Sony Europe hacked by Lebanese hacker… Again

Updated with information on 14th attack against SonyPictures.RU. Sony was hacked for the 13th time, this time exposing usernames, passwords, work emails, mobile phones and web site information on 120 Sony Europe users. Read more…

Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

Snapshot of database dump on pastebin

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.

Idahc tweet about Sony hackIdahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

You can also download our free technical paper Securing Websites.

Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony’s infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: “In Soviet Russia, SQL injects you…”

Pastebin of sonypictures.ru

W32.Qakbot – What You Should Know

 
W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developmen…

 

W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developments arise.  
 
The threat itself spreads through a number methods; in particular, we have seen it being spread from various websites using old vulnerabilities. Once inside a network, it employs other methods to propagate itself to other computers within the network such as copying itself to removal drives. Qakbot is notorious for stealing information, it collects a wide range of data from infected computers and then uploads it to various FTP accounts. 
 
We recently published a detailed whitepaper on W32.Qakbot but if you don’t have the time to read that, the following infographic tells you what you need to know about Qakbot in a snap.
 

Facebook phishing: Can you spot the difference?

Would you be able to tell a Facebook phishing page from the real thing? Why not try your luck as we examine a scam that has been circulating in the last 24 hours on the social network. Read more…

We’ve seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.

Here’s a typical message:

Facebook phishing message

hello have you seen this recent video on the president? What is he doing in it?! LOL

or

What's the president doing in this video. OMG LOL!

Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with “.co.cc” contain “bad stuff”. Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.

And what sort of name is hzjqorbbmdnf anyway?

Regardless of the dodgy-looking nature of the link – what happens if you click on it?

Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it’s a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they’ll type in their credentials without thinking.

Here’s the fake login page:

The fake Facebook login page

And here’s Facebook’s genuine login page:

The real Facebook login page

Did you spot all the differences?

Here’s the ones I found – well done if you spotted even more!

Differences

Starting at the very top –

1. The genuine login page calls itself “Log in” in its title bar. Amusingly, the real Facebook is inconsistent as to whether you “Log in” or “Login” to Facebook as later in the page it refers to “Facebook Login”. It’s odd to see a phishing page be more professional than the real thing.

2. That’s clearly not Facebook’s genuine URL. Interestingly, other pages on the domain contain clickjacking scams.

3. The real page gives me more language options – including UK English and Welsh which aren’t available on the phishing page. It’s possible that the real Facebook is doing some GEO-IP lookups and determined that I’m visiting from the UK – maybe users in other countries don’t see those options.

4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.

5. There are many more link options made available to me in the footer of the real login page, including “Badges”, “Mobile”, “People”, etc.

There’s bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.

If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.

More differences

Skype protocol cracked – what happens next?

A chap by the name of Efim Bushmanov has just published a claim that he has reverse-engineered the Skype protocol.

But how did he do it? And will the lawyers take it from here? Read more…

A chap by the name of Efim Bushmanov has just published a claim that he has reverse-engineered the Skype protocol.

He hasn’t reversed it completely, and he hasn’t yet created any Skype-compatible alternative software, but that’s the stated goal of his work so far:

While "Wall Street Journal" makes politics and skype today's trend, i want to publish my research on this. My aim is to make skype open source. And find friends who can spend many hours for completely reverse it.

Skype was big news recently when it was acquired by Microsoft for US$8,500,000,000 – despite having a billion dollars of debt and having recorded a financial loss last year. An open source project to create a Skype-alike software product would therefore be an interesting beast.

In fact, open-source Skype implementations for Linux and OS X would probably be in Microsoft’s overall interest – Microsoft could simply give up on the existing Linux and OS X code bases without creating any bitterness amongst those communities. They’d be able to take up the software development reins – just as gung-ho open sourcers are supposed to if they don’t like what’s already on offer.

And if Microsoft can build an attractive-enough back-end service for Skype, it will be able to convert Skype from a loss-making peer-to-peer pseudo-telephone company into yet another handy reason to sign up for a Microsoft LiveID and to join the fun in the Cloud According to Redmond.

If that were to happen, an open-source Skype would probably distract from any open-source projects aimed at creating a genuine alternative. We’d just end up with multiple choices of client for the Skype service, rather than a complete competitive service.

And an open-source Skype clone would provide at least some sort of technical reference for the long-secret and carefully-hidden internals of Skype and its protocols. That, too, would probably be in Microsoft’s favour – by reducing the objections of those security practitioners who don’t like secret cryptographic implementations.

What we can’t guess, however, is how Redmond will respond.

Will Bushmanov get a cease-and-desist letter? Will anyone who looks at his reverse-engineering efforts be tainted when it later comes to implementing Skype-compatible code?

When Andrew Tridgell set about understanding Microsoft’s SMB protocol – eventually giving us SAMBA, an open-source interoperability suite letting Linux and UNIX computers talk to Windows networks – he didn’t decompile any of Microsoft’s code.

He simply watched the traffic generated by SMB implementations until he understood it well enough to produce an alternative implementation. (I once played pool against Tridge. He flogged me mercilessly.)

If Bushmanov hasn’t taken this “clean” approach – and the presence of IDB files (IDA Pro disassembly databases) amongst his published downloads suggests that he has not – then this could end up in an interesting legal battle.

Sony, for example – which recently wanted to take vigorous legal action against George Hotz, a US hacker who worked out how to jailbreak the PS3 – ended up with a civil court judgement against Hotz’s web hosting company, Bluehost. Bluehost was forced to give Sony a list of IP numbers and account details of anyone who had looked at any of Hotz’s webpages.

This time, Microsoft is in Sony’s place. Bushmanov takes over from Hotz. And Bluehost is replaced by Google – because Bushmanov is using a recently-created Blogspot account to publish his results.

For all we know, this could end up as Microsoft versus Google in court over access to logs and account details. That would certainly be a case to watch! (Of course, only the lawyers would actually benefit in the end. So let’s hope it doesn’t turn out that way.)