Tag Archives | hacking

Playstation Store Returns as Sony Hacking Continues

Sony just can’t get back on track. On Wednesday evening, the Playstation Store came back online, finally making the Playstation Network whole again after April’s devastating security breach.

But now, a group of hackers known as Lulz Security claims to have breached Sony Pictures’ website, stealing e-mails, passwords, addresses, birth dates and opt-in information for more than a million users. All of this information is now posted to the Internet.

To be clear, we’re talking about two different divisions of Sony. The hacking of Sony Pictures has no effect on the Playstation Network. Still, this is another embarrassing security breach for Sony, and a sign that the company isn’t finished fending off hackers. It’s not even the first attack since the breaches of PSN and Sony Online Entertainment in April. Other smaller attacks have included a leaked database in Japan and a phishing scam site on Sony’s Thai web domain.

On the bright side, the Playstation Network has remained relatively stable since online play resumed in mid-May. That’s the best way Sony Computer Entertainment can redeem itself, along with the “welcome back” package of free games and other benefits that’s reportedly in its final testing stages.

But as a whole, Sony needs to show its customers that it’s taking security more seriously. Obviously, the entire company is now a target, and customers are the innocent bystanders. Perhaps it’s time for CEO Howard Stringer to change his tone.


Sony CEO Sir Howard Stringer’s Surprising, Cranky New Tone

Facing increasing criticism of his company’s handling of the PSN hack — and now apparently a new security issue — Sony’s CEO Sir Howard Stringer has suddenly become much more vocal in striking down critics. The company’s new logic appears to be that “no network is 100 percent secure,” and that the attack on its servers was “unprecedented.”

Stringer’s comments came in the form of interviews with several outlets, including Bloomberg, Reuters, the Wall Street Journal, and others. He argued that the company’s notification of the hack within a week was faster than other companies have alerted their own users of data loss, sometimes months after the fact.

Continue Reading →


WordPress.com Hit Again: This Time Hacked

It’s been a rough go for WordPress. Its been the target of several attacks lately, including a denial-of-service attack last month that severely crippled its servers for several hours. This time, its potentially more embarrassing for the blogging service, as it apparently has been hacked.

Whoever did it pretty much has full access: founder Matt Mullenweg said in a post to the company blog that the hacker has “root” access. In plain English? The WordPress server is this hacker’s oyster, and he or she is free to do whatever they want because they have administrative privileges.

Mullenweg says the company isn’t clear on what exactly may have been revealed and is going over its logs. He guessed they took a look at the source code, parts of which he called “sensitive.” The company is busy securing the server to prevent a repeat, and wouldn’t share much more.

Until we know exactly what happened, its hard to judge the potential effects. If you have an account on the service, and especially a “VIP” account, it may just be a good idea to change your password.

One comment

Sony Tries to Scrub PS3 Jailbreaks From the Web

After four years of solid security, Sony’s Playstation 3 hacking defenses have fallen, and all the company can do now is try to snuff the hackers themselves.

Sony has filed a restraining order (and filed a lawsuit — see update below) against three named hackers — including George Hotz of iPhone jailbreak fame — along with two pseudonyms and numerous John and Jane Does, all of whom were involved in the latest jailbreak for PS3 firmware 3.55. It’s not a proper lawsuit yet, but Sony’s trying to get all information related to the PS3 jailbreak removed from the Web.

Continue Reading →


Droid X on Lockdown, But Hacks Won't Brick It

If the Droid X’s U.S. launch had just one pockmark, it was the hoopla that transpired when one Android enthusiast declared the phone would become a brick when hacked.

It all started when My Droid World forum admin p3droid declared that a chip called eFuse was triggered to blow when the Droid X’s digitally-signed bootloader is tampered with, rendering the phone unusable. Attempts to run custom ROMs on the phone, such as Cyanogen, would likely produce a Motorola-branded doorstop that only the company could fix. MobileCrunch’s Devin Coldewey ran with the story, as did other sites, and a debate ensued on whether the phone does, in fact, have a hardware-killing security feature.

So Engadget cleared the air with Motorola, who said the phone is not rigged to blow, but it does go into “Recovery Mode” when booted with unauthorized software. This is for security reasons, and for meeting carrier, partner and legal requirements, Motorola said. Re-installing Motorola-approved software restores the Droid X to normal.

