Tag Archives: Phising
It was revealed recently that Android phones have a security issue that makes you vulnerable to an attack every time you log into an unsecured website. Researchers at the University of Ulm, in Germany, said that any Android phone running a version of Android prior to 2.3.3 is vulnerable. Unfortunately that covers most of the phones out there, since the new version of Android that fixes the security hole was only just released.
Android phones store an authentication token when you log into your Google, Facebook or Twitter account and keep it on the phone for around 14 days. The researchers found that someone who set up a rogue Wi-Fi access point could capture those tokens. The rogue access point would have to pose as a popular network in a place where public Wi-Fi is used: it would impersonate the real network’s SSID, and it would more than likely need to sit somewhere away from the network it is impersonating but still where there is a lot of phone activity.
Android phones will sometimes automatically connect to “known” Wi-Fi spots unless you have that feature turned off. If your phone auto-connected to the rogue Wi-Fi and then attempted to log into Twitter, Facebook or some of your Google applications, it would send the authentication token and the rogue connection could capture it.
Probably one of the easiest things to do now is to change your phone’s settings to keep Wi-Fi off until you actually plan on using it. I normally do this anyway since it helps keep battery usage low. I also normally turn off the GPS until I’m running an application that actually needs it. When you need Wi-Fi you can easily turn it back on when you are at a well-known hotspot that you actually trust. Just remember to turn it back off when you are done. If you do this you’ll probably notice longer battery life. The other thing that is advised is to only log in via HTTPS sites.
Following these steps until Google is able to patch in fixes should help for the time being.
The U.S. House of Representatives Energy and Commerce Committee had submitted some questions to Sony regarding their security breach and the risk it posed to their customers. Sony answered the questions and submitted them back to the committee. If you want to read all 8 pages you can read it here.
I’ve read through it and was surprised to find out that Sony had actually hired three different network security and forensic experts to help them determine what actually happened. The subcommittee wanted to know what day Sony found out about the intrusion and at what point they contacted the authorities. Sony responded that they first noticed something on April 19th and on the 20th found actual evidence of the intrusion. They then stated that they started working with the FBI around the 22nd and let the public know about the issue around the 26th. The committee wanted to know why they waited so long to let the public know, to which Sony outlined how large their network infrastructure is and explained that due to its size and complexity they didn’t want to give out anything until they had determined what had actually happened.
They explained that on the 25th they had suspected that credit card information might have been stolen. They still are not sure whether it was, but decided to let the public know that it was at least possible. In further questions from the committee Sony explained that they believe 77 million PlayStation Network accounts had been compromised, that 12.5 million of them had credit card information stored with them, and that 5.6 million of those were U.S. accounts. Sony told the committee that they have been in contact with the major credit card companies and so far it does not appear that any fraud has happened with those accounts.
As far as preventive measures go, Sony tells the committee that they believe they have figured out how the intrusion began and are of course coming up with multiple procedures to prevent it from occurring again. The steps include stronger encryption of the data, additional firewalls, and software to detect intrusions and respond to them automatically. Sony also talked about moving the data center to a new location with enhanced security, and finally they added that they now have a Chief Information Security Officer.
One of Sony’s most interesting answers was to the committee’s question about what steps Sony is taking to mitigate the effects of the breach and whether Sony would be offering credit monitoring. Sony’s answer was that they would offer U.S. customers complimentary identity theft protection services, but then they add more to it. As follow-up answers they describe the “Welcome Back” package they are offering customers, such as free downloads and free 30-day subscriptions to services. I don’t know if the committee was as concerned with how Sony was going to keep their current clients as with how Sony was going to protect them.
When Sony was asked if they know who is responsible for the attack they responded with no. I’ve seen other blogs where folks are pointing back to a hacker group known as Anonymous, but Sony isn’t pointing the finger at them, other than saying that they found a file on their hacked server named Anonymous with the content of the file saying “We are Legion”. A lot of folks are screaming that the Sony PlayStation Network isn’t up yet, considering that Sony said the network would be up this week. All I can say is the week isn’t over yet.
Sony announced that they will start bringing up their network this week in phases, region by region. This comes after their network had been down for a week following a criminal cyber attack on their services. Sony had taken down their services voluntarily and brought in a third-party security team to help them determine how the criminals had gotten in and to figure out what was accessed. Sony had sent out emails to PlayStation Network users to let them know that their information could have been stolen and that credit card information could have been at risk as well.
In their most recent announcement Sony talks about bringing up their network in phases. To quote them directly:
The initial phase of the rollout will include, but is not limited to, the following:
- Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems
- This includes titles requiring online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
- Friends List
- Chat Functionality
They report that they will be working with security firms to add additional security and will be adding a new Chief Information Security Officer position in their firm. Some of the new security measures they will be implementing are:
- Added automated software monitoring and configuration management to help defend against new attacks
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
- Implementation of additional firewalls
Sony also plans on giving out some rewards to their members for the trouble of the downtime. They also say they will be offering some complimentary assistance to those who may have had their credit card information stolen. They are also announcing the rollout of the “Welcome Back” program. To quote Sony:
Central components of the “Welcome Back” program will include:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
Additional “Welcome Back” entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strives to exceed those expectations.
I know my son is looking forward to the network coming back up and is wondering what content will be available for free download. Since this news is being published and we already know that our emails have probably been compromised, I would warn against emails offering free content from Sony if you “click here”. It’ll be nice to get back online via the PSN; I hadn’t turned on my Black Ops game since the network went down. My trigger finger has been itchy and it’ll be nice to be playing again against some of the other players.
It looks like Sony posted a few Q&As regarding the intrusion on the Sony PlayStation Network. They took the questions from comments on their blog and decided to answer some of the most common ones. This first batch seems to be mostly about service restoration and what was at risk.
Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system. UPDATE: While we do ask for CSC codes, we do not store them in our database.
Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.
Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.
Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and we recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit http://us.playstation.com/support/ and http://www.qriocity.com/us/en/ for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.
Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.
Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.
Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.
The following was posted the next day and relates more directly to gaming questions.
Q: Will our download history/friends list/settings be affected by the PSN downtime?
A: No, they will not.
Q: Will trophies that were earned in single-player offline games during the outage be intact when the service resumes?
A: These trophies are intact and will be re-synched when the network is once again operational.
Q: Will my PS+ cloud saves be retrievable?
A: Yes, once PSN is restored.
Q: What if we have a subscription to PS3 MMOs DC Universe Online or Free Realms? Will we get compensation for that?
A: From Sony Online Entertainment: “We apologize for any inconvenience players may have experienced as a result of the recent service interruption. As a global leader in online gaming, SOE is committed to delivering stable and entertaining games for players of all ages. To thank players for their patience, we will be hosting special events across our game portfolio. We are also working on a “make good” plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums.”
Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?
A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.
For the past week I’ve been getting emails from some of my credit card companies telling me that a company they use, Epsilon, had some sort of unauthorized entry into its system. It appears that this company is used to send out emails to customers and the like. Multiple companies that I do business with apparently use Epsilon, since I’ve received so many different warnings regarding the same incident from multiple vendors. From the emails I have been receiving it appears that lists of client email addresses have been taken. According to Epsilon none of my private account information has gone out, only perhaps my email address.
Having your email address given out can be damaging enough. This can bring on more phishing scams, where you’ll receive an email telling you that your account may have been compromised. The scammers will normally include a link for you to click on to “verify” your account information. They will more than likely target the most commonly used accounts, such as well-known credit card companies and perhaps even PayPal.
In a previous post I go into more detail on how to detect email phishing scams. The whole point behind them is that the scammers are hoping you will in fact fill in your account information. They then store this information and later use it to access your real account.
I had read an article where a thief had charged $2400 on a stolen credit card and then sent flowers to the victim thanking them for the money.
So guard your information; it’s already possible that your email address has been given out accidentally. Don’t click any links to go “verify” your account information. If you really want to check whether there is a problem with your account, type the web address into your browser yourself to ensure you are going to the real web site and not a fake one. Epsilon says they think only 2% of their clients may be affected, but of course you can never really know what that translates to.
Down below is an example of a PayPal email scam.
I’m sure many of you have received emails in the past from scammers pretending to be PayPal and asking you to re-verify your information, in the hope that you will give them access to your bank accounts. There have also been emails pretending to be from your bank or credit card company as well. We’ve all received an email from that Nigerian prince who wants to give us millions of dollars if we give him our information. I’m sure some of you have received a fake email from UPS or FedEx telling you they have a package waiting for you and to please open the attachment, which is really a virus.
Scammers keep trying to come up with new ways to get your information from you, but what can you do to protect yourself? Normally you can install a security suite on your computer that will help you tell fake websites from real ones in case you accidentally do click on a scammer’s link and are sent to a site that is hoping to record your information. The other thing you can do, before you click any link, is hover your mouse over it; your browser will show you the true URL. If the URL does not match the link text, it is probably a scam. Usually you can see misspellings in the URL listed at the bottom of the browser, where the address is trying to look like the legitimate website. Perhaps a few letters are transposed in the hope that your brain will reorganize the letters and convince you that it is a legitimate website. Here is a photo example of an email sent to me pretending to be from Blizzard. Notice the link states one address, and down below at the bottom of the browser the true address is shown.
Here are five top tips borrowed from another blog: http://daol.aol.com/articles/how-to-spot-a-phishing-scam/
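The hover-over check described above (does the link text claim one site while the real address goes somewhere else, and is the real address a misspelt version of a brand you use?) can be done by a program over the HTML of a suspicious message. The following is an added example written for this post; it is not code from the blog author. The email body, the Blizzard-style look-alike host and the short list of “brands I use” are all constructed for the demo, and the two-label reduction to a registrable domain is a simplification of what a real public-suffix list would do. The transposition-aware edit distance is what catches the swapped letters the post mentions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text claims one site, the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be suspended. Please verify here:</p>
<a href="http://www.bilzzard-account-verify.example/login">https://www.blizzard.com/account</a>
<p>Or visit our <a href="https://www.blizzard.com/support">support page</a>.</p>
"""

# Constructed allow-list of brands the recipient actually deals with (assumption for the demo).
KNOWN_DOMAINS = ["blizzard.com", "paypal.com", "playstation.net"]

# A hostname: dotted labels of letters, digits and hyphens only.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the hostname if the text reads as a URL or bare domain, else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host if HOST_RE.match(host) else None


def registrable_domain(host):
    """Crude 'example.com' reduction: last two labels (a real tool would consult a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def damerau_levenshtein(a, b):
    """Edit distance where swapping two adjacent letters costs one edit, so 'bilzzard' is 1 from 'blizzard'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the known brand a host label resembles (within 2 edits but not identical), or None."""
    labels = {l for l in re.split(r"[.-]", host.lower()) if len(l) >= 4}
    for brand in known:
        brand_label = brand.split(".")[0]
        for label in labels:
            if label != brand_label and damerau_levenshtein(label, brand_label) <= 2:
                return brand
    return None


def analyze_links(html):
    """One finding per anchor: the href, its visible text, and every check that fired."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        text_host = host_of(text)
        if href_host is None:
            reasons.append("href is not a parseable URL")
        else:
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                reasons.append(f"visible text says {text_host} but link goes to {href_host}")
            brand = lookalike_of(href_host)
            if brand:
                reasons.append(f"host {href_host} resembles {brand}")
            scheme = urlparse(href).scheme.lower()
            if scheme != "https":
                reasons.append(f"link uses {scheme or 'no'} scheme, not HTTPS")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

Run against the constructed message, the first anchor is flagged three times (text/href mismatch, look-alike of blizzard.com, plain HTTP) and the genuine support link is left alone. The look-alike check deliberately compares every hyphen- or dot-separated label, since these hosts tend to bury the brand name in a subdomain or a hyphenated phrase.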
Clue No. 1: Check the spelling. Scammers are notorious for their lack of basic spelling and grammar skills. Look for misspelled words and incomplete or awkwardly written sentences. It’s not uncommon for a scam e-mail that is purportedly from a reputable and well known organization to misspell the name of that organization! For example, one e-mail scam aimed at Facebook users spelled the name of the site in lowercase (“facebook”).
Clue No. 2: Who signed it? If it’s a legitimate e-mail from a business, it will be signed with a person’s name and contact information, but if it signs off with something vague, such as “Customer Support,” be wary.
Clue No. 3: DOES THE E-MAIL SCREAM AT YOU IN ALL CAPS? Be especially aware of e-mails that try to get your attention by using all capital letters, especially in the subject line. Using all caps has long been viewed as online shouting. It just isn’t done. The authors of scam e-mails tend to write prose that is over-the-top and very emotional. In addition to a lot of capital letters, look for an excess of exclamation points and dire warnings, such as “Urgent!” or “Danger!”
Clue No. 4: The e-mail has an executable attachment. Phishers can only scam you if you let them. And you do just that if you download e-mail attachments, which can contain computer viruses. Since a favorite way to send a scam e-mail is by making it look as if it were sent to you by someone in your e-mail address book, don’t be fooled by the sender’s name. Never download an attachment unless you are sure it’s legitimate.
Clue No. 5: The e-mail has a link to a Web site. As more people have learned they shouldn’t download attachments from strangers, scammers have caught on. Instead of attaching a file, they include a clickable link to a Web site. Click on that link, and you might be asked to provide personal information. Do it, and you’ve been scammed. For example, you might receive an e-mail that appears to be from your bank, offering you a very low interest rate on a mortgage or home equity loan. If you click on the link, it could ask your name, bank account number and online banking password to get onto the site. Don’t ever provide this information if you got on the site by clicking a link in an e-mail.
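Clues 2, 3 and 4 above (vague sign-off, shouting subject, executable attachment, plus the warning not to trust the sender’s display name) are mechanical enough to screen for automatically. Here is an added example that does so with Python’s standard `email` package; it is not from the blog or from the AOL article, and the message it screens is a constructed sample, not a real scam. The generic-words list, the caps threshold and the executable extensions are assumptions chosen for the demo, and link inspection (Clue 5) is deliberately left out here. A mail client or filter would run something like this before the message ever reaches the inbox.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real phishing email): shouting subject, vague sign-off,
# a display name that does not match the sending domain, and a double-extension attachment.
SAMPLE_RAW = b"""\
From: "PayPal Support" <billing@mail-notice.example>
To: victim@example.org
Subject: URGENT!!! YOUR ACCOUNT HAS BEEN SUSPENDED
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Customer,

Open the attached statement immediately to restore access.

Regards,
Customer Support
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""
# (the base64 above decodes to the text "Not a real program"; it is a placeholder, not an executable)

# Assumed heuristics for the demo.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".jar", ".com", ".pif"}
VAGUE_SIGNOFFS = {"customer support", "customer service", "support team", "security team"}
GENERIC_WORDS = {"support", "team", "service", "services", "billing", "security", "noreply", "info", "help"}


def caps_ratio(s):
    """Fraction of letters that are upper case (Clue 3)."""
    letters = [c for c in s if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def is_executable_name(name):
    """Clue 4: flag executable extensions, including disguised double extensions like report.pdf.exe."""
    return any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def display_name_mismatch(from_header):
    """Clue 4's 'don't be fooled by the sender's name': the display name claims a brand absent from the domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4 and w not in GENERIC_WORDS]
    return bool(words) and not any(w in domain for w in words)


def screen_email(raw_bytes):
    """Return the list of clue names that fire for a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    clues = []

    subject = str(msg["subject"] or "")
    if caps_ratio(subject) > 0.7 or subject.count("!") >= 2:
        clues.append("shouting subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # Clue 2: look at the last few lines for a faceless sign-off instead of a named person.
    tail = [line.strip().lower() for line in text.strip().splitlines()[-3:]]
    if any(line in VAGUE_SIGNOFFS for line in tail):
        clues.append("vague sign-off")

    exe_names = [p.get_filename() for p in msg.iter_attachments()
                 if p.get_filename() and is_executable_name(p.get_filename())]
    if exe_names:
        clues.append("executable attachment: " + ", ".join(exe_names))

    if display_name_mismatch(str(msg["from"] or "")):
        clues.append("display name does not match sender domain")

    return clues


if __name__ == "__main__":
    for clue in screen_email(SAMPLE_RAW):
        print("-", clue)
```

The display-name check will also flag personal mail such as a friend writing from a webmail address, so in practice it is a score contributor rather than a verdict on its own; the attachment and sign-off checks are the ones worth acting on every time.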