We have another entry on the growing list of hacks – Blizzard Entertainment, publisher of popular games such as World of Warcraft and the Diablo and Starcraft series, reported last week that a large amount of user account data for Battle.net gamers was compromised.
“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” wrote Blizzard President Mike Morhaime. “We take the security of your personal information very seriously, and we are truly sorry that this has happened.”
Stolen data includes email addresses, answers to security questions, a database of “cryptographically scrambled” passwords, and data related to the dial-in and smartphone app-based two-factor authenticators. Battle.net users should change their account passwords immediately.
Jindrich Kubec, senior analyst at the Avast Virus Lab, gives some tips for securing your passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, go to the site manually and make the changes there.
6. If you can’t be bothered with steps 1 – 5, try avast! EasyPass to generate strong, unique passwords for every site you visit. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords.
Yesterday, LinkedIn started investigating a password leak, followed by the online dating site eHarmony, and now the online music streaming site Last.fm has announced on its blog that it too is investigating a leak of user passwords. As a precautionary measure, it is advising all users to change their passwords immediately.
Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known whether the incidents are related.
It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.
A simple 5-step procedure for creating new passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, go to the site manually and make the changes there.
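Tips 3 and 4 above (the same list appears in the Blizzard post earlier on this page) and the “cryptographically scrambled” password databases mentioned in the Blizzard and LinkedIn stories come down to two mechanics that a breach makes concrete: a leaked hash database is only as safe as the scrambling, and a reused password turns one leak into several. The script below is an added example written for this page, not code from Avast or from any company named here. It builds a constructed “leaked” database stored two ways (unsalted SHA-1, and per-user salted PBKDF2; which scheme any of the named companies actually used is not stated on this page), runs the same wordlist attack against each, replays the recovered passwords against a second constructed site, and compares the guess space of a long simple password with a short complex one. Every username, password and wordlist entry is made up.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): what four users of a
# hypothetical "site A" chose, and what three of them use on "site B".
SITE_A_PLAINTEXTS = {
    "alice": "correct horse battery staple",
    "bob": "diablo3",
    "carol": "letmein",
    "dave": "letmein",            # same password as carol
}
SITE_B_PLAINTEXTS = {
    "alice": "correct horse battery staple",   # reused across sites
    "bob": "K7#vq9!pLm2z",                     # unique to site B
    "carol": "letmein",                        # reused across sites
}
# Tiny stand-in for the multi-million-entry wordlists attackers really use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "diablo3", "mike1975"]
PBKDF2_ITERS = 100_000


def sha1_hex(pw):
    """Unsalted fast hash: one thing 'cryptographically scrambled' can mean."""
    return hashlib.sha1(pw.encode()).hexdigest()


def pbkdf2_record(pw, salt=None, iters=PBKDF2_ITERS):
    """Per-user random salt plus a deliberately slow key derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)
    return {"salt": salt.hex(), "iters": iters, "hash": dk.hex()}


def verify_pbkdf2(record, pw):
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk.hex(), record["hash"])


# The "leaked" site A database, stored both ways for comparison.
SITE_A_UNSALTED = {u: sha1_hex(p) for u, p in SITE_A_PLAINTEXTS.items()}
SITE_A_SALTED = {u: pbkdf2_record(p) for u, p in SITE_A_PLAINTEXTS.items()}


def crack_unsalted(leaked, wordlist):
    """Hash each word once, then look every leaked hash up in that table.
    Equal passwords give equal hashes, so carol and dave fall together, and
    the work does not grow with the number of users."""
    table = {sha1_hex(w): w for w in wordlist}
    return {u: table[h] for u, h in leaked.items() if h in table}


def crack_salted(records, wordlist):
    """Same wordlist against salted, iterated hashes: no shared table is
    possible, so each (user, word) pair costs a full PBKDF2 run. Weak
    passwords still fall; strong ones become unaffordable to test at scale."""
    found = {}
    for u, rec in records.items():
        for w in wordlist:
            if verify_pbkdf2(rec, w):
                found[u] = w
                break
    return found


def credential_stuffing(cracked, other_site_plaintexts):
    """Tip 3 in practice: replay each recovered password against the same
    username on another site and return the accounts that open. A plaintext
    comparison stands in for the victim site's own login check."""
    return sorted(u for u, pw in cracked.items()
                  if other_site_plaintexts.get(u) == pw)


def guess_space(length, alphabet_size):
    """Tip 4: the search space grows exponentially in length, so 16 lowercase
    letters (26**16) beats 8 characters drawn from all 95 printables (95**8)."""
    return alphabet_size ** length


if __name__ == "__main__":
    cracked = crack_unsalted(SITE_A_UNSALTED, WORDLIST)
    print("unsalted SHA-1, cracked:", cracked)
    print("salted PBKDF2, cracked:", crack_salted(SITE_A_SALTED, WORDLIST))
    print("site B accounts opened by reuse:",
          credential_stuffing(cracked, SITE_B_PLAINTEXTS))
    print("26^16 > 95^8:", guess_space(16, 26) > guess_space(8, 95))
```

Two things to notice when running it: the unsalted table recovers carol and dave with a single hash of “letmein”, while the salted store forces a separate PBKDF2 run per user per guess; and only carol's site B account opens, because bob chose a different password there and alice's passphrase was never in the wordlist at all.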
Turns out that the popular online shoe and clothing retailer was attacked by cybercriminals who gained access to parts of the internal network through one of the company’s servers in Kentucky. On Sunday, Tony Hsieh, CEO of Amazon-owned Zappos, wrote on the company blog that 24+ million customers were affected, but that critical credit card and other payment data was not accessed. The hackers failed to get payment card numbers because that data is stored encrypted, as the Payment Card Industry Data Security Standard requires.
The company sent an email to every one of their customers explaining the situation including what information was stolen: Customer name, email address, billing and shipping addresses, phone number, the last four digits of customers’ credit card number, and/or cryptographically scrambled passwords.
Zappos took swift action by expiring and resetting passwords, and they set up a password change webpage for customers to create new ones. “We also recommend that you change your password on any other web site where you use the same or a similar password,” the email sent to affected customers states.
With names, email addresses, phone numbers and partial card numbers in criminals’ hands, targeted phishing attacks, whether to harvest further data such as Social Security numbers or to lure you to a website that attempts to install malware, become more likely. “As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail,” the blog statement says. “Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.”
avast! EasyPass is a fast, easy way to manage all your passwords. avast! EasyPass generates strong, unique passwords for every site you visit – with just one click. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords. Learn more about avast! EasyPass.
It’s no surprise that conversation at Avast is focused on computer security. The Tuesday release of the new film, The Girl with the Dragon Tattoo, has sparked even more talk, because of the tortured heroine, hacker Lisbeth Salander. The movie is based on the first of the best-selling “Millennium Trilogy” crime novels by the late Swedish author Stieg Larsson. It revolves around journalist Mikael Blomkvist who hires the mysterious Lisbeth to help solve a cold case of a missing teenager from decades ago.
Lisbeth works as an investigator from her ordinary laptop. She gains access to, and in some cases complete control of, the contents of any computer she chooses, and uses information from emails, work documents, bank statements and browsing history to satisfy her curiosity, advance the case, and ultimately to loot bank accounts.
I sat down with Jindrich Kubec, senior virus analyst at the AVAST Virus Lab, to talk about hacking, finding information on the internet, and literary license.
(Spoiler alert: elements of the story are about to be revealed)
T minus 8 hours until we see if the threats of the hacktivist group Anonymous are fulfilled. November 5 is the scheduled demise of Facebook, according to a YouTube “press release” published months ago, and since removed. Last August a rally cry went out to willing hacktivists or guys who want “to protect the freedom of information” to “join the cause and kill facebook for the sake of your own privacy.” It seems that this group has the technical chops to do it too – these are the same folks who brought us publicized attacks on the IMF, Sony and the Iranian government.
However, there is an indication that the big take-down won’t happen. The OP_Facebook account which was fairly active in the beginning has been pretty dead since last month. And the larger group has distanced themselves from the threat. Earlier today on AnonOps, one of the Twitter accounts regularly used by the Anonymous group, they tweeted, “We told you many times ddosing Facebook was a fake operation.”
So the world’s most popular social networking site will probably live to see another day. But maybe the threat of attack issued by Anonymous was designed to make us think about Facebook and its dalliances with individuals’ privacy. Facebook admitted this September that it had been tracking its 750 million users, even after they logged out of Facebook, using browser cookies that monitored their browsing. The stated reasons were security and fraud prevention.
We hope to see Facebook survive, if only for our thriving avast! antivirus page. It’s a great way to interact with like-minded people and learn a thing or two from you and share things about avast!. If Facebook is still around tomorrow, please share http://www.facebook.com/avast with a friend.
I read an interesting article today: http://news.yahoo.com/s/ap/20090818/ap_on_bi_ge/us_hacker_charges
It is about the leader of a hacking ring being indicted for stealing the details of 130 million credit and debit cards in the US. This is not necessarily a new development, as he was already in jail on similar charges dating back to 2006. But the sheer size is astounding. Some of the highlights and lessons for us: