Archive for May, 2011

Unseen, uncaught!

Posted by spaquet on May 24, 2011

According to Trend Micro researcher Karl Dominguez, the vulnerability was actively being exploited using emails that contained malicious scripts, and it allowed attackers to steal email without warning.

Successful attacks required only that a Hotmail user open the malicious email or view it in a preview window. The commands embedded in the emails uploaded users’ correspondences and user contacts to servers under the control of attackers without requiring the victim to click on links or otherwise take any action.

The scripts also had the capability of enabling email forwarding on the targeted Hotmail account, allowing attackers to view emails sent to the victim in the future…

Microsoft has now patched this bug, but it illustrates how important IT rules can be since it allowed attackers to silently steal confidential correspondences and user contacts from unsuspecting victims.

UP4B offers a wide range of process and network analysis to make sure that your network is protected against what is really important for your business: information leak, network protection (penetration testing,…), network availability and more.

Feel free to contact us for more information on our IT Security services and get your company IT Sec ready.

the bill please !

Posted by spaquet on May 24, 2011

The criminal intrusion that exposed sensitive data for more than 100 million Sony customers and resulted in a 23-day closure of the PlayStation Network will cost the company at least $171 million.

The estimated cost doesn’t include expenses related to any lawsuits that may be filed in response to the security breach, which was discovered on April 19. The estimate includes expenses of an identity theft prevention program and promotional packages to win back customers, among other things.

But the final cost might be far higher, since some Sony PlayStation Network services still have not been brought back online, such as the PlayStation Store, which remains down, closing a venue that allowed the company to sell downloadable games.

Hack on Sony-owned ISP…

Posted by spaquet on May 22, 2011

2011 is not Sony’s year. After its PlayStation Network was hacked, it is now the turn of its own ISP…

So-Net Entertainment, a Sony subsidiary, was hacked by intruders who made off with about $1,200 worth of virtual points and gained access to 90 email accounts.

The hack took place on Monday and Tuesday and was discovered on Wednesday after customer complaints were reported. There’s no evidence the attackers accessed personal data such as names, addresses, and phone numbers (but since some email accounts have been accessed, that claim seems doubtful…)

And the winner is…

Posted by spaquet on May 19, 2011

Sony!

Just four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.

The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user’s account… forcing Sony to disable the login pages in order to prevent attacks.

Following the publication of this hack, Sony issued the following statement:

“We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”

But this blunder raises new doubts about Sony’s ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can’t rule out the possibility that credit card data was also taken.

The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony’s reset procedure, which required only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony’s servers, complete an image verification on the page. The attacker would then proceed to a screen allowing him to change the victim’s password.
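The class of flaw described above, next to a hardened handler, as an added example that is not Sony's code: it assumes the reset token is mailed to the account owner, and every name and account value in it is hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed account store; all names here are hypothetical.
ACCOUNTS = {"victim@example.com": {"dob": "1990-01-01", "password": "old"}}
RESET_TOKENS = {}   # email -> (sha256 of token, expiry timestamp)
OUTBOX = {}         # email -> token "mailed" to the account owner
TOKEN_TTL = 900     # seconds

def start_reset(session, email, dob):
    """Step 1: the requester shows knowledge of email + date of birth."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    session["reset_for"] = email                 # state behind the session cookie
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[email] = (digest, time.time() + TOKEN_TTL)
    OUTBOX[email] = token                        # reaches only the mailbox owner
    return True

def complete_reset_weak(session, new_password):
    """Flawed: the session cookie alone authorises the password change."""
    email = session.get("reset_for")
    if email is None:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True

def complete_reset_hardened(session, token, new_password):
    """Requires the mailed token: bound to the account, unexpired, single use."""
    email = session.get("reset_for")
    record = RESET_TOKENS.get(email)
    if email is None or record is None or not token:
        return False
    digest, expiry = record
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if time.time() > expiry or not hmac.compare_digest(digest, supplied):
        return False
    del RESET_TOKENS[email]                      # a token works once
    session.pop("reset_for", None)
    ACCOUNTS[email]["password"] = new_password
    return True
```

Knowing the date of birth and email address is enough to pass the weak handler; the hardened one also demands proof of access to the mailbox.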

Sony PlayStation Network, the final word ?

Posted by spaquet on May 16, 2011

About one month after a serious breach in security occurred, exposing more than 77 million users’ personal details, Sony is gradually bringing its PlayStation Network back into operation.

According to Kazuo Hirai, the executive deputy president of Sony Corp, Sony is making data protection a top priority.

Let’s hope this time they will.

More information can be found here

Sony PlayStation Network hack follow up

Posted by spaquet on May 14, 2011

Bloomberg News reported that the hackers who breached the security of Sony’s PlayStation network and gained access to sensitive data for 77 million subscribers used Amazon’s web services cloud to launch the attack.

The attackers rented a server from Amazon’s EC2 service and penetrated the popular network from there, the news outlet said, citing an unnamed person with knowledge of the matter. The hackers supplied fake information to Amazon to open a valid account (now closed).

Is the Amazon cloud a hacker nest?

German security researcher Thomas Roth earlier this year showed how tapping the EC2 service allowed him to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own computing gear. For about $1.68, he used special “Cluster GPU Instances” of the Amazon cloud to carry out brute-force cracks that allowed him to access a WPA-PSK protected network in about 20 minutes.

And in late 2009, a ZeuS-based banking trojan used the popular Amazon service as a command and control channel that issued software updates and malicious instructions to PCs that were infected by the malware.

More information can be found here (full Bloomberg article)

Cheap and branded bugging devices!

Posted by spaquet on May 14, 2011

According to SCMagazine, Internet phones sold by Cisco Systems ship with a weakness that allows them to be turned into remote bugging devices that intercept confidential communications.

The publication quoted consultants from Australia-based HackLabs, who said customers had lost $20,000 a day from exploits, which also included attacks that forced the devices to make calls to premium phone numbers. The consultants said the underlying weaknesses were present in the default settings and could be fixed only by making changes to the phones’ configuration settings.

SC Magazine said that a Cisco spokesman advised users to “apply the relevant recommendations in manuals to secure their systems.” There was no explanation why phones are by default open to the attacks described in the article. A more sensible policy might be to ship the phones with the features disabled and allow customers who have a specific need for them to turn them on.

More information on the exploit can be found here.

Facebook and your privacy, a never ending story

Posted by spaquet on May 10, 2011

According to researchers from Symantec, Facebook has leaked access to millions of users’ photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible.

While many access tokens expire shortly after they’re issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys.

The flaw resides in an authentication scheme that predates the rollout of a newer standard known as OAuth. Facebook apps that rely on the legacy system and use certain commonly used code variables will leak access tokens in URLs that are automatically opened by the application host. The credentials can then be leaked to advertisers or other third parties that embed iframe tags on the host’s page.
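A check an application host could run over its own request logs for this kind of leak, as an added example that is not Facebook's or Symantec's code: it assumes the token reaches third parties through the Referer header sent with embedded requests (the post does not name the mechanism), and the parameter names, hosts and log records are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"access_token", "token", "session_key"}   # assumed parameter names

# Constructed sample: (host receiving the request, Referer header it received)
REQUESTS = [
    ("ads.example.net", "https://apps.example.com/game?access_token=AAA111&lvl=2"),
    ("apps.example.com", "https://apps.example.com/game?access_token=AAA111&lvl=2"),
    ("cdn.example.org", "https://apps.example.com/help?lang=en"),
    ("tracker.example.net", "https://apps.example.com/cb?x=1&token=BBB222"),
]

def leaked_params(referer):
    """Names of credential-bearing query parameters present in a URL."""
    query = urlsplit(referer).query
    return sorted(k for k, _ in parse_qsl(query) if k in SENSITIVE)

def find_leaks(requests):
    """Flag requests where a third-party host received a Referer carrying a credential."""
    hits = []
    for dest, referer in requests:
        origin = urlsplit(referer).hostname
        names = leaked_params(referer)
        if names and dest != origin:      # same-host requests are not a leak
            hits.append((dest, names))
    return hits

def scrub(url):
    """Return the URL with credential parameters removed, for logs or redirects."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

Keeping tokens out of the page URL in the first place, rather than scrubbing afterwards, is what removes the exposure to embedded third-party content.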

Facebook over the years has regularly been criticized for compromising the security of its users, which now number more than 500 million. The company has rolled out improvements, such as always-on web encryption, although users still must be savvy enough to turn it on themselves, since the SSL feature isn’t enabled by default.

Syria, Facebook and the Man in the middle

Posted by spaquet on May 8, 2011

According to the Electronic Frontier Foundation (EFF), a man-in-the-middle attack has been attempted and reported by several Syrian ISPs.

The semi-professional attack against the HTTPS version of the Facebook site relies on a digital certificate not signed by any Certificate Authority and probable re-routing of traffic by the Syrian Telecom Ministry.

The use of an unsigned certificate as part of the attack means that the certificate is treated as invalid by modern browsers, raising a security warning. Unfortunately many users ignore such warnings, which can be generated for a variety of reasons, such as attempting to visit a secure site via a Wi-Fi hotspot connection that requires an initial log-in.

The EFF doesn’t name the perpetrators of the attack, but the ruse bears the hallmarks of an operation by the Syrian government, which is in the midst of cracking down on a popular uprising against the autocratic rule of the al-Assad dynasty. It amounts to an unsubtle attempt to snoop on Facebook posts and updates.

More information can be found on the EFF site here

When third parties are weak

Posted by spaquet on May 8, 2011

A few weeks ago (a patch has been released at the time of writing), Skype was offering a nice way for an attacker to get control of an OS X computer.

This fully illustrates that however strong the OS may be, there is always a flaw somewhere on the system; by the way, the same vulnerability was not detected in the Windows and Linux versions of Skype…

This time, Skype was fast to respond and issued a patch, but failed to communicate about it, so rumors resurfaced this week, prompting a strong response from Skype spokespersons.

Let’s look at the flow more precisely:

First, the researchers who found this critical flaw found it by accident while exchanging a piece of a program via Skype. They noticed that the payload was executing on the remote end of the chat.

After testing several Skype versions on several systems, they had established more than a proof of concept for the flaw, which has not been seen exploited so far.
