Archive for April, 2011

Breaking News!

Posted: April 27, 2011 in Uncategorized

Needless to say, it’s not breaking news at all.

This just in from Reuters, about Sony: "The electronics conglomerate is the latest Japanese company to come under fire for not disclosing bad news quickly."

Turns out they are now calling it a breach. It has moved beyond an 'external intrusion.' To quote Reuters, "Sony learned that user information had been stolen from its PlayStation Network seven days ago, prompting it to shut down the network immediately. But Sony did not tell the public until Tuesday." Say what? They learned of the theft of user data, including the credit cards of 77 million users, and are only now admitting it? It could already have been assumed. I posted a few days ago that this was very likely the case.

No one in the security industry is surprised that this has happened. You would think that a company the size of Sony would have better defenses. In reality, that size just means there are that many more potential weak spots.

None of the information in this news story is any surprise to me. I am not surprised they were hacked. I am not surprised it was of that magnitude. I am not even surprised they have tried to keep it hush-hush. Consumers need to better educate themselves about these risks. The companies need to take more responsibility for their actions. Let us hope that this is a learning experience for all involved, and even for those who are just on the sidelines watching. My fear is that the various parties will have learned naught, and within the coming weeks, months, and years it will simply happen again, there or somewhere else.

In addition, on the website they are now advising customers to check their credit reports and the like, to ensure that data hasn't been misused and that mysterious charges do not show up on credit cards. I applaud their efforts to communicate. I think they are a bit late. By now, it seems, the whole world is aware of the situation.


My PS3 is broken

Posted: April 24, 2011 in Uncategorized

No, it's not broken. But I was just on the phone with my son over at his mom's house. He said the PlayStation Network was down. I went to check for myself.

A quote from their website: "An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience."

An external intrusion. Interesting choice of phrasing. Is that corporate doublespeak for "they got hacked"? External intrusion. Someone not belonging to this company has managed to acquire access to our networks. External intrusion. All your data are belong to them.

It would make much more sense, when dealing with the gaming community, to just come right out and say "WE GOT PWNED!"

That would be more honest. It would be more logical. It wouldn't try to wrap itself in some corporate dogma in an attempt to make it seem like a lesser deal. Yes, the implication is that someone has customer data. Someone could perhaps try to download thousands of Netflix videos and bill them to me. Oh wait, I don't have any funds in my PlayStation Store account at the moment. OK, I am safe. But you might want to inform those that do. Whatever the case may be, "external intrusion" doesn't sound like a true representation.

It sounds like they are trying to pretend to be Doogie Howser, M.D. and use big vocabulary words that their high-school-age friend(s) won't understand, in an effort to make themselves feel 'superior.' Sorry guys, I know this is Sony, but these are gamers (and movie buyers, et al.); they can handle it. Face it. Yes, we the PS3 owners of the world will wait while you fix it. We have no choice. But call it what it is.


The Open Society

Posted: April 22, 2011 in Security

I have been just as guilty of this as anyone: posting something on FB and not realizing the repercussions.

However, it has come to my attention recently that sites such as FB create risks far above and beyond what data a particular app may be storing about you and who might have access to that data.

It is worse than that. So much worse. I'd like to tell you a little bit about what I have learned over the past few weeks. It may cause you to cull your friends list down to people that you actually know, not just those who invite you to be their 'friends' in 'Farmville.'

Hackers and identity thieves are using Facebook. They are harvesting data and using it in ways that many cannot, or could not, foresee. Individuals are being socially engineered by some very crafty folk who can be a bit sneaky.

Firstly, having your phone number or address on FB is just bad. It makes no realistic sense to have it listed there. Secondly, posting where you are RIGHT NOW from your BlackBerry or other smartphone is at times tacky, at times a bit snarky and show-offy, and downright risky. Great, you aren't home! Guess what: Mr. Thief now knows where you live and that you are somewhere else. Perhaps far enough away that, with traffic, it will be at least a couple of hours before you could be home.

But wait, only my friends can see that. I trust them. It is no big deal. I recently culled my friends list. I know many other people are doing the same. Perhaps you accepted a friend request from someone who plays MW. You have no real idea who that person is. Maybe you checked out their FB profile. They appear to be an interesting person. It says they live a couple of hundred miles away; maybe they do, maybe they don't. The honest truth is that you know ZERO about that person. Perhaps they are a friend of a friend, in which case you can at least have third-party knowledge about them and their character. Let us hope so.

I know of a few incidents where individuals were victims of some interesting social engineering. Do a search for Robin Sage. Read the newspaper articles about it. Perhaps watch the DEF CON or Black Hat videos from the person who perpetrated this experiment and why he did it. You will have a whole new appreciation for vetting your digital friends.

And in none of this have I even mentioned giving your boyfriend, girlfriend, significant other, etc. access to your FB page: handing them your password, and then being amazed when, as the result of a bad break-up or argument, your FB page is defaced or you suddenly have tons of 'friends' that you don't even know. Ouch.

As time passes, and more and more potential employers perform the very same character research that many of you are already doing, some of the things posted on that FB page are going to come back to haunt the individual. Many of us, and I include myself, immediately upon meeting someone, or shortly thereafter, go check whether that person has a FB page. We do our own reconnaissance of the person to see whether the things they like or do are similar to or in contrast with our own. Is this really a person that I might want to be friends with? Employers and other individuals do the same. We all want to share. FB and similar sites allow us to do so. I suppose blogging is no different. In the end, recognizing the risks and performing our own due diligence is the only logical course to pursue.

Security in a Hectic World

Posted: April 22, 2011 in Security

As part of my continuing education, it has come to my attention that maintaining an industry-related blog will count toward Continuing Education credit with CompTIA. This is not of utmost importance at the moment, but why procrastinate? The thing to do is start now.

I have recently given speeches for one of my classes regarding password usage; the fact that email isn't safe and that if something is digital it probably still sits on someone's file server somewhere; and the purely relative protection provided by antivirus and anti-malware software, albeit better than none at all.

I have probably viewed over 40 hours of conference footage within the past couple weeks. I have been amazed by the material provided by great individuals such as Fyodor, Adrian Crenshaw, Dave Kennedy and others.

In the wake of competing in the state CCDC competition and finishing runner-up, I have taken it upon myself to learn as much about information security as I can possibly fit into the hours in the day and what space remains between my ears.

I welcome any readers to this blog and hope to hear from those interested in the field about any materials they think may be of assistance. For those not in the field, don't hesitate to ask questions; if I don't have the answers, I will endeavor to help you find them so we both learn.

Good day.