CounterMeasures - A Security Blog � web

ACTA, entrench & resist?

Rik Ferguson — Mon, 30 Jan 2012 17:03:09 +0000

It’s probably prudent to mention again that these blog posts represent strictly my own opinion, see my disclaimer here. In the security presentation game, we spend a lot of time talking about “bad actors”, today it has a somewhat different meaning.

The concerns with ACTA centre mostly around how the bill enforces liability on website for any links that point to disputed content and how ISPs may be obliged to dig deeper into their customers’ online activity. In the world of User Generated Content, the potential for any site to be forced to close down, in a Stalinesque way to become a “non-site” as it is obliterated from search results or even have its domain name seized, all as a result of the actions of its users, is seen as too great a threat to business online.

ACTA is in many senses the big brother of SOPA. SOPA would have had negligible effect outside of the US, as the proposed bill would only remove sites from the US visible part of the web (and even then there are plenty of ways around it). ACTA is proposed as a global “Agreement” which has been negotiated in closed-shops with only one side of the debate having been represented and no jurisdictional or democratic oversight. The closed shop appears to have been cynically and deliberately set up outside of existing structures such as the WTO perhaps to protect vested interests of large corporations and a subset, in fact a tiny minority, of governments.

Our business is not only about security, as far as I am concerned it is also about privacy and trust and this kind of legislation has a damaging effect on all three of those. Under ACTA, ISPs will become accountable for the actions of their subscribers and as such will have no option but to monitor the content that is being both posted and accessed by their customers. This represents a gross invasion of privacy and under much of the western world’s communications intercept laws is already currently at least a legal grey area, if not outright illegal. Under ACTA that same (as in SOPA) issue of sites that link to copyrighted content surfaces again with we sites facing similar risks and similar levels of accountability.

Under current copyright law (which itself should not be considered immutable) rights owners have the legal recourse to seek to defend their own property, however by the same token it should be recognised that “the internet” or even “that web site” does not fall under that definition. To propose legislation that would enable an entire site to be “disappeared” because of a link to copyright content is draconian in the extreme and undemocratic to boot.

The internet is not intellectual property, the internet is the crucible of modern innovation and in large part generated by “we the people”. US law, and many others besides, classify copyright as the right to revenue from the copying of original work in a fixed medium, the internet has surpassed this concept. If I link to a video you posted, in what sense am I “copying” and in what sense is that truly “tangible”? Is the rendering of a picture in my browser copying, or is it simply “display? How do we deal with the concepts of mash-ups, crowd-sourcing and social networks when antiquated laws must apply, and what happened to my freedom of expression?

Security is a much deeper concept that endpoints and data, security is my right to access and use the global resources available to me, unimpeded by the legal ramifications of the actions of other internet users. Legislation such as ACTA and SOPA would make this impossible. The mantra of online innovation should be adapt and survive, the mantra of rights holders is to often “entrench and resist”.

The only niche left for innovation & collaboration in an ACTA world is for ACTA compliance solutions that continually monitor your web properties for infringements (thereby monitoring also the content of any linked site as well) and remove any offending UGC promptly.

Polish Government under DDoS, Anonymous ACTA up again.

Rik Ferguson — Sun, 22 Jan 2012 22:54:55 +0000

Anonymous are again making headlines, as the majority of Polish government related web sites are taken offline in DDoS attacks over the weekend as a protest about an international agreement perceived as being cooked up in years of secret talks between governments and industry.

As the dust settles and the mutual back-slapping begins over the withdrawal of the SOPA bill in the US, an older and potentially uglier beast has once again reared its head in Europe. This particular beast is called ACTA (Anti-Counterfeiting Trade Agreement ) and you can certainly be forgiven if you haven’t heard of it before, even though it predates both SOPA and PIPA.

