countries are hostile neighbors, and South Korea is a frequent target of North Korean hacking attacks.

According to an undisclosed source, Sony Pictures has hired the Mandiant division of FireEye to assist with the investigation and recovery. Both companies and the FBI are continuing to pursue the matter.


Sony Pictures Shut Down by Hack Attack


Last week Sony Pictures Entertainment experienced every network administrator and business owner’s worst nightmare. On November 24th, anonymous sources inside Sony Pictures claimed the entire network was compromised. This part of the company is responsible for marketing and distribution of motion picture and TV programs.

One of the sources posted a crude CGI picture of a skeleton to the online message board Reddit. The image contained a message threatening to release company secrets if the hackers’ demands were not met. The message also indicated the group Guardians of Peace (#GOP) was behind the attack, and included links to files containing classified financial information, employee social security numbers and private network keys. The hackers also gained control over several Twitter channels linked to various Sony Pictures movie properties such as The Amazing Spider-Man and Starship Troopers.

Possible Foreign Involvement

The hackers’ demands and motivation are not clear, but there could be a link to the North Korean government. On November 27th, a web site controlled by the government criticized an upcoming action comedy film by Sony Pictures Entertainment. In “The Interview,” tabloid television reporters played by James Franco and Seth Rogen become involved in a CIA plot to assassinate North Korean leader Kim Jong Un.

Sony Pictures has not confirmed or denied the link, but the North Korean government is known to employ a large cyber espionage team. Hackers associated with the regime have been linked to attacks on non-government targets such as foreign banks and other private businesses.

Entire Network Paralyzed

The company released a statement calling it an “IT matter” but multiple news organizations reported their response was to completely shut down the network, leaving employees unable to get on the Internet or even check their email. Sony administrators advised employees not to turn on their computers and to disconnect mobile devices from the company WiFi network. Some employees were told to work from home. While the company has not released specific details, some sources indicate the hack was an inside job and began with a single server.

A History of Hacks

This isn’t the first time the Japanese technology company has had a major network security breach. Sony Pictures was hacked in June of 2011, exposing the data of approximately 37,000 users. This attack was particularly embarrassing, partly because sensitive account information such as passwords was stored in a plain text file. Anyone with access to the database could open it and read the contents.

In April of the same year, Sony’s video game division suffered a devastating attack that knocked the PlayStation Network offline for weeks and leaked the account information of hundreds of millions of users. In August of this year the PlayStation Network was forced offline again by a distributed denial of service attack.

While Sony isn’t the first company to suffer a major data breach and it certainly won’t be the last, the attack serves as a reminder of what can happen when companies let their guard down.

Learn more about hacked government and corporate interests from our downloadable WHITEPAPERS and by SUBSCRIBING to my 2 Minute Cyber Security Briefing video podcast.

Dirtboxes – Cellular Spies in the Sky


Last week the Wall Street Journal broke a story on cellular spying that has troublesome implications for wireless security experts and privacy advocates. According to anonymous sources cited by the paper, the United States government is mounting devices known as dirtboxes on small planes and using them to sweep up cell phone data on innocent citizens. The aircraft are currently flying out of five major airports, covering an area that encompasses most of the continental United States.

What are Dirtboxes?

The odd name comes from the acronym of the company that originally developed the devices, Digital Receiver Technology Inc. The company is currently owned by the aerospace manufacturer Boeing.

Dirtboxes are devices that take advantage of a feature built into every cellular device. Cell phones are designed to seek out and connect with the strongest tower on the carrier’s network. This ensures the user has the best possible signal at all times. The user has no way of selecting which tower the phone chooses, even if the device is hacked and rooted.

A dirtbox impersonates a tower with a stronger signal and tricks the cellular device into connecting to it instead. The user doesn’t have to be using the phone when the dirtbox flies within range. Any phone that is powered on and not in airplane mode will connect automatically. When the phone connects to the dirtbox or tower, it transmits its location information, unique identifier and phone number.
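The strongest-signal rule described above is what a fake tower exploits, and it is also what a defender can watch. The following added example (not from the original post) models a phone’s cell selection over a constructed scan and runs a baseline check on the cell it picks; the cell identities, area codes and signal values are made-up sample data, and the model is simplified (real networks carry more identity fields than these).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    cell_id: int     # tower identity broadcast to the phone
    lac: int         # location area code; genuine neighbours in one area share it
    rssi_dbm: int    # received signal strength; closer to 0 is stronger


# Constructed baseline: the (lac, cell_id) pairs normally observed at this location.
KNOWN_CELLS = {(4301, 1001), (4301, 1002), (4301, 1003)}

# Constructed scans. The second adds a newcomer that out-shouts every real tower
# and carries an identity and area code the baseline has never recorded.
NORMAL_SCAN = [Cell(1001, 4301, -71), Cell(1002, 4301, -78), Cell(1003, 4301, -85)]
ROGUE_SCAN = NORMAL_SCAN + [Cell(60001, 9999, -45)]


def select_cell(scan):
    """The rule the post describes: the phone attaches to the strongest signal."""
    return max(scan, key=lambda c: c.rssi_dbm)


def assess_cell(cell, scan, known=KNOWN_CELLS, margin_db=20):
    """Defensive check over a scan: returns reasons to distrust the chosen cell."""
    reasons = []
    if (cell.lac, cell.cell_id) not in known:
        reasons.append("identity not in baseline")
    others = [c for c in scan if c is not cell]
    if others:
        lacs = [c.lac for c in others]
        common_lac = max(set(lacs), key=lacs.count)
        if cell.lac != common_lac:
            reasons.append("area code differs from neighbours")
        # A tower that beats every established neighbour by a wide margin is suspect.
        if cell.rssi_dbm - max(c.rssi_dbm for c in others) >= margin_db:
            reasons.append("signal implausibly stronger than every neighbour")
    return reasons


def scan_report(scan):
    """Return the cell the phone would pick and any reasons to distrust it."""
    chosen = select_cell(scan)
    return chosen.cell_id, assess_cell(chosen, scan)


if __name__ == "__main__":
    for name, scan in (("normal", NORMAL_SCAN), ("rogue", ROGUE_SCAN)):
        print(name, scan_report(scan))
```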

How Are Dirtboxes Used?

Dirtboxes are not a new technology. They’ve been used in ground-based surveillance operations and to keep inmates in prisons from making calls on contraband phones for years.

The difference here is the scope. While a ground-based system might pick up a few dozen phones, a dirtbox mounted on an aircraft flying over a densely populated area might pick up registration data on hundreds of thousands of devices. They could also be used to pinpoint a user’s location and to pull data off their device such as photos and text messages.

In addition to the sticky privacy issues, dirtboxes can cause problems for cell phone carriers and users. They disrupt the carrier’s cellular network and can cause dropped calls. According to one of the WSJ’s anonymous sources, calls to 911 are not affected.

The major question is, what is happening to the data gathered on citizens who are not the subject of a criminal investigation? In the past, federal judges have ruled that stockpiling data on unintended targets for later use is unconstitutional. The WSJ quoted someone close to the program as saying, “What is done on U.S. soil is completely legal. Whether it should be done is a separate question.”


Penetration Testing Basics


As computer networks become more complex, they become more vulnerable to hackers. These weak points can take the form of hardware, operating system bugs, software and users who don’t adhere to security policies. One of the best ways to uncover them is to get a hacker to break in.

What is Penetration Testing?

It’s essentially a legal form of hacking carried out as a test of the target organization’s defenses. The target company either has their IT staff try to break into the system or hires an outside security firm that specializes in this form of attack. While the attacker may be just one person or an entire team, for ease of reading let’s stick to referring to them as a single individual.

The main goal of the test is to see if a hacker can get in and, if they can, how far into the system they can get. The testing process itself is either done manually or by using automated software. Penetration testing generally breaks down into several categories, depending on the conditions of the test being performed.

Types of Penetration Testing

White box testing gives the hacker access to information about the internal details of the network. The goal is to provide them with as much information as possible so they can base their test around knowledge of the network’s strengths and weaknesses. This approach minimizes testing time and provides a deeper, more comprehensive test. The drawback is it doesn’t mimic the (lack of) information a real hacker would have.

Black box testing is the closest to a typical hack. The attacker receives no information about the network and must figure it out and gain access on their own. The drawback here is testing times are more unpredictable, and some parts of the network may not get thoroughly tested.

Gray box testing falls between these two extremes, with the attacker receiving limited information, such as what they might obtain by compromising a normal user’s account.

Penetration testers can also run scenarios based on whether or not someone on the opposing team is aware of the attack and can take steps to thwart the intrusion.

Once the test is complete, the attacker compiles a complete report, including all the steps they took and vulnerabilities they noticed. Companies can then assess these vulnerabilities and prioritize getting them fixed.

Is Penetration Testing for Me?

If your business network is connected to the Internet, odds are hackers have at the very least made attempts to get in. There are crawler applications out there that allow hackers to systematically find vulnerable networks. Some company servers receive thousands of attacks an hour.

Some industries have regulations that require penetration testing on a regular schedule for security purposes. Others do them sporadically when requested. The most unfortunate ones do them after they’ve been attacked, had their systems compromised and are facing a PR nightmare. You don’t want your business in the last group.

Visit www.bvsystems.com for wireless security products and subscribe to our 2 Minute Cyber Security Briefing video podcast on Youtube & iTunes.

Fighting Phone Cramming


Cramming is the term for adding an unauthorized charge to your phone bill. It’s most common on mobile phones, but land lines can fall victim as well. The phone company or mobile carrier may add charges the customer doesn’t recognize until later. However, the vast majority of cramming complaints come from third parties for “premium text messaging.”

These services started back in the days of feature phones, before smartphones were common. They provided a way for users to get information, wallpapers and ringtones to ordinary phones before they could browse the web. Some people still use these premium messaging features, but smartphones have made them largely irrelevant.

How Does It Happen?

In the case of charges added by the phone company, a sales rep might unintentionally cram when the customer activates a line or changes their plan. For example, the rep may add a paid feature that starts with a free month without warning the customer it’s not a free feature. The customer overlooks the feature during the free month, then notices once it starts charging.

Cramming by third parties usually starts when the customer enters their phone number into a web page run by scammers or sends a text message to a number advertised in movie theater and late-night television ads. However, it’s not always possible to tell exactly how the charges were added. Some customers have been scammed without doing any of these things.

What Do I Do If I Notice Unauthorized Charges?

If you notice you are getting spam texts or see unauthorized charges on your bill, contact the phone company or carrier immediately. A live representative can usually credit back the charge, but make sure they also remove the feature or it will return on your next bill.

What Are Companies Doing About Cramming?

Cramming has been a problem for many years, and some companies have been the target of lawsuits over the practice. AT&T was recently ordered to pay $80 million to the Federal Trade Commission for customer refunds.

First-party cramming will likely remain an issue as long as there are overenthusiastic sales reps, but there has been progress on blocking third-party cramming. Some companies have abolished premium messaging charges, while others make you request a block. Ask your phone company if they allow premium messaging services, and how to prevent them if they do.

How Can I Prevent Cramming From Happening to Me?

Somewhere on your phone bill is an itemized list of features, taxes and fees. Look through the list every time you get a bill, especially if your bill changes from month to month. It’s easy for a small charge to slip by unnoticed if your bill isn’t static.

Be careful where you enter your mobile number on the web and when sending text messages to commercial services. If a service offers something free in exchange for your number, read the fine print carefully. It’s often easy to sign up and very difficult to cancel.

What hidden charges has your carrier crammed down your bill?

White House Breached


On October 29th, White House spokesman Josh Earnest confirmed an attack on computer systems used by top aides. The actual attack happened several weeks before the announcement, and the White House has released few details on it. Anonymous sources told the Wall Street Journal the attack was detected by an unnamed ally that passed the information along. Government sources claim no classified information was stolen. If nothing was stolen, why is the attack a big deal?

The Possible Russian Connection

While government officials declined to name the perpetrators, many security experts believe the attack originated in Russia. Tensions between the Russian government and the United States have been growing due to the armed conflict in Ukraine.

Similar attacks by hackers linked to the Russian government have hit United States defense contractors, NATO and the Ukrainian government. The attackers in these events exploited a previously unknown flaw in the Windows operating system.

Types of Malicious Hackers

Hackers attack for many reasons, but malicious hackers generally fall into three categories:

Cyber criminals are out for financial gain. This is the type of hacker responsible for attacks on consumer bank accounts and on businesses like retailers and financial institutions. Their end goal is to steal money or information they can sell. They may operate solo or be connected with an organized crime group.

Hacktivists are hackers who either have a cause or just want to cause trouble. The group Anonymous falls into this category. They might cause disruption and damage to their victim’s image, but they’re not looking for financial gain. Their main goal is to attract attention and punish people or organizations they see as their opposition.

Espionage agents are hackers who work for foreign governments. Some of them see their efforts as a way to help their country, others are directly employed by the state. They are out to gather intelligence, damage equipment and steal classified information. These hackers usually target foreign government agencies and the contractors that work with them. When they do attack businesses, they generally don’t steal money.

Why Don’t We Have More Information?

There’s no doubt the White House networks and other government computer systems are attacked constantly. Details are hard to come by, because the last thing a target wants is to tell the enemy their attack was successful.

When hackers find a zero-day exploit, there’s no way to prepare because it’s a problem the developer or manufacturer is not yet aware of. The best the target can do is harden their network as much as possible and make sure they have the latest security updates.

How do you test your network for vulnerabilities? That’s something we’ll be looking at next week.

The Battle Over Digital Payments at the Cash Register


Apple has launched their new digital wallet service, but not all North American retailers are on board with it. Retailers that are members of the Merchant Customer Exchange (MCX) organization are developing an alternative based around an app that uses visual QR codes. The app is called CurrentC, and is currently in a pilot program scheduled to last through the end of 2014.

MCX members include Walmart, 7-11, Best Buy, Rite Aid, CVS and Target. Merchants that sign up for CurrentC cannot use other digital wallet services. Members that previously had the near-field communication (NFC) hardware used by Apple Pay and Google Wallet have removed it from their stores, a move that has upset some Apple and Android users.

Why Do Some Retailers Want CurrentC Over Apple Pay?

There are three major reasons. The first is that Apple Pay still uses credit cards, meaning retailers must pay up to 3 percent of the charged amount to the credit card issuer. CurrentC accesses the user’s bank account directly, meaning the retailer can keep more of the money.


The second is due to the importance retailers place on customer data and demographics information. CurrentC collects and shares more data about the people who use it than Apple Pay and other digital wallet services. Customers can set their privacy levels in the app, but most will probably just leave it at the default settings. The MCX has claimed CurrentC has better security than its competitors, but whenever there’s valuable information there are people looking to steal it.

The third reason relates to hardware costs. Retailers that want to use services like Apple Pay must install expensive NFC readers at each register. In contrast, CurrentC is software-based and uses the same technology as the familiar UPC barcode. When retailers start changing over to more secure credit cards next year, those that have not signed up with a digital wallet service may opt to go with NFC when they upgrade.

CurrentC Hacked

On October 29th, the MCX announced that unknown hackers had broken into the CurrentC service and gained access to user email information. The MCX PR agent claimed many of the email addresses were dummy accounts used for testing, and no other customer data was stolen. They also stated that neither the CurrentC app nor user devices were affected.

Stealing email addresses isn’t a serious breach in itself, but it is an embarrassment to the fledgling organization, especially given that Walmart specifically stated they went with CurrentC over Apple Pay due to better security. It could also show the MCX needs to focus on securing the information they are storing.

If you choose to use CurrentC on your device, make sure you browse through the security dashboard and disable the settings you don’t want to share.



What payment platform would you prefer and why?

Is Chinese Government Behind Apple iCloud Attacks?


The October 17th launch of the iPhone 6 in China was overshadowed by a hack attack aimed at stealing Chinese users’ iCloud login information. Less than 24 hours after the release of the highly-anticipated smartphone, anti-censorship advocates in China tweeted about the attack. On the 20th they posted more information on a blog at greatfire.org accusing the Chinese government of being behind the attack.

How did the attack take place?

The hackers used a black hat technique known as a man-in-the-middle (MITM) attack. When a computer or device accesses a secured web page through the browser, the remote server provides a security certificate verifying it is the correct site. MITM attacks reroute the Internet traffic through another server that uses a fake certificate to fool the device into thinking it is communicating directly with the original site. When a user puts in their login name and password, the middleman can intercept the information.

Similar MITM attacks have occurred recently against Chinese users of Google, GitHub, Microsoft and Yahoo. The Apple MITM was the most serious, as it was nationwide in scope and occurred while many users were setting up their new devices. The hack only affected a single iCloud server IP address, and Apple was able to block the attack by directing Internet traffic to a different IP address.

Why do security experts believe the Chinese government is involved?

Like other aspects of the media, the Internet is heavily censored in China. The Chinese government regularly spies on private citizens looking for signs of political dissent. Apple stores iCloud information outside of China, out of the direct control of the Chinese government.

Since the Chinese government owns and operates the country’s telecommunications and wireless services, the attack may be an attempt to get around officials not being able to access iCloud information directly. It could also be in response to the iPhone 6’s increased security safeguards and the recent anti-government political demonstrations in Hong Kong.

How can you protect yourself against MITM attacks?

Unlike browsers commonly used in China, Safari uses an encrypted connection to iCloud

MITM attacks are difficult to orchestrate on such a large scale without deep access to public telecommunications networks. The latest hack may have been limited to Apple users in China, but smaller-scale MITM attacks can happen anywhere. Here are some easy ways you can protect your information.

  • Use two-factor authentication when possible. Without the second piece of information, attackers won’t be able to access your account even if they have your username and password.
  • Watch for browser pop-ups alerting you to an expired or invalid certificate when you visit a secure site. If you receive a notification, view the certificate and verify the information is correct.
  • Do not access sensitive sites over open WiFi networks without using a virtual private network (VPN). MITM attacks are much easier to pull off over open wireless networks, and some criminals even set up their own WiFi hotspots just to steal data. A VPN prevents these attacks by setting up an encrypted connection between your device and the VPN server.
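The MITM description above and the “view the certificate” tip both come down to the same checks a browser performs before trusting a site. This added example (not from the original post) automates them over two constructed certificates in the dict shape Python’s `ssl.SSLSocket.getpeercert()` returns: a genuine one for the expected host and a self-signed one of the kind an interposed server would present. The host name, the placeholder CA name and the dates are assumptions.

```python
import ssl
import time

# Constructed sample certificates; neither is a real Apple certificate.
GENUINE_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "subjectAltName": (("DNS", "www.icloud.com"), ("DNS", "*.icloud.com")),
    "notBefore": "Oct  1 00:00:00 2014 GMT",
    "notAfter": "Oct  1 00:00:00 2016 GMT",
}
# Subject copied from the real site, but issued by nobody the device trusts.
MITM_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "www.icloud.com"),),),
    "subjectAltName": (("DNS", "www.icloud.com"),),
    "notBefore": "Oct 18 00:00:00 2014 GMT",
    "notAfter": "Oct 18 00:00:00 2015 GMT",
}
# Assumption: stands in for the operating system's trusted root store.
TRUSTED_ISSUER_CNS = {"Example Trusted CA Root"}


def _cn(name_field):
    """Pull the commonName out of a getpeercert()-style subject or issuer field."""
    for rdn in name_field:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_names(cert):
    """Names the certificate is valid for: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [_cn(cert.get("subject", ()))]


def hostname_matches(cert, hostname):
    """RFC 6125 style match: a leading wildcard covers exactly one label."""
    hostname = hostname.lower()
    for pattern in _dns_names(cert):
        pattern = (pattern or "").lower()
        if pattern.startswith("*."):
            if hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count("."):
                return True
        elif pattern == hostname:
            return True
    return False


def check_certificate(cert, hostname, now=None, trusted=TRUSTED_ISSUER_CNS):
    """Return the list of problems found; an empty list means the certificate checks out."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    issuer = _cn(cert.get("issuer", ()))
    if issuer == _cn(cert.get("subject", ())):
        problems.append("self-signed")
    if issuer not in trusted:
        problems.append("issuer not trusted")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("outside validity period")
    return problems


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Oct 20 00:00:00 2014 GMT")
    print("genuine:", check_certificate(GENUINE_CERT, "www.icloud.com", now=when))
    print("mitm:", check_certificate(MITM_CERT, "www.icloud.com", now=when))
```

In real client code these checks are what `ssl.create_default_context()` performs for you when `check_hostname` and `CERT_REQUIRED` are left at their defaults; the function here only makes the individual steps visible.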



Has Apple Pay Put An End To Credit Card Security Issues?


All across America today, retailers have begun to accept Apple Pay purchases using secure encryption, Touch ID and Apple iPhones. So is cash still king or have we crowned a new form of payment winner?

Apple’s new smartphones and iPads use an NFC wireless module to communicate with a merchant’s payment terminal. Once connected, a tokenized transfer occurs, whereby shoppers only transfer a special, single-use digital token that the Point-of-Sale system will decode using a shared secret. At no time does a user’s credit card information ever actually leave the secure enclave contained on their device. This patent-pending method also requires Apple’s Touch ID biometric fingerprint verification in order to verify the shopper is who they say they are. Since the Touch ID data is stored in a secure enclave and is also a hash, or a numeric value that represents the data, it’s almost like having 2-factor authentication built in without the hassle of pass codes for the user to enter.

Here is another way to look at it. Your phone and your merchant’s terminal agree upon a secret passphrase, and when that’s successful, they pass the info on to the payment provider or bank, which then authorizes payment. Only you and the payment card provider ever know the credit card number used; the merchant’s terminal only ever knows the passphrase, which is unique and automatically generated for one-time use.

Apple does this so that even if the NFC communication is hacked and intercepted by a 3rd party, the data stolen is completely worthless. It’s a measure designed to alleviate the fear that transferring any kind of payment information wirelessly sets a user up for attack, which is likely one of the factors involved in slow adoption of NFC payment methods thus far. Google Wallet and many Android smartphones have been supporting NFC for a few years now, but consumer fear and most U.S. merchants’ unwillingness to upgrade to NFC terminals has stalled mass adoption. This is all poised to change now that Apple has addressed some ease-of-use issues for consumers as well as secured partnerships with over 500 banks and 220,000 stores including Target, Bloomingdale’s, Duane Reade and of course Apple’s own retail stores.
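To make the three paragraphs above concrete, here is an added simulation (not Apple’s protocol and not code from the original post) of the idea they describe: the device holds an opaque token and a key, never the card number; each payment carries a one-time cryptogram bound to the merchant, amount and a counter; and only the payment network can map the token back to a card. The card number, merchant names and amounts are constructed sample values, and the HMAC-over-counter scheme is a stand-in for the real cryptogram design.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key, token, merchant, amount_cents, counter):
    """One-time value bound to this token, merchant, amount and counter."""
    data = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class PaymentNetwork:
    """Token service provider: the only party able to map a token back to a card."""

    def __init__(self):
        self._vault = {}   # token -> [real card number, device key, last counter seen]

    def provision(self, card_number):
        """Enrol a card: the device receives an opaque token and a key, never the PAN."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = [card_number, key, 0]
        return token, key

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False, "unknown token"
        card_number, key, last_counter = entry
        if msg["counter"] <= last_counter:
            return False, "replay: counter already used"
        expected = _cryptogram(key, msg["token"], msg["merchant"],
                               msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "cryptogram does not match"
        entry[2] = msg["counter"]   # consume the counter so this message cannot be replayed
        return True, f"approved for card ending {card_number[-4:]}"


class Device:
    """Phone side: holds only the token and key inside its secure storage."""

    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0

    def pay(self, merchant, amount_cents):
        """Build the message the register sees: token plus one-time cryptogram."""
        self._counter += 1
        return {"token": self._token, "merchant": merchant, "amount_cents": amount_cents,
                "counter": self._counter,
                "cryptogram": _cryptogram(self._key, self._token, merchant,
                                          amount_cents, self._counter)}


def run_scenarios():
    """Walk through the cases the passage argues: legitimate, replayed, tampered."""
    network = PaymentNetwork()
    token, key = network.provision("4111111111111111")   # constructed sample card number
    phone = Device(token, key)
    msg = phone.pay("merchant-A", 1999)
    results = {"pan_visible_to_merchant": "4111111111111111" in str(msg)}
    results["legitimate"] = network.authorize(msg)[0]
    results["replayed"] = network.authorize(msg)[0]      # eavesdropper resends the same message
    tampered = dict(phone.pay("merchant-A", 1999), amount_cents=100)
    results["tampered"] = network.authorize(tampered)[0]
    results["next_legitimate"] = network.authorize(phone.pay("merchant-B", 500))[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```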

Credit card and debit card fraud resulted in losses amounting to $11.27 billion during 2012. And that doesn’t even factor in identity theft and the hassle and cost of issuing new cards for every fraud report. Credit and debit cards trade security for convenience, due largely to the fact that most cards are still using 40-year-old technology. Is Apple Pay the major overhaul needed to secure an aging retail transaction system? Only time will tell.