It's a few months old, but there's an interesting article at that home of Internet satire, The Onion on how they were hacked.

It's always good to see when companies are able to disclose some of these details so the rest of us can learn from their misfortune.

So it looks like Australia may finally have a data breach notification law. It was back in 2011 when the Government started really discussing this again and at that time I wrote a little about it and posted to links to an interesting point/counterpoint as to whether these laws work. While I think the jury may still be out, I hope some law is better than no law and at the very least we get something reasonable that makes sense.
(am I setting the bar too high here?)

At the same time "China" is reported to have hacked the Australian Government, including stealing plans for the new ASIO Headquarters - but it seems we forgive them, so all is OK.

I wonder if/what the Government would have to report if the new laws were in place already?

Privacy is getting more and more attention in Australia, with the Privacy Commissioner recently stating:

"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects"

So since I heard about the leak of the LinkedIn passwords, I've been waiting to see what the first analysis of the dumped hashes would reveal. Theoretically LinkedIn is a bit of a different beast to other sites that have been breached, as the target users are working professionals, the type of people who have more than likely been educated again and again on passwords by their employers.

As for LinkedIn, using unsalted hashes to store passwords? This is security 101 stuff and quite frankly, embarrassing for a company of their size and age. Of course the unsalted part may not be the worst, the big question still remains about how the passwords got stolen in the first place.

As Richard previously posted - change your password! And if you are interested in seeing if your password was included* in the released ones: http://www.leakedin.org/

(*not specifically YOUR password, but a hash of the same password as the one you were using.)

This arrived in my inbox yesterday:

Atari recently learned of a potential security violation in connection with the unauthorized access to Cryptic Studios’ user databases that occurred in December 2010.  At that time, Atari owned Cryptic and the intrusion may have affected users on Atari’s databases as well and, therefore, we are taking proactive measures to correct the issue. This includes notifying certain users who are registered on Atari.com and TDU2.com (Test Drive Unlimited 2).

As a precaution, on Atari.com and TDU2.com, we have reset all accounts for users which we believe were affected. This will require you to reset your password upon attempting to log into each site separately to regain access to your account.  To do so, please refer to our website at http://atari.com/pages/cryptic-studios-security-notice-atari-websites for detailed instructions and more information about this issue.

If the existing user name and password was used to access other online accounts, we highly recommend that you update those passwords as well.

We take the security of our user accounts very seriously and are investigating this issue further with Cryptic Studios.   Please note that this was not an intrusion on our existing database, but one that occurred prior to our divestment of Cryptic Studios in July of 2011.  Cryptic no longer manages Atari’s databases.  Our deepest apologies for the inconvenience.

Atari

December 2010? And it took until April 2012 to tell impacted customers? *sigh*.
Look at what else occurred between the breach and the notification:

• "Arab Spring" uprisings oust leaders in Tunisia, Egypt, Yemen and Libya,
• Southern Sudan became an independent republic.
• The earthquake/tsunami and reactor meltdown in Fukushima, Japan
• British Royal Wedding
• Osama Bin Laden killed by US special forces
• End of the US Space shuttle program
• European economic crisis
• Severe flooding in Thailand and Fiji
• The entire 'occupy' movement
• Encyclopaedia Britannica stops hard-copy publication
• Steve Jobs, Elizabeth Taylor, Peter Falk, Whitney Houston, the King of Tonga and Randy "Macho Man" Savage all died.

Not good enough Atari. On the bright side, despite once owning the home console market, you're less of a household name than Sony so probably won't get as much press....

Just when you thought it was safe to go back in the water Playstation Network, it appears that "Sownage II: Son of Sownage" may be beginning as Sony gets hit with another big Data breach. Or where they? This article (and the message from the Sony CISO) makes it sound more like someone who has compromised data from other sites (perhaps gaming related?) is running their stolen credentials against the Sony Network.

I feel pretty sorry for Sony at this stage. Even the most hardworking and talented Security guys can only do so much at once and this sort of attack - which they may legitimately have been able to do nothing about (other than tell people to not use the same password for Sony as other sites) is still going to be publicized as a "Sony Breach".

Of course I feel less sorry for them after their TOS upgrade that requires end users to mail a letter to opt out of the new terms.

It looks like data breach notification laws are back on the radar here in Australia. 2011, 'the year of the high-profile hack' has brought the need to better protect customer/consumer data back into sharp focus for our politicians.

Personally I think this is a good thing, at least in principle. How it works out in practice will depend, as always, on the details.

