Posts tagged ‘hack’

Skype Vulnerability Of Monstrous Proportions – Even Little Timmy Could Hack Your Skype Account

It turns out that there’s a nasty security hole a mile wide in Skype that allows anyone who knows your email address (and only your email address) to hijack your Skype account, take it over completely and even download your private chat logs; all with ridiculous ease.

The vulnerability turns out to be a real face-palm for Skype too. The hijack is just this easy:

Step 1 – Create a new account using your intended target’s email address.

Step 2 – Request a password reset.

… And that’s it!

Apparently, even though Skype warns you that the email address is already associated with another account, it doesn’t actually stop the creation of the account at that point. So having re-created the account you can merrily request a password reset and take over anyone’s account. The only piece of information that you need is knowing – or guessing – their email address!
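As an added illustration (not Skype’s code and not from the original post), here is a constructed Python model of the two checks that separate the broken flow from a sane one: sign-up must refuse an e-mail already bound to another account, so that a password reset keyed on that e-mail resolves to exactly one account. How the reset token reached the attacker is not described above; the model assumes it is delivered to any account holder registered under that address.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AccountService:
    """Constructed in-memory model of sign-up plus e-mail based password reset."""
    # enforce_unique_email=False reproduces the flaw described above: a duplicate
    # e-mail only produces a warning and the account is created anyway.
    enforce_unique_email: bool = True
    accounts: dict = field(default_factory=dict)      # username -> e-mail
    reset_tokens: dict = field(default_factory=dict)  # token -> username
    warnings: list = field(default_factory=list)

    def register(self, username: str, email: str) -> None:
        email = email.strip().lower()  # normalise before comparing
        if username in self.accounts:
            raise ValueError("username already taken")
        if email in self.accounts.values():
            if self.enforce_unique_email:
                raise ValueError("e-mail already bound to another account")
            self.warnings.append(f"{email} already in use")  # warn, but carry on
        self.accounts[username] = email

    def request_reset(self, email: str) -> dict:
        """Issue a reset token for every account bound to `email` -> {username: token}.

        With unique e-mails there is at most one entry. In the flawed configuration
        there can be several and (assumption: tokens reach whoever holds an account
        under that e-mail) the newcomer receives a token for the victim's account too.
        """
        email = email.strip().lower()
        issued = {}
        for username, bound in self.accounts.items():
            if bound == email:
                token = secrets.token_urlsafe(32)
                self.reset_tokens[token] = username
                issued[username] = token
        return issued

def second_registrant_can_reset(enforce_unique_email: bool) -> set:
    """Accounts a second sign-up with an already-registered e-mail could reset."""
    svc = AccountService(enforce_unique_email=enforce_unique_email)
    svc.register("victim", "victim@example.com")
    try:
        svc.register("newcomer", "Victim@Example.com")  # same address, other case
    except ValueError:
        return set()  # hardened: no second account exists, nothing to reset
    return set(svc.request_reset("victim@example.com"))
```

With the uniqueness check off, the second registrant ends up holding a reset token for the victim’s account as well as their own; with it on, the second registration is refused and the reset can only ever reach the one legitimate owner.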

Oops!

Security holes don’t get much worse than that!  It’s big, like mile-wide big.  It’s easy, like Easy-Bake Oven easy.  …No, even that’s not right.  More like 123 abc easy.  And it was being abused for months before anyone at Skype looked into it.

But if you’re wanting to try this hack for yourself, sorry, you’re too late. Skype turned off their password reset feature as a temporary workaround to plug this nasty security hole, and then fixed the bug, allowing them to turn password reset back on.

But please do try to stop laughing so hard. You might run out of breath or do yourself an injury.

Someone has finally managed to make Facebook look positively secure!

Citibank Hacked – Good Security Measures Mitigated Damage

Citibank was just hacked and hundreds of thousands of customer accounts were exposed. Of their 21 million credit and debit card holders, one per cent, or approximately 210,000 accounts, had their details stolen in this breach of security. Give or take.

Which sounds bad.

And is … to an extent.

But it could have been much worse. The damage done from the security violation was mitigated greatly by Citibank’s good security practices.

First, the unauthorized access to Citi’s Account Online was discovered during routine monitoring. Already a good start, that the access is monitored. The next mitigating factor: only 1% of accounts were exposed. Even better. Further, Citibank is contacting customers whose information was impacted. Good. Citi has already implemented enhanced procedures to prevent a recurrence of this type of event. Great! But best of all? THE most important mitigating factor? Only names, email addresses, contact information, and account numbers were exposed. Birth dates, PINs, SSNs, card expiration dates, card CVV security codes and the like, the truly sensitive part of the account details, were NOT compromised because THAT information was held on a separate and even more secure server.

(Sony, are you listening?!)

That is how security should be done.

Because, let’s face it, hacks will happen. Security will be breached. It’s not a matter of if, it’s a matter of when, how often, and how bad it is. Good security to prevent being hacked is a great start. But just as important are good policies and practices to mitigate the damage when the inevitable happens. Hackers are determined souls, and let’s face it, computers, having been created by humanity, are just as fallible in hardware and software as we fleshy creatures ourselves are. We might like to pretend otherwise, but nobody is perfect, including the folks who wrote your bestest-of-the-best grade-A number-one security software. We all make mistakes. But we don’t all have to pay through the nose for them if we take security seriously.

Ocean’s Eleven – Sony Hacked Again?

Well, it looks like yet another Sony website has been hacked as the “Sownage” campaign continues. This time it was Sony’s Brazilian music website that was taken down temporarily to clean up a defacement. Which makes this Hackers 11, Sony 0.

You’d really think that Sony would be doing more to improve their security right now…

Sony – Losing Even More Face Since…

For those of you who even care at this point, Sony has been hacked, yet again. The parts that are of no surprise whatsoever are that it was a simple SQL injection vulnerability that breached their security, that it was done by LulzSec, and that it wasn’t the PSN: it was the Sony Pictures website.

What is a surprise, however, is that of the over 1 million user accounts exposed by the hack, not a single password was hashed. They were ALL stored as plain text. Which, really, is incredibly bad security and, for Sony especially, by this point, a horrible disgrace. So if you’re a Sony Pictures website user, well, sorry.

Sony has failed you.

In multiple ways.

Again.

Sorry Sony – The Hack Attack That They Brought Upon Themselves

Poor Sony just can’t get a break. Or, maybe the opposite, a rest from being broken into. Whichever, hackers from all over continue to jump onto the Make Sony Look Bad Bandwagon by penetrating various Sony networks and websites.

From the Sony-Ericsson mobile Canadian store through an SQL injection attack to steal details of approximately 2000 accounts… To the release of a cleansed dump of Sony Music’s Japanese website database after exploiting a similar SQL-injection vulnerability, with personal information intentionally avoided to render the data mostly harmless because it was done just for fun… To yet again a similar SQL-injection vuln used to nail Sony BMG Greece and some 8385 accounts, with proof of data including email addresses and password hashes… To a relatively harmless defacing of Sony Music Indonesia’s website… To a hack of Sony’s subsidiary So-Net Entertainment, where 128 accounts had approximately $1,200 worth of virtual points stolen and some 90-odd accounts had their privacy violated through the reading of their emails… To Sony’s HD World site in Thailand being used to host a phishing scam aimed at an Italian credit card company… To the updated PlayStation Network vulnerability allowing evil-doers to change anyone’s password merely by knowing the user account name and their date of birth, both pieces of information stolen in the original PSN hack… Oh, right, to the original PlayStation Network hack exposing the details of some 77 million PSN gamers and an additional 25 million Sony Online Entertainment customers.

And breathe!

So that makes, what, 9 successful attacks on Sony now?

Sony executives have already admitted that the PSN hack alone will cost them at least $171 million. Mind you, the rest are certainly small potatoes by comparison, but I sure wouldn’t want to be a Sony executive right now. Nor a Sony shareholder. Nor a Sony customer! Ouch.

Meanwhile, we still wait for the full assortment of PSN services to be brought back up.

And we still don’t have any real answers as to how this happened, went on undetected for as long as it did, etc.

But honestly, one of the things that actually disturbs me, aside from that, is the frequency with which the phrase “SQL injection attack” is used in these reports. Do Sony’s various website administrators not communicate with each other? One would have thought that as soon as one security hole was discovered, all of Sony’s websites would respond by patching that vulnerability. And yet…

So nine hacks now. Is this party over? Or has it only just begun?

Admittedly, with as many people as there are trying to make a fool of Sony right now, it’s really no surprise that the hackers are winning this war. But I’m far from convinced that Sony isn’t making it a little easier for the hackers than it should. For a name as big as Sony you would have perhaps expected better.

And the thing is, Sony really brought this upon themselves. I mean it started because they took away one of the big selling points of the PS3, its ability to run Linux, to be used as a micro-PC. And they did it all so … insultingly. But then, then, when hackers try to break Sony’s locks so that this feature can be re-opened, what does Sony do but wig out and arm their army of lawyers against the hackers that were simply trying to restore the feature Sony wrongfully took away. So while I must re-state my still firm stance that I do not in any way condone illegal activities, I also have to point out that Sony really was asking for this mess by pissing off quasi-legal security experts / hackers. Just one of those moments where if you can’t stand up, don’t step up. Sony made of themselves a rather large and obvious target for a lot of angry people with dangerous skills. Clearly, Sony wasn’t up to their own challenge.