DDoS Attacks Shut Down Online Gaming Servers

Sony Playstation LogoWas your favorite online video game difficult to access over the weekend? There is a reason for that. A group decided to use a DDoS attack against several of the big gaming companies servers. I’ve no idea what the motivation of this group was, and choose not to speculate as to what they may have been thinking. If you were on Twitter this weekend you may have seen a lot of confused and frustrated tweets from gamers who were just trying to have fun playing some online video games.

The group targeted Blizzard Entertainment’s servers. This caused difficulties for those trying to access Battle Net, World of Warcraft, Diablo III, Hearthstone and other Blizzard games. Riot Games’ League of Legends was attacked and so was Grinding Gear Game’s Path of Exile.

Blizzard was keeping people informed about the outage through their @BlizzardCS account on Twitter. They did not directly mention a DDos attack, and instead tweeted things like “We’re investigating issues where players are unable to connect or log into their characters.” Updates about the situation were provided through that Twitter account.

Sony’s PlayStation Network (PSN) was attacked, too. The PlayStation Blog has a post that gives some details.

The original post started with Like other major networks around the world, the PlayStation Network and Sony Entertainment Network have been impacted by an attempt to overwhelm our network with artificially high traffic. The blog was later updated to say: The PlayStation Network and Sony Entertainment Network are back online and people can now enjoy the services on their PlayStation devices. The networks were taken offline due to a distributed denial of service attack.

Grinding Gear Games sent out a Tweet on their @PathofExile Twitter account about it.

From what I saw via Twitter, it appeared that some of these gaming companies had their servers go down more than once. I am of the impression that stability has been restored to the affected servers now. Hopefully, that is the end of the problem.

Is There a “WarKitteh” in Your Yard?

Not a WarKittehThe innocent looking cat that is wandering through your backyard might be up to something sneaky. Instead of hunting mice, he or she could be hunting for Wi-Fi networks. Of course, the cat probably just thinks it is out for its usual “wander around the neighborhood”.

Gene Bransfield gave a talk at DefCon titled “How to Weaponize Your Pets”. In it, he described how to turn your cat into a “WarKitteh”. Gene Bransfield works for the security company Tenacity, and he created the “WarKitteh” idea because it amused him. The “WarKitteh” name is a reference to an activity called “wardriving”. In short, it is an activity in which a person drives around looking for weak or unprotected Wi-Fi networks. Now, your cat can go do that all by itself, no driving required.

Bransfield put together a specialized collar that contained mini-computers and an antenna (which were sewn into a collar that could be worn by a pet).

The collar was placed on a Siamese cat named Coco, who belonged to Brandsfield’s wife’s grandmother. Coco turned out to be pretty good at wandering the neighborhood. Coco spent three hours exploring some of the backyards nearby.

At the same time, the cat was mapping out dozens of the neighbor’s Wi-Fi networks and was able to gather enough data to determine which would be easy to get into. The “WarKitteh” identified four routers that were using an old form of encryption that could be easily hacked into and four more routers that had no security protection on them at all.

The primary inspiration behind the “WarKitteh” was entertainment. The results, however, showed that the “WarKitteh” could be an effective way to teach people about how to better protect their Wi-Fi networks. The “internet” is in love with cats, so I can see where this has potential.

The photo you see at the top of this blog is one I took of a cat that was wandering through my backyard a few years ago. That was before “WarKitteh” technology existed. The next cat that wanders through your backyard could be a “WarKitteh”, and you would probably not even know it had been there!

Two Million Passwords Stolen by Hackers

Trustwave logoOn November 24, 2013, researchers at Trustwave discovered that hackers have obtained up to 2 million passwords for websites like Facebook, Google, Yahoo!, Twitter (and others). Researchers learned this after digging into source code from Pony bonnet. It appears that information about this has only been made public very recently.

Here’s some quick stats about some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, Pony botnet stole credentials for: 1.58 million websites, 320,000 email accounts, 41,000 FTB accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack it, but it could make it more difficult. Trustwave noted that only 5% of the 2 million passwords that were stolen had excellent passwords (meaning the passwords had all four character types and were longer than 8 characters).

SIM Card Security Flaw Exposing 750 Million Cell Phones

SIM Card

SIM Card

Outdated encryption is to blame for a new risk on your cellular device. According to a report by SRLabs and research which will be presented at BlackHat on July 31st, the Subscriber Identity Module (SIM) card can be hacked in a few ways, including through SMS messages.

According to SRLabs, SIM cards use 56-bit DES encryption – a technology created in the 70s. Using what is called FPGA clusters, a SIM can be crackable. SRLabs is looking to make aware these issues, then recommend a better SIM card technology, SMS firewall and SMS filtering so simple hacking techniques cannot access SIM card data.

