HUGE ALERT TO ALL THOSE READING THIS: If you use one password on all services online then stop reading this post and go change ALL of those passwords. Done? Okay, good. Read on.
Here is the bad news: your Credit Card information has probably been stolen. Here is the extremely bad news: the hackers also know where you live and your phone number, as well as the password that you use on most of your services (if you are the one password is enough for a bajillion accounts I am very secure!kind of person). Here’s the gist:-
What they have stolen:-
- Email Addresses
- PSN ID/Password
- Probably Your Trophies As Well
What they might have stolen:-
- Purchase History
- Credit Card numbers used for purchase
- Security question on your PSN account (which is usually the same across many platforms, so change this one too)
If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.
How did the hackers obtain your password in the first place?
Why, it was in plaintext, my good man!
<user2> sent as plaintext
<user3> did you censor that card?
<user2> ya its fake
<user1> wow, plaintext :S
<user5> plaintext wow
<user3> im never putting in my details like that
<user2> ya is all fake lol
<user2> i never used cc on ps3
<user2> normally you ATLEAST enccrypt the securtity code, even if its ssl
As the entire chat log of the hackers while they were penetrating the PlayStation Network shows at one point of time, I really cannot believe that a network that puts so much Digital Rights Management (DRM) protection on every game manages to store passwords without any kind of encryption. Thoroughly unbelievable. It is going to take a lot of coaxing from them for me to get back to the network. Thoroughly disgusting and outrageous.
The United States Government’s National Security Agency (aka the where-privacy-goes-to-die agency) is apparently building a new supercomputer called the for its High Performance Computing Centre. The supercomputer will cost about $895.6 million, as revealed by unclassified documents. The supercomputer is to be built at the headquarters of the agency in Fort Meade, Md. and is slated for completion by 2015.
The NSA is a surveillance organization (to use a nonspecific and broad generalization) that has been operating since 1952 and is responsible for the decryption of foreign intelligence and the safeguarding and encryption of USA’s domestic signals. The agency has a history of using supercomputers, starting with the purchase and use of one of the first Cray supercomputers (The Cray X-MP/24) which is now decommissioned and is on display at the National Cryptologic Museum.
While exactly how large this computer that the NSA is building is unknown, it is very likely that the computer will be able to perform at 1 exaFLOP. A FLOP, or FLoating point OPerations per Second is a measure of how fast a computer is. It is basically the number of floating point calculations performed in unit time by the computer. A simple hand-held calculator is about 10 FLOPS on an average to show instantaneous results.
An exaFLOP is 10 followed by 18 zeroes (10^18)
In comparison, the combined computing power of the top 500 supercomputers in the world is about 32.4 petaFLOPS (32.4 x 10^15). That is, the new supercomputer being constructed by the NSA is about 31 times faster than the top 500 supercomputers in the world taken together.
However, all this is still speculation, garnered by the power requirements for the new computer about 60 megaWatts. The calculation is based on the Sequoia BlueGene/Q IBM supercomputer that is also under production that needs performs around 20 petaFLOPS and needs 6 megaWatts of power.
Of course, the NSA needs more computing power to sift through all the emails, phone calls and messages we send each day, right?
Over the past couple of years or so, I have used Microsoft Security Essentials as my only virus and malware protection tool. The Free Antivirus tool from Microsoft is definitely worth installing on your PC.
If you are someone who does not like to install Antivirus on your PC or just want to check whether your current Antivirus is really working well, a new tool from Microsoft will come in handy.
Microsoft Safety Scanner is a free security software from Microsoft which provides users with on-demand scanning while allowing users to remove viruses, spywares, Trojans and another malicious software from their PC. Safety Scanner works along with your current Antivirus software, so you don’t have to uninstall your current AV protection to use it.
One of the bad things about Microsoft Safety Scanner is that it expires every 10 days. Users will have to download a new version to scan your system every ten days which could be annoying considering that it is around 70MB in size. A simple definition update should be added so that users don’t have to download new versions every 10 days.
Users must also note that unlike traditional Antivirus systems the Safety Scanner does not provide continuous protection and should not be used as a replacement for traditional Antivirus software. Microsoft Security Scanner should only be used to additionally scan your PC. If you intend to replace your current Antivirus you might check out our Free Antivirus section to find a suitable alternative.
Additionally, you may also want to read the following articles related to Online Security:
Download Microsoft Safety Scanner
I have come to love Evernote as a note-taking and idea collecting software. I have used it extensively for the past couple of years or more to store bits and pieces of information that has come in handy all through these years.
I always had a problem with storing sensitive information in Evernote, because of the lack of security/password protection in the app. For example, if you login to the Evernote app and leave it open, anyone who has access to your PC or mobile device can view the notes and get access to your sensitive information.
In fact, anyone who has access to the local database storage file on your PC will be able to view those notes on another PC or installation. This is a scary proposition considering how much losing sensitive information could affect you.
Luckily, Evernote provides users with a very handy feature that allows them to encrypt part of their notes. Users can use it to encrypt sensitive text in their notes (It only works with text). To encrypt your notes in Evernote, follow the steps given below.
Whenever you install an app on your Android or iOS device, you are entering into an agreement to allow a certain level of control on your phone and its data. However, people hardly care about the implications and seemingly, neither do app manufacturers anymore.
Veracode is an independent security firm investigating into privacy of Android apps and Pandora has emerged as the new culprit of data leakage. Pandora sends a massive amount of personal information including your GPS data, device ID, connection ID, Device brand, model, birth date and gender back to ad servers. That is some serious breach of privacy and Pandora has declined to comment on this at all.
