
Wednesday, September 7, 2011
Apple Gets It Up for Counterfeiting

Monday, August 29, 2011
Keep your friends close...

Tuesday, August 2, 2011
Zeus Targets Victims Using The RSA SecurID Breach as Bait
Malware writers are notorious for being flexible and oftentimes ahead of the curve when it comes to exploits. According to a post by Dan Raywood at SC Magazine, the latest victims of malware writers are the users of RSA SecurID, which was breached by hackers in February 2009, and who were told they were in "safe" hands by none other than RSA. Well, the nefarious and multifaceted Zeus has started to target RSA users as well. Victims receive a link to what is purported to be a security scanner for exploits of the RSA SecurID breach; following it installs a variant of the Zeus trojan. The RSA SecurID hack saga continues. Zeus infections and other attacks on RSA SecurID users will be on the increase. The number of phishing, spear phishing and man-in-the-middle attacks will be on the upswing and more such breaches will come to light. The key thing is for institutions, whether small or large, to adopt as many preventative measures as possible to mitigate such risks.
Monday, July 25, 2011
Small is Beautiful - Hackers are PC and Target Small Firms
According to a WSJ piece, hackers are targeting small firms who are often unaware that they are even victims - the "unknown unknowns." While large companies like Sony and Lockheed Martin make the headlines, many small businesses are targeted because they are easy pickings for cyber criminals and have few defenses in place. Most do not even have an IT team and are thus vulnerable and oftentimes unaware of the hacks:
With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers....
...In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, "the juice has become worth the squeeze," he says. "Even a pizza place has addresses, names and credit-card information."
Saturday, July 23, 2011
Man-in-the-Battery Attack
The Man-in-the-Middle attack class seems to have a brand new addition. Charlie Miller, a former NSA employee and currently a researcher at consultancy Accuvant, has identified a firmware exploit in Apple Macs that allows an attacker to take control of the computer through the microcontrollers of the battery, gaining root control through the default passwords. He told Andy Greenberg of Forbes magazine:
“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery,” says Miller.
Charlie Miller plans to offer a tool called "Caulkgun" to correct this potential security exploit at the upcoming Black Hat conference in August.
Friday, July 22, 2011
DNS Cache Poisoning Attack Hits Santander Bank In Brazil

Wednesday, July 20, 2011
Activists Activate Attacks - Google Users Hacked Via IE

Google users are being victimized, apparently by politically motivated hackers. From the Google Online Security Blog:
We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.
For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available.
To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.
As noted above, Microsoft has issued a temporary fix, but it's just that: temporary. Users are still exposed and so is their data. Users should look into two-factor authentication to mitigate the loss of their username and password data. Google Authenticator is one such tool, and 2D barcode technology exists for those seeking stronger challenge-response security.
Tuesday, July 19, 2011
Apple Fixes JailBreak Hole, But Not For Long

Apple did not take long to respond to the hacking exploit and released a security fix roughly 2 weeks after JailBreakMe 3.0, the only current option for jailbreaking an iPad 2, arrived.
One day later, JailBreakMe is up and running once more, with an (anti)patch for the Apple patch. While not nearly as convenient as the last version (the hack now requires tethering, and must be repeated upon each reboot), the fact remains that Apple is once again exposed. The "bricking" threat for Apple iPhones we previously addressed (amongst others) on this blog continues to exist.
Monday, July 18, 2011
The Death of One-Time Passwords?

A number of institutions have adopted one-time passwords as part of their two-factor authentication defense systems. Banks have instituted mainly SMS OTPs for their online banking. This has been a cost-effective preventative measure against phishing and pharming attacks. But as in every arms race, once the ante is raised, the hackers keep pace with any security development. We have always argued that such measures will only form a short-term solution, and that entities must plan for the looming worst case scenarios, sooner rather than later. With the emergence of Man-in-the-Phone attacks (sometimes referred to as Man-in-the-Mobile or MitMo attacks), a new class of man-in-the-middle attacks that leverage mobile phone operating systems and "talk" with the OS, more online banking users are being targeted now.
Zeus, one of the most successful Man-in-the-Middle malware programs, has now emerged on the Android platform after already targeting the BlackBerry and Symbian OSes. Zeus on the mobile is often referred to as Zitmo. It poses as the trusted bank application Rapport, by Trusteer, and harvests SMS OTPs and Mobile Transaction Authentication Numbers (MTANs), then forwards them to a central server.
We will start to see more and more variants of these malware applications and browser exploits as more institutions use "weak" security on mobile phones. Banks and other entities should take a closer look at adopting challenge-response and transaction data signing if they want to futureproof themselves rather than continue firefighting. The recent security attacks have shown that hackers are the modern day equivalents of Willie Suttons. There will be more to come.
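The difference between a harvested SMS OTP and transaction data signing, as an added example that is not part of the original post. The class names, the shared `device_key`, the 8-digit truncated HMAC-SHA256 response and all account numbers and amounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the response the customer types back (assumption)
FIELDS = ("from", "to", "amount", "currency")


def canonical(tx):
    """Serialize the approved fields in a fixed order, length-prefixed so
    that two different transactions can never produce the same bytes."""
    out = b""
    for name in FIELDS:
        value = tx[name].encode("utf-8")
        out += len(value).to_bytes(2, "big") + value
    return out


def sign_transaction(device_key, challenge, tx):
    """What the customer's signing device computes over the details it
    displays: HMAC(key, challenge || transaction), truncated to digits."""
    mac = hmac.new(device_key, challenge + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class OtpBank:
    """SMS OTP: the code authorizes the session, not a specific payment."""

    def __init__(self):
        self._codes = {}

    def send_otp(self, session):
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[session] = code
        return code  # delivered to the phone by SMS

    def execute(self, session, tx, code):
        # tx is never consulted: whoever holds the code can attach it
        # to any payment submitted in this session.
        expected = self._codes.pop(session, None)
        return expected is not None and hmac.compare_digest(expected, code)


class SigningBank:
    """Challenge-response with transaction data signing."""

    def __init__(self, device_key):
        self._key = device_key
        self._challenges = {}

    def challenge(self, session):
        nonce = secrets.token_bytes(16)
        self._challenges[session] = nonce
        return nonce

    def execute(self, session, tx, response):
        nonce = self._challenges.pop(session, None)  # single use
        if nonce is None:
            return False
        # Recompute over the transaction the bank is about to execute.
        expected = sign_transaction(self._key, nonce, tx)
        return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample data: what the customer approved, and the same
    # payment after being altered between the customer and the bank.
    approved = {"from": "ACCT-1001", "to": "ACCT-2002",
                "amount": "150.00", "currency": "EUR"}
    altered = dict(approved, to="ACCT-9999", amount="9500.00")

    otp_bank = OtpBank()
    code = otp_bank.send_otp("s1")
    otp_accepts_altered = otp_bank.execute("s1", altered, code)

    key = secrets.token_bytes(32)
    bank = SigningBank(key)

    nonce = bank.challenge("s2")
    response = sign_transaction(key, nonce, approved)
    signing_accepts_altered = bank.execute("s2", altered, response)

    nonce = bank.challenge("s3")
    response = sign_transaction(key, nonce, approved)
    signing_accepts_approved = bank.execute("s3", approved, response)
    signing_accepts_replay = bank.execute("s3", approved, response)

    return {
        "otp_accepts_altered": otp_accepts_altered,
        "signing_accepts_altered": signing_accepts_altered,
        "signing_accepts_approved": signing_accepts_approved,
        "signing_accepts_replay": signing_accepts_replay,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signed response is only useful for the exact payee and amount shown on the signing device, so forwarding it to a third party gains nothing; the SMS code carries no such binding.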
Wednesday, July 13, 2011
JailBreakMe is a Free Pass for Hackers

Sites like JailBreakMe make the process much simpler.
But if visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone.
If they exploited the same vulnerability in a copy-cat manoeuvre, cybercriminals could create booby-trapped webpages that could - if visited by an unsuspecting iPhone, iPod Touch or iPad owner - run code on visiting devices.
A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad - but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware.
Thursday, June 30, 2011
Phish Speared By The FBI

Kenneth Lucas II, 27, of Los Angeles, who led the U.S. arm of a global phishing operation that resulted in more than 100 arrests in 2009, previously pleaded guilty to 49 counts of bank and wire fraud, aggravated identity theft, computer fraud and money laundering conspiracy.... About 50 individuals from California, Nevada and North Carolina, in addition to another 50 Egyptian citizens, were charged.
Mobiles More Secure Than Desktops?

Symantec just released a whitepaper titled "A Window Into Mobile Device Security" examining the security risks that surround iOS and Android mobile devices in the enterprise market. Some key conclusions:
- While offering improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.
- iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
- Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
- Users of both Android and iOS devices regularly synchronize their devices with 3rd-party cloud services (e.g., web-based calendars) and with their home desktop computers. This can potentially expose sensitive enterprise data stored on these devices to systems outside the governance of the enterprise.
- So-called “jailbroken” devices, or devices whose security has been disabled, offer attractive targets for attackers since these devices are every bit as vulnerable as traditional PCs.
As we are entering a world where the smartphone is on the ascent and rapidly replacing the desktop for a number of enterprise and consumer applications, the bad guys will start pointing their guns there as well. Apple was relatively safer vis-a-vis Microsoft-based PCs simply because the cost/benefit for targeting Macs made no sense in the past. Once Apples became more popular, the malware purveyors started targeting Apples as well. Most Man-in-the-Middle attacks target PCs. But a new generation of malware has started to emerge and the mobile variant is often referred to as Man-in-the-Phone (also known as Man-in-the-Mobile or MitMo attacks). Android versions like the Droid Kung Fu started to populate many of the Android application stores, and other applications that "stole" username/password credentials even managed to pass the strict Apple App Store process. Of course, there are also other ways of hijacking mobile platforms, such as exploiting zero day vulnerabilities and browser poisoning.
The very success of smartphones will make them a juicier target for malware authors and hackers, even if they are relatively more secure now, as Symantec argues. Just don't get carried away with a false sense of security: that is precisely the mindset that allows hackers to successfully fire their salvos.
Wednesday, June 29, 2011
Military Personnel To Be Spear Phished
Gannett, the publisher of DefenseNews, the highly regarded military and defense news website, was hacked. Hackers stole contact information of current and retired defense contractors and military personnel:
On June 7, 2011, the Gannett Government Media family of websites suffered a cyber attack that resulted in some users being unable to access parts or all of the websites. We also discovered that the attacker gained unauthorized access to files containing information of some of our users. The information in those files included first and last name, userID, password, email address, the internal number we assigned to the account, and, if provided, ZIP code, duty status, paygrade, and branch of service.
Dirty Rotten Scoundrels - Now Selling Malware

....Innovative Marketing had some 600 employees and 34 servers disseminating malware, most of them operating from a traditional office complex in Kiev. The corporate empire included divisions that handled credit card payments, the call center in Ohio, and several adult websites that did double duty as vectors for the fake antivirus software. McAfee noted that Innovative Marketing logged 4.5 million orders during an 11-month period in 2008; at $35 per order, the annual revenue apparently neared $180 million. That's better than the $150 million that Twitter will pull in this year, according to an estimate by the market research firm eMarketer.
One distributor, Avprofit.com, promised on its website that it would pay between $300 and $750 for every 1,000 installations in the United States, Canada, Great Britain, or Australia, where the chance is higher of encountering victims who can afford to pay what the fake warnings demand. Experience required: Avprofit sought hackers with "minimum average 250 installs per day."
Many of the affiliates do extremely well. SecureWorks, a unit of Dell, analyzed the distribution of a fake antivirus program called Antivirus XP 2008 via an outfit called Bakasoftware, which was based in Russia. According to documents provided by the hacker behind Bakasoftware, who went by the nickname Krab, one of his top affiliates was able to fool 154,825 people into installing copies of malware on their computers in 10 days, with 2,772 victims going on to enter their credit card numbers. If the documents are accurate, Krab's affiliate scuttled away with $146,524 in that brief period.
These malware vendors are very innovative and have been employing multiple vectors to "sell" their wares, including poisoning search engines like Bing and Google, and are now going after social networks like Facebook and Twitter as well:
....search engines might be the predominant vector now, says Stefan Savage, a computer scientist at the University of California, San Diego. The scam artists play a variety of search optimization tricks to fool the algorithms that Google, Bing, and other engines use to determine which Web links to show in response to search requests. Generally, a page on an infected site (such as Kiwiblitz.com) is quietly stuffed with trendy search terms and links to images. Then the malicious players interlink pages—hundreds or thousands of them—so that the search engines' Web-crawling programs rank the infected page near the top for apparent popularity and relevance. Denis Sinegubko, a malware researcher in Russia, believes that criminals "have managed to hijack search results on the first pages of Google Image search for millions of keywords." As a result, he estimates, people clicked on poisoned image-search results 15 million times a month this past spring. Google says it has since reduced the number of malicious links in image searches by 90 percent from peak levels, and a spokesman emphasized that it continues to plug holes in its algorithms to head off new methods of attack. Google says that 0.5 percent of searches bring back returns that include at least one known malicious website. This might sound low, but given that Google handles more than a billion searches daily, it means that five million search returns every day bear a malicious link.
As long as the economics are so compelling, we will see these scammers continue to innovate as we buffer our defenses. It seems like it will be one long slog with lots of collateral damage, like the never-ending War on Drugs.
Citigroup Falling Behind on TPS Reports

A former Citigroup Inc. employee was arrested and charged with allegedly embezzling more than $19 million from the bank in "the ultimate inside job," federal prosecutors said on Monday.
[snip]
The case shows how management of increasingly complex derivatives transactions may create more illicit opportunities for staffers involved in their administration. Robert Jossen, a partner in the white-collar securities litigation practice at Dechert LLP, said such transactions involve "increasing use of sophisticated computer programs, electronic access and speed, none of which involves face-to-face interaction. This combination of factors may increase the temptation to seek personal gain."
[snip]
Mr. Foster allegedly put a phony contract or deal numbers in the reference lines for his wire transfers to make them look like they were for legitimate contracts.
Yet another (and another) inside job. While not exactly an attack, it remains an example of a company with poor security monitoring. Citigroup is lucky Mr. Foster just took money, and that they didn't lose face and valuable market capitalization as well. This should be a cakewalk for Citigroup compared to their previous mishaps; it's not that they have no experience with these things...
There is a solution to this, of course, to prevent future incidents. We've recommended strong two-factor authentication before, utilizing challenge-response and transaction data signing, for user-side transaction authentication. The same technology can be used on both ends, to authenticate employees and transactions internally at companies. This is important for non-repudiation purposes.
2FA: Squared.
Tuesday, June 28, 2011
GeoHot, The Sony Effect, The Untouchables, and Jon Stewart

You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. *That's* the *Chicago* way! And that's how you get Capone. Now do you want to do that? Are you ready to do that? I'm offering you a deal. Do you want this deal? - Malone (Sean Connery) from The Untouchables
George Hotz, nom-de-hack GeoHot, has just been hired by Facebook. If we jog our memories, he was the hacker who broke the Sony PS3 encryption libraries, after which Sony came after him with the full force of the law and the DMCA. In his purported defense came the hackers' army, which turned Sony and its multiple affiliates into a digital piñata. The Sony Effect. Pick on one hacker, you get an army coming after you. At least that's what hacktivists like Anonymous and LulzSec would have us believe. But behind all this noise of the "grey" hats lurk the malevolent hacks. And Sony et al. are forced to pick their fights, lest they be pushed into a corner by an anonymous army of keyboard commandos. As is often the case, The Daily Show with Jon Stewart highlighted the dilemma we face when dealing with prepubescents, where you run the risk of an outcry from those who are really criminal.
Monday, June 27, 2011
YouSendIt Founder/CEO Jailed For DDoS Attacks
The Department of Justice issued a press release stating that Khalid Shaikh, one of the founding members and former CEO of YouSendIt, a popular file-sharing site, pleaded guilty to launching DDoS (Distributed Denial-of-Service) attacks from December 2008 to June 2009 on the company's servers located in San Jose, California:
Mr. Shaikh sent an ApacheBench computer code to YouSendIt’s servers. ApacheBench is a benchmarking program used for measuring the performance of computers known as web servers. ApacheBench was designed to determine the number of requests per second a server is capable of serving. By intentionally transmitting the ApacheBench program to YouSendIt’s servers, Mr. Shaikh was able to overwhelm the servers’ capabilities and render it unable to handle legitimate network traffic.
This is again one of the more insidious types of cybercrime, the inside job, that companies and enterprises have to keep their guard up for at all times. It's a tough crime to...ahem, "Shaikh"... as former employees (in this case founder/former CEO/CTO) have intricate knowledge of the inner workings of most IT infrastructures compared to outside attackers. Let's hope fewer former employees go rogue. After all, the DoJ just pulled off a "YouJailIt."
The Ugly Set Sail For Fail? - LulzSec Forced to Hang Up Their Spurs or Walk the Plank

There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window. - Tuco (The UGLY)
LulzSec, aka Lulz Security, announced that they were retiring after a 50 day rampage through the digital world. Many have speculated that the digital noose was tightening around them and their high profile antics and brags were coming to an end. So better leave the party before the punch is finished? Or were they forced to leave the party by the bouncers or other digital attendants who were one better than them?
Wednesday, June 22, 2011
WordPress Forces Password Resets As A Precautionary Move

Tuesday, June 21, 2011
Sony France Hacked - A Lebanese and French Pair Beat LulzSec To The Bragging Rights
Over 177 thousand emails from Sony Pictures France have been compromised using the standard ploy of SQL injection, as in most of the previous hacks of Sony fame (hence the Sony Effect). For a change this was not carried out by LulzSec or Anonymous, but by self-identified Lebanese Idahc and French Auth3ntiq. They claim to be NOT Black Hats and that it is just a POC (proof-of-concept). Why a proof-of-concept was necessary for Sony after receiving a battering of 20 hacks in the span of two months is unclear, as we all have probably figured out that Sony's CSO has been on holiday for a while, and Idahc had already penetrated Sony Europe's and Sony Ericsson's defenses before.
LulzSec Apprehended?- At Least Now Essex Boys And Not Just Girls Are In The News
Law enforcement agencies in the UK, with the FBI in tow, have arrested a 19 year old as one of the LulzSec gang of hackers (probably just an accessory to the crimes committed and not a perpetrator). Not much is known about the arrest, but it is clearly a day when Essex boys have started to make the news, and not just page 3 but the headlines nonetheless. Maybe Essex girls can make page one if they brushed up on their hacking skills as well.
LulzSec had this to say on the arrest:
LulzSec The Lulz Boat
Seems the glorious leader of LulzSec got arrested, it's all over now... wait... we're all still here! Which poor b*!x?!* did they take down?
Dropbox Dropped The Security Ball - Hacking Into Anyone's Account Was A Fingertip Away
For the span of roughly four hours any layman trying to access other people's accounts at Dropbox would have felt the same thrill as a hacker. In a post on Pastebin, a user describes how he noticed that there was no password control at Dropbox:
So I went to dropbox to change my password & the password change page looked flakey - I can't describe this in much more detail than to say that I clicked ok and nothing really seemed to happen. Did it work? Not sure, let's try the old password. Oh, it still works, so let's change it again. That appeared to work (I got a password updated message) - let's try the new password. Yup, good. Wait, I'm pretty sure I fat-fingered an extra character though -- etc. Which led to me realizing that any password at all was fine, at which point I logged into the accounts of two friends using 1-character passwords like 'q' and 'z'.
In response, Arash Ferdowsi, CTO of Dropbox, posted on the corporate blog:
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
As more and more of us entrust our data jewels to the cloud, let's hope that services like Dropbox go on the offensive with regards to security practices and don't drop the ball. Let's hope they adopt stronger authentication methods than static username/passwords, such as one-time passwords or, better yet, challenge-response based logins.
Monday, June 20, 2011
In Bitcoin We Trust - The Currency of Choice of Hackers Hacked

"Let this be an example to take the security of your wallet.dat files very seriously. I never thought bitcoin would attract criminals so quickly but yet here it is." -allinvain
While Bitcoin received undue publicity and attacks by politicians like Senator Charles Schumer, it has emerged as perhaps the world's first digital currency for physical goods and services (unlike digital currencies like Linden Dollars, where you could only purchase virtual goods). Established in 2009 by Satoshi Nakamoto (assumed to be his nom-de-hack), it has taken on a life of its own. Although it is not fiat currency and has no central banker, it has emerged as the new target of hackers as there is a real "tradable" value to it. While LulzSec, a prominent hacking group, accepted donations in Bitcoins (roughly 7000 dollars worth), new hacking groups have gone after Bitcoins as there is real money there. A new trojan/malware titled Infostealer.Coinbit has been identified as specifically going after Bitcoins. A Bitcoin user with the handle "allinvain" (quoted above) has claimed that he has been defrauded of 25,000 Bitcoins, which is the equivalent of almost 500 thousand USD depending on the exchange rate of the day. Maybe the politicians should let the hackers do the attacks to undermine the digital currency and let Ben Bernanke sleep well at night.
Friday, June 17, 2011
Sega Hacked By Keyboard Commandos - Joins Nintendo, Sony, Bethesda, Epic Et Al.
Sega has joined a glorious list of gaming industry titans and publishers that have been hacked. The hackers are clearly showing no remorse and it seems this new game of hacking is more enjoyable to the keyboard commandos than Counter Strike or Sonic the Hedgehog ever was, as in Lulz Security's latest press release post:
And that's all there is to it, that's what appeals to our Internet generation. We're attracted to fast-changing scenarios, and we can't stand repetitiveness, and we want our shot of entertainment or we just go and browse something else, like an unimpressed zombie. Nyan-nyan-nyan-nyan-nyan-nyan-nyan-nyan, anyway...This is the Internet, where we screw each other over for a jolt of satisfaction. There are peons and lulz lizards; trolls and victims.
Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database.
We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems....
We have identified that a subset of SEGA Pass members emails addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text.
Please note that no personal payment information was stored by SEGA as we use external payment providers, meaning your payment details were not at risk from this intrusion.
Battered Customers Wait For RSA SecurID Replacements
It has long been a mystery to many sociologists as to why women (it rarely is men) return to abusive relationships. Oftentimes, manipulation of the battered spouse/partner is cited as a reason. Doublespeak of course predated RSA's announcements and seems to have served many regimes well over the course of decades. Well, according to a WSJ piece, a lot of RSA SecurID customers cannot wait for their brand new security tokens to be replaced even if it means that they are at the mercy of hackers out there:
That means it could take at least six to eight months to replace all of the tokens, and at least two months to replace a third of them. The manufacturing bottleneck could be even greater given RSA tokens typically expire after three years and must be replaced.
But this demonstrates that the Laws of Inertia apply beyond the realm of physics and couch potatoes to corporate and government IT departments as well. The latest round of hacks has clearly made headlines, but preventing current and future hacks requires a clean break from past best practices and an out-of-the-box mindset. Otherwise, we will see more and more prominent hacks and one day they may be relegated to the inner pages of our daily rags just like Iraq and Afghanistan hardly make the headlines anymore.
Citibank Breach - Are Hacks The New Subprime?

Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?
Thursday, June 16, 2011
Who You Gonna Call? Hackbusters Needed Against Keyboard Commandos
While Wall Street has deemed security software vendors to be the New New Thing, all entities with a digital footprint are probably looking for a higher authority out there to help them navigate these choppy waters while the Lulz Boat and others are sailing. Strong security procedures built from the ground up, coupled with the latest advancements in security software, are prerequisites. Furthermore, entities have to cover up loopholes by institutionalizing security at every level of the corporate hierarchy. It cannot be looked at as a cost in your P/L statement, otherwise you run the risk of your brand being tar-and-feathered by keyboard commandos. Digital security has finally made it to the boardroom and cabinet/ministerial level just like ERP had in the 1980s and 1990s. ERP is now the boring part of enterprise applications due to its wide success and adoption and being institutionalized. Let's hope that digital security will also be a given, and no longer a daily touching/embarrassing/scandalous subject.
Death, Taxes And Now Hacks??
If Benjamin Franklin were around today, he might have written in his correspondence with Jean-Baptiste Leroy that "in this world nothing can be said to be certain, except death, taxes and hacks." Every day passes by, and another government curries favors with the "hacktivists." The list includes governments ranging from the United States to Uganda to Israel to Spain to Turkey and now Malaysia. Every upset kid spurned by society and armed with an Internet connection (preferably the Wi-Fi of neighbors) can launch a series of attacks. Of course not all attacks are created equal, and the more sinister types remain unmentioned and usually unnoticed. Oftentimes, the more insidious hackers go for the digital jugular and can remain parasitic on host systems till it's too late. Governments, enterprises and entities should adopt stronger security software and help prevent such intrusions. CIOs and CSOs should not be lulled into complacency and should look proactively for robust security software. Hacks are the new Tax of the digital era, and if we adopt strong defenses we will avoid paying the highest price online: the Death of online business.
Wednesday, June 15, 2011
LulzSec Has Taken Down The CIA Website & Prank Called The FBI

According to their Twitter update, LulzSec is listening to their fan base:
@LulzSec The Lulz Boat
Ohohhohawhaw, Pierre Dubois and Francois Deluxe are currently taking many phone calls!
That dude from Mythbusters is in our X-Factor database leak, true story.
@LulzSec The Lulz Boat
I Got Hacks In Every Area Code - Call The Hackathon - Pierre Dubois & Francois Deluxe Are Listening
LulzSec has made the headlines almost daily since their "Hacktivist" feats with Sony, hence the Sony Effect, put them on the map. I wonder if there will ever be a Strange Maps for their hacks like there was one for the rapper Christopher Brian Bridges, aka Ludacris. And I wonder if they are on the bombing radar of the Pentagon after the new updated bombs-for-hacks military doctrine. They pulled off a Senate hack and are now inviting suggestions for new hacks/victims. I am sure the folks at Sony, Nintendo and PBS News wish the callers don't suffer from Schadenfreude. Anyway, the Frenchmen Pierre Dubois and Francois Deluxe are all ears for the next Tupacalypse and they are apparently "laughing out loud" with a French cum Peter Sellers/Pink Panther accent. You can reach them at 1-614-LULZSEC.
Saturday, June 11, 2011
IMF Annus Horribilis - Cyberattack Succeeds In Major Data Breach
The IMF has been in the news lately not for helping out failing States, but for attacks. The attacks have ranged from the alleged sexual assault on a hotel maid by the recent head of the IMF, Dominique Strauss-Kahn, to charges of incompetence/softness in bailing out the insolvent countries in the Euro-zone. According to a NY Times piece they have now suffered a major data breach as well. I suppose this is the Annus Horribilis of the IMF in its storied history. In fact, the World Bank has cut off its data link from the IMF after this breach and might have to distance itself in other respects as well. The IMF uses RSA SecurID security tokens and, according to a Bloomberg piece, has apparently been offered new tokens to replace the old ones:
The fund told employees June 8 that it would replace their RSA SecurID tokens. EMC Corp.’s RSA security-systems unit offered to swap the tokens after a breach of its own network, disclosed in March, resulted in the theft of RSA data. A SecurID device is shaped like a key fob or a computer-memory stick and generates random-number passwords used to gain access to a computer network.
Friday, June 10, 2011
Citibank Hacked - The Hits Keep On Coming Muhammad Ali Style
Citibank admits to a security breach affecting over 210,000 customers. They admitted it one month after the cyberattack. Are there more damaging releases that have been withheld? Is this the drip water torture of Chinese fame? How do we know this is the truth, the whole truth and nothing but the truth? Is it like the doublespeak of RSA fame? Is it one of a string of damning breaches of Sony fame?
Tuesday, June 7, 2011
RSA (In) SecurID Pulls A Sony
RSA had issued a vaguely worded blogpost on the breach of SecurID and who knows what else. Today, after numerous disclosed RSA SecurID related breaches, they have come clean... Or have they? They have promised to finally replace InSecurIDs with (drum roll please) more StrongerSecurIDs. Or have they? (More on that later, stay with us, now.)
"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