It is reported that over 750 million SIM cards are vulnerable to this hack. That is 1 in 8 SIM cards, according to Karsten Nohl of SRLabs. An improperly encrypted SMS message – along with use of a custom Java program – can open the SIM to the malware. A hacker can do anything from change your voicemail to access your personal information on the SIM card.

In some phones, most information is stored on the phone and not the SIM. In some phones, SIM data can also include bank information, passwords to websites and programs and more. However, as we move to mobile and wearable devices, more SIM cards will be used to connect people to cellular networks.

 

 

 

Twitter Adds Two Step Verification System

Twitter logoWhen Burger King got hacked, we all laughed at the idea McDonalds might have bought it. When the Associated Press got hacked, we noticed. But it took the Onion in getting hacked for Twitter to finally do something…

Twitter rolled out a two-step verification system for users to get extra protection against would-be hackers. The verification method includes a special code that is sent via phone when they try to log in. With this extra step using a cell phone, hackers can become thwarted in trying to access an account.

This is not a new process – Facebook and Google both give this second verification step in your security features. Its better than a password because you don’t need to remember one. Its also better than a “name your pet” verification because in some cases (like Sarah Palin) people know that information.

“Today we’re introducing a new security feature to better protect your Twitter account: login verification,” says Jimio from the Twitter Product Security Team on the Twitter blog. “With login verification enabled, your existing applications will continue to work without disruption. If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application.

If you choose not to opt in you run risk of getting hacked. Of course, you also need to keep your phone numbers up-to-date. If that changes, you might have problems getting into your accounts.

If your Twitter Gets Hacked

First, attempt to change your password. If you still can’t log in, contact Twitter through a Support request. (choosing “Hacked account” from the list of options).

LivingSocial has been Hacked

LivingSocialAre you using LivingSocial? At the top of their website today is an important notice for customers that says “if you haven’t already updated your LivingSocial password, please update it now”. According to CNN the LivingSocial website, which people use to get daily deals, suffered a cyberattack on some of its servers. Data for more than 50 million users may have been accessed. LivingSocial says that credit card data was not affected by the cyberattack.

AllThingsD has posted the entire email from CEO Tim O’Shaughnessy that was sent to employees of LivingSocial. The email states:

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The same paragraph was in an email sent to users of LivingSocial, along with instructions about how to change their password. Users are encouraged to also change passwords on any other sites in which they used the same, or similar, password as the one they were using on LivingSocial.

I am not a user of LivingSocial, but I know that it is a website that offers people daily deals on a variety of things. There are many other websites, and apps, that also offer special deals to users. When people sign up for these types of things, they are doing it because they want to save money.

Nobody thinks about the potential for their favorite deals website to get hacked. It makes me wonder if the ability to get good deals through services like LivingSocial is really worth the risk of having your personal information out there (potentially accessible to hackers).

55,000 Twitter Accounts Have Been Hacked

An anonymous source, (but not the hacker group that goes by the name “Anonymous”) has hacked more than 55,000 Twitter accounts. This includes the username and password of each of the compromised Twitter accounts.

Was yours one of the thousands that were hacked? There is a huge list of the Twitter accounts that were affected that you can sort through. Someone put them onto Pastebin. There are so many of them that the list had to be split into five separate lists.

They are: Page One, Page Two, Page Three, Page Four, and Page Five. According to AirDemon.net You can find your account by using the find feature in your browser (CTRL + F) and typing in your email ID.

At this time, it appears that Twitter has disabled many of the accounts that were hacked. A spokesperson from Twitter said:

“We’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked – that is, the password and username are not actually associated with each other”.

It sounds to me like perhaps, some anonymous hacker decided to take action against the plethora of spam accounts that keep popping up on Twitter, (since Twitter doesn’t seem to do a whole lot to get rid of them or prevent new spammers from appearing). We are all tired of being followed by spam Twitter accounts. Perhaps the anonymous hacker is sort of acting like a modern day “Robin Hood”, only, instead of taking money from the rich and redistributing it to the poor, he or she is taking spam accounts from Twitter, and making Twitter do something about them.

If you are concerned that your Twitter account is among the thousands that were hacked, you might want to go ahead and change your password. Those of you that connected your Twitter account to your Facebook account, or other forms of social media, might want to check to see if those connected accounts have been affected as a result of the hacked Twitter accounts.