ACTA is what is known as a “plurilateral agreement” aimed at establishing international (not just US) standards on intellectual property rights enforcement. SOPA would have negligible effects outise of the US, but ACTA is a global agreement. It aims to create its own governing body outside of the existing World Trade Organisation, the World Intellectual Property Organisation and the United Nations. Preliminary talks began as far back as 2006 including Canada, the United States, Japan, the EU and Switzerland. Official negotiations began in 2008 with the addition of Australia, Mexico, Morocco, New Zealand, South Korea and Singapore. Alongside these national government representatives, an advisory body of large US-based corporations was involved, including the RIAA, the MPAA, International Intellectual Property Alliance and Pharmaceutical Research & Manufacturers of America.

The negotiations were classified as “Secret” in the US on the grounds that there was a risk of damage to national security. The process by which negotiations took place, without public scrutiny or judicial oversight and the way in which the details of ACTA only emerged as a series of leaks until a draft was eventually published in 201O, after the 8th round of negotiations, has attracted widespread criticism from academics and groups such as the EFF.

The major concerns regarding the actual content of the draft centre around a couple of important issues. Perceived infringement on communications privacy for Internet users, as ISPs are obliged to filter content in more depth as a result of their liability for the actions of their subscribers and an increase in liability for websites that link to copyrighted material (sound familiar?) . There has also been concern that the section dealing with border controls would authorise invasive searches of personal laptops or MP3 players in the search for copyright infringing material. It should be noted that EU legislation prohibits travellers from checks if the offending goods are not a part of “large-scale” traffic and US legislation amply demonstrates that unilateral implementation of invasive border searches is entirely to be expected.

So why Poland, and why today? Well, the government of the Donald Tusk made a surprise announcement ( two PDFs in Polish) on the 19th January that they would be signing ACTA one week later on the 26th, taking them down the road to ratification. Many Poles feel that this has been done without inclusion or open debate and without a mandate from the people. The strength of feeling is immediately visible in Twitter, with thousands of Poles making tweets of thanks to Anonymous for this initial and ongoing action. Even those not actively participating in the DDoS have contributed to the failures of multiple websites by attempting to access them in their browser to see if the site had been taken offline.

Whatever the rights and wrongs of the proposed agreement, it is certainly true to say that democracy is never served in secret, where the interests of only one side of the debate are represented. The Polish Minister for Administration and Digitalisation, Michal Boni has asked Prime Minister Donald Tusk to reconsider the decision before signing and a further meeting has been scheduled for the 24th Jan.

You can’t fight the power, but the power has shifted.

Rik Ferguson — Fri, 20 Jan 2012 11:04:35 +0000

One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (now available on scribd) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the estimated cost to copyright holders at more than $500 million USD, while themselves allegedly earning $175 million in advertising revenue. The maximum penalty for the offenders could total 50 years of jail time.

Search warrants were executed in nine countries and 18 domain names, including mega-upload.com, were seized along with associated servers.

This indictment, unsealed right in the middle of impassioned debate over SOPA and PIPA quickly aroused the wrath of the Internet community, particularly Anonymous who have been exhorting their supporters to participate in Distributed Denial of Service attacks against US government web sites including the Dept of Justice, the FBI, the Copy right Office and the RIAA and MPAA, who were successfully taken offline as a result.

Anonymous supporters have been using the Low Orbit Ion Cannon (previously detailed here) as well as a new technique of embedded JavaScript. Several web pages have been loaded with JavaScript and the simple act of rendering that page in a web browser will in most cases recruit the browsing computer to the DDoS attack. The attacks have attracted a high level of participation and public sympathy and quickly became a trending topic on Twitter under the #OpMegaupload hashtag.

Akamai’s Real-time Web Monitor is currently showing attack traffic online at more than 24% above normal, giving some idea of the scope and geographic spread of public sympathy.

