Category Archives: Internet crime

Sony should fire their senior management

Clarification: this attack affected Sony Pictures Entertainment, which is a subsidiary of Sony. As far as we know, the attack did not affect any other parts of Sony.

By now you’ve almost certainly heard about the massive, comprehensive breach of all Sony’s computer systems.

It’s now clear that the attackers gained access months (if not years) ago, and took their time expanding their reach until they had access to almost every system and server controlled by Sony. The attackers then downloaded massive amounts of data from Sony systems, including unreleased films, personal data about employees, internal (and in some cases extremely embarrassing) emails, and so on. The final step for the attackers was to wipe hard drives. That’s the point at which Sony finally learned that their systems had been hacked, tipped off by someone who doesn’t even work for Sony.

At this point it’s difficult to estimate the damage, but Sony will be feeling the effects for years to come.

Incredibly, this isn’t the first time Sony has been hacked. In fact, they’ve been hacked as many as 56 times in the last decade or so. Each time this happened, Sony had an opportunity – and a serious responsibility – to improve their security. Instead, as is clearly evident from the details of this most recent attack, Sony has done little or nothing to beef up its security.

Still, one can almost feel some sympathy toward Sony. That is, until you look at what Sony is doing about the latest attack. In a move that only the most clueless corporate lawyer would recommend, Sony is now threatening anyone who reports on this attack, including noted security writer Brian Krebs.

Worse still, there are reports that Sony is performing DDoS attacks against sites that host information taken from Sony systems. If true, this is a mind-bogglingly short-sighted move.

Dear Mr. Sony: you should now fire all your senior management. I’m not kidding. These people have hurt you – and will continue to hurt you – more than they can possibly help. Time to cut your losses.

Update 2014Dec20: Ars Technica has more.

Update 2014Dec23: Bruce Schneier’s post about this is recommended reading. He looks at some of the ridiculous reactions to this attack and presents a sensible overview of what we really know.

The problem with Tor

Tor is a collection of software that allows its users to access Internet-based resources anonymously. There are a lot of legitimate reasons why a person might want to remain anonymous on the ‘net. Unfortunately, Tor (as well as other proxy and anonymizing services) also allows unscrupulous persons to hide their illegal activities. A recent study shows that a large proportion of attacks against banking sites arrived via Tor.

As a result, major web sites are increasingly blocking access from Tor nodes, in the hope that this will reduce the overall amount of access by those seeking to do damage or obtain private information. The problem is that Tor users with no evil intent are then also prevented from using such sites.

The Tor developers are aware of this problem, and are working to keep Tor relevant by working with site owners to find ways to prevent improper access without blocking Tor completely.

So far there doesn’t appear to be a good, long-term solution to this problem. However, it may be useful to recognize that Tor is just a tool, and like all other tools, it can be used for good, evil, or anything in between. A better approach to security than wholesale blocking is to improve security on the host.
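One concrete form of “improving security on the host” rather than blocking Tor outright is to treat a Tor exit address as a risk signal: read-only pages stay open to everyone, while state-changing actions from an exit node require a second factor, and a host-side signal (repeated failed logins) blocks an address regardless of how it connects. The code below is an added example, not part of the original post or any Tor Project tooling. The exit-node addresses, the access-log lines and the `FAILED_LOGIN_LIMIT` threshold are all constructed; a real deployment would load the current exit list published by the Tor Project and tune the threshold for its own traffic.

```python
"""Risk-based handling of requests from Tor exit nodes instead of wholesale blocking."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample exit-node list (assumption: the real list is loaded and
# refreshed elsewhere from the Tor Project's published data).
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.7")}

# Paths that change state or expose private data get stronger checks than
# anonymous read-only pages.
SENSITIVE_PATHS = {"/login", "/transfer", "/settings"}
FAILED_LOGIN_LIMIT = 3  # assumption: tune per site

# Constructed access-log lines in a minimal "ip "METHOD path" status" layout.
SAMPLE_LOG = [
    '203.0.113.10 "GET /rates" 200',
    '203.0.113.10 "POST /login" 401',
    '198.51.100.7 "POST /login" 401',
    '198.51.100.7 "POST /login" 401',
    '198.51.100.7 "POST /login" 401',
    '192.0.2.55 "POST /transfer" 200',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')


@dataclass(frozen=True)
class Decision:
    allow: bool
    step_up: bool  # ask for a second factor before completing the action
    reason: str


def parse_log(lines):
    """Yield (ip, method, path, status) tuples from the constructed log lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield (ipaddress.ip_address(m["ip"]), m["method"], m["path"], int(m["status"]))


def failed_logins_by_ip(events):
    """Count 401 responses to POST /login per client address (a host-side signal)."""
    counts = Counter()
    for ip, method, path, status in events:
        if method == "POST" and path == "/login" and status == 401:
            counts[ip] += 1
    return counts


def decide(ip_str, method, path, failed_logins):
    """Policy: block on host-side abuse signals; step up, rather than block, Tor users."""
    ip = ipaddress.ip_address(ip_str)
    via_tor = ip in TOR_EXIT_NODES
    sensitive = path in SENSITIVE_PATHS or method != "GET"
    if failed_logins.get(ip, 0) >= FAILED_LOGIN_LIMIT:
        return Decision(False, False, "too many failed logins from this address")
    if via_tor and sensitive:
        return Decision(True, True, "Tor exit + sensitive action: require second factor")
    if via_tor:
        return Decision(True, False, "Tor exit + read-only page: allow")
    return Decision(True, False, "ordinary request")


if __name__ == "__main__":
    counts = failed_logins_by_ip(parse_log(SAMPLE_LOG))
    for ip, method, path in [("203.0.113.10", "GET", "/rates"),
                             ("203.0.113.10", "POST", "/transfer"),
                             ("198.51.100.7", "GET", "/"),
                             ("192.0.2.55", "POST", "/transfer")]:
        print(ip, method, path, decide(ip, method, path, counts))
```

The point of the split is that the exit-node list alone never decides anything: it only raises the bar for sensitive actions, while the lockout comes from behaviour observed on the site itself, which applies equally to attackers who never touch Tor.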

Holiday season warning: beware phony ‘order confirmation’ emails

Brian Krebs recently posted an excellent article about a specific kind of malicious email currently showing up in inboxes everywhere, just in time for the holiday shopping season.

Most web stores send email order confirmations when you buy something, and that’s a good thing. Unfortunately, these emails can be faked easily enough, and the unwary recipient may not notice that the sender’s address doesn’t look quite right, or that the language in the message is somewhat unprofessional. Clicking a link in one of these emails is an extremely bad idea, since it’s likely to lead to browser hijacking, malware, or both.
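The two tells mentioned above, a sender address that doesn’t look quite right and a link that isn’t what it appears to be, can both be checked mechanically before a message reaches an inbox. The script below is an added example, not part of the original post or Brian Krebs’s article. The message it inspects is constructed, the hostnames and addresses in it are placeholders, and `KNOWN_SENDER_DOMAINS` is an assumed allow-list of the domains a given shop really sends from.

```python
"""Mail-filter checks for a phony 'order confirmation' email (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims a shop, the real address is on a
# look-alike domain, and the link's visible text disagrees with its target.
SAMPLE_EMAIL = """\
From: Example Shop Orders <orders@examp1e-shop-delivery.test>
To: customer@example.org
Subject: Your Order #48213 is Confirmed!!
Content-Type: text/html

<html><body>
<p>Thank you for you order. Click to view you order status:</p>
<a href="http://198.51.100.23/track.php?id=48213">https://www.example-shop.test/orders/48213</a>
</body></html>
"""

# Assumption: the domains the real shop sends order mail from.
KNOWN_SENDER_DOMAINS = {"example-shop.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(raw):
    """Domain of the actual From address, ignoring the display name."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def body_html(raw):
    msg = message_from_string(raw, policy=policy.default)
    return msg.get_content()


def suspicious_links(html):
    """Flag links whose visible URL names a different host than the real href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        elif real_host and real_host.replace(".", "").isdigit():
            findings.append(f"link points to a bare IP address {real_host}")
    return findings


def check_email(raw, known_domains=KNOWN_SENDER_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    dom = sender_domain(raw)
    if dom not in known_domains:
        findings.append(f"sender domain {dom} is not a known shop domain")
    findings.extend(suspicious_links(body_html(raw)))
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

Neither check proves a message is fraudulent on its own, but a confirmation whose sender domain is unknown and whose order link is a disguised address is exactly the kind of mail that should be quarantined rather than delivered.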

Warning: avoid using pirated themes on WordPress and other CMS sites

Anyone who operates a WordPress, Joomla or Drupal site should exercise extreme caution when selecting themes and plugins. You should assume that any commercial theme or plugin offered for free contains malware.

Popular Content Management Systems (CMS), including WordPress, Joomla and Drupal, can be customized through the use of themes and plugins. A theme is a collection of styles and other files that modify the default appearance of a CMS. A plugin typically adds specific functionality to a CMS. Many CMS themes and plugins are available for free, but the commercial ones are among the most popular, since they often include more and better features.

As with all commercial software, CMS themes and plugins are sometimes copied and offered for free on pirate sites. Unfortunately, it’s very easy for a theme or plugin to be modified so that any site using it can be compromised and then used for illegal activities.

The people at Fox-IT recently published a document describing “CryptoPHP” (PDF) – malware that is showing up on CMS sites with alarming regularity. They traced the source of the malware to thousands of themes and plugins that had been modified to include a single line of PHP code that allows CryptoPHP to infect any site that uses one of those themes or plugins.

Recommendation: if you operate a CMS site, do not use any commercial theme or plugin that is offered for free. Make sure you obtain themes and plugins from the developer/author, or from a reputable source like wordpress.org.
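Besides sourcing themes and plugins only from the developer or wordpress.org, an operator can scan what is already installed for the kinds of lines that do not belong in a legitimate theme. The scanner below is an added example, not part of the original post or the Fox-IT report, and it does not describe what CryptoPHP’s particular line looks like; the three patterns are general heuristics (an `include`/`require` of a non-PHP file such as an image, `eval` of a decoded payload, and an unusually long base64 literal) and are assumptions about what injected code tends to look like. The sample theme files are constructed; `wp_footer()` is a real WordPress function used only as ordinary theme content.

```python
"""Heuristic scan of a CMS theme/plugin tree for injected PHP (added example)."""
import os
import re

# Illustrative heuristics (assumptions), not a signature for any specific malware.
PATTERNS = {
    "include of non-PHP file": re.compile(
        r'\b(include|include_once|require|require_once)\s*\(?\s*[\'"][^\'"]+'
        r'\.(png|jpe?g|gif|ico|txt|dat)[\'"]', re.I),
    "eval of decoded payload": re.compile(
        r'\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    "long base64 literal": re.compile(r'[\'"][A-Za-z0-9+/]{200,}={0,2}[\'"]'),
}

# Constructed sample theme: two clean files, one with a suspicious include,
# one with an eval of a decoded string ('aGVsbG8=' is just base64 for "hello").
SAMPLE_THEME = {
    "style.css": "/* Theme Name: Example */",
    "functions.php": "<?php\nadd_action('init', 'example_setup');\nfunction example_setup() {}\n",
    "footer.php": "<?php wp_footer(); ?>\n<?php include('assets/images/logo.png'); ?>\n</body></html>\n",
    "inc/helper.php": "<?php\neval(base64_decode('aGVsbG8='));\n",
}


def scan_text(path, text):
    """Return (path, line number, pattern name) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """files: mapping of relative path -> contents; only PHP sources are scanned."""
    findings = []
    for path, text in files.items():
        if path.endswith((".php", ".inc")):
            findings.extend(scan_text(path, text))
    return findings


def scan_directory(root):
    """Walk an installed theme or plugin directory and scan its PHP files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if full.endswith((".php", ".inc")):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_THEME):
        print(f"{path}:{lineno}: {name}")
```

Run `scan_directory()` against the `wp-content/themes` and `wp-content/plugins` directories of a WordPress install (or the equivalent for Joomla or Drupal). Every hit deserves a look, but a clean scan is not proof of a clean theme; these heuristics are a quick triage, and the recommendation above, installing only from the developer or a reputable source, is what actually keeps the problem out.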

There’s more information over on the Wordfence blog.

Fake Windows Support companies shut down

The US Federal Trade Commission, working with law enforcement in Florida, has shut down several companies offering fake computer support services.

The companies involved are PC Cleaner Inc., Netcom3 Global Inc., Inbound Call Experts LLC, Advanced Tech Supportco. LLC, PC Vitalware LLC, Super PC Support LLC, Boost Software Inc., Vast Tech Support LLC, OMG Tech Help, OMG Total Protection, and others.

These scammers made money by tricking Windows users into paying for expensive and unnecessary repairs.

Unfortunately, since this type of scam can be lucrative, similar companies are likely to appear before long, making this yet another game of ‘whac-a-mole’ for law enforcement.

Password management software now being targeted

If you’re not already using password management software, you should be. It’s an extremely bad idea to use one password for more than one service, but that means you end up with a lot of passwords, which are difficult to remember. With a password manager, you only have to remember one password: the one that allows access to all your other passwords.

I’ve been recommending Password Corral for years. Bruce Schneier’s Password Safe is also excellent. These are both desktop programs. I don’t recommend using an online password manager, because there’s always the possibility that the service itself could be hacked.

Unfortunately, even as we collectively get better at keeping ourselves secure, nefarious hackers shift their focus to more fertile ground. Now, it appears that they are targeting password management tools. It’s easy to see why: if a hacker can break your master password, they will have access to all of your other passwords.

Recommendation: if you are using a password management tool, make sure your master password is long and unique.

Update 2014Nov27: A post on the Duo Security blog has additional details.

Home Depot: massive security breach

Brian Krebs reports on the most recent security breach at a major retailer. According to some reports, the breach started as far back as April 2014. There’s no direct evidence of a breach, but it looks like it’s only a matter of time before that changes, given the suspicious activity related to Home Depot being reported by financial institutions.

Update 2014Sep04: Details are starting to appear, and it looks like almost all Home Depot stores in the USA are affected.

Update 2014Sep19: Brian Krebs has additional details on the scale of the breach. According to Home Depot, as many as 56 million debit and credit card numbers were stolen.

Update 2014Nov08: As if this breach wasn’t already bad enough, apparently the attackers also stole as many as 53 million email addresses from Home Depot systems. Maybe this explains the recent uptick in spam email I’ve noticed.