Other parts of the world have had data breach notification laws for some time now, and some research [pdf] has shown their impact to be limited. Security guru Bruce Schneier  wrote an essay on the effect of the laws back in 2009 (and Marcus Ranum's counterpoints are here), and despite admitting that the effect may have been minimal, he believes the laws are a step in the right direction. As Bruce put it: "The laws rely on public shaming. It's embarrassing to have to admit to a data breach, and companies should be willing to spend to avoid this PR expense".

In the aftermath of the "Sownage" of earlier this year, I imagine more than one company began a security review to avoid that exact PR nightmare.

 The upside of big data breaches involving passwords is that it gives us Security Pros an understanding of what users are actually doing when they're selecting their passwords. The cynic in me thinks that we can spend time trying to educate employees, family, friends and neighbours into using strong passwords and changing them frequently - and they'll nod and smile and agree it is important...and then go back to using 'abc123' on their Internet banking.
I've blogged before on past analysis into exposed passwords, and now with the recent Sony breach Troy Hunt has posted an analysis of 37,000 of the exposed Sony passwords. Does it contain anything groundbreaking? Well..no. It's a good bit of analysis that pretty much confirms what my inner cynic suspected - half of the passwords had only one character type (with 90% of these being lowercase only) and 45% of the passwords were numbers only. Only 4% of the passwords analyzed were what is commonly considered 'strong' passwords.

One of the nice things Troy did with his analysis was compare the uniqueness of the passwords across the different Sony databases exposed - a luxury one usually doesn't have when examining breached passwords - 92% of passwords where identical for the 2,000 accounts that had the same email address. Troy even managed to cross reference these accounts against the Gawker data breach and found of the 88 common accounts 67% were the same.
Oh and '123456' and 'password' were once again in the top few passwords used.

In other Sony related news - did Sony really sack a bunch of Security staff just before the data breach? That adds a new wrinkle to this most newsworthy of all breaches this year. I haven't seen it suggested, but could a disgruntled ex-employee have played a part?

We're halfway through 2011 and the breachapalooza* continues unabated!

Sony have been hit so many times in fact there's a new term for it: "Sownage". Add to the ever-growing list senate.gov, Citibank, Honda Canada and the IMF.

Although it isn't really news to Security folk, the mainstream media has picked up on it (largely thanks to the scale of Sony's woes) and are continuing to report on the never ending tide of high profile defacements and smash-and-grabs. A quick look at datalossdb shows the number of incidents so far this year (322) is only slightly up on this time last year (300) and behind 2009 (376); while Sony's 77 million records lost is still well behind Heartland's 130 million back in 2008.

With mainstream media interest undoubtably leading to increased interest in boardrooms with executive asking "Can it happen to us?" and "what do we need to do to stop it happening to us?" the question has to be asked are the actions of lulzsec good or bad for the industry? Patrick Gray ruffled a few feathers with his thought-provoking "Why we secretly love LulzSec":

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

Which lead to an equally interesting response from Adam over at the Newschool site.

I think the answer may be a little from column A and a little from column B. In Patrick's defence, he's probably right to some degree. Every Security guy or gal who has ever been overruled or just plain ignored when explaining the need for better security testing, implementation, tools, monitoring, etc etc; probably has a little voice somewhere saying 'I told you so'.
Adam is right too when he says:

We’re being out-communicated by folks who can’t spell.
Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact to the business are so crystal clear obvious that they go without saying.

Although I would point out that sometimes even framing the problem in the right language to the right audience still doesn't result in the desired outcome. The old 'you can lead a horse to water, but you can't make him drink' problem exists if a mentality of 'it can't happen to us' rules. The only plus out of LulzSec actions is that they may be breaking down some of that mentality.

However the most disappointing, or possibly telling, thing is that from what has been reported, is that very little of what lulzsec has accomplished has been particularly difficult or sophisticated. This is not really surprising as it matches what Verizon revealed earlier in the year [pdf] when they reported that 92% of the breaches investigated where 'not particularly sophisticated'. SQL injection may be old school, but it's more popular than ever.

In the meantime, Paul Ducklin from Spohos issued a challenge to the LulzSec group to use their skills, and there obvious spare time, to do something worthwhile like supporting Johnny Long's Hackers for Charity.

That may have to wait until after LulzSec are done warring with 4chan/anonymous, which at the very least may provide some relief to Sony and may give other companies a break.**


*just heard Patrick Gray's risky.biz podcast from last week call it the pwnpocalypse. Why didn't I think of that?