YouTube Hackers Invade Sesame Street, Replace with Porn

Sesame Street

Sesame Street Logo

Sunny Day, but the streets look different…

Visitors to the iconic children’s show “Sesame Street” on YouTube got a rude awakening on Sunday. All videos were deleted, and replaced with pornographic material. The header on the front page said “Sesame Street: It’s Where Porn Lives”. YouTube took instant action and brought down the site within the hour. At this moment, the page is still offline.

The blame has been running around as Reddit has a thread, blaming a person titled “MrEdxwx” . MrEdxwx has responded with a video stating his case that he did not hack Sesame Street.

Their Facebook Page has a public apology:

We apologize for any inconvenience our audience may have experienced today on ourSesame Street YouTube channel.  Our channel was compromised and we are presently working with YouTube/Google to restore our original content. We always strive to provide age-appropriate content for our viewers and hope to resolve this problem quickly.

This article was brought to you by the letters and numbers – H4cK0r.

 

Sony Issues Statement About the PlayStation Network

playstation network

2010 and 2011 have been rough years for Sony and for PS3 owners who use the popular PlayStation Network for online gaming.  The service has come under attack, and been taken down, on more than one occasion, and for extended time periods.  The latest attack began to hit the news yesterday, when it was learned that the service was again under attack.

Reports have ranged from DDOS attack to user account hacking, but earlier today Sony finally set the record straight about what is going on, how extensive the attack is, and what steps they are taking fix the problem.

According to Sony, the attack spanned three of their networks – the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment.  A total of approximately 93,000 users have been affected, and those accounts have now been locked by Sony.  It appears to have been a hacking attack – the perpetrators attempted to gain log-in access to accounts, and succeeded on 93,000 of them, which is actually a relatively small percentage.  At this time, Sony says that those users’ credit card data is still safe.

If you have a PSN account, even if you don’t think you were affected, I would still recommend changing your password.  Use a long password that incorporates letters, numbers, and symbols.  Although, Sony says credit information wasn’t gained, it would still be prudent to monitor you account closely and report anything that seems suspicious.

Below is full text of Sony’s announcement.

“12 October 2011

Tokyo, October 12 – Sony Network Entertainment International LLC and Sony Online Entertainment (SOE) have detected a large amount of unauthorized sign-in attempts on PlayStation®Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) services. We discovered these attempts and have taken steps to mitigate the activity.

Less than one tenth of one percent of our PSN, SEN and SOE consumers may have been affected. There were approximately 93,000 accounts (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. As a preventative measure, we will be sending email notifications to these account holders and will be requiring secure password resets or informing consumers of password reset procedures.

Credit card numbers associated with these accounts are not at risk as a result of these unauthorized attempts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are continuing to investigate the extent of unauthorized activity on any of these accounts.

These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources. These were unauthorized attempts to verify valid user accounts on our services using very large sets of sign-in IDs and passwords. Between October 7 – 10 US Pacific Daylight Time, we confirmed that these were unauthorized attempts, and took steps to thwart this activity.

For the latest updates please visit http://blog.eu.playstation.com/

How To Hack Mobile Phone Voicemail

As the fall-out from the News of the World scandal continues, many sources continue to inaccurately refer to “mobile phone hacking”. The truth (as far as is known) was that it was the voicemail of the mobile phone that was hacked rather than the phone itself. There are two ways to do this – the first is to simply guess the PIN of the voicemail and the second is to use Caller ID spoofing.

In the mid-2000s, most mobile phone voicemail systems were poorly protected as they typically came with a default PIN which was often easily guessed and only varied  according to the mobile phone company. Most users didn’t bother to change the PIN. Say the phone was on Orange, then the default PIN was 1234. If it was Vodafone, then 0000.  Typically, the villain then makes two simultaneous calls to the victim. One will be picked up, the other will go to voicemail.   By then pressing “*” or “#” while listening to the voicemail prompts, the individual can gain access to the voicemail system using the default PIN. Computeractive has article covering this scenario and how, in theory, it would be harder (but not impossible) to take this approach today.

As for Caller ID spoofing, this technique makes a call look like it’s coming from a different number than it actually is. It can be used legally to make someone calling from a mobile to actually appear to be coming from a company office, so that the person’s mobile number is not divulged. However, in some instances it has been used to gain access to voicemail boxes as many voicemail systems do not ask for further identification if the system recognises the inbound Caller ID as one of its own. PC Mag and c|net have short articles on how this is done and worryingly, this is still a threat. The Wall Street Journal covered the problem in 2010 before the current scandal broke.

It would appear that the best protection to both these attacks is (a) to change your PIN on your voicemail and (b) require your PIN even when calling from your own mobile phone. That way, even if your Caller ID is spoofed, the caller can’t get in without knowing your PIN.