SSCC 60 – Obama Proposals, Square Enix, Mac threats

Sophos Security Chet Chat logoWell it is bound to happen occasionally, and it did last week… I missed a Chet Chat. I was at the Sophos sales conference and did so much speaking and chatting with colleagues, that I lost my voice.

I’m back this week though, and I had my friend and co-worker Ben Jupp join me on Chet Chat 60. Ben works in our Global Escalation Support team and deals with all the thorny issues with non-Windows platforms. Ben’s specialty is Mac OS X and works closely with product development and SophosLabs on Apple related issues.

This week we began our discussion with Obama’s recent proposed changes to the Computer Fraud and Abuse Act (CFAA) and Racketeer Influenced and Corrupt Organizations Act (RICO). We talked about the latest data breach at Square Enix and Sony’s most recent stumble.

My primary reason for having Ben as my guest was to explore all the news surrounding the recent fake anti-virus attacks against the Mac platform. In addition to the malware for OS X we also talked a bit about the Apple Mac App Store and keeping applications patched against vulnerabilities.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(19 May 2011, duration 20:27 minutes, size 9.9MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 60 or subscribe to our RSS.

Square Enix confirms website hack, email addresses and resumes stolen

Deus Ex Human RevolutionResumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and “Deus Ex: Human Revolution” websites.

Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)

Here’s part of the statement from Square Enix:

Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.

Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

There are two main risks here.

One threat is that if your email address is one of the 25,000 that has been stolen, you could receive a scam email (perhaps containing a malicious link or attached Trojan horse) that pretends to come from a video game company. After all, the hackers know that you’re interested enough in video games to give your email address to Eidos.

Secondly, the resumes from job hunters. This is a more serious problem. Just think of all the personal information you include on your CV: full name, date of birth, email and home address, telephone number, job history. This kind of information is a god-send to identity thieves interested in defrauding internet users.

So, it seems Sony is not the only video game company to be having problems with its computer security.

Lets hope the continuing stream of stories of companies having customer data stolen from them makes them take security more seriously in the future.

More information about the hack can be found on the KrebsOnSecurity blog.