**Edit 18/6:  or maybe they're not as they're still exposing records.

Sony's woes continue, as although they have restored their PSN network, they are being accused of still having plenty to do with flaws in their password reset function and multiple vulnerabilites being discovered by researchers in their other websites.
Adding salt into the very public wound, an investigation into Sony's data protection measures by the UK Information Commissioner's Office mirrors the announced investigation by the Australian Privacy Commissioner. It will be interesting to see the findings.

Sony are learning the hard way a lesson that many other organizations should be heeding, computer networks are incredibly complex and difficult and defending them is even more complex and difficult. If your business is providing online services to a large customer base, security needs to be part of the culture of the company - it needs to be evaluated, implemented and questioned at every level with every developer, every DBA, every sysadmin, every network engineer taking responsibility to proactively secure their area and every project manager and every business manager understanding the importance of security and the potential damage of a significant breach. Maybe it's too much to ask...?

 To my mind it is quite a surprise that Sony did did not have a CISO and unfortunate that it took such a major incident for them to appoint one. It seems it may have been a typical 'it can't happen to us' attitude that many managers and executives adopt.

Hopefully the major publicity surrounding this breach will lead to other organizations to reassess their data security efforts.

Data breaches are big news recently and it seems no-one is immune...

From Sony Online Entertainment's huge breach (and criticized response) to the Australian Government and the (slightly less recent) incredible embarrassment of Security Vendor RSA's breach and the Epsilon breach, which was largely publicized in Australia as the 'Dell Australia' breach.

Will the sheer number of high-profile data breaches provide some more motivation for businesses to employ better security safeguards and to demand vendors provide more secure products? Will they wake up the general populace to the importance of not using the same password for everything and opening every attachment that promises dancing pigs?

I won't hold my breath, but I will cross my fingers and hope.

The always interesting Verizon Annual Data Breach report [pdf] is out for 2011 and is (as always) as interesting as it is depressing. A big upswing (+22%) in externally-sourced attacks and a change of targets from Financial institutions to hospitality and retail are interesting. The fourth-highest number of breaches resulting from default or easily-guessable passwords is depressing.
Download it as it is well worth a read.

Lush Cosmetics seem to be the latest Australian retailer to have suffered a credit card breach.

From the article:

"Yesterday we were contacted by the web hosting provder to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand, what was going on, and (we began) talking to banks and credit card holds and working through the process of how to address the problem and what steps we need to take."

"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."

 While I do applaud the company's reaction of going public immediately and contacting their 39,000 Australian customers, I do find it a little disturbing that security comes under "enhancements" - it does make it sound like a luxury add-on (eg: leather car seats) as opposed to a pretty fundamental requirement (eg: seatbelts or airbags).
Real details on the breach are scarce, so there's no indication if they were storing credit card numbers in cleartext (hello PCI-DSS!) or if they suspect the bad guyshad just pwned the server and were capturing transactions as they occurred.

I guess the good news it that it is hitting the major news sites down under - so other businesses may review their web security and ask themselves "have we done enough?"

Vodafone - one of the world's biggest telecommunication companies - has been hit with an embarrassing data breach here in Australia. While the details are in dispute (some stories say the data was open to everyone, others say not), they all acknowledge that there has been a significant breach at a time when the company is already reeling from negative press about poor reception and data transfer speeds on their network.

To quote Vodafone:

"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,"

Well it must be secure. They used the word secure twice!

Seriously though, while I can understand with all the partners and shops nation-wide that Vodafone found the easiest way to provide CRM access was to use the internet; it is a serious lapse in judgement for Vodafone to not require multifactor authentication on their web portal. What were they thinking?*


The Australian points out that it's likely that Vodafone won't get more than a public 'slap on the wrist' as the Privacy Commissioner currently has no power to act on breaches of the Privacy Act. Gah!

Adopting security is often about incentives. If the Privacy Commissioner can't 'punish' the company for the breach and implementing something like multifactor authentication can't be sold as a customer benefit ("Sign up with us and your data won't be stolen again!") then we're left relying on the company to 'do the right thing' - which has been shown again and again to not be a great incentive to businesses (it could be argued that if 'doing the right thing' was a sufficient incentive, Vodafone would have already used multifactor authentication on their CRM portal - I imagine someone inside of Vodafone is saying "I told you so" today...).


*probably that usernames and passwords are cheaper than multifactor authentication. Which they are, just not safer...

