All posts by Sathya Bhat

Sathyajith, aka "Sathya" or "cpg", loves working on computers and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to, and is a Super Moderator at, Chip India Forums. When not writing SQL queries or coding in PL/SQL, Sathya is a gamer, a Linux enthusiast, and maintains a blog on Linux & Open Source. You can reach Sathya on Twitter.

Groupon India (SoSasta.com) Suffers Security Issue, User Account Information Possibly Compromised

Groupon, a leading daily deals store which entered the Indian market by acquiring the Kolkata-based local deals site SoSasta.com, suffered a “security issue” on its systems. The break-in happened over the weekend and it is highly likely that all usernames and passwords were stolen.

In an email sent to subscribers, SoSasta.com Customer Care informed them of a security incident that happened over the weekend. While the email doesn’t mention the exact extent of the damage, it does state that no financial information, such as Credit/Debit Card numbers or NetBanking details, has been compromised. It also recommends changing passwords as a precautionary measure.

Below is the full email that was sent to the subscribers:

Hi SoSasta Subscriber,

Over this weekend, we’ve been alerted to a security issue potentially affecting subscribers of Sosasta. We wanted to let you know that the issue has been brought under control and your accounts are secure. However, as a precautionary measure, we recommend that you change your SoSasta password immediately, by visiting the SoSasta website (Sign-In using your existing password, then click on Profile followed by Change Password). If you use the same email/password combination at other websites, we recommend you change those passwords as soon as possible, too.

Please be aware that none of your financial information (Credit Card, Debit Card, NetBanking etc) has been compromised since this information is not stored on SoSasta, as per law.

If you have any concerns or find any unusual changes in your SoSasta account, please contact our Customer Support team as soon as possible at 1800 103 2111 between 9.30 a.m. and 6.30 p.m. IST, Monday to Saturday so that we can review your account.

You should know that we are working aggressively to prevent this from happening again. Sosasta takes security and privacy very seriously — it’s important to us to provide you with a safe shopping experience of the highest quality, and we will do everything possible to keep your trust. Please accept our apology for any inconvenience or concern we’ve caused.

Sincerely,
SoSasta Customer Support

If you have a SoSasta.com account, we recommend that you change your password immediately. Techie-Buzz also recommends using a password manager such as LastPass rather than reusing the same password across sites, which can lead to serious consequences.

Team Fortress 2 Goes Free to Play, Queue Your Download for the Weekend

Team Fortress 2

Team Fortress 2, one of the most actively played multiplayer games, received an even bigger boost following Valve’s announcement that Team Fortress 2 is now free, forever. Released as part of the Über update, Valve has made it clear that Team Fortress 2 will henceforth be free to download and play.

In addition to the free to play change, the Über update brings a new map, redesigned crafting and training screens, and a one-click start-to-play option. This lets you jump directly into a game after selecting the gameplay mode; the player is pitted against random opponents on the best available server.

If, like me, you spent $50 on the retail edition and are grumbling about the game going free to play, it’s worth noting that your premium account will have access to rare items by means of item drops. Premium players will also be able to store more items in the backpack, and will have more powerful trading and crafting abilities than free accounts.

Team Fortress 2 Accounts Comparison

Having said that, credit must be given to Valve for keeping Team Fortress 2 actively updated. To give you a bit of perspective, Team Fortress 2 was released way back in October 2007 after several delays and significant changes in art direction.

Team Fortress 2 - back in the old days

In an age where most developers push out half-complete games and then demand additional moolah for “unlocking” “premium” content, Valve has always been prompt in keeping Team Fortress 2 updated with fresh content, maps and game styles, all for free.

So, Team Fortress 2 fans who have been holding back for lack of funds: your time has come. Go download it from Steam. Get ready for some fryin’.

(Team Fortress old-style image courtesy of Wikipedia)


LulzSec Breaks Into Sony Developer Network, Leaks Their Source Code

Continuing their recent streak of break-ins into Sony web properties, the self-proclaimed “world’s leaders in high-quality entertainment at your expense”, LulzSec, just released a full 54MB archive said to consist of Sony Computer Entertainment’s Developer Network source code. LulzSec tweeted their latest accomplishment just under half an hour ago.

Sony has been under an ever-increasing spate of attacks and break-ins, the most recent being Sony Brazil, Sony Europe and Sony Pictures Russia, which was one of the biggest hacks, with over a million usernames and passwords stolen. With this latest break-in, 16 of Sony’s web properties have been hacked in just under 45 days, giving an astonishing average hack rate of 2.8 websites per day.

While LulzSec claims that the archive comprises the Developer Network source code, a commenter on Hacker News notes that the archive consists of website source code rather than the actual PSN code.

Sony Goes Down Again, This Time SQL Injection Takes Down SonyBMG

In what seems to be yet another in a never-ending series of hacks and break-ins, Sony took another hit when the Greek website of its music division, SonyBMG, was hit by SQL injection.

Sophos reports that an anonymous poster has uploaded to pastebin.com a full user database, including the usernames, real names and email addresses of users registered on SonyMusic.gr.

After searching a bit, I found the relevant paste where the data was uploaded (I won’t link here, you should be able to find out), but it would appear that about 8,385 rows of user data have been leaked.

If you have an account at SonyMusic.gr, I recommend you change your password ASAP, else you might end up unknowingly spamming your entire contact list.

Mono founder Miguel de Icaza Launches Xamarin

Barely a fortnight after being laid off by Novell following the Attachmate acquisition, Mono founder Miguel de Icaza and his team of Mono engineers are back on their feet with a new startup, Xamarin. Announcing it in a blog post today, Miguel mentions that the new startup, named Xamarin, will focus on Mono-based products.

He mentions that development has already started, and that Xamarin is looking to deliver the iPhone stack first, with Android and Moonlight ports to follow. The new .NET for iPhone and Android will be source compatible with MonoTouch and MonoDroid.

Talking about the situation at hand, Miguel writes,

We have been trying to spin Mono off from Novell for more than a year now. Everyone agreed that Mono would have a brighter future as an independent company, so a plan was prepared last year.

To make a long story short, the plan to spin off was not executed. Instead on Monday May 2nd, the Canadian and American teams were laid off; Europe, Brazil and Japan followed a few days later.

[…]

Now, two weeks later, we have a plan in place, which includes both angel funding for keeping the team together, as well as a couple of engineering contracts that will help us stay together as a team while we ship our revenue generating products.

[…]
Our plan is to maximize the pleasure that developers derive from using Mono and .NET languages on their favorite platforms.

We do have some funding to get started and ship our initial products. But we are looking to raise more capital […]

Here’s wishing Miguel de Icaza & his team the very best!


How PlayStation Network Attack, Password Reuse And Unmonitored Account Resulted in Mass Phishing

Today seemed like just another day. Little did I know that, in a span of about 20 minutes, the resulting set of events would be hugely embarrassing for me. I had barely woken up when my phone started going bonkers with notifications from emails, chats and Twitter replies. A glance at the notifications indicated that my email account had been compromised and phishing emails had been sent to everyone in my contacts list.

The Analysis

I logged into my Google Apps email account and had a look at the recent account activity details; nothing out of the ordinary there.

Gmail Recent Account Activity

Checking the sent mail folder indicated that no emails had been sent in the recent past. It occurred to me to check my other Gmail account.

And indeed, as soon as I logged in to my Gmail account, there was a huge red mark indicating activity from China.

Gmail Suspicious Activity


Sure enough, the Sent folder had a copy of the spam mail.

Spam email

So, what went wrong? It all boils down to a combination of the PlayStation Network hack, some bad habits from my yesteryear and some nice Gmail features, which resulted in the phishing email looking like it came from my current domain account instead of the old Gmail account. Let’s have a look at each vector:

  1. PlayStation Network break-in
  2. Not monitoring my email account
  3. Password Reuse
  4. Send mail as and Reply-to set to my domain address


PlayStation Network break-in

PlayStation Network was hacked recently, with all 77 million accounts compromised as a result of this break-in. I firmly believe this is the primary reason behind my email account being compromised. The fact that my email account was accessed from a Chinese IP barely 2 days after the break-in, before the mails were sent off, is proof enough to convince me that the user information was sold off to spammers in China.

Not monitoring my email account

Before switching over to my Google Apps account, I had been using this Gmail account. Once the Google Apps account had been set up, I migrated all my contacts and mail over to it. Furthermore, I had also used Google Apps’s Auto Forwarding to ensure that any stray email to the old id would get fetched and forwarded automatically to my new account. This resulted in me never monitoring the account. If I had monitored the account, I would have noticed the big red mark under Gmail’s unusual activity and would have changed the password right then.

Password reuse

You’ve heard this lots of times before, and are probably guilty of it: password reuse refers to using the same password across most or all of the web services that you use. What starts as convenience turns out to be a single point of failure; access to this one password is enough for spammers or hackers to gain access to all your accounts. In my case, even though password reuse is something I had kicked out quite some time ago (thanks to LastPass), back when I had set up my accounts I had used the same password for Gmail and PSN. With spammers getting access to my password via the PSN break-in, and my failure in having used the same password, getting access to my account was easy.

Send mail as and Reply-to set to my domain address

Gmail has this nice “Send mail as” feature: basically, it allows email originating from one Gmail account to appear as originating from another Gmail account (that you have access to, of course). I had used this feature, along with Reply-to set to my current email address, during my migration from Gmail to Google Apps. Post migration, however, I let these settings remain as they were and did not change them.

End result of all of these:

  • My Gmail account was broken into
  • All the contacts in my contact list were spammed with phishing email
  • To make this worse, the emails appeared to have originated from my domain account instead of the dormant Gmail account.

So, what happened then?

As I had mentioned above, as soon as the email was sent, I received numerous emails, IMs and Twitter replies about phishing mail being sent from my account. I used the steps outlined by Keith in his earlier post about how to handle a situation like this. I changed the password on my prior Gmail account immediately (mind you: my previous password was not a dictionary word, and neither was it easy to guess or brute force). I sent an apology email to the unintended recipients of the phishing mail. (Un)fortunately, Gmail had already marked mails coming from that account as suspicious, warning that my account might have been compromised, so I had to reply to some people to say that the second email was a genuine one from me.

Learnings from this event

As a Super User, I take pride (and great pains as well) in knowing how to ensure that accounts are never compromised. Today’s incident has been a huge embarrassment, and a learning experience for me. To summarize:

  • The ghost of your past bad practices will return!
  • Never, ever let any account, especially one as critical as email, go unmonitored, even if it is dormant. If you aren’t using it, close it or delete it.
  • In the event of any service break-in, always change the password!
  • Don’t use the same password for each service


LastPass Faces Unknown “network anomaly”, Forces Password Reset For All

LastPass logo

I’m a huge fan of LastPass; it’s a great piece of software for managing all your passwords. I was slightly surprised and concerned when, trying to log in to my LastPass account, I was greeted with a “Re-enable your LastPass account” page.

LastPass Activate Page

Upon verifying my email address, LastPass then asked me to reset my master password. In a blog post, LastPass explained what happened:


Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. […] Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.

To counter that potential threat, we’re going to force everyone to change their master passwords.

While it is disconcerting that the amount of data transferred is big enough to represent the email addresses and the salted password hashes, the fact that they have disclosed this and are forcing a password reset, rather than merely requesting people to change their passwords, is some solace.

On the bright(!) side of this, LastPass have mentioned that they will be introducing PBKDF2, a technique in which a pseudo-random function is applied to the input password along with a salt (a 256-bit one, in LastPass’s case) repeatedly (100,000 times, in LastPass’s case) to produce a cryptographic key, which is then used to encrypt the password. Because every guess has to repeat the same work, this acts as a deterrent that further reduces the chances of a brute-force attack cracking a password.
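To make the cost argument concrete, here is an added example (not LastPass’s code, and not a description of how LastPass stores anything) that derives a key with PBKDF2-HMAC-SHA256 using a 256-bit salt and an iteration count, stores it alongside its parameters, verifies a password against that record, and measures how many candidate passwords this machine can test per second at a given iteration count. The record format and the choice of SHA-256 as the pseudo-random function are assumptions made for this example; the 100,000 iterations and 256-bit salt are the figures quoted in the post.

```python
"""Added example: PBKDF2-HMAC password verifier plus a work-factor measurement."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

ITERATIONS = 100_000   # iteration count quoted in the post for LastPass (assumed the same for every user)
SALT_BYTES = 32        # 256-bit salt, as the post describes
KEY_BYTES = 32         # derived key length chosen for this example


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Apply PBKDF2 with HMAC-SHA256 as the pseudo-random function (PRF choice is this example's assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def make_record(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' (format assumed here).

    Storing the salt and iteration count with the key lets verification reproduce the exact
    derivation, and lets the iteration count be raised later without breaking old records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per record
    key = derive_key(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many candidate passwords can be tested per second at this iteration count.

    The salt is fixed because only the cost per derivation is being timed; the figure is
    what a defender uses to reason about how much a leaked record slows down guessing.
    """
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"constructed-guess-{i}", salt, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def seconds_to_test(guess_count: int, iterations: int) -> float:
    """Estimate wall-clock seconds needed to test guess_count candidates on this machine."""
    return guess_count / guesses_per_second(iterations)


if __name__ == "__main__":
    record = make_record("constructed sample passphrase")
    print("record:", record)
    print("correct password verifies:", verify("constructed sample passphrase", record))
    print("wrong password verifies:", verify("not the passphrase", record))
    for iters in (1, 1_000, ITERATIONS):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters, samples=5):,.0f} guesses/s on this machine")
```

Raising the iteration count does not make a single login noticeably slower for the user, but it multiplies the work of testing every candidate against a leaked record by the same factor, which is the whole point of the change LastPass describes.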

As of now, LastPass says they don’t have enough data to thoroughly analyse what happened or the attack method used. They have, however, clarified that the systems in question have been taken offline.

Amazon’s North Virginia Data Center Goes Down, Takes FourSquare, Quora, Reddit Along With It

Amazon AWS

Amazon’s cloud computing Platform as a Service (PaaS) solution, Amazon Elastic Compute Cloud (EC2), and its related services, Elastic Block Storage (EBS) and Relational Database Service, were severely affected today as a result of downtime in the North Virginia data centers.

This incident has brought down several of Amazon’s high-profile clients, including FourSquare, Reddit, Quora, Heroku and several other startups relying on EC2. The problems started at about 01:00 PDT and Amazon is still working to recover and bring the services back up. While Amazon hasn’t yet provided full details of the outage, they have posted an update saying that a networking event resulted in large-scale re-mirroring of EBS volumes in the US-EAST-1 region, which is served by the North Virginia data center.

Amazon AWS Status

This re-mirroring resulted in significant latency, making sites hosted in this region go offline. At the time of writing, Reddit was in emergency read-only mode, Quora and FourSquare had put up a static “We’re having technical difficulties” page, and Heroku was crawling.

Amazon’s EBS has come under fire of late due to elevated error rates, so much so that reddit admin jedberg has mentioned “figuring out ways how to not use EBS anymore”. EBS’s last outage was just about a month ago, taking reddit down for a good part of the day.

It is, however, important to note that some other services using AWS, such as Netflix and Twilio, have not suffered downtime, because they run AWS instances in multiple availability zones. This ensures that even if one data center goes down, the instances in other availability zones can continue serving the websites.


What Are Mac & Windows Users Saying About Unity?

When Ubuntu 11.04 was announced, one of the announcements that sent shockwaves was that Ubuntu would no longer have Gnome as the default Desktop Environment, settling instead for Unity. Last week, Canonical’s User Experience Lead Charline Poirier ran a user experience test of Unity.

Unity

The user test sample size was rather small (11 people) and comprised mainly Windows and Mac users. Each user was given a Lenovo ThinkPad T410i running Ubuntu Natty (11.04) with unity 3.8.2-0ubuntu1 and asked to perform several tasks. After analysing the results, here’s what they found:

  • Everyone understood most of the launcher items and the indicator icons, used Firefox to check their mail, launched LibreOffice Writer to write a letter, and found and opened an existing document.
  • Only about half the participants could easily rearrange the items in the launcher, figure out how to change the background wallpaper, and find and launch a game that was not present in the launcher.
  • A few participants thought that LibreOffice Calc was a calculator, and mistook the Me Menu icon for the close button.
  • Two people were asked to play MP3 songs from a USB key, but neither of them was able to accomplish the task.
  • Nobody understood what Ubuntu One was. (Ubuntu One is Canonical’s online data storage and file sync application.)

During this test, the participants found some unexpected bugs:

  • About half the participants crashed Ubuntu within an hour of testing, and double-clicking Applications or Files & Folders resulted in screen flicker with no other effect.
  • None of the participants were able to understand the intention of the Ubuntu button.

The user feedback was quite positive: most found Unity very nice and clean, and an easy way to get to their documents. Some of the participants did wish that the placement of some settings, and of a way to find out their hardware info, could be a lot more prominent.

What’re your thoughts on Unity? Do you like it? Or will you go back to classic Gnome? Do drop in a comment and let us know!


Extragram Brings A Great Web Interface to Instagram

Instagram, the current darling of the social-media-conscious photo sharing crowd, has had a great run with its iPhone app, with over a million people using the service. If there’s one thing missing from Instagram, however, it’s a decent web interface. Even when logged into Instagram, there’s no way to go through your posted images.

Recently, Instagram opened up its API in the hope that third-party developers would make use of it. Enter Extragram. Extragram aims to be the web front-end for Instagram, leveraging the Instagram API.

Extragram Homepage

Using Extragram doesn’t require a separate account; clicking on sign in takes you to sign in to your Instagram account. Heck, even if you don’t have an Instagram account, you can take a sneak peek at Extragram. Once logged in, you can browse through the images using the standard grid view, or using the excellent filmstrip view.

Extragram popular images view

Extragram Popular Images Filmstrip view

The default view is the popular images view, though you can also choose to browse through your friends’ pictures, or go on an ego trip and reminisce over your own images.

Extragram My Photos view

The map view is a nice touch, allowing you to search by area or city and then browse through some of the most popular images in that area.

Extragram Mapview

The great thing about Extragram is that you aren’t restricted to just browsing the images. Found a great image? Add it to your favorites or share it on Twitter or Facebook, among other services. Discovered a particularly creative photographer? Follow the person!

Comment from Extragram

With a slick UI, some great design and intuitive navigation, Extragram fills the void of a decent web client that was sorely missing from Instagram. If you’re an Instagram user, Extragram will definitely make you spend more time going through Instagram images. Even if you’re not an Instagram user, this site just might compel you to join Instagram. What’re your thoughts on Extragram? Do give it a spin and drop in a comment or two with your thoughts on it.