HTC PHONES GIVE UP PERSONAL INFORMATION

A security hole found in some HTC Android phones could give apps with Internet permissions access to information like a user’s location and their text messages, Android Police reported today. The vulnerability is part of HTC’s Sense UI and affects a subset of the brand’s most popular phones, including the HTC Thunderbolt and the EVO 4G.

The affected HTC phones have an application package titled HTCLoggers.apk installed with root-level access. Apps with Internet permissions can access HTCLoggers.apk, which provides access to information like GPS data, WiFi network data, memory info, running processes, SMS data (including phone numbers and encoded text), and system logs that can include information like e-mail addresses and phone numbers. When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can send the data off to a remote server for safekeeping, as shown by a proof-of-concept app that Android Police researchers developed.

The authors note that the flaw can’t be fixed in the stock Sense UI without an update or patch from HTC. The owners of the relevant phones (a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete HTCLoggers from their devices if they root the phones. While the report doesn’t note any concrete examples of nefarious use of the HTCLogger data, this is far more access than Google allows via Android by default—typically, the OS doesn’t let information of this type off a device without direct consent. HTC has made no official reply to inquiries from the researchers, and has not commented on this issue.

GROUP PLANNING ANOTHER ROUND OF SONY HACKS

A group of hackers says it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach. An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony's Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.

Should the planned attack succeed, it would be the latest blow in a series of devastating security breaches of Sony's servers over the past month. The failure of Sony's server security has ignited investigations by the FBI, the Department of Justice, Congress, and the New York State Attorney General, a well as data security and privacy authorities in the U.K., Canada, and Taiwan.

Several weeks ago the hacker group known as Anonymous targeted several Sony Web sites, including Sony.com and SonyStyle.com, with a distributed denial-of-service (DDoS) attack in retaliation for what its members saw as Sony's unfair legal action against hacker George Hotz. Two weeks ago Sony's PlayStation Network, along with its Qriocity service and Sony Online, were the target of an attack that exposed the personal information of more than 100 million Sony customers. Sony was forced to shut down PSN, Qriocity, and Sony Online, and is currently working to bring them back online after rebuilding the security of its servers.

Sony says it doesn't know who orchestrated what it's calling a "highly sophisticated, planned" attack, but it has dropped hints that the group Anonymous is involved. Kazuo Hirai, chairman of Sony Computer Entertainment, told a Congressional subcommittee in a letter yesterday that the intruders on its servers planted a file named "Anonymous" containing the statement "We are Legion," part of the group's tagline.

Anonymous issued a statement yesterday denying it was involved in the PSN breach. "While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft," the statement said.

Now it seems the same group of hackers that was able to infiltrate the PSN servers is planning to hit back against Sony.

Sony has not responded to a request for comment.

SONY'S PROBLEMS CONTINUE; SOE CONFIRMS DATA BREACH

Sony Online Entertainment has, apparently, been the victim of another breach that has, according to Nikkei.com, resulted in the release of 12,700 credit card numbers -- and presumably some other information as well. 4,300 of those credit card numbers are said to be Japanese, but no saying how many are American.

According to the Wall Street Journal, Sony has also confirmed that the latest attack accessed personal information for a staggering 24.6 million accounts. Such info includes names, addresses, telephone numbers, email addresses, gender, date of birth, login ID, and hashed passwords.

Thankfully, data is said to be from 2007, minimizing the number of still-valid credit cards exposed making us wonder if perhaps this wasn't some sort of backup that was exposed. Regardless, SOE's online services were taken offline earlier today and, well, now we know why. We're presently expecting further information from the company but, until then, feel free to continue cowering in the corner and quietly sobbing onto your compromised credit cards.

