Sunday, December 11, 2011

A Quest for the Truth

by Justin Dwyer

During a 13-month period between February 2001 and March 2002, Gary McKinnon carried out what some US prosecutors now call the "biggest military computer hack of all time." On 27 different occasions, McKinnon hacked into unprotected networks owned by the United States Air Force, Army and Navy, the Department of Defense, and NASA, through a 56k dialup connection, and unearthed what many now call hard evidence of extraterrestrial life. Finally arrested in 2002 by the UK's national high-crimes unit, he is accused of hacking into United States government computer networks and faces a sentence of 70 years in prison and 2 million dollars in fines.

Gary McKinnon, born February 10th 1966, is a UK-born systems administrator and hacker who believes that the United States government, in particular NASA and various military organizations, is keeping extraterrestrial evidence and UFO-related technologies from the public - technologies that could spark enormous breakthroughs in free-energy technology. He believes that at a time when many people are unable to pay their fuel bills, it is a crime for governments to withhold such valuable technology.

Interestingly enough, McKinnon also claims that hacking into these networks was surprisingly easy - especially given the technology he was using at the time. As mentioned above, over only a 56k dialup connection, he searched for computers owned by high-ranking officials and administrators that had no password set, and easily gained access to virtually any information he desired - and the things he discovered were quite unbelievable.

McKinnon unearthed a group known as the Disclosure Project, which had published a book containing the testimony of 400 expert witnesses, ranging from air traffic controllers to military radar operators and nuclear missile operators, all confirming the existence of alien technology such as anti-gravity and free energy. Through his searches of NASA networks, McKinnon also unearthed a photograph that appears to be a satellite image of a long, silver, cigar-shaped spaceship with geodesic domes on each end - McKinnon claims it is an alien spaceship. Unfortunately, because of the time pressure he was under and the equipment he possessed, McKinnon was unable to save the image: he was cut off from his hacking activity midway through the download.

If convicted, Gary McKinnon will be in a world of trouble. The United States government is looking to charge him with deleting critical files, shutting down a network of 2,000 computers for 24 hours, deleting US Navy weapon logs, and copying files, passwords and information from these servers onto his own computer - all things that he denies doing. According to McKinnon, he has done the world a favour by attempting to disclose valuable information that the global population deserves to know. He fervently maintains that he caused no damage by accessing insecure networks with no passwords in place. It seems only a matter of time before punishment befalls someone desperate to learn the truth and expose it for what it is.

Saturday, December 10, 2011

The Leveson Inquiry: A Look at Phone Hacking in the UK Media

by Patrick Edmonds

The News International phone-hacking scandal, now known as the "Leveson Inquiry", is an ongoing controversy involving the UK tabloid newspaper News of the World as well as other tabloid newspapers published by News International, a subsidiary of the larger News Corporation. This global news conglomerate is popularly known in North America as the parent company of Fox News. Employees of this news group have been accused, and some convicted, of hacking into phones, as well as of police bribery, in order to get information for news stories. Investigations from 2005 to 2007 found several employees guilty of hacking the cell phones of celebrities, politicians and members of the Royal Family. The story again dominated the news in July 2011, when it was revealed that the phones of deceased soldiers, victims of the 7/7 London bombings, and a 13-year-old girl who died in 2002 had also been hacked.

Milly Dowler, the 13-year-old, disappeared in March 2002, and her body was found six months later. During this time, journalists hacked into Dowler's voicemail to find information for the story. It was discovered that they deleted a few messages, which, in addition to being the crime of deleting evidence, gave Dowler's parents false hope that she had deleted them herself and was alive. Dowler was one victim among up to 5,800 others alleged to have been targeted by the best-selling newspaper in its search for stories. The services of private investigator Glenn Mulcaire were used by at least 28 people on 2,266 occasions to hack into phone messages, according to his notebook. Mulcaire and Clive Goodman, a reporter, went to prison in 2007 after admitting to hacking into the messages of Royal Family staff. Detectives are now using Mulcaire's notebook to identify other reporters who may have used his services.

With the new leads in the story, Prime Minister David Cameron announced a public government inquiry to investigate the issue further. Cameron named Lord Justice Leveson as chairman of the inquiry. The inquiry looks into phone hacking at News of the World, police bribery, and the culture and ethics of the British media in general. Ironically, this story has been extremely popular in the UK media, with the Leveson Inquiry hearing from celebrities including Hugh Grant, J.K. Rowling, and others who believe they may have been victims of phone hacking. For two weeks starting November 21st, the Leveson Inquiry will be hearing from these high-profile witnesses on phone hacking and other forms of media intrusion into people's privacy. Public trust in the media has declined significantly with these events, and the Leveson Inquiry is attempting to find all of those at fault and to rebuild the culture and ethics of the UK media as a whole.


The 2006 Los Angeles Traffic System Hack

by Patrick Shannon

One of my favorite movies of all time has to be “The Italian Job” (both the new and the old version), and there was one scene in particular from the new movie that I found intriguing. It was the scene where they were able to hack into the traffic system and change the lights at the intersections they specified. This allowed them to maneuver the truck loaded with gold into position for the next part of the planned theft. I always thought to myself, “is this really possible?” It turns out that a similar event happened on August 21st, 2006 in Los Angeles, California.

The crime occurred between 9:10am and 9:30am. During this period a computer command was entered to disconnect several signal control boxes that control the lights at intersections. The hackers knew what they were doing, and they knew which intersections to alter to cause the most havoc. The intersections involved were Sky Way and World Way near LAX airport, a major junction in Studio City, a spot in Little Tokyo, and one near the LA Civic Center. Although no accidents were reported, it took four days to bring the systems back to normal. The hackers were found because the attack occurred hours before a job action by members of the Engineers and Architects Association, the association that represents the engineers who maintain the Los Angeles City traffic center. The suspects were identified as Gabriel Murillo, aged 37, and Kartik Patel, aged 34, both Los Angeles traffic system engineers. Both were charged with one count of unauthorized access of a computer. Murillo also faced an identity theft charge, while Patel was accused of four disruption of service offences. Prosecutors alleged the pair used purloined supervisor credentials to send commands to reprogram signal control boxes at four critical intersections. In November 2008, both pleaded guilty to illegally disrupting the computer system that controls traffic lights.

Murillo allegedly accessed codes so that only he and Patel could make changes to the system, blocking other workers from sorting out the escalating chaos. The hack succeeded despite plans by managers to temporarily prevent any engineers from making changes to the city's traffic control systems. Their sentence was either to serve 120 days in jail or to complete 240 hours of community service, such as with Caltrans, and both had their home and work computers monitored. Both Murillo and Patel are considered outstanding citizens who have devoted their professional careers to transportation safety in Los Angeles; therefore, the engineers were not fired from their jobs. Oftentimes you’ll read about computer hackers and worry that they’re stealing company secrets, customer records, social security numbers or other confidential information, but this story brings out another form of hacking. This type of hacking, like a virus, has the ability to affect thousands of individuals, but in a much more real, physical way. I now know that the stunt performed in the movie “The Italian Job” can be and has been replicated, with effects on traffic similar to those shown in the movie.

Getting Jobs From Illegal Practices

by Laura Salisbury

Many hackers who pull illegal computer-related pranks leave their life of cybercrime to work at big companies where their computer skills are highly valued. Two examples of hackers who were offered jobs after their pranks are Johnny Chung Lee and Chris Putnam.

Johnny Chung Lee

Johnny Chung Lee received his doctorate from Carnegie Mellon University's Human-Computer Interaction Institute. In 2008, Lee hacked the Nintendo Wii Remote using ballpoint pens and infrared lights. He demonstrated the uses of these hacks in YouTube videos, allowing schools and workplaces to make their own interactive whiteboard for hundreds of dollars less than buying a commercial one. This feat helped name him one of the world's top 35 innovators under the age of 35.

His work on enhancing the functionality of the Wii Remote controller is quite an accomplishment, as is his work in Microsoft's Applied Sciences Department developing human tracking algorithms for the Kinect gaming device. Lee worked on the project for three years, from the days when it was called Project Natal to its outstanding public release, when it sold 8 million units in its first 60 days. Later, Google hired Lee as an evaluator of their experimental applications, much to the disappointment of Microsoft. His role as a Rapid Evaluator is unclear, but there is speculation that it may involve Google's rumoured gaming portal.

Lee believes that technology has the power to touch millions, if only technologists understand that they must create beautiful technology for the public, not just for other technologists. On his personal blog, Lee has stated: "As an engineer, as a technologist, as a researcher, or inventor... I encourage you to understand the power of stories. A story isn't merely the sequence of events in a book or film. It can be a story about you, and how your life or the lives of the people around you could be a bit different... or how the world could be different than it is today."

Chris Putnam

Three undergraduate students at Georgia Southern University, Marcel Laverdet, Kyle Stoneman, and Chris Putnam, created a worm in 2005 that would change their lives forever. This XSS-based worm infected Facebook profiles by way of an unsanitized profile field (websites) and changed them to look exactly like the profiles found on MySpace. The worm silently and rapidly copied itself as friends viewed each other's profiles.

As the worm did more and more damage, Facebook co-founder Dustin Moskovitz contacted Chris Putnam, one of the students involved. The message said: "Hey, this was funny but it looks like you are deleting contact information from users' profiles when you go to replicate the worm again. That's so not cool."

Putnam and Moskovitz continued to correspond, and when Putnam quit college, he was offered an interview with Facebook. Initially, Putnam was wary of heading out to Silicon Valley, as he was worried that they would have him arrested as soon as he stepped onto company property. It turned out that the interview wasn't a setup, and Kyle was offered the job. This was quite an accomplishment, as most engineers aren't hired without a professional degree. Laverdet, Putnam's fellow hacker, was convinced to drop out of school and started working at Facebook as well. The last hacker, Stoneman, graduated from school and continues to work on tech projects in the political world. Putnam has stated that he is "forever grateful that the company was so sympathetic toward people like myself. It's one of the things that really sets Facebook apart with its passion for scrappy, hacker-type engineers."

Google Yet Again Targeted by Hackers in China

by Justin Pauley

Google has once again become the target for hackers in China, this time seeking to monitor the email accounts of many high-profile US government officials. Google has been able to trace said attacks back to Jinan, China, which just so happens to be the location of a technical reconnaissance bureau for the People’s Liberation Army. This has led many to believe that perhaps the Chinese government has been sponsoring these attacks.

Google has publicly been bashing China in recent months for the continuing attacks on its vast network. They have been tracing attacks back to China ever since 2009. They did, however, decline to state how they were able to trace the current attack specifically to Jinan. Rather than breaking into Google-owned computers and servers directly, the attackers have been tricking users into handing over login information, and thus gaining access to accounts. Google won’t release the names of the people whose accounts were hacked, or even the number of accounts affected. They have, however, locked down all affected accounts and contacted their respective users.

The US government is concerned about the allegations being made by Google, particularly because the events involve US officials. The Federal Bureau of Investigation has agreed to investigate the attacks to help determine who exactly may have been behind them and what may have been viewed or stolen. It appears that the attackers were attempting to monitor the activity of foreign nationals. Why they might want to know such things has not yet been determined.

The current events add to the already long list of disputes between Google and China, which started as soon as the company began offering its search service to the Chinese people. Google, in order to be allowed to operate search services within China, had been forced to filter all search results offered to the residents of mainland China. This, of course, drew criticism from the rest of the world, as citizens of other countries felt that Google should help pave the way for the right to freedom of speech within China. Critics of Google did, however, get their wish in 2010 when, in response to the 2009 attacks, Google removed all servers from mainland China and moved its offices to Hong Kong. At that time, Google also stopped filtering the search results offered to the Chinese people. The Chinese government quickly revoked Google's operating license, preventing it from offering search services within China. There has been much debate ever since over whether Google should push to offer search services again within China, either filtered or unfiltered, or simply abandon the idea altogether.

The current situation is still under investigation and will require more time before there are any definite answers. Until then, Google wishes to further educate the public on how such tricks are used to gather personal login information. Legitimate organizations, including Google, will never ask you to divulge login information by email. Such emails are known as “phishing” emails, and although they may appear to be real, they are not. Always remember to exercise caution when providing personal information over the internet.

Playstation Network Outage

by Ish Patel

Playstation Network, a free-to-access service which allows users to play online games, surf the web and download media content, was infiltrated by an anonymous hacker, causing an outage of the network which prevented Playstation 3 and Playstation Portable consoles from playing online through the service. The attack occurred somewhere between April 16 and April 17, 2011, forcing Sony to shut down the network on April 20. Six days later, Sony issued a public statement admitting that the PSN had been hacked and that an FBI investigation was taking place. Sony confirmed that the customer details of approximately 77 million accounts were compromised. This included personally identifiable information such as account username, password, home address and email, and possibly credit card data. With a total of 77 million customers affected, the theft would make this one of the largest data breaches in history.

On May 14, 2011, 24 days after the PSN was shut down, Sony released a software update that required all users to change their password when signing into the network. Many users believe that Sony took too long to notify them that their information had been exposed, which did not allow customers to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other actions. A lawsuit was filed against Sony asking for monetary compensation and free credit card monitoring. Sony then explained on the Playstation Blog why it took so long to inform PSN users of the theft.

"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."

Some suggested that Sony had failed to encrypt passwords. They pointed out that if the provider stores passwords unencrypted, it is very easy for somebody else, not just an external attacker but also members of staff, to gain access and discover the passwords. Sony then admitted that although most user information was not encrypted at the time of the intrusion, the passwords were stored using a cryptographic hash function and not in cleartext form.

At the Tokyo press conference on May 1, 2011, Sony revealed its "Welcome Back" program, designed to reward customers affected by the outage. Sony offered "selected Playstation entertainment content" for free download on a region-by-region basis once the service was restored. All existing PSN customers also received 30 days' free membership of the Playstation Plus service.

To provide greater protection of personal information, Sony has now implemented a variety of new security measures. Tests were conducted with third-party experts to test the strength of the network. The new security measures included:

- Automated software monitoring and configuration management to help defend against new attacks.
- Enhanced levels of data protection and encryption.
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
- Implementation of additional firewalls.

The Melissa Mass-Mailing Virus

by Casey Losier

Internet viruses have been around almost as long as the internet itself. Today, much of this malicious software is designed purposely to crash systems, to collect data or to cause some degree of harm. However, in the earlier days of the internet many viruses and computer crimes were not for any kind of gain or destruction, but for the thrill of the challenge, to “beat the system”, for fame or even just to cause mischief.

The Melissa virus, discovered on March 26th, 1999, is a perfect example of such a virus. Over the course of several days, it managed to clog email services with infected emails and overloaded servers all around the world. Though its creator, David Smith, did not intend to cause any harm, damages caused by the virus were estimated at over 80 million dollars.

Smith introduced the virus to the internet by posting an infected file on the “Alt.Sex” website. To entice internet users to download the document, it was disguised as a file containing the passwords for adult-content sites. However, opening the document also caused the virus to be downloaded to the user’s computer. From there, it spread over email using Microsoft Outlook. Once a computer was infected, it would automatically email the first 50 contacts in the user’s Outlook address book. The email contained the following message: “Here is that document you asked for ... don’t show anyone else;-).” It also came with an attached document which, when opened, spread the virus to the email recipient’s computer. The Melissa virus was the first to propagate itself using a mass-mailing system. This contributed to its rapid spread, since a single computer could infect 50 computers, which could in turn each infect 50 more. Melissa spread at an exponential rate: what started as a small set of infected computers quickly grew into a problem that spanned the globe.

Authorities eventually traced the email and IP address attached to the initial posting of the infected file on “Alt.Sex” to David Smith’s computer. For releasing a virus onto the internet and causing over 80 million dollars worth of damage, Smith was sentenced to 20 months in prison and a $5,000 fine, and was on parole for three years after his release. The conditions of his release also stipulated that, unless he received court approval, he must not access the internet, internet discussion boards or computer networks. Finally, he was also ordered to do 100 hours of community service, preferably in the domain of information technology.

When compared to some viruses today that are created specifically to crash entire networks and cause billions of dollars worth of damage, the Melissa virus seems like a small threat. Even so, the Melissa mass-mailing virus was the fastest-spreading computer virus of its time, inspiring many copycat versions and earning a page in the history of computer crime.

Microsoft Blaster Worm

by Greg Legere

The Blaster worm was a computer worm that infected users of Windows XP and Windows 2000. Blaster, also called Lovesan or MSBlast depending on the variant, began spreading on August 11th, 2003. The total number of infections peaked only 2 days later, as ISP filtering and publicity about the worm slowed its spread. Only a short while later, on August 29th, Jeffrey Lee Parson was arrested for creating a variant of the Blaster worm. He took responsibility for the attack and was sentenced to 18 months in prison.

Court papers show that the original Blaster was created by a Chinese cracking collective known as Xfocus, after they reverse engineered the Microsoft patch for the flaw that made the attack possible.

The worm spread by taking advantage of a buffer overflow in the DCOM RPC service. This allowed the worm to spread without getting users to open an attachment: by sending itself to random IP addresses, it would fill a buffer that lacked proper bounds checking. This allowed an attacker to write past the buffer in memory and add their own code. When the function returned, the overwritten pointer led to the malicious code, which began executing its commands. Four separate versions of the worm have been detected.

The worm also created an entry in the Windows registry that caused the program to execute on startup.

In addition to attacking other users, the worm was programmed to perform a Distributed Denial of Service (DDoS) attack against Microsoft's windowsupdate.com. The damage to Microsoft was minimal, since windowsupdate.com simply redirected users to windowsupdate.microsoft.com. Microsoft shut down windowsupdate.com for a short period of time to minimize the effects.

The source code of Blaster had two separate messages. The first message was "I just want to say LOVE YOU SAN!!" which is why the worm was also called 'Lovesan'. A second message was a message to Bill Gates and said "bill gates why do you make this possible ? Stop making money and fix your software!!".

Although this worm can only spread on systems running Windows 2000 and Windows XP (32-bit), it can cause Windows NT, Windows XP (64-bit) and Windows Server 2003 to crash. The worm cannot spread on Windows Server 2003 because that system was compiled with the /GS switch, which allows the system to detect buffer overflows and terminate the process. Because of this, an infection attempt causes the system to terminate the RPC service. The system cannot function without this service and restarts to fix the problem, which happens only a few minutes after the machine starts up.
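The two outcomes described above, as an added illustration that is my own code and not the post's or the worm's: a simulated stack frame with a /GS-style cookie, a request handler that copies without a bounds check, and the length-checked version that should have been there. The frame layout, cookie value, return address and sample requests are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame for a request handler. The layout mirrors what /GS
 * emits: local buffer, then a security cookie, then the saved return address.
 * Everything lives inside one struct so the demo never writes outside defined
 * memory; the constants below are constructed for the demo. */
#define BUF_LEN 16
#define COOKIE_VALUE    0xDEADBEEFu   /* constructed /GS cookie */
#define SAVED_RET_VALUE 0x0040105Au   /* constructed return address */

struct frame {
    unsigned char buf[BUF_LEN];
    uint32_t      cookie;
    uint32_t      saved_ret;
};

enum result {
    REQ_OK,                 /* request handled normally */
    REQ_REJECTED,           /* oversized request refused by the bounds check */
    REQ_CONTROL_HIJACKED,   /* no /GS: return address now points into attacker data */
    REQ_TERMINATED_BY_GS    /* /GS: cookie corrupted, process killed before returning */
};

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = COOKIE_VALUE;
    f->saved_ret = SAVED_RET_VALUE;
}

/* The pre-patch pattern: the request length is never compared with BUF_LEN.
 * gs_enabled selects whether the epilogue checks the cookie (Server 2003) or
 * simply returns through whatever is in the saved slot (XP / 2000). */
enum result handle_request_unchecked(const unsigned char *req, size_t len,
                                     int gs_enabled)
{
    struct frame f;
    frame_init(&f);

    /* Demo-only cap so the copy stays within the struct; the real bug had no
     * such limit. The copy goes through the struct's byte representation, so
     * an overlong request runs over cookie and saved_ret just as it would run
     * over the cookie and return address on a real stack. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), req, len);

    if (gs_enabled && f.cookie != COOKIE_VALUE)
        return REQ_TERMINATED_BY_GS;     /* RPC service dies, machine reboots */
    if (f.saved_ret != SAVED_RET_VALUE)
        return REQ_CONTROL_HIJACKED;     /* unprotected build: worm code would run */
    return REQ_OK;
}

/* The check that was missing: validate the length before copying. With it in
 * place the cookie never has to fire. */
enum result handle_request_checked(const unsigned char *req, size_t len,
                                   int gs_enabled)
{
    if (len > BUF_LEN)
        return REQ_REJECTED;
    return handle_request_unchecked(req, len, gs_enabled);
}

/* Constructed sample requests (not real Blaster traffic). */
static const unsigned char BENIGN_REQ[]    = "GET-STATUS";                /* 10 bytes */
static const unsigned char OVERSIZED_REQ[] = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes */

static const char *result_name(enum result r)
{
    switch (r) {
    case REQ_OK:               return "ok";
    case REQ_REJECTED:         return "rejected by bounds check";
    case REQ_CONTROL_HIJACKED: return "return address overwritten (worm spreads)";
    case REQ_TERMINATED_BY_GS: return "cookie corrupted, process terminated (RPC crash)";
    }
    return "?";
}

int main(void)
{
    size_t big = sizeof OVERSIZED_REQ - 1;
    printf("XP/2000, unchecked : %s\n", result_name(handle_request_unchecked(OVERSIZED_REQ, big, 0)));
    printf("Server 2003 (/GS)  : %s\n", result_name(handle_request_unchecked(OVERSIZED_REQ, big, 1)));
    printf("length-checked     : %s\n", result_name(handle_request_checked(OVERSIZED_REQ, big, 1)));
    return 0;
}
```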

Manipulating the System: A Glimpse at Albert Gonzalez

by Thomas Hebb

In March of 2010 Albert Gonzalez was sentenced to 20 years in prison for what many argue to be the largest cybercrime of its kind. With mild assistance from associates in the US, Turkey and Russia, Gonzalez hacked into the servers of several major companies and farmed them for sensitive credit and debit card information from the comfort of his Miami home. Gonzalez targeted US companies TJX, DSW, Dave and Buster's, and Office Max, illegally accessing the information of over 90 million credit and debit cards from the servers. Gonzalez didn’t stop there; he went on to hack into the servers of Heartland Payment Systems, a company which handles the transactions of Visa and American Express. He also added a string of 7-Eleven stores and a few supermarkets to his list of victims.

After Gonzalez created a large database of card information, he wasted no time turning the bits of data into a new BMW, a large Miami condominium, and a multimillion-dollar “rainy day” fund. Not only did Gonzalez sell the credit card information to eager buyers across the globe, but he also manufactured his own credit cards and encoded them with the stolen information. He then sold the “clone cards” for increased profit. While financial institutions felt the security of debit cards could be maintained by requiring a PIN, this proved to be a small obstacle to Gonzalez. With the help of one of his co-conspirators, Gonzalez created an algorithm to identify the PIN within the associated debit card’s information and began selling the cards and PINs as a packaged deal.

It is evident from the execution of such a large-scale operation that Gonzalez was hardly a novice cybercriminal. Gonzalez was arrested and convicted in 2003 for making fraudulent banking transactions after stealing similar data. After seeing the “error in his ways”, he was offered a job with the United States Secret Service as a paid informant. In this position he earned $75,000 annually and assisted the Secret Service in apprehending criminals who were committing crimes similar to his own. Ironically enough, he was stealing the credit card information from TJX and the other companies throughout the entire course of his employment with the Secret Service. He used the information and techniques he was privy to as a result of his new crime-fighting position to ensure that his co-conspirators were not caught during their transactions. Gonzalez took on an alias, “segvec,” while conducting his extra-curricular activities. Segvec was committing crimes of a far greater calibre than any Gonzalez had been convicted for. It took the Secret Service over a year to realize that the assailant they were looking for had been working for them the entire time.

Gonzalez is currently serving his sentence in the US. His attorneys attempted to get him a lighter sentence based on a diagnosis of Asperger's syndrome and Gonzalez’s addiction to and use of narcotics. Doctors for the prosecution disputed the diagnosis, and the judge did not see his addiction as an excuse. Most recently, Gonzalez has filed a protest stating that he wants to change his plea to not guilty on grounds of “public authority.” This means that he was given government permission to commit the crimes; in his initial trial he was unaware that he could use this argument in his defence. He alleges that he believed the Secret Service wanted him to commit the crimes in order to seek out and apprehend other cybercriminals.

Seven Charged in 14 Million Dollar Click Fraud Operation

by Ben Halpern

A group organized to defraud a massive number of individuals through a click fraud ring has been charged for its crimes. The group of seven infected more than four million computers on their way to earning over 14 million dollars in revenue through the scheme. By infecting these computers, they were able to remotely alter the destination displayed to the user of the infected computer, leading to millions of ill-advised clicks being placed through pay-per-click ad networks that would pay out in exchange for the clicks generated.

Ad networks run by Google, Yahoo and other web-based firms pay out billions annually to web publishers and monitor very strictly for fraudulent activity. It requires great sophistication to dupe the system, and great sophistication is exactly what this group used in their clickjacking ring. The group used malware known as DNSChanger to redirect web searches to fraudulent IP addresses for over 15,000 domains.

Those charged include six Estonians and one Russian, who remains at large. They have been charged by the United States Attorney for the Southern District of New York. About one eighth of the four million computers taken over were located within the United States. Computers of all kinds were attacked, Macs and PCs alike, including even computers belonging to high-level government organizations such as NASA. It is thought that NASA may have been the first to discover the scheme. The Federal Bureau of Investigation was finally able to crack down on the operation after an official two-year investigation. It is also believed that the FBI may have been aware of the ring up to three years before the investigation officially began.

It is believed that click fraud may account for a significant share of internet ad clicks. An independent click forensics organization claimed in 2010 that anywhere from 17 to 29 percent of clicks are fraudulent. While ad networks dispute this claim, it is certainly reasonable to believe that the Estonian click fraud scheme was only one of many schemes initiated to take advantage of this system. As shown by the lengthy and resource-heavy investigation required to take down the Estonian ring, ridding the internet of click fraud is a large and costly undertaking.

Because of the scale of these operations and the resources needed to take them down, they may always exist on some level. It is, however, important that busts like this one occur to deter the practice in general, for the online advertising industry relies on a certain amount of trust that the advertiser will not lose a significant amount of revenue to fraud. This high-profile arrest will help ensure some of that necessary trust.




Chip and Pin Fraud Costs Shoppers Millions

by Mitch Gallant

Organized crime has pilfered millions of dollars from the bank accounts of European shoppers through a scam targeting the new "chip and pin" validation system. The carefully planned scheme involved tampering with possibly hundreds of credit card machines before they even reached retailers. The tampered machines, virtually identical to the originals, relayed the card information they read from customers' cards to criminals overseas. The machines are believed to have been modified in China, fresh off the production line, and then shipped onwards to unsuspecting retailers in Britain, Ireland, the Netherlands, Denmark and Belgium. Card information was harvested over a period as long as nine months and transmitted over mobile phone networks to Pakistan.

This activity comes at a time when many are beginning to question the supposedly advanced security technology protecting these cards. University of Cambridge researcher Ross Anderson has described the technology, known as EMV (for Europay, MasterCard and Visa), as "broken": it suffers from a "protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN." Anderson's research team demonstrated the flaw by sending a volunteer into several stores wearing a backpack containing a laptop computer. The laptop was connected to a fake card inserted into the shop's terminal and, on the other side, to a genuine card standing in for a stolen one, which let the volunteer buy any amount of goods up to the card's limit without knowing the PIN. The laptop intercepts the terminal's PIN check and answers that the PIN is correct, so the terminal records a PIN-verified transaction while the card, which never saw a PIN attempt, believes a signature was used.
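The flaw is a disagreement between the two parties to the protocol that nobody cross-checks. The following simplified Python model is an added example, not the Cambridge team's code or anything from the original article: it shows the terminal, a genuine card, the wedge sitting between them, and the issuer-side comparison that would catch the attack. The status words and the layout of the Card Verification Results and CVM Results records are illustrative, not real EMV encodings.

```python
"""Simplified model of the EMV "No-PIN" wedge attack and an issuer-side check.
Added example; byte values and record layouts are illustrative, not real EMV."""
from dataclasses import dataclass, field

SW_OK = 0x9000         # ISO 7816 status word: command succeeded
SW_PIN_WRONG = 0x63C2  # illustrative: PIN wrong, two tries remaining


@dataclass
class Card:
    """A genuine chip card (in the attack scenario, a stolen one)."""
    pin: str
    # Card Verification Results: the card's own record of how the holder was verified
    cvr: dict = field(default_factory=lambda: {"pin_verified": False, "cvm": "none"})

    def verify(self, pin):
        """VERIFY command: offline PIN check inside the chip."""
        if pin == self.pin:
            self.cvr = {"pin_verified": True, "cvm": "pin"}
            return SW_OK
        return SW_PIN_WRONG

    def generate_ac(self, amount):
        """GENERATE AC: the card produces its cryptogram and includes the CVR in
        the Issuer Application Data (IAD).  Having seen no successful VERIFY, it
        records that the fallback method (signature) must have been used."""
        if not self.cvr["pin_verified"]:
            self.cvr = {"pin_verified": False, "cvm": "signature"}
        return {"amount": amount, "iad_cvr": dict(self.cvr)}


class Wedge:
    """Man-in-the-middle between the terminal and the genuine card: the laptop
    in the backpack, driving the fake card in the reader."""
    def __init__(self, card):
        self.card = card

    def verify(self, pin):
        # Never forwards VERIFY: the terminal sees "PIN OK" for any PIN, and the
        # genuine card never learns that a PIN was attempted.
        return SW_OK

    def generate_ac(self, amount):
        # Everything else is passed through, so the cryptogram is genuine.
        return self.card.generate_ac(amount)


def terminal_transaction(card_iface, amount, pin_entered):
    """Terminal side: check the PIN, then request a cryptogram.  Returns the
    record sent to the issuer, or None if the terminal declines."""
    sw = card_iface.verify(pin_entered)
    if sw != SW_OK:
        return None
    # CVM Results: the terminal's record that the PIN was verified successfully
    cvmr = {"pin_verified": True, "cvm": "pin"}
    ac = card_iface.generate_ac(amount)
    return {"amount": amount, "terminal_cvmr": cvmr, "card_iad": ac["iad_cvr"]}


def issuer_check(txn):
    """Issuer side: the terminal's CVM Results and the card's CVR both arrive in
    the authorisation request.  A genuine PIN transaction has them agreeing;
    the wedge produces terminal=PIN, card=signature.  Flag the disagreement."""
    if txn["terminal_cvmr"]["pin_verified"] != txn["card_iad"]["pin_verified"]:
        return "mismatch"
    return "consistent"
```

A genuine card with the right PIN yields a consistent record, a wrong PIN is declined by the terminal, and the wedge yields an approved transaction whose terminal record says "PIN" while the card's own record says "signature". The researchers' point was that issuers received both fields yet did not compare them; once the two are placed side by side the check is a handful of lines.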

Concerns have also been voiced that the introduction of the cards has more to do with shifting liability for fraud from the card issuer to the cardholder than with safety or security: once a transaction is recorded as PIN-verified, the presumption is that the cardholder let the PIN slip. Some countries have gone as far as to enact legislation ensuring that the issuing company remains liable for consumer protection in the event of EMV fraud. Despite these concerns, chip and pin seems here to stay, as it continues to be introduced to new markets and is gradually being phased in throughout Europe and North America.


China attacks Canada????

by Chris Forbes

In January 2011 a cyberattack on the Canadian government was detected. Defence Research and Development Canada, the Department of Finance and the Treasury Board were targeted. The attacks were traced back to servers in China, but it is still unclear whether they originated there or were routed through China by someone else. The government has been quiet about the incident, saying only that there was an "attempt to access" federal networks.

The attackers gained control of senior government officials' computers, and the intrusion is believed to have been part of a plan to steal passwords that would unlock data systems. A security analyst and former CSIS officer believed that the attacks started in China. When the attack was first detected, internet service was cut off at the Finance Department and at the Treasury Board. The analyst believes the hackers have a connection to the Chinese government, which is known to encourage 'patriotic hackers', people who attack in response to perceived threats to their own government. The Chinese government has denied responsibility for the attacks.

Many government employees, by some accounts thousands, were left without internet access. In some cases, such as Defence Research and Development Canada, internet access was down for two months. Service has since slowly started to return to the affected departments.

A group calling itself the Information Warfare Monitor says that a spy network based in China has hacked into 1,300 government computers throughout 103 countries. They believe the attacks started in 2009, yet it was not until much later that Canada began to improve its security, and only in early 2011 that the breach was found. The group responsible for the original 2009 attacks was labelled 'GhostNet' by the Information Warfare Monitor, and GhostNet's methods of compromising computers were the same as those used against Canada's Finance Department and Treasury Board.

The attack itself was very simple, a spear-phishing campaign. Using servers in China, the hackers took over computers belonging to high-ranking government officials. Posing as those officials, they then sent emails to technical staff asking for passwords and other information that would unlock government networks. The emails also carried seemingly innocent attachments that, when opened, installed malware that searched for sensitive information and sent it back to the hackers over the internet.

As early as 2002, Sheila Fraser, then Canada's Auditor General, warned that the government's systems had security weaknesses. By 2005 not much had changed, and in 2011 these attacks were discovered. Only then was something done to improve the security of the system.

Russian Business Network

by Rachel Embree

The Russian Business Network (RBN) was an Internet service provider that hosted illegal and harmful activities, including malware distribution, phishing scams and child pornography. When RBN was first established it apparently hosted some legitimate activity, but it soon became entirely focussed on providing internet infrastructure for profitable criminality. One line it has seemed to centre on is identity theft: fake anti-malware and anti-spyware programs are delivered which install viruses or keyloggers, allowing personal information to be stolen, and a significant amount of this so-called "rogue software" was hosted by RBN. Its hosting is called "bulletproof" because of its ability to evade law enforcement efforts to shut the network down.

RBN's activities are incredibly far-reaching. For example, in 2005 attackers exploited a then-unknown vulnerability in Internet Explorer to install keyloggers on the computers of people who visited websites that had been compromised; the sites that distributed the malicious code and collected the stolen data were hosted by RBN. Some U.S. government sites were apparently compromised through SQL injection so that visitors were redirected to malware-laden RBN sites. The list goes on; in fact, some say it is difficult to find a major cyber attack in the last several years that did not have some connection to RBN.

Why has the Russian Business Network been able to run criminal operations on such a large scale? First, the network observes the usual criminal precautions: it registers domains only to anonymous addresses, never advertises its services, deals in electronic transactions that are difficult to trace, and can be contacted only through obscure Russian forums or messaging services. Those seeking RBN's services must prove their involvement in some type of data theft to show they are not law enforcement agents. Once admitted, the criminal entrepreneur can expect to pay about $600 a month for a website, roughly ten times the fee at a legitimate provider; this revenue allows RBN to keep its service running. Companies operating out of RBN also tend to avoid targeting Russian citizens, lowering the risk of involving local authorities.

It is also contended that this cyber mafia is linked with Russian organized crime and with the government itself; the Russian government has indeed put little effort into shutting down the company, which operates mostly out of St. Petersburg. This type of organized crime can thrive in countries that lack the mechanisms or laws to deal adequately with such technological threats. Further, it is unclear whether RBN could ever be successfully prosecuted for hosting these illegal activities: although it clearly profits from providing the service, the actual crimes are committed by the parties who buy it.

At some point in 2007 the Russian Business Network appeared to dissolve: routing for its IP addresses disappeared. Perhaps RBN grew wary of unwanted attention from law enforcement. At any rate, it seems to have moved to a more distributed model of hosting. Equivalents are thought to have appeared in countries such as Taiwan and Turkey, and experts still apply the RBN name to its former clients who continue to run scams out of Russia and Ukraine. The scale and longevity of the organization make RBN one of the most formidable dangers in cyberspace.


Two Men Charged and Sentenced for Destructive Computer Attacks on Business Competitors

by C.J. Edgar

In 2006, 19-year-old Jason Salah Arabo of Southfield, Michigan, was charged with conspiracy to cause the transmission of a program, information, code or command and, as a result of such conduct, intentionally cause damage without authorization to a protected computer; he was sentenced to 30 months in prison and ordered to pay $504,495 in restitution to his victims. Jasmine Singh, involved in the same crime, pleaded guilty to two counts of computer theft in New Jersey State Superior Court and was sentenced to five years in prison and ordered to pay $35,000 in restitution for damages.

In 2004 Arabo was running two web-based companies, www.customleader.com and www.jerseydomain.com, which sold sports-related apparel, when he met Jasmine Singh, who went by the online name "Pherk", online. Arabo discovered that Singh was able to conduct distributed denial-of-service (DDoS) attacks against servers and disable the websites they hosted, and he asked Singh to take down the websites of some of his competitors in return for merchandise.

Arabo believed that once his competitors' websites were taken down his own business would improve, so from July to December 2004, he identified to Singh which websites he wanted disabled. Arabo pressed Singh to disable these sites for as long as possible and sent him merchandise, including designer sneakers, in exchange for successful attacks. The attacks stopped in December 2004 after Singh's computer was seized by FBI agents and New Jersey State Police investigators during a search of his home.

On March 18, 2005 Arabo was charged by criminal complaint, according to which the attacks were conducted by Singh from his personal computer. Singh had secretly infected thousands of computers with a "bot" program that let him remotely access and control them. He would then order hundreds of these infected computers (sometimes known as "slaves" or "zombies") to access a targeted website all at once, flooding the hosting server with traffic and overloading it until it crashed.

These attacks allegedly caused harm and disruption to internet and computer services beyond just the businesses Arabo targeted. A number of unrelated businesses (some allegedly as far away as Europe) were using the same internet servers and thus were also negatively affected by the attacks. The attacks disrupted the operations of major online retailers, banks, and companies that provide communications, data backup, and information services to the medical and pharmaceutical industries. The attacks disrupted crucial services including internet access, corporate websites, email, data storage, and disaster recovery systems. There was no estimate of the total financial losses due to the attacks.

Jason Salah Arabo pleaded guilty on April 12, 2006 before US District Judge Joseph E. Irenas. Jasmine Singh, who was 16 at the time of the attacks, pleaded guilty as an adult in August 2005.

Operation Payback

by Nicholas Dyke

Operation Payback, also known as 'Operation: Payback is a B*tch', was a long series of DDoS (distributed denial-of-service) attacks organized mostly by users of the image board 4chan under the moniker Anonymous. It had two main phases, one starting in September 2010 and the other in December 2010.

Some background on the source of all this first. 4chan, the website where it all started, is an extremely well-known image board that works much like an internet forum. All users are anonymous, which is also the name commonly given to the users as a whole. Because of this anonymity the site is known for being full of trolls, griefers and the like, who hold the general view that nothing is a taboo target for insults and attack (besides perhaps cats). This is especially true of /b/, the site's "random" board, whose users have also earned themselves a reputation as internet vigilantes.

The movement was a response to DDoS attacks carried out by an Indian company, Aiplex Software, which had been hired by various large media companies to try to take down torrent sites such as The Pirate Bay. After learning of this, 4chan users began to set up their own plans of attack, coordinating through the image board, IRC, Twitter and a website of their own, with Aiplex itself and the Motion Picture Association of America as targets. The attack succeeded, with both sites down for about a day.

After this first success the movement decided to continue, taking down websites it disagreed with as well as other parties attacking The Pirate Bay. Targets included the MPAA again, Aiplex again, the RIAA, the British Phonographic Industry, the MPAA yet again, and ACS Law. In early November the group attacked the United States Copyright Office as a protest against copyright in general, a move that led to an FBI investigation.

Operation Payback eventually led to 'Operation Avenge Assange' after the US government cracked down on WikiLeaks and pressured several companies to stop dealing with it, chiefly major banks as well as PayPal and Amazon, which had been hosting the site. This led to the December attacks on various companies, including some Swiss banks, Visa, MasterCard, PayPal and Amazon, as well as Sarah Palin's website. The campaign was quickly followed by arrests in the US and the UK in January 2011, and again in July, when the FBI carried out further raids and arrests of those involved.

How does a distributed denial-of-service attack work? Basically, it keeps other people from reaching a site by sending it more requests than it can actually handle, forcing it either to reset or to consume all its resources trying to serve them. The site becomes completely unreachable, since it cannot tell an attack request from a legitimate one. How did the group manage to set all this up? It was really quite simple, thanks to a program dubbed the 'Low Orbit Ion Cannon' (LOIC) which, when given an IP address, makes the computer churn out requests to that address as fast as it can. Images were passed around to tell participants their target during each attack.
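Seen from the target's side, a LOIC-style flood has a recognisable shape in the web server's access log: the request rate jumps in a single second, and a modest number of sources each account for a large slice of it. The following Python is an added example, not code from the original article or from any Anonymous tooling; the log lines it analyses are constructed inline in Common Log Format, and the thresholds are illustrative.

```python
"""Spot a request flood of the LOIC kind in web server access logs.
Added example; the log lines below are constructed for the demonstration."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return the fields we need, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "t": when, "method": method, "path": path, "status": int(status)}


def flood_windows(lines, rps_threshold=50, per_ip_threshold=10):
    """Bucket requests per second.  A second is flagged when the total rate
    reaches rps_threshold; the flag lists every source at or above
    per_ip_threshold, since a LOIC participant hammers the target as fast as
    its link allows rather than blending in with ordinary browsing."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_second[rec["t"]][rec["ip"]] += 1

    flagged = []
    for second in sorted(per_second):
        sources = per_second[second]
        total = sum(sources.values())
        if total < rps_threshold:
            continue
        hot = sorted(ip for ip, n in sources.items() if n >= per_ip_threshold)
        flagged.append({
            "second": second.strftime("%Y-%m-%dT%H:%M:%S"),
            "requests": total,
            "distinct_sources": len(sources),
            "hot_sources": hot,
        })
    return flagged


def _line(ip, ts, path="/"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one second of ordinary browsing, then one second in which
# six participants each fire a dozen requests at the front page.
NORMAL = [_line(f"198.51.100.{i}", "10/Dec/2010:10:00:00 +0000", f"/page{i}")
          for i in range(1, 6)]
ATTACK = [_line(f"203.0.113.{i}", "10/Dec/2010:10:00:01 +0000")
          for i in range(1, 7) for _ in range(12)]
SAMPLE_LOG = NORMAL + ATTACK + ["garbage line that does not parse"]

if __name__ == "__main__":
    for window in flood_windows(SAMPLE_LOG):
        print(window)
```

Per-second bucketing is deliberately coarse: it is what an operator can compute from the log already being written, with no packet capture. In practice the thresholds are set from a baseline of normal traffic, and the "hot sources" list feeds a firewall or rate limiter; against a volunteer botnet that is often enough, since each participant's own address is exposed.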







George Hotz versus Sony

by Ryan Downe

For most teenagers, keeping up with the latest social updates fills most of a typical day; for George Hotz, now 22, a typical day consisted of taking apart iPhones and gaming consoles so that he could change them to fit his needs. In 2007, at the age of 17, Hotz became the first person to 'crack' Apple's iPhone so that it was no longer locked to a single mobile carrier. This process, now known as "unlocking" (and often paired with "jailbreaking", which removes Apple's restrictions on what software the phone will run), at first involved opening the phone and making minor hardware modifications, but within months Hotz had turned it into a software-only modification that everyday users could apply themselves. By 2008 Hotz was widely known by his alias "geohot", and his method was being used by thousands of people to change carriers and run custom firmware on their phones. Hotz didn't stop there: in late 2009 he moved on to Sony's PlayStation 3, an effort that would result in Sony striking back in a big way earlier this year.

The PlayStation 3, or PS3, is Sony's modern gaming console, first released in November 2006. One feature that made the PS3 unique was "OtherOS", which allowed alternate operating systems such as Linux to be installed on the console. It was also praised by the industry for backwards compatibility, which allowed games from Sony's previous consoles to be played on the PS3; unfortunately, this feature was removed from newer models to cut production costs. In 2009, Hotz began his attempt to hack the PS3 through the OtherOS feature in order to bring back the removed backwards compatibility. On January 22, 2010, he announced on his blog that he had succeeded and proceeded to release his work to the public. In response, Sony removed the OtherOS feature completely in its next firmware update, much to the dismay of its users. This provoked Hotz to create and release a custom firmware, or "homebrew" as he called it, which replaced Sony's newer firmware and restored the ability to install Linux and other custom software.

Sony decided it was time to take legal action, and on January 11, 2011, it filed a lawsuit against Hotz and others. In the suit Sony claimed that Hotz had violated a number of provisions of the DMCA, and it hired a well-known law firm to pursue the case. Hotz had significant support from many free-speech advocates and was able to afford a lawyer from the donations he received. During the proceedings Sony was even granted access to the IP addresses of everyone who had visited Hotz's blog, in order to show that many of them were in Northern California. This was widely criticized as a significant breach of privacy and is said to have provoked the later attacks against Sony that left its online services down for a number of weeks. Despite the support for Hotz, the case ended in an out-of-court settlement that required Hotz never again to alter Sony's products or attempt any jailbreaking whatsoever.

Hotz was hired by Facebook in May, 2011.



The Morris Worm

by Sarah Bell-Etkin

There may be a virus loose on the internet.
-Andy Sudduth, Nov. 3, 1988

In today's technological society we often hear of computers being infected by viruses, malicious programs placed on unsuspecting people's computers to gain access to information, to turn the computer into a zombie, and so on. The word is used loosely: strictly speaking, a virus attaches itself to a host program or file and spreads only when that host is copied or run, which historically meant floppy disks and other removable media passed from machine to machine. A worm, on the other hand, is a self-contained program that spreads across a network on its own, and can therefore be far more widespread and dangerous than a virus. There are ways to protect against viruses, for instance accepting disks only from a reliable source, but with the interconnectivity we now enjoy through the Internet, the only surefire way to avoid a worm is to stay disconnected.

Worms have not always been destructive programs; some of the earliest were designed to increase efficiency on networks or to simplify processes. The first major malicious worm was released in 1988 by Robert Tappan Morris, the son of Robert Morris, who worked at the NSA and was a co-developer of UNIX. Morris Jr. was a graduate student at Cornell when he wrote the code that became known as the Morris worm. Its stated purpose was to gauge the size of the Internet without deliberately causing any damage (see Ref. 2 for a description of what the worm did and did not do). In theory the worm should have been invisible and should not have affected infected computers, but Morris' code did not operate as planned: a flaw in its check for hosts that were already infected meant that machines were reinfected over and over, and the strain quickly became too much for them to handle. Entire systems were overloaded within hours, causing hundreds of thousands of dollars in lost computing time and cleanup effort. Imagine how much more that would have cost had the worm been released in 2011 instead of 1988!

While the Morris worm was not the first malicious program (viruses had been around for some time), it led to the first conviction under the Computer Fraud and Abuse Act in the USA. In 1990 Morris was sentenced to three years of probation, 400 hours of community service and a hefty fine, and had to pay out of pocket for the cost of his supervision. In an interesting twist, Morris released the worm from an MIT machine so that it could not be traced back to him at Cornell; after his probation, Morris became a professor at MIT, where he now holds tenure. His other software enterprises have been far more above-board. For example, he co-founded Viaweb, which built online stores and was later sold to Yahoo! for $48 million, and he co-wrote Arc, a multi-paradigm programming language, with Paul Graham.

Even though the Morris worm caused a great deal of damage to the early Internet, it also made many organizations realize how insecure their networks were. Among other things, the worm had guessed passwords from the hashes in the world-readable password file, which helped drive the move to shadow password files readable only by the system administrator. It also prompted DARPA to fund the creation of the Computer Emergency Response Team (CERT) to coordinate the response to future computer emergencies of a similar scale.

The Morris worm was both incredibly destructive and immensely constructive. It exploited weaknesses in the UNIX system that have since been remedied and drew attention to the future security of networked computing.



Hackers Attack Online Banking

by Conor Anson-Cartwright

Citibank is the third-largest banking company in the United States and can be found in more than 100 countries. Being the third-largest bank in the U.S., one would naturally assume that its security systems were adequate to keep intruders out. However, on May 10, 2011, hackers breached the Citi Account Online website. The hackers gained access to information such as names and account numbers, but not to social security numbers or card security codes. On June 9, Citibank released a statement saying that the intruders had affected 200,000 accounts, about 1% of its 21 million North American card customers (The Wall Street Journal); on June 16, however, Citibank disclosed that the hackers had actually affected more than 360,000 customers. Citibank began re-issuing about 217,000 cards on June 3, each costing under $20 to replace. The hackers are unofficially reported to have stolen 2.7 million dollars (LiveEnsure Blog). It is notable that Citibank released news of the attack to the public a month after it occurred.

The hackers retrieved account information using a technique called 'parameter tampering'. "[Parameter tampering] involves typing various strings of data into the address bar of the browser to gain access. The attackers used an automated tool to type in repeated account numbers into the address bar, tens of thousands of times, to access the account data" (Wired). In other words, the site used the account number carried in the URL to decide which account to display, without checking that the logged-in customer actually owned it. It was never disclosed how long the attack went on, or whether Citibank detected it while it was under way. Citibank claims it has since implemented 'enhanced procedures' but did not elaborate (Wired). Security experts say banks need to upgrade their authentication and authorization procedures, so that the system confirms that the proper customer or employee, not an intruder, is accessing an account. Improvements can and must be made; however, attackers grow more sophisticated and will continue to evolve alongside them. Any new security system will eventually be probed and cracked, and replacements are not deployed quickly.
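The weakness the quoted description points to is an authorization check that is missing, not an authentication check that was beaten: the customer was logged in, and the server then trusted whatever account number arrived in the URL. The Python below is an added example, not Citi's code or anything from the original article. It puts the vulnerable handler beside a hardened one, runs the kind of sequential enumeration the article describes against both, and adds the detection a bank could run on its own request logs. The account numbers, session identifiers and the bank.example host are constructed.

```python
"""Parameter tampering against an account view: vulnerable vs hardened handler,
the enumeration tool, and a log-side detector.  Added example; all data constructed."""
from urllib.parse import parse_qs, urlparse

# Constructed data: three accounts, two logged-in sessions.
ACCOUNTS = {
    "4000001": {"owner": "alice", "balance": 1500},
    "4000002": {"owner": "bob", "balance": 80},
    "4000003": {"owner": "carol", "balance": 9200},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _acct_param(url):
    """Pull ?acct= out of the request URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]


def vulnerable_view(url, session_id):
    """Checks only that the caller is logged in, then trusts ?acct= outright."""
    if session_id not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(_acct_param(url))
    return (200, record) if record else (404, None)


def hardened_view(url, session_id):
    """Binds the account to the session's identity.  'Not yours' and 'does not
    exist' get the same answer, so the response is not an existence oracle."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(_acct_param(url))
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def enumerate_accounts(view, session_id, start, count):
    """The attacker's automated tool: walk the acct parameter sequentially and
    keep whatever the server hands back."""
    found = []
    for n in range(start, start + count):
        status, _ = view(f"https://bank.example/account?acct={n:07d}", session_id)
        if status == 200:
            found.append(f"{n:07d}")
    return found


def flag_enumerators(requests, threshold=20):
    """Detection independent of the fix: one session asking for many *distinct*
    account numbers is not browsing its own account.  `requests` is an iterable
    of (session_id, url) pairs as they would appear in the web server log."""
    distinct = {}
    for session_id, url in requests:
        distinct.setdefault(session_id, set()).add(_acct_param(url))
    return sorted(s for s, accts in distinct.items() if len(accts) >= threshold)
```

With the vulnerable handler a single valid login walks away with every account in the range; with the hardened one it sees only its own, and the 404 for other people's accounts gives nothing away about which numbers exist. The detector counts distinct account numbers per session rather than raw request volume, so a customer refreshing their own balance thirty times is not flagged while an enumerator is. A stronger design still would never accept an account number from the client at all, looking it up from the session instead.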

The shift to online banking is great for banks because it cuts the cost of handling physical money (guards and armoured trucks); it also opens a new frontier for robbers, who can steal a great deal at one time. There are plenty of ways for hackers to reach online bank accounts, among them the banking apps on phones. Jason Rouse, a wireless security expert with Cigital, states that "an infected application downloaded on a phone can be designed to take over a smartphone. When the user then logs on to his bank account with the phone, the hacker could steal the user's bank credentials. Many mobile-banking apps don't account for a phone being compromised" (The Wall Street Journal). Will the shift to online banking lead to more attacks, and what will it take to finally put an end to them? Only time will tell.