Whatever your views on online file sharing, there is no denying that this is an issue urgently in need of a solution. Consumers, artists and corporations seem to have devised workable methods in the music industry. A return to the generation of income through live performance has reinvigorated the music scene in many countries and cites. Artists have harnessed the power of the Internet for a direct sales model that bypasses the increasingly archaic music industry and online music stores have evolved to facilitate this, with the participation of the corporations, providing music at reasonable cost. It could even be argued that the new iTunes Match service represents the capitulation of the music industry to the new reality of illegal downloads. This model is beginning to be repeated in the printed world too.

In the early 1900′s music publishers decried the arrival of the “player piano” as a threat to their way of life, when I was a kid, every record bore the legend “Home taping is killing music“, Hollywood was scared to death at the advent of the VCR…

The simple truth is, technology ever advances and with it come new opportunities. Many consumers are taking advantage of those opportunities to access copyrighted material quickly, easily and cheaply (or for free). It is only by facilitating that behaviour backed by a forward-looking business model that the traditional industry can hope to survive into the future.

It’s true that you can’t fight the power, but the power has shifted.

PayPal’s Destructive Dispute Resolution

Rik Ferguson — Wed, 04 Jan 2012 16:31:51 +0000

Destroyed violin image courtesy of Regretsy

While paying a visit to the fantastically disturbing Regretsy site today I couldn’t help but be amazed by the sorry tale that was submitted by a regular visitor to the site.

A lady by the name of Erica relates in her email how she had sold ”an old French violin” (in her words a pre-World War II violin) to a buyer in Canada and accepted payment for the item through PayPal. The payment in question was for the not inconsiderable sum of $2500.

Unfortunately the buyer was not happy with the authenticity of the violin, raising a dispute over the label (the paper sticker inside the violin identifying the luthier that supposedly crafted the instrument). Labels in the violin world are notoriously unreliable and have been faked for centuries, in fact it was a common “marketing” practice in the Victorian era to attach fake Stradivarius labels to contemporary violins because they were “made in the style of”… The consensus of opinion in the murky world of violin sales seems to be that a label is only the starting point for the valuation of an instrument and that for any truly reliable opinion, a specialist instrument valuer should be consulted.

Of course it is the buyer’s prerogative to raise a dispute through the official PayPal process if they feel that they have been deceived into buying counterfeit goods and, not having seen the original advertisement for sale, it would be impossible to form an opinion on that. What really stopped me in my tracks though, were the instructions the buyer received from PayPal in order to qualify for a refund.

Rather than have the violin returned to the seller, PayPal reportedly instructed the buyer that he must destroy the violin and provide evidence of its destruction in order to get his $2500 refunded. This all apparently happened without the involvement of any independent verification and resulted in the photograph you see in this post.

This process is all detailed in the Dispute Resolution terms and conditions on the PayPal site “If you lose a Significantly Not as Described Claim because the item you sold is counterfeit, you will be required to provide a full refund to the buyer and you will not receive the item back (it may be destroyed).” All decisions are at PayPal’s discretion and are final “based on any criteria PayPal deems appropriate“.

One very upset violin seller and a destroyed violin, is only a part of the issue here. PayPal’s dispute resolution process in the format described above leaves itself wide open for abuse. Let’s say I fancy myself a nice designer label watch or handbag (for someone else, you understand) but I can’t afford the real thing, what can I do? Well I could always go and see my friendly street corner counterfeit Rolex or Gucci salesperson and pick one up nice and cheap, then go online and buy the real thing. When it arrives I simply show the counterfeit as proof that I was deceived, provide evidence of its destruction, get my money back and keep my nice shiny new purchase.

When the purchase is only a few pounds, euros or dollars this is of relatively minor importance but when we are talking about antiques or designer goods, the sums involved can rapidly escalate and so can the risk.

With online purchases, it’s not just caveat emptor but caveat venditor as well. If you are selling expensive items online it is advisable to collect as much evidence as you can of the authenticity and condition of the item in question prior to shipment. Make sure you share this evidence with your buyer and keep a record of all communications. On the buyer side, make sure you fully satisfy yourself of the true nature of the item you are purchasing before parting with any cash. Both parties may wish to consider using a reputable escrow service where the cash is held by a trusted third party until both buyer and seller are satisfied.

