
Indian Cyber Space Under Attack


The Indian cyberspace is under attack and is being increasingly targeted by hackers and cyber criminals from neighbouring countries.

ICERT (Indian Computer Emergency Response Team) statistics show a rise in defacement cases. In January, 466 cases were reported whereas in January 2008 the number was 81.

Defacement of a website means changing the original content on the website by editing or adding fake information about people, organisation, or issues.

"Defacement can lead to serious problems for an organisation or a government body owning a website," Vijay Mukhi of the Foundation for Information Security and Technology (FIST) said.

"If some fake information is added on a website, it can lead to huge monetary as well as other losses for the owner. Defacement can be done by hacking into a website or by using some flaws in the software."

The ICERT report has divided the cases of defacement into two sections -- defacement cases in TLD (Top Level Domain) websites and CCTLD (Country Code Top Level Domain). Websites that fall in the TLD category have extension codes such as com, org, net, and edu whereas CCTLD websites have extension codes such as in, ac.in, gov.in, or edu.in.

"Cases reported to ICERT deal with mostly government websites that have been defaced," a cyber crime expert said. "On most occasions, the person defacing the website is traced to foreign countries. This makes it difficult to take any action against them."

Mukhi said several cases of defacement were not reported to ICERT. "This is another reason why no action can be taken against culprits," he said. "People should register complaints. One should keep upgrading the operating system and other software to prevent websites being defaced."
 

Over 280 Million Records Compromised Last Year


Damning Report Finds Simple Steps Still Being Ignored

More than 280 million records were compromised in 2008, according to a new Data Breach Investigations Report from global comms and IT provider Verizon Business.

The report was written by the Verizon Business Risk team using first-hand evidence collected from the firm's data breach investigations over 2008.

Three-quarters of breaches resulted from external threats, the report found, while just 20 per cent were caused by insiders. This is despite the message from most security firms that the inside threat is more dangerous than that posed from the outside.

The sheer number of credit card and other details being compromised has driven their price down on the underground economy, forcing criminals into new tactics, explained Matthijs van der Wel, managing principal of forensics at Verizon Business.

The average price for a piece of stolen card information has dropped from around $10 (£6.70) in 2007 to 50 cents (33p) today.

"For the criminals it's becoming less profitable so they're looking for new ways to make money, which means targeting financial institutions much more, looking for richer data," said van der Wel.

"Attackers have to do a lot more work to get their information now. They're intercepting the PINs, which has been theorised before but now we're seeing it. "

To this end, criminals are creating customised 'memory scraping' malware to harvest customer PINs entered at ATMs from banks' servers.

Yet despite the increasingly creative ways some criminals are compromising customer data for sale on the black market, the majority of incidents appear to have been preventable, according to the report. For example, 81 per cent of affected organisations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached.

Some 53 per cent of stolen data records came from organisations using shared or default credentials, and 83 per cent of hacks were considered avoidable through simple or intermediate controls.

Van der Wel recommended that firms check access controls regularly, change default credentials, keep up to date with patches, and test applications for vulnerabilities.

"You need to ask yourself 'Do I need to store this data?'" he said. "Many organisations today are data hungry, but if you don't store the data you'll reduce your risk."
 

Some of Her Best Friends Are Terrorists


Shannon Rossmiller is a Montana mom who befriends and betrays online jihadists -- while she gets her kids ready for school. Her social networking has helped bust a half-dozen terror rings, authorities say.

Rossmiller succeeds by exploiting a fundamental flaw in al Qaeda's famously decentralized organization. The absence of a strict hierarchy makes it pretty easy for a cunning person to mix among the terrorists. So she poses as a potential al Qaeda soldier looking for like-minded comers. She creates multiple characters and uses her older and more respected personae to invite the new ones into private forums. There are other self-taught counterterrorists like her, but they tend to translate and discuss, lurk and report. Rossmiller works the terrorism boards as if she were playing a complex videogame. Her characters come complete with distinct personalities and detailed biographies that are as richly conceived as any protagonist on an HBO series. She keeps copies of everything, time-stamps files, and takes screenshots. She has an Excel spreadsheet that details the 640 people with whom she has had contact on these boards since 2002...

In May 2002, [for instance,] Rossmiller saw a post from a man in Pakistan who said he had access to Stinger missiles he wanted to sell. She wrote back to the person she now identifies in her files as Rocket Man, posing as someone interested in purchasing his wares. After a few exchanges, she abruptly threatened to cut off contact unless he provided proof he was who he said he was. "And I'll be gol-danged if a few days later, a nice little zip file appears with pictures of him sitting on some crates." The inventory numbers of the Stingers were clearly visible. Rossmiller then realized that her hobby had turned into something that needed attention from the FBI.

Rossmiller's not the only private citizen that's tangling with Islamic extremists online, of course. Earlier this month, terror-hunter Rita Katz made headlines when she accused the Bush Administration of blowing her surveillance of Al-Qaeda's "intranet."

Then there's Joseph G. Shahda, a Boston engineer who's "happily claiming credit" for knocking offline "40 militant Islamist Web sites," including "some of the world’s most active jihadi sites, with forums full of extremist chatter."

“These sites are very, very dangerous,” Shahda tells the New York Times. “And I think we should keep going after them. They are used as recruiting tools for terrorists, arousing emotions, teaching how to hate.”
 

Why Osama Doesn't Have a Facebook Account


Al Qaeda may have been a pioneer in exploiting new media to spread propaganda and recruit members. But now, many experts feel the terror group is falling behind. Despite all the hand-wringing in U.S. intelligence circles, Osama & Co. don't seem to be comfortable with Web 2.0-style applications. Marc Lynch explains why, in a must-read post. Here's a snip:

Social networking: one of the biggest problems for a virtual network like AQ today is that it needs to build connections between its members while protecting itself from its enemies. That's a filtering problem: how do you get your people in, and keep intelligence agents out? An AQMonster.com database would be easy pickings - an online list of all the 'explosives experts' would be a gift to intelligence, no? An AQFacebook or AQSpace might create an identifiable universe of jihadist sympathizers, but again would probably help intelligence agencies as much as AQ. Perhaps an AQLinkedIn model, where members need to be recommended by a current member would reproduce the low-tech approach of allowing in trusted members and keeping out unknown quantities. This could potentially strengthen the 'organization' part... but at the expense of a greater distance from the pool of potential recruits who would not be sufficiently trusted to join. Overall it's hard to see how AQ could adapt social networking without creating such vulnerabilities. Its rivals, on the other hand, have no such problems - Muslim Brotherhood youth are all over Facebook.
 

Spy Fears: Twitter Terrorists, Cell Phone Jihadists


Could Twitter become terrorists' newest killer app? A draft Army intelligence report, making its way through spy circles, thinks the miniature messaging software could be used as an effective tool for coordinating militant attacks.

For years, American analysts have been concerned that militants would take advantage of commercial hardware and software to help plan and carry out their strikes. Everything from online games to remote-controlled toys to social network sites to garage door openers has been fingered as possible tools for mayhem.

This recent presentation -- put together by the Army's 304th Military Intelligence Battalion and found on the Federation of American Scientists website -- focuses on some of the newer applications for mobile phones: digital maps, GPS locators, photo swappers, and Twitter mash-ups of it all.

The report is roughly divided into two halves. The first is based mostly on chatter from Al-Qaeda-affiliated online forums. One Islamic extremist site discusses, for example, the benefits of "using a mobile phone camera to monitor the enemy and its mechanisms." Another focuses on the benefits of the Nokia 6210 Navigator, and how its GPS utilities could be used for "marksmanship, border crossings, and in concealment of supplies." Such software could allow jihadists to pick their way across multiple routes, identifying terrain features as they go. A third extremist forum recommends the installation of voice-modification software to conceal one's identity when making calls. Excerpts from a fourth site show cell phone wallpapers that wannabe jihadists can use to express their affinity for radicalism:

Then the presentation launches into an even more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, "Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention," the report notes. "The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time."

Terrorists haven't done anything similar, the Army report concedes - although it does note that there are "multiple pro and anti Hezbollah Tweets." Instead, the presentation lays out three possible scenarios in which Twitter could become a militant's friend:

Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]... Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow ”B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.

Steven Aftergood, a veteran intelligence analyst at the Federation of American Scientists, doesn't dismiss the Army presentation out of hand. But nor does he think it's tackling a terribly serious threat. "Red-teaming exercises to anticipate adversary operations are fundamental. But they need to be informed by a sense of what's realistic and important and what's not," he tells Danger Room. "If we have time to worry about 'Twitter threats' then we're in good shape. I mean, it's important to keep some sense of proportion."
 

Al-Qaida's Propaganda Sites Smacked Down


Al-Qaida's once-robust online propaganda network has taken a hit. The release of a 9/11 anniversary video was delayed by nearly a week. And one of the most popular video-distribution sites is offline.

For years, the al-Ekhlaas network of sites has been a primary distributor of videos from al-Sahab, Qaida's propaganda arm. Then, on September 11, al-Ekhlaas.net was suddenly re-registered. Its domain name now belongs to the joker.com hosting service. All of its content vanished. Related and mirrored pages also went down. Even al-Ekhlaas' YouTube account was suspended.

It's not the first time this has happened; hosting companies have dumped al-Ekhlaas sites before, in response to Western pressures. But the breadth of this effort points to a coordinated attack on a major nerve center of al-Qaida's information warfare effort. "Al Ekhlaas fans are beginning to lose hope of being able to log onto what was once the number one militant Islamist forum on the web," reports CBS' online Internet Terror Monitor.

The strikes against the propaganda network appear to be ongoing. A much-hyped al-Sahab video, commemorating the 9/11 attacks, was only released today -- six days late. And some online al-Qaida sympathizers are complaining that they've been unable to use their normal passwords, to download the video.

The Hindustan Times credits two bloggers with the disruption: Aaron Weisburd from Internet Haganah and "Rusty Shackleford" from The Jawa Report. Shackleford was quick to laugh off the accusation. "News of my ability to thwart al Qaida's online activities have been greatly exaggerated," he writes. Internet jihadists, on the other hand, are blaming American intelligence agencies for the takedown.
 

Online Jihadists Plan for 'Invading Facebook'


Online jihadists have already used YouTube, blogs and other social media to spread their propaganda. Now, a group of internet Islamic extremists is putting together a plan for "invading Facebook."

"We can use Facebook to fight the media," notes a recent posting on the extremist al-Faloja forum, translated by Jihadica.com. "We can post media on Facebook that shows the Crusader losses."

"We have already had great success in raiding YouTube," the poster adds. "American politicians have used Facebook to get votes, like the house slave Obama."

Groups like al-Qaida were pioneering users of the internet — to train, share ideas and organize. But some observers, like George Washington University professor Marc Lynch, see a reluctance to embrace Web 2.0 tools like Facebook. "One of the biggest problems for a virtual network like AQ today is that it needs to build connections between its members while protecting itself from its enemies. That's a filtering problem: How do you get your people in, and keep intelligence agents out?" he asks.

But as Jihadica.com author and West Point Combating Terrorism Center fellow William McCants notes, the proposed Facebook invasion "is not an attempt to replicate [existing] social networks." Instead, "the members of the campaign want to exploit existing networks of people who are hostile to them and presumably they will adopt new identities once they have posted their material."

The al-Faloja poster suggests seven "brigades" work together within Facebook. One will distribute videos and writing of so-called "martyrs." Another will spread military training material. Most of them will work in Arabic, presumably. But one of the units will focus solely on spreading English-language propaganda through Facebook.
 

Wage Cyberwar Against Hamas, Surrender Your PC


A group of Israeli students and would-be cyberwarriors have developed a program that makes it easy for just about anyone to start pounding on pro-Hamas websites. But using this "Patriot" software, to join in the online fight, means handing over control of your computer to the Israeli hacker group.

"While you're running their program, they can do whatever they want with your computer," said Mike La Pilla, manager of malicious code operations at the electronic security firm Verisign iDefense.

The online collective "Help Israel Win" formed in late December, as the current conflict in Gaza erupted. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," "Liri," one of the group's organizers, told Danger Room.

So they created a simple program, supposedly designed to overload Hamas-friendly sites like qudsnews.net and palestine-info.info. In recent years, such online struggles have become key components in the information warfare that accompanies traditional bomb-and-bullets conflicts. Each side tries to recruit more and more people -- and more and more computers -- to help in the network assaults. Help Israel Win says that more than 8,000 people have already downloaded and installed its Patriot software. It's a small part of a larger, increasingly sophisticated propaganda fight between supporters of Israel and Hamas that's being waged over the airwaves and online.

Help Israel Win, which has websites in Hebrew, English, Spanish, French, Russian and Portuguese, doesn't say much about how the program functions -- only that it "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

Analysis from iDefense and the SANS Institute, however, reveals that computer users put their PCs at risk when they run the Patriot software. The program connects a computer to one of a number of Internet Relay Chat (IRC) servers. Once the machine is linked up, Help Israel Win can order it to do just about anything.

The Patriot program does something "fishy," SANS Institute security specialist Bojan Zdrnja said, by retrieving "a remote file and sav[ing] it on the local machine as TmpUpdateFile.exe." That could easily be a "trojan," Zdrnja said, referring to a program that sneaks malicious code onto a computer.

"While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there -- there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," Zdrnja wrote.

Liri, with Help Israel Win, conceded that "the Patriot code could be used as a trojan." However, "practically it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code... never have and never will," Liri said. "The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application."

It's also unclear how much the Patriot program is really helping the Israeli side in the online information war.

La Pilla has been monitoring Help Israel Win's IRC servers for days. "They didn't make us download and install anything. Didn't make us [attack] anybody. I was basically just sitting idle on their network." The group claims to have shut down sarayaalquds.org and qudsvoice.net. But, as of now, the rest of the group's pro-Hamas targets remain online. Meanwhile, Help Israel Win has had to shift from website to website, as they come under attack from unknown assailants.
 

Open Wi-Fi Aids Terrorists, Mumbai Cops Say


Open wi-fi is a terrorist tool and has to be shut down, right this second. That's the conclusion, at least, of the Mumbai police. Starting today, the Times of India reports, "several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks."

"If a particular place's wi-fi is not password-protected or secured then the policemen at the spot has the authority to issue notice to the owner of the wi-fi connection directing him to secure the connection," deputy commissioner of police Sanjay Mohite tells The Hindu. Repeat wi-fi offenders may receive "notices under the Criminal Procedure Code," another senior officer warns the Times.

Mohite notes that e-mails taking credit for terror attacks in New Delhi and Ahmedabad were sent through open wireless networks. "Unprotected IP addresses can be misused for cyber crimes,'' he says. Other Indian cities now require cyber cafes to install surveillance cameras, and to collect identification from all customers.

But plugging up all those perceived security sieves in Mumbai is going to take some work. A quick Sheriff's Brigade survey on Sunday showed that 80 percent of wi-fi networks in South Mumbai were left unlocked. And it's not like terrorists are all that 802.11-dependent, of course. An e-mail also took credit for December's massacre in Mumbai. Whether that came from an open wi-fi connection or not is unclear -- the mailer used an anonymizer service, to cover his electronic tracks.
 

Top Georgian Official: Moscow Cyber Attacked Us – We Just Can't Prove It


Last summer, three weeks before the shooting war between Georgia and Russia began, online attackers started assaulting Georgia's websites. Since then, researchers have tried to find out who masterminded the network strikes -- military electronic warriors, patriotic hackers, cyber-crooks -- without finding anything definitive.

But Georgian National Security Council chief Eka Tkeshelashvili says she knows exactly who's behind the network assault. "There's plenty of evidence that the attacks were directly organized by the government in Russia," she tells Danger Room. It's perhaps the boldest, most direct accusation of blame to come from a senior government official in the Russia-Georgia cyber war.

But, in conversations with Danger Room, neither Tkeshelashvili nor her advisers offered any new evidence that conclusively linked Moscow to the attacks on Georgian cyberspace. "I'm not saying it's enough for a criminal court, to prove a case beyond a reasonable doubt," Tkeshelashvili conceded.

Nevertheless, Tkeshelashvili is scheduled to tell the GovSec conference in Washington, D.C. later today that "Russia invaded Georgia on four fronts. Three of them were conventional — on the ground, through the air, and by sea. The fourth was new — their attacks via cyberspace... It is, quite simply, implausible that the parallel attacks by land and by cyberspace were a coincidence — official denials by Moscow notwithstanding."

And she may not be wrong. But the maddening thing about network attacks is that it's all too easy to cloak identities, work through third-parties, and route attacks through far-flung servers. Which makes it next-to-impossible to definitively pin blame. Russian hackers have claimed key roles in the cyber war. Ordinary citizens were encouraged to pile on. One member of Russia's parliament recently said the whole thing was started out of his office.

"You'll never be able to establish, through in-band technical means, who was sitting in front of a computer from which an attack originates, nor can you discern their motivations," Bill Woodcock, research director at the Packet Clearing House, told Danger Room, when the attacks began. "Instead, one has to look at who the political beneficiary is, one has to look at who's claiming responsibility for the attack, and whether that claim is contested."

In her speech, Tkeshelashvili lays out a three-part hierarchy to the attacks:

"At the top of the hierarchy are the "Soldiers": the professional planners, computer scientists, engineers, and other implementers, including the military itself. Next are what some call the "Mercenaries." These are criminal organizations paid to carry out certain elements of the attacks. In this case, there are strong signs implicating an outfit known as the Russian Business Network (RBN). And, finally, there are the "Volunteers." These are individuals with PC’s who are recruited to carry out attacks. They are provided with access to all the necessary software tools, as well as to detailed instructions for carrying out the attacks. In other words, they don’t have to be skilled and “educated” hackers. This is literally a mobilization of the masses."

Jeffrey Carr, principal of hacker-tracker firm GreyLogic, LLC, says Tkeshelashvili is "definitely in the ballpark." But key details are off. The Russian Business Network, as a group of individuals, has been largely disbanded, for instance. Their infrastructure of shell companies and shady servers and botnets-for-hire remains. It's yet another complicating factor, when online investigators try to find who's behind a network attack.
 

Student Sentenced For F-ucked Up Grade Hack


A university student in Florida on Tuesday was sentenced to 22 months in prison for his role in a bungled scheme to hack into his school's computer system and make hundreds of grade changes.

Christopher Jacquette, 29, of Tallahassee was also ordered to serve three years of supervised release for his part in the plot, which used keyloggers to access protected computers at Florida A & M University, according to federal prosecutors. Along with cohorts Lawrence Secrease and Marcus Barrington, his caper reads like a modern-day episode of The Three Stooges.

The tale begins in August 2007, when Jacquette installed keyloggers onto several of the university's computers after sneaking into a locked ballroom where student registration was taking place. In short order, the trio had access to the school's PeopleSoft accounts. They promptly used it to change dozens of grades belonging to them and their friends, in many cases from Fs to As.

Naturally, these under-achieving students weren't the sharpest tools in the shed, and they made some mistakes along the way. A university audit quickly revealed the presence of the keyloggers, and the discovery gave up several email addresses under the control of the students. University logs also showed that the grade changes were made using internet accounts from the students' homes.

When police questioned Barrington's sister about changes made to her grades, she said she believed they were an act of God.

Then, within hours of being interrogated, Barrington convened a meeting where the trio would plan how to sneak keylogging software on university computers a second time. The university had reversed the altered grades, it seems, and the students were intent on changing them back. According to court documents, they did just that, boosting 16 grades belonging to Jacquette and 12 belonging to Barrington.

The students also used their unauthorized access to change the residency status of several students so they wouldn't have to pay out-of-state fees that were more expensive. After Jacquette received $600 apiece from two students, he used his cell phone to send a text message instructing Barrington to change the students' residence. After Jacquette gave consent to have his cell phone searched, investigators found several passwords belonging to university employees.

Court documents charged all three students with four felonies in connection with the alleged scheme. The status of Barrington and Secrease wasn't immediately known. Prosecutors weren't available late Tuesday to clarify.

In all, the trio changed some 650 grades belonging to 90 students. About 114 of the grades were Fs that were converted to As. Because the changes to grades and residency status would have allowed students to receive lower tuition fees, it could have had the effect of costing the university hundreds of thousands of dollars, prosecutors alleged.
 

Romanian Cybercriminal Gang Dismantled


Twelve Students Arrested For Taking Part In A Major Phishing Operation

The Romanian Direction for Investigating Organized Crime and Terrorism (DIICOT), along with local authorities, descended on multiple locations in several cities and arrested 20 persons suspected of being members of a cybercriminal gang. The seven-year-long operation, which involved phishing and fake eBay auctions, is said to have brought the cybercrooks illegal gains of over 500,000 euros.

According to the investigators, the network was very well structured, with its members operating out of Romania, Italy, Spain and the UK. The Romanian branch was co-ordinating the operation and its members were moving from city to city in order to avoid being caught.

However, an important nucleus was formed in Iasi, because it is one of the largest cities in the country and, most importantly, a big university center. This allowed the leaders of the gang to recruit students from the specialized universities here, who were willing to earn some extra cash.

A judge has decided that twelve of the individuals will be detained under temporary arrest for 29 days, while another seven have been released, but are not allowed to leave the country. All of them were studying in Iasi, at the Faculty of Automatic Control and Computer Engineering from the "Gh. Asachi" Technical University, or at the Faculty of Computer Science from the "A. I. Cuza" University. The oldest of the arrested students is 25 years old.

"The DIICOT prosecutors have coordinated an operation to dismantle an organized criminal group, which between 2002 and 2009 has organized fictitious auctions on the Internet, especially on the www.ebay.com, www.ebay.it and www.ebay.ca websites, the cloning of the websites of several banks from UK and Italy, such as www.poste.it, www.ubibanca.it, www.cartasi.it, www.hsbc.co.uk and have used, without authorization, the credit card details obtained through phishing, in order to transfer sums of money into other accounts under the control of the group's members," Daniel Horodniceanu, one of the prosecutors, announced.

He also noted that, given the current evidence, the prosecution could legally prove only a fraud of 280,000 euros, but that the real amount was likely to be much bigger.

The members of the network living in other countries were withdrawing money from the targeted banks and wiring the cash to the leaders in Romania through Western Union. One interesting aspect is that the students, who were actually doing all the work, did not earn much compared with the heads of the operation.

For example, one of the arrested individuals was living in a student dorm, because he couldn't afford to pay rent for an apartment in the city. The parents of most of the students were still sending them food and money every month. Meanwhile, the ringleaders were living in luxury flats and had expensive cars.

"A total of 22 raids were performed in different locations across the counties of Iasi, Valcea, Mehedinti and the municipality of Bucharest, at the homes of the group's members. Three luxury cars, gold jewels weighing 100 grams, 2065 euros, 2150 British pounds, 2200 Romanian lei, 20 notebooks and desktop computers, 30 memory cards, hundreds of CDs and DVDs and two plasma TVs were seized," Chief Commissioner Gheorghe Zbarnea, the head of the Brigade for Fighting Organized Crime, Iasi branch, informed.


The names of the individuals brought before the judge are: the brothers Andrei and Ciprian Ilasoaia, Valentin Pintiliasa, Mihai Adrian Slatineanu, Paul Andrei Chiriac, Catalin Muraru, Ciprian Micutaru, Bogdan Tirpescu, George Duduman, Andrei Corneliu Ciubotariu, Ionut Baraganescu and Florian Martin. All of them stand accused of constituting and associating themselves in an organized criminal group, adhering to or supporting in any way an organized criminal group, committing computer infractions, gaining access to a computer system without authorization, and unauthorized possession and utilization of a password or access code in order to commit computer crimes; two have already admitted to their actions.
 

Hackers Infect BusinessWeek Website via SQL Injection Attack


The website of the world-renowned magazine has been the subject of an SQL injection attack

BusinessWeek has just joined a group of highly rated and heavily visited websites that fell victim to SQL injection attacks. Graham Cluley, Senior Technology Consultant for the security company Sophos, disclosed that parts of the website of the popular weekly magazine were attempting to serve malware from a Russian server.

SQL injection has been at the top of vulnerability trends in recent years, along with XSS (cross-site scripting). The name describes the end result of exploiting such a vulnerability: attacker-supplied SQL is executed by the web application's database, in this case to inject malicious code into the site's stored content. That code is then generally used to spread malware from third-party servers.

The new BusinessWeek incident adds to the roughly 16,000 other pages affected by SQL injection that are discovered daily (according to a Sophos report). Mr. Cluley points out that hundreds of individual BusinessWeek pages from one section of the website were affected. What's even worse is that the particular section was aimed at MBA students looking for career opportunities.

The injected malicious code was trying to serve malware from a .ru website, but the server in question was offline at the time when the attack was discovered. According to Cluley, this wasn't necessarily permanent and the status of the website could have changed, which would have posed a serious security risk to the personal or financial information of the users. A BusinessWeek spokesman commented for The Register that, following their investigation, it was determined that no sensitive information had been compromised and that the particular web application affected had been removed from their website.

Video: BusinessWeek website infected by malware, from Sophos Labs on Vimeo.

Even so, Mr. Cluley pointed out that BusinessWeek had been notified about the problem last week and that, two days ago, the malicious code was still online. All companies should work to fix these problems as soon as possible, because time is essential with these attacks: the longer the code remains online, the higher the chances that more people get infected.

In a short video, Cluley outlines the basic steps companies should take in order to prevent such incidents. They include adopting development best practices, ensuring web applications run with the lowest possible database privileges, constantly checking server logs for suspicious activity, and using programs designed to tighten the security of web applications.
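The log-checking step above, worked through in code. This is an added example written for this page, not Sophos' or BusinessWeek's code: it scans constructed Apache-style access-log lines for the URL-manipulation patterns these attacks leave behind (including double-encoded values) and pairs TRUE/FALSE probes of the kind the Symantec item further down this page describes. The IP addresses, paths and parameter names in the sample are constructed.

```python
"""Scan web-server access logs for the URL-manipulation patterns left by SQL
injection probes. Added example for this page (not Sophos' or BusinessWeek's
code); the log lines below are constructed, using documentation IP ranges."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined-log line: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Indicators, matched against the fully URL-decoded value of each parameter.
INDICATORS = [
    ("boolean probe", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("UNION SELECT", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("schema enumeration", re.compile(r"information_schema|sysobjects|syscolumns", re.I)),
    ("stacked write query", re.compile(r";\s*(?:UPDATE|INSERT|DELETE|DROP)\b", re.I)),
    ("trailing SQL comment", re.compile(r"(?:--|/\*)\s*$")),
    ("quote then SQL keyword", re.compile(r"'\s*(?:AND|OR|UNION|;)", re.I)),
]

# Constructed sample: a normal request, a TRUE/FALSE probe pair with differing
# response sizes, a UNION probe, a double-encoded probe and benign text.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2009:14:02:11 +0000] "GET /careers/mba.asp?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2009:14:02:15 +0000] "GET /careers/mba.asp?id=42%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2009:14:02:17 +0000] "GET /careers/mba.asp?id=42%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2009:14:03:40 +0000] "GET /docs/download.php?doc=17%27%20UNION%20SELECT%20table_name%2Cnull%20FROM%20information_schema.tables-- HTTP/1.1" 200 9011 "-" "curl/7.19"
198.51.100.9 - - [10/Feb/2009:14:04:02 +0000] "GET /docs/download.php?doc=17%2527%2520OR%25201%253D1 HTTP/1.1" 200 9011 "-" "curl/7.19"
192.0.2.77 - - [10/Feb/2009:14:05:00 +0000] "GET /search?q=rock%20and%20roll HTTP/1.1" 200 3320 "-" "Mozilla/5.0"
"""


def full_decode(value, max_rounds=3):
    """Decode until stable so a double-encoded value (%2527 -> %27 -> ')
    cannot slip past the patterns."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return one finding per query parameter that matches an indicator."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    findings = []
    for param, raw in parse_qsl(url.query, keep_blank_values=True):
        value = full_decode(raw)
        hits = [name for name, rx in INDICATORS if rx.search(value)]
        if hits:
            findings.append({"ip": m["ip"], "path": url.path, "param": param,
                             "value": value, "indicators": hits,
                             "size": int(m["size"]) if m["size"] != "-" else 0})
    return findings


def scan_log(text):
    """Scan every non-empty line of an access log."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


def blind_probe_pairs(findings):
    """Pair a TRUE probe (AND 1=1) with a FALSE one (AND 1=2) from the same
    client on the same parameter. Differing response sizes mean the injected
    condition changed the page: the blind-injection signature described in
    the Symantec item further down this page."""
    cond = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*(\d+)", re.I)
    seen = defaultdict(dict)
    for f in findings:
        m = cond.search(f["value"])
        if m:
            seen[(f["ip"], f["path"], f["param"])][m[1] == m[2]] = f["size"]
    return [key for key, sizes in seen.items()
            if len(sizes) == 2 and sizes[True] != sizes[False]]
```

Run `scan_log(SAMPLE_LOG)` and then `blind_probe_pairs(...)` on the result; the benign "rock and roll" search produces no finding, while the double-encoded request is caught only because of the repeated decoding.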
 

Kaspersky Reveals Details of Attack on Its Website


The Antivirus Vendor Claims That No Customer Data Has Been Compromised

After a SQL injection attack against the US support website belonging to Kaspersky Labs was published on the Romanian Hackers Blog, the company disclosed details of the security breach. The investigation established that no sensitive data was accessed, but the antivirus vendor hired a database security expert to audit all of its websites.

During the past weekend, the Romanian Hackers Blog published information regarding a successful attack on http://usa.kaspersky.com/support/. According to the attacker, full access to the database containing customer information, support tickets, and even product activation codes had been obtained through SQL injection techniques.

The alleged ethical hacker, who calls himself "unu," did not post any sensitive information from the database, which was confirmed to contain around 2,500 customer e-mail addresses and 25,000 software activation keys. "This time I will not (for reasons that need no explanation) publish any screenshot containing personal details or activation codes," he said.

However, Vitaly Kamluk, chief malware expert at Kaspersky Lab, who has been involved in the investigation into this incident, claims there were several attackers, not one, and dismisses their good intentions. "After collecting field names, the attackers made a few attempts to extract the data from tables," he writes on the Kaspersky Analyst's Diary Weblog.

Apparently, only a simple mistake prevented them from hitting the jackpot. "Those queries failed because the attackers specified the wrong database," Kamluk explains. "There were several attackers with IP addresses from Romanian ISPs," the analyst also notes.

Meanwhile, during a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg explained that the vulnerability was introduced along with a new update on the support site on January 28. He also pointed out that a Romanian Kaspersky employee came across the blog entry explaining the attack and immediately alerted his U.S. colleagues, who in turn rolled back the website to its stable state before the vulnerable update was deployed.

Vitaly Kamluk explains that the attackers used a free version of an automated probing tool from Acunetix to determine that the site was vulnerable to SQL injection, and then proceeded with manual exploitation. "The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries UPDATE, INSERT, DELETE... were logged," he adds.

Both Kamluk and Schouwenberg challenge the hackers' claim that they published the attack only after e-mails sent to the antivirus vendor went unanswered. "After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond," Kamluk mentions, while Schouwenberg concludes that "They gave us little if any chance to respond."

When asked by the reporters if the company's image might suffer as a result of this security breach, Roel Schouwenberg said that "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened." However, he stressed that "We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again." In this respect, the company has hired world-renowned database security expert David Litchfield to perform an independent security audit of websites belonging to Kaspersky Labs.

"Secure development MUST be a key priority for web development - anywhere, anytime and all the time. It is a lesson to us all - check, check and re-check your processes and your code," Vitaly Kamluk advises. "We are lucky the hackers proved to be more interested in fame than in causing damage," the software engineer concludes.

Note: This article has been updated to correctly attribute the cited material from the Kaspersky weblog, signed VitalyK, to Vitaly Kamluk, chief malware expert at Kaspersky Lab, as opposed to Vitaly Kouzin, software engineer at Kaspersky Lab, whom it originally credited.
 

F-Secure Joins The List Of Compromised Antivirus Websites


The Romanian HackersBlog Makes a New Victim

After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around it was F-Secure; however, the security breach did not have the potential to disclose sensitive information.

In a new post published on the HackersBlog, one of the website's admins, Tocsixu, discloses a SQL injection attack against the statistics section of the website belonging to Finnish security company F-Secure. In addition to being vulnerable to SQL injection, the http://stats.f-secure.com website also allowed for code injection through cross-site scripting (XSS).

Successful poisoning of SQL SELECT statements through URL manipulation exposed the tables of what looked like a Microsoft SQL Server 2000 database running on Windows Server 2003 with Service Pack 2.

The compromised tables were: MailboxInfo, VirusUpdated, dtproperties, Country, sysconstraints, VirusTrends, Virus_Top50_24h, Virus_Top50_30days, Virus_Top50_7days, Virus_Top50_90days, Virus_Top50_Month, Virus_Top50_Week, VirusDateTotal, VirusDate, VirusMonthTotal, VirusReports, VirusReportsTemp, VirusTrends.

F-Secure confirmed the security breach, but pointed out that the compromised database contained information about malware statistics that had been made publicly available anyway. "The malware statistics is something we publish anyway at F-Secure Worldmap and, because of our IT security strategy, the impact was minimal," Patrik Runald, senior security specialist at F-Secure, writes on the company's weblog. This is also mentioned by Tocsixu, who points out that "Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity."

The F-Secure analyst explains that the attack was possible because a page on their statistics website didn't properly sanitize its input. He also maintains that no information-altering SQL commands were executed against the database, and that other details on the server could not be reached by the hackers, because the SQL username used by that section of the F-Secure website only had access to the statistics database. "While the attack is something we have to learn from and look at things we need to improve, it's not the end of the world," Patrik Runald concludes.

This is the third time in less than a week that the HackersBlog team has launched a successful SQL injection attack against the website of a security vendor. The first was the U.S. support website of Kaspersky Labs, developer of Kaspersky Antivirus. This was followed by a similar breach on the website of a Bitdefender Antivirus partner in Portugal, http://www.bitdefender.pt.

Even though slow to respond at first, Kaspersky eventually assumed responsibility for the security incident and revealed extensive details about the attack. In addition, the company hired a renowned database security expert to perform a security audit on its websites. Bitdefender, however, kept it short by saying that the website belonged to a reseller and was not controlled by it. Even so, the site was using the Bitdefender name and logo, had a very similar website layout and was selling Bitdefender products. It's unlikely that the Bitdefender users who have had their personal information put at risk care too much about whose website that is.
 

Kaspersky & Bitdefender Websites Hacked


The databases were compromised through SQL injection attacks

Both Kaspersky and Bitdefender antivirus vendors have been left with red faces by a Romanian hacker who obtained access to the SQL databases of two of their websites. The data stored in the databases includes customer information, e-mails, support tickets, and even activation codes.

A hacker going by the nickname of "unu," meaning "one" in Romanian, reported on Saturday that he had compromised the security of the Kaspersky website in the USA. In a posting made on HackersBlog, unu published screenshots as well as a list of the tables found in the site's SQL database.

The hacker explained that he obtained full access to the database through SQL injection. SQL injection, in the form used here, is a type of URL manipulation: SQL commands placed in a URL parameter are passed through the web application into the queries it sends to its database. It is usually used by hackers to insert rogue data into the database for various purposes. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," the Romanian writes.

Image comment: Kaspersky USA database information screenshot

However, unu's intentions were not malicious. According to The Register, he only decided to go public after he sent messages to several official Kaspersky e-mail addresses and got no response. This is also reflected by the evidence he presented, such as the malformed URLs being blurred in the screenshots.

Also, he did not publish any customer information, although he claims to have had complete access to it. "This time I will not (for reasons that need no explanation) publish any screenshot containing personal details or activation codes," unu explains.

Image comment: Bitdefender Portugal administrator login credentials screenshot

Kaspersky has partially confirmed the security breach. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," the company claims in a statement.

Tocsixu, one of the admins of HackersBlog, has told The Register that unu hacked the website days before going public, which seems to come into conflict with Kaspersky's account. According to him, the reason why no data has been compromised is only due to the good will of the hacker. "Indeed, no data was compromised from the site because that is not Unu's (our) intention. No sensitive information from the site was stored, legit Kaspersky users can rest assured," he states.

However, after being done with Kaspersky, the hacker turned his attention to another big player on the antivirus market, Bitdefender. In a new post published today, the hacker documents a similar successful SQL injection attack against the website of Bitdefender Portugal. "It seems Kaspersky aren’t the only ones who need to secure their database. Bitdefender has the same problems," unu adds.

He goes on to describe the attack that provided him with access to the database containing administrators' usernames and passwords, the personal details of thousands of customers and sales data. In addition, one table in the database contains a large number of e-mail addresses belonging to people who subscribed to the company's newsletter. "And last a part of the data from the table inscricoes(Newsletter)… thousands of email addresses, candy for possible spammers," the attacker points out.

As in the case of the Kaspersky incident, unu did not publish any sensitive information and also blacked out the compromising details of the attack in the provided screenshots. Bitdefender has yet to confirm and comment on this attack. Stay tuned, we will return with updates if it does.
 

Symantec Website Hacked


Blind SQL Injection Vulnerability Disclosed

The Romanian ethical hacking outfit HackersBlog shames yet another antivirus vendor – Symantec. A SQL injection vulnerability in a section of the Symantec website allows unauthorized access to the database.

Symantec is one of the biggest IT security companies in the world, developing a wide range of products for both home and enterprise consumers. It is a veteran on the antivirus market, its flagship product being Norton Antivirus.

According to “unu,” a Romanian hacker associated with HackersBlog, the Document Download Centre section of the Symantec website contains a poorly-sanitized parameter, which facilitates SQL injection attacks. Successful exploitation results in giving an attacker access to the database.

Image comment: TRUE condition AND 1=1 - Page loads normally

“The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY,” the hacker, who doesn't specify what sensitive information, if any, is stored in that particular database, notes.

Image comment: FALSE condition AND 1=2 - Text disappears

The documented attack is actually a “blind” SQL injection. As opposed to regular SQL injections, such attacks are harder to carry out, because the website does not respond with useful error information that would give the hacker an idea of how to proceed; the outcome of each injected condition has to be inferred from changes in the page content, as the screenshots show.

Image comment: SELECT function, AND (SELECT 1)=1 returns true - Text doesn't disappear

According to the few items of information “unu” has provided, the website runs on an Apache Web server with PHP 5.2.6 and a MySQL 5.0.22 backend. The published screenshots demonstrate how executing SQL commands through URL manipulation alters the content of the page.
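The behaviour the three screenshots above describe, reproduced as an added example (not Symantec's or HackersBlog's code) alongside the fix: a SQLite-backed stand-in for the download centre that splices the `doc` parameter into the query, next to a version that validates and binds the parameter so the `AND 1=1` / `AND 1=2` difference no longer shows in the page. The `documents` table, its titles and the `doc` parameter name are assumptions made for the example.

```python
"""Blind SQL injection oracle vs. a bound parameter, as an added example for
this page (not Symantec's or HackersBlog's code). The 'documents' table,
its titles and the 'doc' URL parameter are constructed stand-ins."""
import sqlite3


def build_db():
    """In-memory SQLite database standing in for the download centre backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)",
                     [(17, "Norton AntiVirus 2009 datasheet"),
                      (18, "Norton Internet Security guide")])
    return conn


def lookup_vulnerable(conn, doc_param):
    """The flaw described above: the raw URL parameter is spliced into the SQL
    text, so anything after the number becomes part of the WHERE clause and
    the database evaluates the attacker's condition."""
    sql = "SELECT title FROM documents WHERE id = " + doc_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else ""


def lookup_parameterised(conn, doc_param):
    """Hardened version: reject anything that is not a plain integer id, then
    bind the value so the driver hands it to SQLite as data, never as SQL."""
    try:
        doc_id = int(doc_param)
    except ValueError:
        return ""
    row = conn.execute("SELECT title FROM documents WHERE id = ?",
                       (doc_id,)).fetchone()
    return row[0] if row else ""


def render_page(lookup, doc_param):
    """Mimic the page: the document title is shown when the row is found and
    disappears otherwise (the 'text disappears' of the screenshots)."""
    title = lookup(build_db(), doc_param)
    return f"<h1>Document Download Centre</h1><p>{title}</p>"


def oracle_visible(lookup):
    """True when a TRUE and a FALSE injected condition produce different pages,
    i.e. when the site exposes a blind-injection oracle to the client."""
    return render_page(lookup, "17 AND 1=1") != render_page(lookup, "17 AND 1=2")


if __name__ == "__main__":
    for name, lookup in (("vulnerable", lookup_vulnerable),
                         ("parameterised", lookup_parameterised)):
        print(f"{name}: oracle visible = {oracle_visible(lookup)}")
```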

“Unu” claims to have contacted Symantec regarding the problem, or at least attempted to. “[...] On the website there is no contact email address for cases such as this, I’ve sent an email to webmaster@symantec.com and security@symantec.com. The email didn’t bounce, so someone must have received it. No answer as of yet,” he writes, while pointing out that more detailed info could be revealed after the company fixes the issue.

During the past two weeks, hackers from the HackersBlog crew have been disclosing various SQL injection vulnerabilities on websites belonging to no fewer than four antivirus vendors: Kaspersky, F-Secure, Bitdefender, and now Symantec. The site operated by the Bitdefender business partner in Portugal has also been compromised by the same group through SQL injection.

Antivirus vendors are not the only targets of the Romanian group of hackers. Yahoo! has also been the subject of attacks by them more than once, while “unu” has just recently disclosed a similar vulnerability on the website of the International Herald Tribune, the global edition of the New York Times.
 

Pentagon Spends $100 Million In Six Months On Cyber Defence

By PK


The Pentagon has spent $100m (£68m) deflecting and cleaning up after online attacks in the past six months, according to the head of the US Strategic Command.

US Air Force general Kevin Chilton told a cyber security conference in Nebraska that the money was being spent on computer equipment, contractors and manpower to clean up after external attacks and internal mistakes.

"The important thing is that we recognise that we are under assault from the least sophisticated - what I would call the bored teenager - all the way up to the sophisticated nation state, with some pretty criminal elements sandwiched in between," Chilton told Associated Press. "This is indeed our big challenge as we think about how to defend it."

Chilton declined to say what percentage of the attacks came from outside the military's systems, or to comment on the likelihood that some attempts were being made by foreign governments.

Brigadier general John Davis, the US Army's deputy commander for network operations, said that investment needed to be made into hardening the defences of military systems, rather than spending funds fire-fighting after the event.

"You can either pay me now, or you can pay me later," he said. "It would be nice to spend that money proactively, rather than fixing things after the fact."
 

Chinese & Russian Cyber Spies Hacked US Electrical Grid


Foreign spies have infiltrated the US electrical grid, leaving behind software programs that could disrupt the system in a time of war, American national security officials have claimed.

The intruders, who came from countries including China and Russia, were believed to be attempting to map the US electrical system and work out how it was controlled, according to reports in the Wall Street Journal.

Officials said the cyberspies had not tried to damage the grid, but warned they could during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the paper. "So have the Russians."

The intrusion spread across the country and didn't target any specific companies or regions, a former Department of Homeland Security official said. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Several of the intrusions were detected by US intelligence agencies and not by the companies in charge of the infrastructure, the officials said.

The breaches come as concern grows among the intelligence community over cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the internet.

More worrying was the discovery that the cyberspies had left behind software tools that could be used to destroy infrastructure components, the senior intelligence official said. He told the Wall Street Journal: "If we go to war with them, they will try to turn them on."

Water, sewage and other infrastructure systems were also believed to be at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told politicians. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."
 

Get Rich or Die Trying (BlackHat USA)

By PK


The premise for the “Get Rich or Die Trying” presentation was to look forward at the next 3-5 years, considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is, if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend against, and, more importantly, issues potentially generating 4, 5, 6 or even more figures a month in illicit revenue.

In many ways, though, this is sort of like predicting the present, since just about every example we gave was grounded in a real-world public reference and backed by statistics. We also wanted this presentation to be very different from what most are used to at BlackHat, where talks tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.
 

Indian Army fears China attack by 2017

By PK


The Indian military fears a ‘Chinese aggression’ in less than a decade. A secret exercise, called ‘Divine Matrix’, by the army’s military operations directorate has visualised a war scenario with the nuclear-armed neighbour before 2017.

“A misadventure by China is very much within the realm of possibility with Beijing trying to position itself as the only power in the region. There will be no nuclear warfare but a short, swift war that could have menacing consequences for India,” said an army officer, who was part of the three-day war games that ended on Wednesday.

In the military’s assessment, based on a six-month study of various scenarios before the war games, China would rely on information warfare (IW) to bring India down on its knees before launching an offensive.

The war games saw generals raising concerns about the IW battalions of the People’s Liberation Army carrying out hacker attacks for military espionage, intelligence collection, paralysing communication systems, compromising airport security, inflicting damage on the banking system and disabling power grids. “We need to spend more on developing information warfare capability,” the officer said.

The war games dispelled the notion that China would take at least one season (one year) for a substantial military build-up across India’s northeastern frontiers. “The Tibetan infrastructure has been improved considerably. The PLA can now launch an assault very quickly, without any warning,” the officer said.

The military believes that China would have swamped Tibet with sweeping demographic changes in the medium term. For the purposes of Divine Matrix, China would call the Dalai Lama for rapprochement and neutralise him. The top brass also brainstormed over India’s options in case Pakistan joined the war too. Another apprehension was that Myanmar and Bangladesh would align with China in the future geostrategic environment.
 

Israelis Bring Down Hizbullah Website



An Israeli network security company brought down a Hizbullah-run Web site last week using hacking technology developed in China, Haaretz reported Tuesday. According to the daily, the Israeli company Applicure employed relatively cheap, accessible and easy to use software to bring down the site, english.hizbollah.tv, with only 10 computers.

Nevertheless, in the wake of the report, commentators were already questioning the ways in which privately waged cyber-warfare could affect the tense relationship between avowed enemies like Israel and Hizbullah.

The term used to describe the use of a singular or coordinated assault on a Web site to prevent it from properly functioning is "denial of service" (DOS) or distributed denial of service (DDOS). DOS or DDOS attacks utilize a number of computers, infected by viruses or Trojan horses and grouped into networks, to bombard a Web site with an overwhelming number of illegitimate requests, preventing it from servicing legitimate requests.

DOS is only one of many ways to bring down a Web site or network, but it is often considered the most popular method because it does not require the advanced software used in other forms of Web sabotage.

Computers used by hackers, and often hijacked by them without the knowledge of the primary user, are known as bots. Only ten of these bots, according to Haaretz, were needed to interrupt the Hizbullah site.

Haaretz reported that Applicure was "trying out breaking-in tools developed by Chinese hackers," when it brought down the site. The report added that the software used was intended for "laymen," not hackers well-versed in programming.

In addition, the article noted that this particular software is relatively cheap, as little as $260 a year with a limited number of bots, and that its use to disrupt services can earn a user a six-figure salary, primarily through blackmail.

Applicure has partners in South Korea, which is reportedly a popular place for Chinese hackers to disrupt Web-based services, especially gaming sites, which are quite popular. China's Computer Emergency Response Team increased its risk assessment to China's internal network twenty fold in 2007.

In the United States, DOS attacks often target online gambling sites, where the private information of users, such as credit card details, can be mined by infecting the largest possible number of personal computers with Trojan horses.

Citing technology and security experts, the report said this kind of virus infects an entire site and tries to "download" itself onto as many users' computers as possible.