PLAYSTATION NETWORK HACKED, PERSONAL INFORMATION STOLEN

On Tuesday, Sony issued an update explaining the recent PlayStation Network and Qriocity outages. The company said it has discovered that between April 17th and April 19th, someone broke into its network and stole user information. In an effort to stop the security breach, Sony temporarily killed access to its PlayStation Network and Qriocity services, hired a security firm to investigate, and started beefing up its security measures. However, the leaked information may be alarming to PlayStation network users. Here’s part of Sony’s statement:

We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

Sony said that it doesn’t think credit card data was taken, but that it will not rule out the possibility, and says that it’s possible credit card numbers – excluding the security codes – may have been obtained by the intruders. The firm advises that its customers “remain vigilant” by closely monitoring credit statements. Sony says the services will be reactivated as soon as possible and that customers can dial 1-800-345-7669 with any questions.

SKYPE ACKNOWLEDGES ANDROID VULNERABILITY, WORKING ON FIX

Skype has come forward and acknowledged that there is indeed a rather serious vulnerability in Skype for Android that could let malicious third-party applications access your personal information. Unfortunately, it's not offering much else in the way of help just yet, with it saying only that it is "working quickly" to protect folks from the vulnerability, and that they should simply be cautious of third-party apps in the meantime.

SKYPE FOR ANDROID LEAVES PERSONAL INFORMATION VULNERABLE TO HACK

Android Police discovered that Skype's Android client leaves your personal data wide open to assault. The publication reports that the app has SQLite3 databases where all your info and chat logs are stored, and that Skype forgot to encrypt the files or enforce permissions, which seems to be a decision akin to leaving keys hanging out of the door.

Basically, that means a rogue app could grab all your data and phone home -- an app much like Skypwned. That's a test program Android Police built to prove the vulnerability exists, and boy, oh boy does it work -- despite only asking for basic Android storage and phone permissions, it instantly displayed our full name, phone number, email addresses and a list of all our contacts without requiring so much as a username to figure it out. Android Police says Skype is investigating the issue now

PANDORA APP SENDS GENDER, BIRTH DATE AND LOCATION INFO TO AD SERVERS

According to an analysis done by the folks at Veracode, Pandora seems to be sharing more information about you then it lets on. More specifically, they found that the Android app (they haven't yet gotten around to the iOS version) "appears" to be sending information about users' birth date, gender, Android ID and GPS location to various advertising companies -- bits of information that the firm notes could be combined to determine who someone is, what they do for a living, and even who they associate with. For its part, Pandora is simply declining to to comment at the moment, and we're guessing that's unlikely to change anytime soon given the federal grand jury investigation into privacy issues with apps.

SONY PLAYSTATION 3 TRANSMITS CREDIT CARD INFORMATION IN THE CLEAR

Sony has just officially announced that anyone who hacks their PlayStation 3 will find themselves (and not merely the hacked PS3) banned for life from the PlayStation Network. How does Sony know that you’ve hacked your console, though? After all, a PS3 hacked with the released master key should be virtually indistinguishable from a non-hacked machine, at least from a systems perspective.

The answer, at least according to one hacker, is that Sony collects a lot of data about users when they log into the PlayStation Network. Even worse than the volume of data collected — which is all automatically transferred to Sony when your PS3 connects to your WiFi network — is the way it is transmitted: in plain-text, with absolutely zero encryption.

“Sony is the biggest spy ever… they collect so much data. All connected devices return values sent to Sony’s servers,” the hacker said. According to him, Sony knows literally everything about your PlayStation 3, including which controllers you’re using, what USB devices are plugged in, what television is hooked up to it, everything.

Most alarming? This is the way Sony transmits your credit card information for every purchase:

creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=45581234567812345678&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.

That’s not unencrypted. That’s literally how the PS3 transmits your credit card information to its servers. That means that if you’re on an uncompromised network, literally anyone can pluck your credit card information from the air and use it for whatever he wants.

The hacker also states that the reason Sony is going on the offense when it comes to the PlayStation Network is because the release of the PS3 master key now makes it possible for anyone with a hacked PS3 to download as much content from the PSN Store as they want, all for free.

Perhaps this explains why Sony has been going to such lengths to sue, silence or hide all details of the PS3 jailbreak: they know their system is a security liability and now that it’s been blown wide open, they fear massive fraud and class-action lawsuits from the defrauded.