Security Watch

Anony-mess

There's speculation the hacker group Anonymous is behind the PlayStation Network and Qriocity services break-in and shutdown last month, Financial Times reported May 6.

Sony Corp., in an open letter to Congress, suggested the activist group might be responsible for the breach, but did not directly accuse Anonymous.

Anonymous has officially denied involvement in the attack, though the loosely affiliated group reportedly suggested that some of its members may have acted independently.

Two members of Anonymous told Financial Times they saw discussions of technical flaws in Sony's network in an Anonymous chat room before the break-in.

Sony reportedly will make the services operational by the end of the month, Bloomberg reported, though Financial Times reported rumors that further attacks against the Sony Network are possible this weekend.

Bad Call

A recent version of Skype Inc.'s free voice and chat service for Mac users has a huge security hole, ZDNet reported May 6.

The hole lets hackers launch an attack by sending victims a typed message via Skype. The exploit reportedly then lets hackers take over the computers of victims.

Gordon Maddern, researcher for the security firm Pure Hacking PTY Ltd., reported the vulnerability on Friday, according to ZDNet. Maddern discovered the flaw about a month ago, and he reportedly notified Skype. Pure Hacking is based in Sydney.

Maddern further reported that Windows and Linux Skype users were not vulnerable.

Microsoft Corp. this week announced it has agreed to buy Skype for $8.5 billion.

Scare Tactic

A scareware tactic reported May 3 by the security firm Appriver LLC of Gulf Breeze, Fla., attempts to intimidate consumers by sending them emails claiming to come from the Federal Bureau of Investigation.

The emails say the FBI has been monitoring a user's activities and has logged visits to more than 40 illegal websites. The email has a bogus questionnaire that consumers are urged to download, entitled "document.zip."

The document is really a virus that creates a permanent back door enabling hackers to download spyware and keystroke loggers, which can be used to steal information such as bank account logins and passwords.

All-Access Pass

Marvasol Inc.'s password storing service LastPass reported up to 1 million of its accounts may have been compromised, according to a May 5 story in The New York Times.

On its company blog, LastPass said it had logged traffic irregularities leaving the website.

This led company officials to suspect intruders may have made off with customer information. It urged customers to change their master passwords, which are used to guard the many other passwords stored with LastPass.

On its blog the Vienna, Va., company wrote: "We take a close look at our logs and try to explain every anomaly we see.

Tuesday morning we saw a network traffic anomaly for a few minutes from one of our noncritical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

"In this case, we couldn't find that root cause … we're going to be paranoid and assume the worst."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.