Obviously the PayPal story as told by Erica is only one side of a two-sided story, there is no mention for example of whether the buyer intially directly asked the seller for a refund, but for PayPal to have chosen to instruct the buyer to destroy the very item that was in dispute seems short-sighted in the extreme and that’s without having to consider the wanton destruction of a beautiful musical instrument.

’tis the season to be squatting

Rik Ferguson — Wed, 14 Dec 2011 16:06:36 +0000

In the run up to Christmas criminals are abusing the opportunity to prey on online shoppers with tired eyes and weary fingers. Many thousands of misspelled versions of popular retail destinations have been registered by criminals in the hope that the unwary consumer will land there by accident. Customers of popular online retailers such as John Lewis, Debenhams and Argos have all been targeted.

Image from Joe Shlabotnik's Flickr stream under creative commons

The criminal websites are often copies of the legitimate website, copies that aim to pass off counterfeit goods, redirect the visitor through money-spinning advertising links or to harvest personal and financial information if a “purchase” is made. In other instances the misspelled domain names can lead to objectionable content or even to websites loaded with exploits that aim to infect the victim machine with information stealing malware or to recruit it into a botnet, a network of compromised machines under the remote control of a criminal.

Typosquatting has been around almost as long as the world-wide web, in fact US legislation dating back to 1999, the Anticybersquatting Consumer Protection Act, contains a specific clause (Section 3a) aimed at combatting this phenomenon. In the past individual companies have been known to spend large amounts of money in bringing cybersquatters to justice. Lego, for example, have previously spent more than half a million US dollars pursuing cybersquatters through the Uniform Domain-Name Dispute-Resolution Policy (UDRP) going after such domain names as legoworskhop.com in and effort to protect their brand.

However in this most recent outbreak of typosquatting, we are not talking about domain names which simply include the names of well-known brands, rather those that prey on our lack of attention to detail. In the rush to get the online Christmas shopping done, how sure can you really be that you were shopping at the legitimate debenhams.com rather than the typosquatted debanhams.com, or marksandspencer.com rather than marsandspencer.com or markandspencer.com (I would recommend *not* visiting these by the way.

This year and last, British law enforcement have been doing their best to crack down on dodgy online shopfronts, however efforts to suspend illegitimate domain names can only ever represent a game of whac-a-mole in the fight against evil online traders. Criminals can register vast reserves of domain names in advance and, when one gets shut down, simply activate another as required.

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet

“We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

1. 4.4.1 .co.uk; or

2. 4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters”

Until regulation is tightened and international cooperation is improved then well-intentioned law-enforcement initiatives will only be treating the symptom not addressing the cause.

In the meantime, be careful where you click and if you are planning on some serious online shopping sessions you may be wise to create yourself some bookmarks to popular online shopping sites rather than relying on your typing skills standing up to the Christmas rush.

On that note here are 5 great tips for shopping safely online from Trend Labs.

Verified by Visa?

Rik Ferguson — Thu, 01 Dec 2011 15:18:43 +0000

used under creative commons from johnsnape's Flickr

In 2001 Visa introduced a security protocol they called 3DS, short for 3 Domain Secure in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system “Verified by Visa“, “MasterCard Secure Code“, “J/Secure” (JCB International) and “SafeKey” (American Express). the trouble is that 3DS doesn’t really present any barrier at all, to even the average fraudster, at least in the way that is is implemented by card issuers that I tested.

In the FAQ published by Visa they say “Verified by Visa protects your card against unauthorised transactions, giving you complete confidence when shopping online“. Later in the same FAQ they also state “If you forget your password you can easily reset it” and therein lies the problem. The following relates to implementations by the credit card issuers I was able to test, not necessarily to the entire 3DS system.