The folks over at Veracode have expressed their concern by saying,
In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person’s life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.
Pandora might argue that the data collected through this process is used to serve personalized content but sending it to advertisement servers is not something the users opt-in for.
The WordPress team has released a new update to WordPress 3.1 which contains several security fixes in the code. WordPress 3.1.1 fixes almost thirty issues in WordPress 3.1.
The new security patches were discovered by WordPress core developers and hardens CSRF prevention in the media uploader. It also adds a patch to avoid a PHP crash in certain environments because of links in comments. The third big patch fixes an XSS flaw in the code.
There are also several other performance improvements and fixes for IIS6 support, fixes for taxonomy and PATHINFO permalinks and fixes for various other query and taxonomy issues caused by plugin compatibility.
I highly recommend that you update your WordPress installation to WordPress 3.1.1 to avoid being affected by these security loopholes.
Vulnerability disclosure is a method of publishing information about a problem, often related to computer security which if gone unreported can result in serious consequences. One of the contentions involving disclosure is often up to what amount of information need to be disclosed. Too little information might result in the disclosure being brushed off, and too much disclosure gives people willing to exploit the vulnerability a head start in causing some serious damage with it.
Vulnerability Arbitration(Vulnarb.com) is a neat concept by Zed Shaw which aims in helping security researches, consumers, and the affected companies deal with security vulnerabilities in a timely and a responsible manner.
- Security researchers to disclose the vulnerabilities that they found in a responsible way
- Consumers get to know which products are affected, but not know what the vulnerability is
- Incentive for companies to fix security holes
The concept with Vulnarb is to use a site’s public SSL certificate and a generated random key to encrypt the vulnerability disclosure. The affected company can then use their private SSL certificate to decrypt the encrypted message and act upon it. Once the vulnerability has been fixed, the company can then publish the decrypted disclosure indicating that it has been fixed or indicate that the disclosure is incorrect.
For the time being, Zed has indicated this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about this.
Epsilon, a marketing firm acquired by Alliance Data which handles loyalty marketing of several big brands, was hit by a security breach. This security breach resulted in infiltration of their email systems. Epsilon maintains that only a subset of their user data was harvested and as of now, only the email address and usernames were gathered.
Security Now which initially reported that only Kroger, United States’ largest traditional grocer was hit, now has confirmed that several big brands were also affected. Some of the brands hit include
- Home Shopping Network
- JP Morgan Chase
- Marriott Rewards
- McKinsey & Company
- New York & Company
- Ritz-Carlton Rewards
- The College Board
- US Bank
Epsilon’s assessment has determined that no other personally identifiable information is at risk and are currently investigating the matter.
Citi tweeted about the breach with a link to the message on Citi’s site, calling upon users to be careful about phishing scams via email.
TiVO has also issued a public interest message, maintaining that no Credit Card details and other such personally identifiable information was available to Epsilon and as such, such data is safe.
While it might be conceived that customer names and email address harvesting does not pose much of threat, such data in the hands of spammers is likely to result in a much more personalized phishing attack attempts.
To be safe from phishing, never click on links or open email attachments from unknown sources. Remember: No one will ever ask to confirm your password/Credit Card details by entering them in a webpage!
The European Union has faced a massive cyber-attack, of a scale so high, that it has asked members to change their passwords, and has shut all access to their intranet and the email-servers. This sounds like a breach has already taken place and the EU was unable to prevent it. Disconnecting their computers from the network was the only probably solution.
The European Union was about to discuss critical strategies on the current war in Libya besides other discussions.
Antony Gravili, the spokesperson for the inter-institutional relations and administration commissioner, told the BBC News,
We are already taking urgent measures to tackle this. An inquiry’s been launched. This isn’t unusual as the commission is frequently targeted.
The attacks are speculated to have a link to the attack on the French foreign-ministry where files related to the G20 summit were attacked. There is no word yet on whether any computers are affected or not. However, a prompt shutdown has indeed been successful in mitigating some of the risk. The EU has also taken additional precaution in asking users to renew their login credentials.
There has been an alarming increase of attacks on the government in recent months. EU has already issued an investigation and the findings of the investigation will reveal some interesting data.
Earlier in the week, we reported that Internet Explorer (running on Windows 7) and Safari (running on Snow Leopard) had been hacked almost instantaneously on the first day of pwn2own, an annual hackfest. Google’s Chrome browser made it through as the sole participant who had registered to take a crack at Chrome failed to turn up.
The following days of the competition witnessed Firefox web browser, and Android and Windows Phone 7 mobile operating systems survive pwn2own 2011 in a similar manner as contestants either failed to turn up or withdrew.
On the other hand, Apple’s poor show in the competition continued with the legendary Charlie Miller succeeding in bypassing iPhone’s defense by exploiting a bug present in Mobile Safari.
RIM’s Blackberry OS, which was tested next, also fell quite easily. Once again, a flaw in its Webkit based browser was the culprit. The team made up of Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann targeted the browser as unlike RIM’s operating system, WebKit is well documented and well known.
Meanwhile, after examining the vulnerabilities exploited by Stephen Fewer to hack Internet Explorer 8, Microsoft has stated that they have already fixed the concerned vulnerability in Internet Explorer 9. It didn’t however explain why older versions of internet explorer were yet to be patched, and when, if at all, they will be patched. All the exploits used in the competition are properties of TippingPoint ZDI, which passes them on to the concerned vendors, and provides them six months to fix the issue.