Showing posts with label Security. Show all posts

Friday, June 17, 2011

LulzSec Releases Over 62,000 Hacked Passwords

Hacker group LulzSec published over 62,000 email addresses and passwords as a free download.

Mikko H. Hypponen from F-Secure believes that the emails and passwords were from a database kept by website Writerspace.com, according to The Hacker News.

Gizmodo took the database and has made a script for users to input their email address to check it against the release from LulzSec. Unless you were a member of Writerspace, you're probably not affected, but this is a good way to confirm.


Thursday, June 16, 2011

Citigroup Hack Hit 360,000 Credit Cards

Citigroup said that about one percent of customers had been affected, implying that around 200,000 had been affected.

Citigroup released a letter to its customers implying that around 360,083 card accounts had been affected.

Citigroup now says it's replaced the cards of about 217,000 customers.

It seems California was the hardest-hit state, with about 80,000 affected accounts.

Citigroup has reiterated that the information taken won't allow hackers to access funds directly.

Thursday, June 2, 2011

Chinese Gmail Attack Targets 'Senior' U.S. Officials

Google revealed the suspected source of a hacking attack on Gmail accounts: users originating in China.

Eric Grosse, engineering director on the Google Security Team, said in a blog post Wednesday that specific user account credentials were targeted.

Targets included government officials from the U.S. and "several Asian countries" as well as political activists, journalists, and military personnel, Google said.

"The goal of this effort seems to have been to monitor the contents of these users' e-mails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings," Grosse said.

"It's important to stress that our internal systems have not been affected--these account hijackings were not the result of a security problem with Gmail itself. But we believe that being open about these security issues helps users better protect their information online," Grosse continued.

Google says it's notified those with affected accounts and has also secured the accounts. The company is encouraging users to add extra layers of security including designing more complex passwords, turning on two-step account verification, and only going through the company's secured "https://www.google.com" domain when logging on from a Web browser.

Google's blog post notes that "internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself."

Monday, May 9, 2011

White Hat Hackers Find Skype Security Hole For Mac

Skype has issued an update for all Mac users because of a security flaw in Skype version 5.x for Mac that allows a malicious user to execute code on the victim's computer.

A security researcher said today that he found a serious hole in the Mac version of Skype, proving that it was possible to send a specific message to a Skype user that would crash Skype and make it unusable.

Gordon Maddern says he discovered the vulnerability about a month ago. He was chatting on Skype to a colleague about a payload when the payload accidentally executed in the colleague's Skype client.

He created a proof of concept that can be used in an attack but is not releasing details on it until Skype fixes the issue. He could not find the vulnerability in the Skype client for Windows and Linux, he said.

Thursday, May 5, 2011

Sony Knew Software Was Outdated Three Months Ago

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using seriously outdated software on its servers and knew about it approximately three months before. The company was informed by security experts monitoring open Internet forums that its version of Apache Web Server was out of date.

This version was unpatched and had no firewall protection of any kind.

Read the congressional testimony here (PDF)

Possible Security Breach At LastPass

Users who manage and store their passwords through password management service LastPass are being forced to change their master passwords after the site noticed an issue this week that raised the spectre of a possible security breach.

LastPass wrote on their blog yesterday that because they can't account for the anomaly they detected in one of the databases, the company made the decision to assume the worst: that some of its data had been hacked. They say you shouldn't be impacted by this issue if you have a strong, non-dictionary-based password.

Although LastPass hasn't identified a specific breach, it's erring on the side of caution by now forcing its members to change their master passwords.

LastPass lets users create and manage passwords to more easily log in to the vast array of secure Web sites they visit.
Those passwords can be stored on a PC or mobile device as well as online. As one means of protection, LastPass typically urges users to create a single complex master password that can unlock the key to accessing their passwords.
Of course, if that master password is compromised, hackers potentially can gain access to all the individual passwords, one reason why these companies advise users to employ complex master passwords.

In the meantime, LastPass has moved services to other servers for now. They also compared the code on the live servers with code from their repositories to make sure it was not tampered with.
The company is also enhancing the encryption used to protect its data.

Monday, May 2, 2011

Sony Details PlayStation Network Revival

Within a week Sony will turn on most features of the PlayStation Network and offer its customers a selection of free downloads.

The PlayStation maker’s online service for its PlayStation 3 and PSP consoles will come back online this week following a massive security breach in which the personal information of over 70 million accounts, possibly including credit card numbers, was obtained by hackers.

Here's what's going to be coming back, as well as details on the new security measures that they hope will prevent events like this from happening again:
  • Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems
    -This includes titles requiring online verification and downloaded games
  • Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
  • Access to account management and password reset
  • Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
  • PlayStation®Home
  • Friends List
  • Chat Functionality
  • Added automated software monitoring and configuration management to help defend against new attacks
  • Enhanced levels of data protection and encryption
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
  • Implementation of additional firewalls

All PlayStation 3 owners will have to download a system update and change their passwords before they will be allowed to sign in to the service again; all password changes must take place on the PlayStation 3 console on which the password was originally registered. This, says Sony, is an additional security

Sony has issued a press release; read it here.

Friday, April 29, 2011

PSN: Credit Card Details For Sale

This just keeps getting worse by the day: hackers responsible for the PSN breach last week are attempting to sell users' credit card details online.

They claim to have the details of 2.2m Sony PlayStation Network users, including credit card security numbers.

They are hoping to sell the credit card list for upwards of $100,000.
