FOX employee data leaked “for the lulz”

Following last week's release of the X Factor 2011 contestant database on BitTorrent, The Lulz Boat (LulzSec on Twitter) has today released the passwords and email addresses of dozens of FOX employees.

Other files uploaded by LulzSec today suggest that the data may have been obtained through a hidden PHP script planted on fox.com, which allowed unauthorised access to a live production database. The attackers also listed the locations and partial content of several PHP configuration files on the server.

Earlier this week, two FOX Twitter accounts were also compromised. Both FOX UP and Fox 15 were hacked, presumably by LulzSec:

LulzSec also claimed to have hacked into 14 LinkedIn accounts belonging to FOX staff. The addresses of the affected accounts were posted on Pastebin.com on Monday, but the profiles have since been taken down.

LulzSec deny being vigilantes, cyberterrorists, or having any political motives. They say "we do it for the lulz" – an expression made popular by a FOX11 news report from 2007, which is often mocked for its inaccurate portrayal of the group Anonymous. Sven Slootweg, owner of AnonNews.org, described the FOX11 report as "complete nonsense" and told Netcraft that it had "spawned a ton of memes".

Sony PlayStation Store back online

Parts of the Sony PlayStation Network are coming back online after more than two weeks of continuous downtime.

The PlayStation Store website went online around 02:00 UTC today, although online gaming services through the PlayStation Network are still undergoing maintenance.

Sony yesterday began the final stages of testing the new PlayStation Network and Qriocity services, making sure they are secure before the services are relaunched.

Six days after the PlayStation Network was taken offline, Sony revealed that 77 million users' names, addresses, email addresses, birth dates, logins and passwords had been compromised by hackers. Although the passwords were transformed with a cryptographic hashing function, weak passwords may nonetheless be vulnerable to offline brute-force attacks. Accordingly, Sony recommended that users change their passwords if they use the same credentials for other, unrelated services.

Although credit card details were stored in an encrypted format, these could also be at risk if the decryption key was stored on, or made available to, any of the compromised servers. However, as of Wednesday, the major credit card companies have not reported any fraudulent transactions resulting directly from the Sony security breach.

Possible security breach at LastPass forces master password changes

LastPass is forcing its users to change their master passwords following a possible security breach. The free, multiplatform password manager software allows individuals to store passwords for many different websites, all of which can then be accessed using a single master password.


LastPass users only need to remember their master password to log into any website.

Users were notified of the issue after LastPass identified anomalous outbound network traffic. Although this traffic could not be accounted for, the amount of data transferred was big enough to include people's email addresses, the server salt and salted password hashes. This would provide enough information for a hacker to carry out an offline brute-force attack against the hashes, possibly allowing plaintext passwords to be recovered from many users.

LastPass remains unsure of what has actually happened, but prudently assumed the worst, noting that, "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

Extended Validation SSL certificates: 4 years of growth

After more than 4 years of continued growth, Extended Validation SSL certificates still only account for 2.3% of all valid third party certificates found in the Netcraft SSL Survey. The majority of sites use the cheapest type of certificate – domain validated – although these are less common amongst high-traffic websites.

Netcraft's April 2011 survey found a total of 38,966 valid EV certificates:

Extended Validation SSL certificates typically cost more than both domain and organisation validated certificates. The vetting process for EV certificates cannot always be automated to the same degree as for domain validated certificates – for example, the current guidelines may in some circumstances require the certificate authority to arrange a site visit in order to verify an applicant's business address. Such checks ultimately ensure that EV certificates are only issued to legally established businesses or organisations.

Because simpler domain validation checks can be performed automatically, CAs can enjoy a very fast and low cost issuance process for domain validated certificates. Eddy Nigg's StartSSL is perhaps a prime example of this – they offer free domain validated certificates for one year, in addition to their range of other paid-for certificates.

