
Sony hacked repeatedly as new hacker group emerges

It has become almost impossible to keep track of just how many times Sony has been hacked in the past couple of months. And it seems that many of the compromises of the firm’s servers involve the same weaknesses that the organisation seems unable or unwilling to fix.

Hacking Sony has become so popular that a term has been coined for the activity – ‘sownage’. At the time of writing, there have been as many as 17 breaches of Sony’s systems (depending on what you count as a ‘hack’) since the end of April. The very high-profile compromises of the PlayStation Network (PSN) and Sony Online Entertainment (SOE) put as many as 100 million customer records at risk. This hack, which may have exploited outdated and unpatched versions of Linux and Apache, was originally blamed on the Anonymous group, which had been targeting Sony with denial of service attacks. Sony said it found a ‘calling card’ left on one of its systems: Anonymous denied the claim, but given that the group has no control over its members, it’s possible that both sides are right.

These attacks have since been followed by a string of smaller breaches. One – the theft of a database with details of 2,500 sweepstakes winners – involved no hacking at all. It seems the Excel file was left publicly available on a server. Subsequently, there were website defacements and a phishing site was found being hosted on one of Sony’s servers.

Latterly, a new group has entered the fray. LulzSec, or Lulz Security, is an anonymous group with apparently little in the way of an agenda other than the desire for bragging rights about its alleged hacking prowess. The group is credited with SQL injection attacks against Sony websites in Japan, Belgium and the Netherlands, and with the breach of a 4.5 million record database held by Sony Pictures in which as many as 1 million passwords – stored in plain text – may have been compromised. LulzSec also downloaded 54Mb of source code for the Sony Computer Entertainment Developer Network. At the time of writing, there were rumours of a LulzSec member having been arrested, but the group denies this.

At the beginning of June, Sony and Epsilon (which also suffered a major database breach recently) were called before a Congressional committee. Tim Schaaff, president of Sony Network Entertainment International, told the committee: “Sony Network Entertainment and Sony Online Entertainment have always made concerted and substantial efforts to maintain and improve their data security systems.”

However, this was before databases were leaked via one of the firm’s Russian sites and the theft of source code by LulzSec. Attrition.org has also put together a list, dating back to 1999, showing more than 40 breaches of Sony systems – mainly website defacements. In addition, it appears that most of the recent attacks involved little more than simple SQL injection techniques.

Attrition.org has a useful timeline of the Sony hacks, although it’s likely that it’s already out of date. The timeline is here: <http://attrition.org/security/rants/sony_aka_sownage.html>.

Sony has not been the only target for LulzSec. It first came to the public’s attention when it hacked the website of the US Public Broadcasting Service (PBS). The broadcaster had aired a documentary about Wikileaks that LulzSec apparently thought was less than flattering.

The group also breached the servers of Infragard, a firm that specialises in monitoring data leaks. LulzSec attacked the company’s Atlanta organisation and managed to leak the login credentials for 180 users. LulzSec characterised the hack as an attack on the FBI, as Infragard works closely with the federal organisation. Presumably, the FBI itself would have been a more difficult prospect and Infragard represented a soft target.

One of the users whose details were stolen was Karim Hijazi, CEO of Unveillance, a firm that investigates data breaches. Hijazi’s Gmail account was subsequently compromised because it used the same password. A war of words subsequently broke out in which Hijazi claimed he’d been blackmailed by LulzSec while the hacker group said the Unveillance CEO had asked them to work with him to hack competitors and that the group “was just stringing him along to further expose the corruption of white hats”.

ISF advises on consumerisation

The floodtide of consumer devices being used in the workplace is causing severe headaches for security staff. The Information Security Forum has issued a report analysing the challenges, trends and solutions for this so-called ‘consumerisation’.

According to the report, ‘Securing Consumer Devices’, many of the issues stem from the fact that these devices were not designed to be used in a corporate environment, and are therefore difficult to secure using standard policies and technologies. Apart from misuse of the device and vulnerable software there are also legal issues around who owns the device and the data on it.