The problem stems from a very basic design flaw. If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…

What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.

The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitmate account holder, let’s have a look at that “Identification” phase.

Second step in password reset

Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.

So what should be improved? There’s nothing new or amazing here, just some really basic steps that need to be incorporated into the process.

Upon enrolling in the system, cardholders should be requested to set a “Secret question” which will later serve as authentication data for a passsword change.

Instead of simply clicking through to the reset screen, a one time password reset URL should be delivered to a registered email address.

Whever a change to the account details is requested, or is succesful, the registered email address should receive a notification message.

Oh, one more thing, it would be really great if I could use special characters in my password, please.

The mobile threat: FUD or MUD

Rik Ferguson — Mon, 21 Nov 2011 13:38:21 +0000

Preface: This blog is not about open source vs closed, it’s also not about Android vs iOS or any other mobile operating system. It’s about criminals vs people, it’s about hype and reality and it’s about knee-jerk self-preservation vs openness and consideration.

Last Wednesday, Chris DiBona (Open Source Programs Manager at Google Inc.) made a post on his Google+ profile hitting out at claims about “open source being inherently insecure’ and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market“.

While Chris does make some reasonable points regarding the comparative resilience and security of open source code, I can’t help but feel that he is wilfully missing the point when it comes to the current threat landscape that confronts smartphone users today. I’ll deal with the points I disagree with in the same sequence that Chris raises them:

1 – “All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.”

Yes Chris, the major vendors all distribute apps based on the Marketplace or App Store model. One or more rogue or plain malicious apps have been discovered in most of those distribution channels and some of them get removed. Some of them even get removed in a timely fashion. Perhaps this is where some of the criticism based on “openness” has been misunderstood. As far as I am concerned, the problem pertinent to Android is not that the OS itself is open source, like I said you made some valid points about that, but that the app distribution mechanism is entirely open. Android embraces the concept of multiple third party marketplaces in addition to the “official” marketplace, even in the “official” marketplace there is no upfront vetting of code or functionality. Couple that with the undeniable and deserved popularity of the platform, it is no surprise that criminals are already actively exploiting an opportunity here. It’s not the open source, it’s the openness of the source.

2 – “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”

Well now, this seems to be plainly stating that there is no malware problem for the popular mobile platforms. The weight of evidence (not to mention criminal intent) would seem to be heavily against you here Chris and Android itself seems to be the target of choice. TrendLabs for example have documented a 1410% increase in Android malware in the period January to July 2011. Let me be very clear. I am well aware that this rate of increase is starting from a low base, those four figure increases are not as shocking as they may at first appear. In raw numbers the total amount of malware is of course orders of magnitude lower than for example the Wintel platform. However the more important figure is not the total number of malware, but the rate of increase of that malware quarter on quarter and year on year. That demonstrates current, active and sustained criminal interest in the mobile platform. It’s not complicated, criminals follow consumers; always have, always will.

3 – “If you read an analyst report about ‘viruses’ infecting ios, android or rim, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence. If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans. ”

I think the figures referenced above and the litany of mobile woe researched and documented by TrendLabs here speak for themselves. This clinging desperately to the term “virus” in a last ditch attempt to demonstrate that a platform is free of malware is exactly the same language I have heard from MacOS enthusiasts (I am one before you flame me) who have been historically unwilling to admit that now the criminals are after them as well. It may well be that there are no viruses in the strictest definition of the term Chris, where do you stand on criminal malware for mobile devices?

4 – “Please note: Policy engines, and those tools that manage devices from an corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on ‘virus’ protection. That part is a lie, tell your vendor to cut it out.”

So we agree that security of mobile devices extends far beyond the threat from malware. Of course there is loss, theft, inappropriate access, device tracking, web-based threats through social networking or phishing for example and many other areas to consider (by the way this is important for the consumer too) but advising your users to request that vendors remove functionality designed to detect malicious software? Well I guess that’s one way to make a platform appear malware free…

Am I ashamed of myself? Not at all. I’d prefer to offer protection against a growing threat to personal and business security than to bury my head in the sand and defend my stance with wild accusation.