The great Wikileaks scandal that is currently occupying the media's attention has brought to light some interesting food for thought beyond the actual leaked documents and the ultimate insider threat scenario.

Wikileaks has been under denial of service attack for a number of days now, allegedly caused by a 'hacktivist' called 'th3j35t3r' (The jester). The attack has ramped up from the 2-4Gbps that forced the site from it's original host to the Amazon EC2 Cloud Service, where it intensified to a 10Gbps+ attack. Amazon then subsequently dropped hosting of the site, succumbing to both political pressure along with the ongoing DDOS attack.

Does this add an extra wrinkle to the 'put it all in the cloud' future promoted by some organizations or individuals? It does bring up concerns about how a cloud provider would react if your organization came under sustained denial of service attack. The allegations that the attacks were the actions of a single hacker using new software called XerXes that requires no zombie network or botnet to be effective is also extremely concerning.

I attended the AISA national seminar day earlier this week (which was a great day), and one of the panel discussions touched on whether there was a need for greater regulation or government intervention in IT Security. The prevailing view was that over-regulation would stifle innovation and government mandated minimum requirements would lead to businesses doing the bare minimum and no more.

I don't disagree with those points, but I do believe that Australia is stll behind the US/Europe in understanding Information Risk in the boardroom and one of the ways to make sure it gets on the radar and stays there is mandatory breach notification.

My view was somewhat echoed in a recent itnews story that made the good point that individual data breaches may be too small for authorities to really investigate but the implementation of a IC3-style centralized reporting body could assist in aggregating many small breaches into a large one and show a pattern of behaviour or negligence by an organization.

On a similar note I (re)discovered a link to a useful document that I had used in a Uni assignment last year that compares Data Breach Notification Laws around the world [pdf]. Although a little out-of-date (2009), it's still a great little summary.

On data breaches, there is of course Wikileaks. Wow. Infosec Island has a nice piece on how the forthcoming "megaleak" from a major US bank will be 'Enron-esque' in the fallout (if you haven't seen it, I recommend Enron:The Smartest Guys in the Room).

If it is as big as promised, it will be interesting to see the effect on corporate security (and is probably a great time to be a salesman with a good DLP solution...)

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop so was probably running XP rather then the bitlocker-capable Vista or Windows 7, but still.....

I hope the Taliban/Al Quaeda/Threat of the Month don't use eBay!

Affinity Health in the US has had to notify @400,000 customers and staff of a potential data breach. A firm suffering a data breach? "Nothing new there!" you say.

In this case though, the method the data was lost is a little more unusual (as was the method of discovery). You see, CBS was investigating the ticking "digital time bomb" of office photocopiers and purchased 4 copiers. Upon removing the hard drives and running a forensic tool over them they found confidential police data on 2 machines, construction plans and payroll data on a third and on the fourth - patient information from Affinity Health.

A quick search on datalossdb shows a few entries for fax machine breaches (mostly by sending a fax to the wrong number), but only one entry for copiers - the Affinity Health breach.

The CBS article asks, "Has the industry failed..to inform the general public of the potential risks involved with a copier?" to which the President of Sharp Imaging says "yes".

They do point out all the major manufacturers offer 'encryption options' or security packages, but without providing any information on what percentage of buyers are willing to pay the extra dollars.

Here's a thought - include it by default! Make it impossible to buy a digital photocopier without encryption or secure deletion!

I think it was in the Mitnick book "Stealing the Network" (or perhaps it was in "The Art of Intrusion") that a hacker stealthily entered a network and took control of a digital copier.

In the meantime, what does you organization do with it's old copiers when the lease ends or they end-of-life?

One of the difficulties of working in the infosec space in Australia can be the lack of region-specific information available. I blogged recently about a Ponemon institute study that was Australian-based and have recently come discovered Chris Gatford of hacklabs.com had started maintaining a record of security incidents in Australia and New Zealand.

This is a nice addition to some of the existing resouces available, such as datalossdb.org (which records all different kinds of data loss) and zone-h.org which keeps a good record of website defacements.

This goes squarely in the 'oh dear' category and comes only months after this lapse, it appears government bodies need to be a little more mindful of where they are putting sensitive information...

The Australian has reported that the Ponemon Institute has released a report on the Cost of a Data Breach based on data from the Australian market.

For those of us 'down under' it is great to see some reporting based on the local conditions, rather than the usual reports from the US and Europe. Unfortunately the report is only based on the 16 completed responses from the 114 companies that were asked to participate, however I see it as a good start that I hope will continue.