[IS&T Security-FYI] SFYI Newsletter, May 16, 2011

Monique Yeaton myeaton at MIT.EDU
Mon May 16 14:38:15 EDT 2011


In this issue:


1. The Sony PlayStation Network Attack

2. White House Reveals Cyber Security Plan

3. Combatting Phishing Attacks



---------------------------------------------------

1. The Sony PlayStation Network Attack

---------------------------------------------------


As you may have heard, last month the Sony PlayStation Network -- the network that gives PS3 and PSP system owners access to games, movies, music and TV programs -- experienced an unauthorized intrusion of its system, possibly exposing personal data and credit card information.


A criminal investigation is currently underway to find the perpetrators and determine if sensitive information was accessed or is being sold on the black market. The network currently has 77 million registered accounts.


Sony says that the credit card data was encrypted and did not include the 3-digit security codes, so it is unlikely the attackers can use the information in the database to their advantage. But discussions on hacker forums indicate that the attackers are selling the credit card data for $100,000, and are even offering to sell it back to Sony.


For those affected, Sony encourages you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Sony will not contact you for this information. They recommend that you change your PlayStation Network and Qriocity password as soon as possible (network access has finally been restored for some users). If you used the old password in other places, you should change it there as well. As a good habit, it is always recommended to monitor your card's account statements and your credit reports for any suspicious activity.


Sony provides a Q&A for their users here:

<http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/>


A rundown of the story has been posted by NPR here:

<http://www.npr.org/blogs/thetwo-way/2011/04/29/135844004/playstation-aftermath-hackers-claim-to-have-credit-card-data>



--------------------------------------------------------

2. White House Reveals Cyber Security Plan

--------------------------------------------------------


A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure.  The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country's critical infrastructure.  It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments.


[Article source: SANS.org]


Read the full story in the news:

<http://www.informationweek.com/news/government/security/229500148>



----------------------------------------

3. Combatting Phishing Attacks

----------------------------------------


An article recently posted on TechRepublic.com states, "Plain and simple, phishing attacks work." They depend on people not knowing how and when to do the right thing. So how does an organization, company or university make sure its employees understand what is required?


According to the same article, the answer is training. Employees should be consistently briefed on what would qualify as "suspicious" email and what to do with it. This keeps them informed and prevents them from getting comfortable with sloppy security practices, because with these social engineering attacks, the goal is to lure you into a false sense of comfort.


IS&T has always been consistent in its message about dubious emails: no one at MIT will EVER ask you through email to reply with your personal information, much less ask for your user name and password, or to click on a link to update your user name and password for, say, your email account.


If you have not done so already, learn more about phishing attacks, examples of phishy emails that appear to be coming from MIT, and how to hone your skills for recognizing phishing emails with this Hermes article: <http://kb.mit.edu/confluence/x/SBhB>.



====================================================================

Read all Security FYI Newsletter articles online at http://securityfyi.wordpress.com/.

====================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