Your post very much accuses security vendors of FUD, sowing Fear, Uncertainty and Doubt. I hope I have demonstrated that is very much not the case. Maybe your outburst was more a case of MUD? Myopic Unalloyed Denial.

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Over 10,000 Facebook account details hacked and published

Rik Ferguson — Tue, 18 Oct 2011 12:02:51 +0000

An update to this investigation is available here.
_____________________________________________________________________________________________________
A hacking group calling themselves “Team Swastika” have published what they claim to be the usernames and passwords for over ten thousand Facebook accounts on Pastebin, an online service for sharing large quantities of text data online. It should be noted that the PR agency for Facebook in the UK gave me the following statement, “This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of e-mail and password combinations that are not associated with any live Facebook accounts“.

Team Swastika are a new arrival on the hacking scene, having announced their “launch” only six days ago. although they have only one tweet to their name they have already caused concern by publishing database tables and user credentials stolen from the websites of the Indian Embassy in Nepal and the Government of Bhutan, apparently by SQL injection attack.

This latest publication of what they claim to be more than ten thousand Facebook user credentials is without context and with no indication of the means by which they were stolen. The posts themselves have already been removed by Pastebin but I managed to get a look at them before this happened…

Stolen credentials for Facebook accounts

The compromised user accounts come from all over the globe, and a quick glance through the list of associated passwords shows that the majority of affected users are not using complex passwords, with many being simply a derivation of the user name, a favourite football club or a short numerical password.

The ongoing effect of such a large scale compromise can be disastrous for affected users, particularly if the password is shared for multiple accounts. It can lead to compromise of the victim’s email account which can act as the skeleton key for many other online services, as any password reset procedure will normally pass through the account owner’s email inbox for verification. regaining control of a compromised account can be a costly and time consuming process, as this recent victim explains.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

I have not verified if the credentials as posted are legitimate, for reasons of privacy, but have passed the full list of affected accounts on to Facebook security so that they can warn and protect their users.

Sony (not) hacked

Rik Ferguson — Wed, 12 Oct 2011 13:45:25 +0000

Enter your password

News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as “another hack” or “Sony hacked again“. However, according to a blog post from Sony’s SVP and Chief Information Security Officer, that simply isn’t the case.

The attack against PSN accounts belonging to Sony subscribers went like this… Person or persons unknown, built or obtained a database of username and password pairs which they attempted to use to log into the PSN and SOE. The “overwhelming majority” of access attempts using these pairs of credentials failed, in fact less than 0.1% were successful. For this reason Sony suspect that the credentials used were not stolen from Sony directly, either now or in past intrusions. The database in question was most probably email and password pairs that have been obtained elsewhere but were being used in a brute force attack against Sony, in the knowledge that users have the unfortunate habit of reusing passwords across multiple services.

When Sony detected this irregular activity against its servers it immediately locked out all of the affected accounts and is informing the affected users that they need to change their passwords. Only a small fraction of that 0.1% showed evidence of irregular activity before Sony locked them down, meaning that the damage was successfully contained.

In reality this story should not be characterised as a failure over at Sony, but rather a success. Through their own monitoring systems they detected anomalous behaviour, acted quickly to contain the damage and locked out the accounts affected. They are also obliging the affected users to change their service passwords to better secure themselves in the future. Of course given the past intrusion at Sony, there is every possibility that the data does relate to that stolen from Sony earlier but also indicates that the mass password reset policy it instituted after the event served to render the majority of that data unusable.

After all it is not, as Sony have learned to their cost, whether you get attacked that is important, it’s how you deal with it. The lesson for Sony customers is not that Sony hasn’t learned lessons, it is rather that we as users still have some important lessons to learn.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.