ISF’s report offers guidance on planning your security response, addressing both how people use the devices and what protection solutions, provisioning and support you’ll need. It also covers statutory requirements. This is all broken down into four key areas: a section on governance looks at achieving proper visibility of the devices in your organisation and defining policies around ownership; the section on users covers employee awareness and acceptable use policies; there are technical issues around the devices themselves; and a section on applications and issues to do with software.

The PBS website after defacement by LulzSec.

NEWS, June 2011, Computer Fraud & Security

A free executive summary of the report, as well as more information about the report itself, are available here: <https://www.securityforum.org/about/sampledocuments/publicdownloadconsumerisation>.

McAfee, working with Carnegie Mellon University, has also issued a report – ‘Mobility and Security’ – on the consumerisation problem. It suggests that enterprise policies and practices are lagging behind the influx of new technologies. A survey of 1,500 mobile device users and IT decision-makers found that 95% of organisations have policies in place governing the use of mobile devices such as smartphones, but that only a third of employees were aware of them.

In addition, the policies currently in place are inadequate. For example, one habit that few address is the tendency for employees to keep passwords, PINs and credit card details on their mobile devices. There is also a blurring of the distinction between work and personal life: the survey discovered that 63% of mobile devices that regularly connect to enterprise networks are used for both work and private purposes.

Although concerns have been raised about the possibility of malware being introduced into the enterprise network by inadequately protected smartphones, the McAfee study concludes that theft or loss of the devices constitutes a bigger security threat. It’s not uncommon for smartphones to carry significant amounts of sensitive corporate data. A third of such device losses resulted in a financial impact on the organisation, says McAfee.

McAfee’s report is here: <http://www.mcafee.com/us/resources/reports/rp-cylab-mobile-security.pdf>.

Mapping European cyber-security

The European Network and Information Security Agency (ENISA), the EU’s cyber-security office, has launched an updated edition of its country reports, reviewing the Network and Information Security (NIS) situation in EU Member States and other European countries. This third edition includes both an overview and separate reports on 30 countries.

It’s a mixed picture when it comes to nations’ preparedness for dealing with cybercrime, network attacks and network resilience, the organisation reports. There’s no consistency in terms of national NIS strategies. However, many countries are enhancing their efforts and making progress. Information exchange mechanisms and co-operation among key stakeholders also vary from country to country.

The reports include details of what ENISA considers to be successful NIS initiatives, presented as blueprints for others to consider. Areas examined include security incident management and reporting, risk management and emerging risks, network resilience, privacy and trust, and awareness raising.

Each national report outlines the individual country’s NIS strategy; regulatory framework and major policy measures; and key stakeholders and their mandate, role and responsibilities. It also provides an overview of the main NIS activities, stakeholders’ interactions, information exchange mechanisms, co-operation platforms, and country-specific facts, trends, and ‘good practice’ case studies.

“Mapping the IT security position for each country provides a key source of information for the sharing of good practices with policy and decision-makers,” said Professor Udo Helmbrecht, executive director of ENISA.

The country reports are available for download here: <http://www.enisa.europa.eu/act/sr/country-reports>.

Calendar

1–9 July 2011: SANS Canberra. Canberra, Australia. www.sans.org/info/72344

5–6 July 2011: Smart Grid Security China 2011. Beijing, China. www.pyxisconsult.com/sgsc

7–8 July: 10th European Conference on Information Warfare and Security. Tallinn, Estonia. http://bit.ly/dlZD3e

7–8 July: Eighth Conference on Detection of Intrusions and Malware & Vulnerability Assessment. Amsterdam, The Netherlands. www.cs.vu.nl/dimva2011/

15–24 July: SANSFIRE. Washington DC, US. www.sans.org/info/72774

18–22 July: Cloud Computing and Ethical Hacking World Symposium and Exhibition. Johannesburg, South Africa. www.amabhubesi.com

25–30 July: SANS Tokyo. Tokyo, Japan. www.sans.org/info/72889

30 July–4 Aug 2011: Blackhat 2011. Las Vegas, Nevada, US. www.blackhat.com