Web Security

Anonymous To Sony PSN Users: It Wasn’t Us!

In the midst of an apparent civil war, the online hacking collective, Anonymous, has issued yet another public statement denying responsibility for a damaging hack of Sony’s PlayStation Network (PSN) and claiming that Sony is trying to shift blame for “internal problems” onto Anonymous.

The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look.

Online scammers are recycling video and images released in the wake of the U.S. special forces raid on Osama bin Laden’s Pakistani compound to fuel Web based attacks that have been linked to rogue anti virus installations and botnets, according to Kaspersky Lab.

ED: LastPass Asks Users To Change Password After Probable BreachDEK: The Web based password management firm says it detected what it thinks is a breach that could have exposed some customer passwords. LastPass, a Web based password management firm, advised its customers to change the password they use to access the service following what the company discovered signs that its network may have been compromised. In a blog post on May 4, LastPass said it noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning and that a subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases. An analysis of the outbound data transfer from the server is large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst:” that “the data we stored in the database was somehow accessed.” However, its unlikely – given the amount of data believed to have been transferred – that much user encrypted data was transferred, the company said. The data stolen could potentially allow attackers to launch brute force attacks on user accounts – using e-mail addresses associated with accounts and dictionary-style attacks to break LastPass Master Passwords, which would give attackers access to any online accounts and passwords managed in a given account. As a result, the company is forcing all its customers to change the master password used to access their account. LastPass is also accelerating the roll out of a new encryption scheme that will use a SHA-256 bit algorithm on the server and a 256-bit salt using 100,000 rounds, the company said. If a breach did occur, its not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server didn’t show any signs of tampering, nor did its databases. In February, an indepndent security researcher did reveal a cross site scripting hole on the LastPass Web site (http://threatpost.com/en_us/blogs/password-management-site-lastpass-sports-security-hole-022811) that he said could have been used to expose user e-mails and a list of sites beloning to a particular LastPass accounts. No login data was exposed, but the researcher, Mike Cardwell, said that such data could potentially be vulnerable, also. LastPass, a Web based password management firm, advised its customers to change the password they use to access the service following what the company discovered signs that its network may have been compromised. 

The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn’t pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.

“Failure is only the opportunity to begin again, only this time more wisely,” is a quote attributed to legendary automaker Henry Ford. While it seemingly has nothing to do with secure application development, all you need to do is talk to a handful of enterprises who have tried to implement a secure development lifecycle – and you’ll certainly see how it applies.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.