EV certificates are much more prevalent amongst high-traffic or financial websites, where it is often beneficial to demonstrate higher levels of assurance to visitors. For example, losses to phishing fraud can be reduced by educating online banking customers to look for the green indicator in the browser's address bar. Because this can only be activated by an EV certificate, a fraudster would be unable to replicate this behaviour on an HTTP website or by using a more easily obtainable type of certificate.

Of course, EV certificates cannot entirely prevent phishing attacks. If an attacker were to compromise a website which already uses a valid EV certificate, he can piggyback on the trust instilled by that site's certificate to present his fraudulent content. Such a problem was first demonstrated on SourceForge, and then on paypal.com a few years ago, when cross-site scripting (XSS) vulnerabilities allowed arbitrary content to be injected into webpages. PayPal was one of the first companies to use EV certificates, which they believe resulted in noticeably lower abandonment rates on signup flows.

Restricting our analysis to the busiest 1,000 websites in the world, 81 sites accepted HTTPS connections and presented a valid SSL certificate. Nearly a third of these certificates used Extended Validation – a far higher proportion than the 2.3% share of all certificates.

While domain validated certificates have the largest share of the entire market, this share starts to decline when the least visited sites are removed from the analysis. Organisation validated certificates take the largest share within the top million sites, and are still almost twice as popular as EV certificates in the top 1,000.

The future looks quite promising for both Extended Validation and domain validated certificates. Both types have shown continued growth in recent years, while the growth of organisation validated certificates has been relatively subdued. Organisation validated certificates do not offer the same level of assurance as an EV certificate, and typically cost more than a domain validated certificate, so it will be interesting to see whether these "middle of the road" certificates continue to grow – particularly in a market where many consumers may only be interested in either having the highest assurance or paying the lowest price.

Compromised GlobalTrust database is published online

In the aftermath of last month's successful attacks against three of Comodo's affiliate Registration Authorities, Cryptome has just published a database purportedly belonging to GlobalTrust and InstantSSL. It is likely that the database was obtained during last month's security breach, where an Iranian attacker caused fraudulent certificates to be issued for several high-value domains including www.google.com. Many GlobalTrust websites were subsequently taken offline for forensic investigation.

GlobalTrust.it is still up and running, but it appears that InstantSSL.it has quickly been taken down again, possibly to defend it against any unauthorised access which may result from this latest leak. The site currently responds with a 403 Forbidden message:

The ComodoHacker stated via Twitter that the comodo-db.rar file on cryptome.org contains the "entire database of GlobalTrust and InstantSSL Italy". ComodoHacker proved his involvement in last month's attack by publishing the private key for one of the fraudulently issued certificates, so it is likely that this file does indeed contain the compromised database.

Xbox LIVE director’s account hijacked over bans

The Director of Policy and Enforcement for Xbox LIVE, Stephen Toulouse, had his Xbox LIVE account hijacked yesterday. The attacker purportedly used social engineering to convince Network Solutions to transfer DNS control of Toulouse's stepto.com domain name, allowing the attacker to receive any email sent to that domain. The attacker most likely used this to reset Toulouse's Xbox LIVE password and gain unauthorised access to his account, where he goes by the gamertag of Stepto.

The excited attacker subsequently uploaded footage of the hijack to YouTube, where he changed Stepto's motto from "Behave" to "Jacked by Predator". The attacker also advertised his account hijacking services in Stepto's bio, offering his AOL Instant Messenger contact details and payment methods. In his description of the video, Predator proudly boasts "ANY ACCOUNT $100 - $250 PayPal or AlertPay!!".

Predator revealed that the attack was carried out in revenge for being banned from using Xbox LIVE. During the video, he appears to hold Stephen Toulouse personally responsible for this: "Stepto, this is for console banning me over 35 times. You had it coming, man. Like, I'm tired of getting the console ban; now let's see what I can do to your account."

Proud of hijacking the Director's account, Predator ends his video's description with "I rest my name as Xbox Live's greatest account jacker."

Predator later uploaded a second video, noting that Stepto's account had been locked out. Toulouse regained control of his email and his domain's nameserver settings several hours after the attack, and his Xbox LIVE profile now looks to be restored.