Sony Music Japan hacked through SQL injection flaw

Another day, another attack on Sony. I reported yesterday on the SQL injection attack exposing user information on SonyMusic.gr, and today attackers have found flaws in SonyMusic.co.jp.

The Hacker News sent us a tip this evening documenting a couple of vulnerable web pages on SonyMusic.co.jp that allowed hackers to access their contents through SQL injection.

Screenshot of Sony Japan hack from Pastebin.com

The good news? The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information.

It isn’t clear whether the hackers are able to inject data into the database, or simply access the tables and records it contains. If they are able to alter the records, this could be used to insert malicious code that could be used to compromise people browsing the site.

The attackers appear to be the same crew who targeted Fox.com earlier this month. Known as Lulz Security, the group appears to attack sites primarily for fun and political reasons, not to steal credit cards and commit other types of fraud.

This doesn’t change the criminality of their behavior. Accessing systems without authorization is still a crime in most countries.

Will Sony stop the bleeding? The attackers stated in their message “This isn’t a 1337 h4x0r, we just want to embarrass Sony some more.”

While there is an enormous target on Sony’s back as a result of these very public attacks, it is unclear why this is happening. Is Sony taking security seriously, or are there simply so many flaws from the past in their public-facing sites that it will take them a long time to patch them all?

I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.

Do-not-track off to a slow start, Mozilla adds support for Android

Whenever an average consumer is confronted with the idea of “opting in,” they typically don’t bother. They are not aware they have a choice, it’s too complicated to follow through, or they simply don’t understand the importance.

A great example of this is Facebook’s introduction of HTTPS via opt-in back in January. In a post on the Facebook developer blog, Naitik Shah points out that 9.6 million Facebook users are now using HTTPS on the service.

This sounds like a big number, but it is less than two percent of Facebook users, a rather dismal example of why security and privacy should be the default, not the alternative.

Similarly this week there has been talk of the ad industry’s voluntary do-not-track HTTP header. At a privacy conference Mozilla’s Alex Fowler noted that only one to two percent of Firefox users have enabled the do-not-track option.

Introduced in Firefox 4, the do-not-track option is rather difficult to locate. Fowler said that in future updates the do-not-track option will “be much more prominently displayed.”

Firefox 4 do-not-track preference

Internet Explorer 9 includes a do-not-track feature that is even better hidden. To enable this functionality, you need to click the Sprocket -> Safety -> Tracking Protection -> Your Personalized List -> Enable.

Chrome users are on their own and don’t have an integrated option to enable do-not-track. Keith Enright, Google’s senior privacy counsel, said to the Wall Street Journal, “I don’t know what a do-not-track header is, I don’t know what it means.”

Mozilla announced that the new beta version of Firefox for Google Android will support do-not-track, making it the first mobile browser to support the option. The question is, does it matter?

Currently less than ten percent of ads are displaying an icon indicating to users that their personal information is being collected. Very few advertising companies seem to be voluntarily honoring the do-not-track headers, which may stymie the industry’s efforts to avoid government regulation.

Senators Kerry and McCain are co-sponsoring a bill in the US Senate titled “Commercial Privacy Bill of Rights Act of 2011” which would require advertisers to respect users’ privacy or find themselves in violation of the law.

Beware Memorial Day Pharmacy Spam and Websites

With Memorial Day just around the corner, we at McAfee Labs are already seeing the expected spam coming in. It is common practice for spammers and cybercriminals to use holidays as a lure in their schemes; Memorial Day is no different. In reality, many spamming campaigns lead to the same websites, such as the one pictured below:

You will quickly notice a few things on this particular “Canadian” pharmacy website. Notice the well-placed Memorial Day branding in the upper-right corner. This can be easily adjusted for the holiday at hand and hence is very reusable and timely. Also notice that this site is caught by our SiteAdvisor technology, which gives the following warning:

I happened to arrive at this site via a fake YouTube email, but we see this link and the associated Memorial Day labeling used by quite a few campaigns:

This lure comes disguised as a warning from YouTube about an illegal video that has been posted. As should be obvious, this is not from YouTube! The links are fake and if you were to hover a mouse over them, you would see the links to the pharmacy websites. Make sure you stay vigilant around the holidays and expect to see these types of social engineering tactics. Use safe browsing technologies and keep all your security software up to date.

Stay educated. Stay updated. Stay safe.

Android Threat Set to Trigger On the End of Days, or the Day’s End

Symantec has discovered a Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation.

Once the threat is installed, it waits for the device to reboot. After the reboot, it starts a service called 'theword'. At regular intervals, it attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location. These same actions are carried out in a loop, at intervals of 33 minutes. In addition to being able to respond to commands received over the Internet and via SMS, the threat also has activities designed to trigger on 21 and 22 May 2011, respectively.

Several indicators in the threat suggest that it was aimed at users in North America. One obvious element is that the threat checks the date in the US format (MMDDYYYY) and will only trigger activation if the date is “05222011”, as opposed to “22052011” etc.

Another hint is the cultural (borderline bizarre) reference in the threat, which is geared more towards an audience in the North American region. Additionally, it attempts to register users as members of a US-based political action committee called ColbertPAC. Lastly, and most evidently, the belief that the ‘End of the World’ would occur on May 21 was a phenomenon largely limited to North America.

And then on the 21st day of May 2011 AD….

As soon as the threat recognizes the date is May 21, 2011, it creates a database called “mydb.db”:

It then writes the string “endoftheworld” to the table ‘myTable’. (This is used as a trigger to tell the 'SMSsmack' class to automatically reply to any SMS sent to the device with the message below.) Next, it randomly picks one of several pre-defined messages and proceeds to send the spam to the entire contact list:

Lastly, the wallpaper is changed to the following image:

When the threat detects that the date has rolled over to May 22, it changes the wallpaper again and spams the contact list with a new message:
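As an added illustration (not Symantec’s code or anything taken from the sample), the following Python models the date-gated trigger described above so an analyst can see how narrow the activation window is: the two stage dates compared as MMDDYYYY strings, and the consequence that a sandbox left on its real clock, or a check built on a DDMMYYYY format, would never exercise the payload. The “05222011” string is quoted in the write-up; “05212011” for the May 21 stage is assumed from the same format.

```python
from datetime import date, datetime, timedelta

# Constructed model of the date check described in the write-up (not the
# sample's own code). The threat is reported to compare the current date,
# formatted MMDDYYYY, against fixed trigger strings.
US_FORMAT = "%m%d%Y"   # MMDDYYYY, the format the threat checks
EU_FORMAT = "%d%m%Y"   # DDMMYYYY, the format the write-up contrasts it with

# "05222011" is quoted in the write-up; the May 21 string is an assumption
# derived from the same MMDDYYYY format.
TRIGGERS = {
    "05212011": "stage1",  # create mydb.db, write 'endoftheworld', spam contacts
    "05222011": "stage2",  # change wallpaper again, spam contacts with new text
}

def stage_for(iso_day: str, fmt: str = US_FORMAT):
    """Stage (if any) that fires when the device clock reads `iso_day`
    (YYYY-MM-DD) and the check formats that date with `fmt`."""
    return TRIGGERS.get(date.fromisoformat(iso_day).strftime(fmt))

def activation_days(start_iso: str, end_iso: str, fmt: str = US_FORMAT):
    """All days in [start, end] on which some stage would fire. This is the
    list of clock values a dynamic-analysis sandbox must be set to in order
    to observe the dormant behaviour; every other day looks benign."""
    d, end, days = date.fromisoformat(start_iso), date.fromisoformat(end_iso), []
    while d <= end:
        stage = TRIGGERS.get(d.strftime(fmt))
        if stage:
            days.append((d.isoformat(), stage))
        d += timedelta(days=1)
    return days

def reachable_triggers(fmt: str):
    """Trigger strings that are valid calendar dates at all under `fmt`.
    Read as DDMMYYYY, '05222011' would mean month 22, so a DDMMYYYY-style
    check could never match either string."""
    reachable = []
    for s in TRIGGERS:
        try:
            datetime.strptime(s, fmt)
            reachable.append(s)
        except ValueError:
            pass
    return reachable

if __name__ == "__main__":
    print(activation_days("2011-01-01", "2011-12-31"))   # two days in May only
    print(reachable_triggers(EU_FORMAT))                 # [] under DDMMYYYY
```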

Symantec has added detection for this threat, which is known as Android.Smspacem.

To avoid becoming a victim of such malicious Android applications, we recommend that you only use regulated Android marketplaces for downloading and installing Android applications. By default, an Android device does not allow the installation of applications from unknown sources (i.e. non-Market). This default configuration helps protect against rogue, pirated apps that may be malicious. The user must manually change this setting to allow the installation of unofficial (non-Market) applications, also known as side-loading. Checking user comments on the marketplace can also assist in determining if the application is safe. Lastly, always check the access permissions being requested during the installation of any Android applications. If they seem excessive for what the application is designed to do, it would be wise to stop installing the application.

A special thanks to Kaoru Hayashi for the in-depth analysis of this threat.