Okay, great. But I think the debate yesterday was misdirected. The problem is not that the Droid X becomes a brick when hacked, but that it cannot be hacked. While the lack of a phone-killing security feature means hackers are at a greater liberty to tinker, they won’t get anywhere. Motorola Milestone, the original Droid’s overseas sibling, has the same digitally-signed bootloader, and its security measures haven’t been broken yet. There are workarounds for loading custom ROMs on the Milestone, but they are difficult to perform, and there are other drawbacks, as explained by TheUnlockr.

Any tech topic with the word “brick” in it makes for a better headline, but I’d rather see the discussion focus on why Motorola doesn’t want its users hacking the Droid X, rather than what nasty things will happen to the phone if they do.


Verisign: 1.5 Million Facebook Accounts Up for Sale

Verisign’s iDefense Labs has discovered a website which lists some 1.5 million compromised Facebook accounts “for sale.” The selling price is $25 per 1,000 accounts with ten friends or less, and $45 per 1,000 for those accounts with more than ten friends.

While the accounts themselves do not contain enough personal information to commit outright identity theft, some social engineering could produce enough to possibly compromise more sensitive online services the account holder may use. Another avenue is the spreading of malware through the compromised user’s friend network, researchers said.

The information was found on a forum in Russian, posted by a hacker going by the handle “kirllos.” Based on the most current available number of users provided by Facebook — some 400 million — the accounts comprise about four tenths of a percent of the entire user base.

It may seem like a small number, however Facebook is not able to estimate how many more accounts may be compromised by other hackers, eWeek’s Brian Prince reports. Spokesperson Andrew Noyes did add that the social networking site is continuously monitoring for suspicious activity and taking action where neccessary.

When an account is compromised and detected by Facebook, the user’s account is suspended. That user must then take steps to confirm the account is secure, including changing the password.

Users should always be wary of adding friends who they do not know directly, and ensure that their privacy settings are set so that personal information is protected. I’ve already found this out the hard way, and have taken steps myself to prevent the possible misuse of my personal information.

I guess the best advice is to just double check that you haven’t let anything slip through the cracks, and stay away from the shady stuff on Facebook!


Song Lyrics Site Serves Up Java Attack Code

Popular lyrics site Songlyrics.com was discovered to be delivering attack code which could open up visitors to remote code execution attacks, several news outlets reported Thursday. The exploit was discovered by researcher Tavis Ormandy last week and reported. Songlyrics.com has taken action to remove the offending code from its website.

Ormandy and partner Ruben Santamarta said it was easy to exploit the issue, and AVG researcher Roger Thompson has called upon Oracle to patch the issue as soon as possible. However, according to the Register, the company has neither answered their requests for comment, nor confirmed the exploit exists at all.


US Army Servers May Have Been Hacked

An Anti-US hacking group known as “m0sted” has apparently hacked into at least two sensitive Army servers, InformationWeek claims, citing “exclusive” information. The breaches are being investigated by the US Army, although they have not been publicly disclosed.

The two servers known to be hacked were one at the McAlester Ammunition Plant in McAlester, Okla. on January 26, and another U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va which occurred on September 19, 2007.

In the earlier case, the divisions webpage was hacked redirecting to the group’s own site. That site hosts anti-US and anti-Israeli messages. It is not known whether the group was able to access or download any sensitive data.

Both hacking attempts took advantage of SQL injection vulnerabilities in Microsoft’s server software. Even though the Defense Department has put in place tools to prevent such attacks, the hackers have apparently found a way to bypass those measures.

As part of the investigation, search warrants against Google, Microsoft, and Yahoo have been executed in an effort to reveal the hacker’s identities. The Defense Department is not commenting on the report.


Google Search for Barack Obama Reveals Racial Epithets

A reader tipped us off to the appearance of racial epithets in searches for Barack Obama on Google. When performing a search for our current president, on the first screenful you’ll be greeted with the N-word. Yep, that one.

Apparently someone went into the Wikipedia entry for President Obama at about 11:44pm ET last night, deleting the entire entry to read the epithet three times over. The wording was in such a position that Google’s crawlers picked it up.

The edit was quickly reversed in two minutes. However it apparently was not fast enough for it not to be crawled by Google’s servers. Below is the screenshot. As this is a family site, the front page version has been edited. A uncensored version is posted after the fold.


If anything, this goes to strengthen the argument which seems to be brewing lately over whether Wikipedia should become more stringent over who it lets edit its postings.

Incidents like this are a perfect example of why it should happen. If Wikipedia wants to be a reliable resource, it may be time for the site to start vetting its writers. It’s good that people want to help, but there’s people out there who have nothing better to commit than stupid antics like this.

I have a request for comment out to Google and Wikipedia on the situation, but I’m not expecting much other than a canned response.

Continue Reading →