Showing posts with label Database Attack.

Online Jihadists Plan for 'Invading Facebook'


Online jihadists have already used YouTube, blogs and other social media to spread their propaganda. Now, a group of internet Islamic extremists is putting together a plan for "invading Facebook."

"We can use Facebook to fight the media," notes a recent posting on the extremist al-Faloja forum, translated by Jihadica.com. "We can post media on Facebook that shows the Crusader losses."

"We have already had great success in raiding YouTube," the poster adds. "American politicians have used Facebook to get votes, like the house slave Obama."

Groups like al-Qaida were pioneering users of the internet — to train, share ideas and organize. But some observers, like George Washington University professor Marc Lynch, see a reluctance to embrace Web 2.0 tools like Facebook. "One of the biggest problems for a virtual network like AQ today is that it needs to build connections between its members while protecting itself from its enemies. That's a filtering problem: How do you get your people in, and keep intelligence agents out?" he asks.

But as Jihadica.com author and West Point Combating Terrorism Center fellow William McCants notes, the proposed Facebook invasion "is not an attempt to replicate [existing] social networks." Instead, "the members of the campaign want to exploit existing networks of people who are hostile to them and presumably they will adopt new identities once they have posted their material."

The al-Faloja poster suggests seven "brigades" work together within Facebook. One will distribute videos and writing of so-called "martyrs." Another will spread military training material. Most of them will presumably work in Arabic, but one of the units will focus solely on spreading English-language propaganda through Facebook.
 

Wage Cyberwar Against Hamas, Surrender Your PC


A group of Israeli students and would-be cyberwarriors have developed a program that makes it easy for just about anyone to start pounding on pro-Hamas websites. But using this "Patriot" software, to join in the online fight, means handing over control of your computer to the Israeli hacker group.

"While you're running their program, they can do whatever they want with your computer," said Mike La Pilla, manager of malicious code operations at Verisign iDefense, the electronic security firm.

The online collective "Help Israel Win" formed in late December, as the current conflict in Gaza erupted. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," "Liri," one of the group's organizers, told Danger Room.

So they created a simple program, supposedly designed to overload Hamas-friendly sites like qudsnews.net and palestine-info.info. In recent years, such online struggles have become key components in the information warfare that accompanies traditional bomb-and-bullets conflicts. Each side tries to recruit more and more people -- and more and more computers -- to help in the network assaults. Help Israel Win says that more than 8,000 people have already downloaded and installed its Patriot software. It's a small part of a larger, increasingly sophisticated propaganda fight between supporters of Israel and Hamas that's being waged over the airwaves and online.

Help Israel Win, which has websites in Hebrew, English, Spanish, French, Russian and Portuguese, doesn't say much about how the program functions -- only that it "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

Analysis from iDefense and the SANS Institute, however, reveals that computer users put their PCs at risk when they run the Patriot software. The program connects a computer to one of a number of Internet Relay Chat (IRC) servers. Once the machine is linked up, Help Israel Win can order it to do just about anything.

The Patriot program does something "fishy," SANS Institute security specialist Bojan Zdrnja said, by retrieving "a remote file and sav[ing] it on the local machine as TmpUpdateFile.exe." That could easily be a "trojan," Zdrnja said, referring to a program that sneaks malicious code onto a computer.

"While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there -- there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," Zdrnja wrote.

Liri, with Help Israel Win, conceded that "the Patriot code could be used as a trojan." However, "practically it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code... never have and never will," Liri said. "The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application."

It's also unclear how much the Patriot program is really helping the Israeli side in the online information war.

La Pilla has been monitoring Help Israel Win's IRC servers for days. "They didn't make us download and install anything. Didn't make us [attack] anybody. I was basically just sitting idle on their network." The group claims to have shut down sarayaalquds.org and qudsvoice.net. But, as of now, the rest of the group's pro-Hamas targets remain online. Meanwhile, Help Israel Win has had to shift from website to website, as they come under attack from unknown assailants.
 

Open Wi-Fi Aids Terrorists, Mumbai Cops Say


Open wi-fi is a terrorist tool and has to be shut down, right this second. That's the conclusion, at least, of the Mumbai police. Starting today, the Times of India reports, "several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks."

"If a particular place's wi-fi is not password-protected or secured then the policemen at the spot has the authority to issue notice to the owner of the wi-fi connection directing him to secure the connection," deputy commissioner of police Sanjay Mohite tells The Hindu. Repeat wi-fi offenders may receive "notices under the Criminal Procedure Code," another senior officer warns the Times.

Mohite notes that e-mails taking credit for terror attacks in New Delhi and Ahmedabad were sent through open wireless networks. "Unprotected IP addresses can be misused for cyber crimes," he says. Other Indian cities now require cyber cafes to install surveillance cameras, and to collect identification from all customers.

But plugging up all those perceived security sieves in Mumbai is going to take some work. A quick Sheriff's Brigade survey on Sunday showed that 80 percent of wi-fi networks in South Mumbai were left unlocked. And it's not like terrorists are all that 802.11-dependent, of course. An e-mail also took credit for December's massacre in Mumbai. Whether that came from an open wi-fi connection or not is unclear -- the mailer used an anonymizer service, to cover his electronic tracks.
 

Hackers Infect BusinessWeek Website via SQL Injection Attack


The website of the world-renowned magazine has been the subject of an SQL injection attack.

BusinessWeek has just joined a group of highly rated and visited websites that fell victim to SQL injection attacks. Graham Cluley, Senior Technology Consultant for the security company Sophos, disclosed that parts of the website of the popular weekly magazine were attempting to serve malware from a Russian server.

SQL Injection has been at the top of vulnerability trends in recent years along with XSS (cross-site scripting). The SQL Injection name comes from the end-result of the exploitation of such a vulnerability, which is to inject malicious code into the web application's SQL database. This code is generally used to spread malware from third-party servers.

The new BusinessWeek incident adds to the other 16,000 pages affected by SQL Injection discovered daily (according to a Sophos report). Mr. Cluley points out that hundreds of individual BusinessWeek pages from a section of the website were affected. What's even worse is that the particular section was addressed to MBA students looking for career opportunities.

The injected malicious code was trying to serve malware from a .ru website, but the server in question was offline at the time when the attack was discovered. According to Cluley, this wasn't necessarily permanent and the status of the website could have changed, which would have posed a serious security risk to the personal or financial information of the users. A BusinessWeek spokesman commented for The Register that, following their investigation, it was determined that no sensitive information had been compromised and that the particular web application affected had been removed from their website.

Even so, Mr. Cluley pointed out that BusinessWeek had been notified about it last week and that two days ago the malicious code was still online. All companies should work to fix these problems as soon as possible, because time is essential with these attacks: the longer the code remains online, the higher the chance that more people get infected.

In a short video, Cluley outlines the basic steps companies should take in order to prevent such incidents. They include adopting development best practices, ensuring web applications run with the lowest possible database privileges, constantly checking server logs for suspicious activity, and using programs designed to tighten the security of web applications.
 

Kaspersky Reveals Details of Attack on Its Website


The Antivirus Vendor Claims That No Customer Data Has Been Compromised

After a SQL injection attack against the US support website belonging to Kaspersky Labs was published on the Romanian Hackers Blog, the company disclosed details of the security breach. The investigation established that no sensitive data was accessed, but the antivirus vendor hired a database security expert to audit all of its websites.

During the past weekend, the Romanian Hackers Blog published information regarding a successful attack on http://usa.kaspersky.com/support/. According to the attacker, full access to the database containing customer information, support tickets, and even product activation codes had been obtained through SQL injection techniques.

The alleged ethical hacker, who calls himself "unu," did not post any sensitive information stored in the database, which was confirmed to contain around 2,500 customer e-mail addresses and 25,000 software activation keys. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," he said.

However, Vitaly Kamluk, chief malware expert at Kaspersky Lab, who has been involved in the investigation into this incident, claims there were several attackers, not one, and dismisses their good intentions. "After collecting field names, the attackers made a few attempts to extract the data from tables," he writes on the Kaspersky Analyst's Diary Weblog.

Apparently, only a simple mistake prevented them from hitting the jackpot. "Those queries failed because the attackers specified the wrong database," Kamluk explains. "There were several attackers with IP addresses from Romanian ISPs," the analyst also notes.

Meanwhile, during a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg explained that the vulnerability was introduced along with a new update on the support site on January 28. He also pointed out that a Romanian Kaspersky employee came across the blog entry explaining the attack and immediately alerted his U.S. colleagues, who in turn rolled back the website to its stable state before the vulnerable update was deployed.

Vitaly Kamluk shares that the attackers used a free version of an automated probing tool from Acunetix to determine that the site was vulnerable to SQL injection, and then proceeded with manual exploitation. "The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries UPDATE, INSERT, DELETE... were logged," he adds.

Both Kamluk and Schouwenberg challenge the hackers' claim that they published the attack only after e-mails sent to the antivirus vendor went unanswered. "After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond," Kamluk mentions, while Schouwenberg concludes that "They gave us little if any chance to respond."

When asked by the reporters if the company's image might suffer as a result of this security breach, Roel Schouwenberg said that "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened." However, he stressed that "We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again." In this respect, the company has hired world-renowned database security expert David Litchfield to perform an independent security audit of websites belonging to Kaspersky Labs.

"Secure development MUST be a key priority for web development - anywhere, anytime and all the time. It is a lesson to us all - check, check and re-check your processes and your code," Vitaly Kamluk advises. "We are lucky the hackers proved to be more interested in fame than in causing damage," the software engineer concludes.

Note: This article has been updated to correctly attribute the cited material from the Kaspersky weblog, signed VitalyK, to Vitaly Kamluk, chief malware expert at Kaspersky Lab, as opposed to Vitaly Kouzin, software engineer at Kaspersky Lab, whom it originally credited.
 

F-Secure Joins The List Of Compromised Antivirus Websites


The Romanian HackersBlog Claims a New Victim

After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around the target was F-Secure; however, the security breach did not have the potential of disclosing sensitive information.

In a new post published on the HackersBlog, one of the website's admins, Tocsixu, discloses a SQL injection attack against the statistics section of the website belonging to Finnish security company F-Secure. In addition to being vulnerable to SQL injection, the http://stats.f-secure.com website also allowed for code injection through cross-site scripting (XSS).

Successful poisoning of SQL SELECT statements through URL manipulation exposed the tables of what looked like a Microsoft SQL Server 2000 database running on Windows Server 2003 with Service Pack 2.

The compromised tables were: MailboxInfo, VirusUpdated, dtproperties, Country, sysconstraints, VirusTrends, Virus_Top50_24h, Virus_Top50_30days, Virus_Top50_7days, Virus_Top50_90days, Virus_Top50_Month, Virus_Top50_Week, VirusDateTotal, VirusDate, VirusMonthTotal, VirusReports, VirusReportsTemp, VirusTrends.

F-Secure confirmed the security breach, but pointed out that the compromised database contained information about malware statistics that had been made publicly available anyway. "The malware statistics is something we publish anyway at F-Secure Worldmap and, because of our IT security strategy, the impact was minimal," Patrik Runald, senior security specialist at F-Secure, writes on the company's weblog. This is also mentioned by Tocsixu, who points out that "Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity."

The F-Secure analyst explains that the attack was possible because a page on their statistics website didn't properly sanitize its input. He also maintains that no information-altering SQL commands were executed against the database, and that other details on the server could not be reached by the hackers, because the SQL username used by that section of the F-Secure website only had access to the statistics database. "While the attack is something we have to learn from and look at things we need to improve, it's not the end of the world," Patrik Runald concludes.

This is the third time in less than a week that the HackersBlog team has launched a successful SQL injection attack against the website of a security vendor. The first was the U.S. support website of Kaspersky Labs, developer of Kaspersky Antivirus. This was followed by a similar breach on the website of a Bitdefender Antivirus partner in Portugal, http://www.bitdefender.pt.

Even though slow to respond at first, Kaspersky eventually assumed responsibility for the security incident and revealed extensive details about the attack. In addition, the company hired a renowned database security expert to perform a security audit on its websites. Bitdefender, however, kept it short by saying that the website belonged to a reseller and was not controlled by it. Even so, the site was using the Bitdefender name, logo, a very similar website layout, and was selling Bitdefender products. It's unlikely that the Bitdefender users who have had their personal information put at risk care too much about whose website that is.
 

Kaspersky & Bitdefender Websites Hacked


The databases were compromised through SQL injection attacks

Both Kaspersky and Bitdefender antivirus vendors have been left with red faces by a Romanian hacker who obtained access to the SQL databases of two of their websites. The data stored in the databases includes customer information, e-mails, support tickets, and even activation codes.

A hacker going by the nickname of "unu," meaning "one" in Romanian, has reported on Saturday that he compromised the security of the Kaspersky website in USA. In a posting made on HackersBlog, unu published screenshots as well as a list of the tables found in the site's SQL database.

The hacker explained that he obtained full access to the database through SQL injection. SQL injection is a form of URL manipulation that allows passing SQL commands through a URL. It is usually used by hackers to insert rogue data into the database for various purposes. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," the Romanian writes.

Image comment: Kaspersky USA database information screenshot

However, unu's intentions were not malicious. According to The Register, he only decided to go public after he sent messages to several official Kaspersky e-mail addresses and got no response. This is also reflected by the evidence he presented, like the malformed URLs being blurred in the screenshots.

Also, he did not publish any customer information, although he claims to have had complete access to it. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," unu explains.

Image comment: Bitdefender Portugal administrator login credentials screenshot

Kaspersky has partially confirmed the security breach. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," the company claims in a statement.

Tocsixu, one of the admins of HackersBlog, has told The Register that unu hacked the website days before going public, which seems to come into conflict with Kaspersky's account. According to him, the reason why no data has been compromised is only due to the good will of the hacker. "Indeed, no data was compromised from the site because that is not Unu's (our) intention. No sensitive information from the site was stored, legit Kaspersky users can rest assured," he states.

However, after being done with Kaspersky, the hacker turned his attention to another big player on the antivirus market, Bitdefender. In a new post published today, the hacker documents a similar successful SQL injection attack against the website of Bitdefender Portugal. "It seems Kaspersky aren’t the only ones who need to secure their database. Bitdefender has the same problems," unu adds.

He goes on to describe the attack that provided him with access to the database containing administrators' usernames and passwords, the personal details of thousands of customers and sales data. In addition, one table in the database contains a large number of e-mail addresses belonging to people who subscribed to the company's newsletter. "And last a part of the data from the table inscricoes(Newsletter)… thousands of email addresses, candy for possible spammers," the attacker points out.

Like in the case of the Kaspersky incident, unu did not publish any sensitive information and also blacked out the compromising details of the attack in the provided screenshots. Bitdefender has still to confirm and comment on this attack. Stay tuned, we will return with updates if it does.
 

Symantec Website Hacked


Blind SQL Injection Vulnerability Disclosed

The Romanian ethical hacking outfit HackersBlog shames yet another antivirus vendor – Symantec. A SQL injection vulnerability in a section of the Symantec website allows unauthorized access to the database.

Symantec is one of the biggest IT security companies in the world, developing a wide range of products for both home and enterprise consumers. It is a veteran on the antivirus market, its flagship product being Norton Antivirus.

According to “unu,” a Romanian hacker associated with HackersBlog, the Document Download Centre section of the Symantec website contains a poorly-sanitized parameter, which facilitates SQL injection attacks. Successful exploitation results in giving an attacker access to the database.

Image comment: TRUE condition AND 1=1 - Page loads normally

“The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY,” the hacker, who doesn't specify what sensitive information, if any, is stored in that particular database, notes.

Image comment: FALSE condition AND 1=2 - Text disappears

The documented attack is actually a "blind" SQL injection. As opposed to regular SQL injections, such attacks are harder to carry out, because the website does not respond with useful error information that would give the hacker an idea of how to proceed; the attacker has to infer each answer from whether the page content changes.

Image comment: SELECT function, AND (SELECT 1)=1 returns true - Text doesn't disappear

According to the few items of information “unu” has provided, the website runs on an Apache Web server with PHP 5.2.6 and a MySQL 5.0.22 backend. The published screenshots demonstrate how executing SQL commands through URL manipulation alters the content of the page.
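The TRUE/FALSE probing shown in the screenshots is easiest to understand, and to defend against, in code. The following Python example is added here and is not code from HackersBlog, Symantec or the original post: it uses a constructed SQLite table standing in for the download listing, contrasts a string-concatenated lookup with a parameterized one, and then runs a small detector over constructed Apache access-log lines to flag the AND 1=1 / AND 1=2 / AND (SELECT 1)=1 probe sequences that yield different page sizes, the kind of server-log check the BusinessWeek piece above recommends. The table, log format, paths and addresses are all assumptions.

```python
import re
import sqlite3
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for a document-download table (not Symantec's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO docs VALUES (?, ?)", [
        (1, "Norton AntiVirus 2009 datasheet"),
        (2, "Norton Internet Security 2009 guide"),
    ])
    return con


def lookup_vulnerable(con, doc_id):
    """Concatenates the URL parameter into the statement: '1 AND 1=1' keeps the
    row, '1 AND 1=2' drops it, so the page content becomes a true/false oracle."""
    sql = "SELECT title FROM docs WHERE id = " + doc_id
    return [row[0] for row in con.execute(sql).fetchall()]


def lookup_parameterized(con, doc_id):
    """Validates the type and binds the value; appended SQL is never parsed,
    so both probe variants behave identically (here: no row at all)."""
    try:
        n = int(doc_id)
    except ValueError:
        return []
    return [row[0] for row in con.execute(
        "SELECT title FROM docs WHERE id = ?", (n,)).fetchall()]


# Apache combined-log fields we need: client address, request URL, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Boolean tails of the form "AND 1=1", "AND 1=2", "AND (SELECT 1)=1".
PROBE_RE = re.compile(r"\bAND\s+(\(\s*SELECT\s+\d+\s*\)|\d+)\s*=\s*\d+", re.I)


def find_boolean_probes(log_lines):
    """Groups requests by (client, path, parameter) and reports parameters that
    received several boolean probes producing different response sizes, the
    signature of the TRUE/FALSE page-content comparison described above."""
    probes = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["url"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # parse_qs decodes %20 and '+', so the probe text is visible to PROBE_RE
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if PROBE_RE.search(value):
                    probes[(m["ip"], parts.path, name)].append((value, size))
    findings = []
    for (ip, path, name), hits in probes.items():
        if len(hits) >= 2 and len({size for _, size in hits}) > 1:
            findings.append({"client": ip, "path": path, "param": name,
                             "probes": [value for value, _ in hits]})
    return findings


# Constructed access-log sample: one client walking the TRUE/FALSE probes on a
# download page, plus one unrelated visitor. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2009:14:01:02 +0000] "GET /downloads/index.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2009:14:01:09 +0000] "GET /downloads/index.php?id=42%20AND%201=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2009:14:01:15 +0000] "GET /downloads/index.php?id=42%20AND%201=2 HTTP/1.1" 200 3877',
    '203.0.113.7 - - [10/Feb/2009:14:01:21 +0000] "GET /downloads/index.php?id=42%20AND%20(SELECT%201)=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Feb/2009:14:02:00 +0000] "GET /downloads/index.php?id=7 HTTP/1.1" 200 4990',
]


if __name__ == "__main__":
    con = make_db()
    for probe in ("1 AND 1=1", "1 AND 1=2"):
        print(probe, "| vulnerable:", lookup_vulnerable(con, probe),
              "| parameterized:", lookup_parameterized(con, probe))
    for finding in find_boolean_probes(SAMPLE_LOG):
        print("boolean-probe sequence:", finding)
```

In a real deployment the size comparison would be paired with the least-privilege database account F-Secure describes below, so that even a successful probe can reach nothing beyond the one table the page needs.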

“Unu” claims to have contacted Symantec regarding the problem, or at least attempted to. “[...] On the website there is no contact email address for cases such as this, I’ve sent an email to webmaster@symantec.com and security@symantec.com. The email didn’t bounce, so someone must have received it. No answer as of yet,” he writes, while pointing out that more detailed info could be revealed after the company fixes the issue.

During the past two weeks, hackers from the HackersBlog crew have been disclosing various SQL injection vulnerabilities on websites belonging to no less than four antivirus vendors: Kaspersky, F-Secure, Bitdefender, and now Symantec. The site operated by the Bitdefender business partner in Portugal has also been compromised by the same group through SQL injection.

Antivirus vendors are not the only targets of the Romanian group of hackers. Yahoo! has also been the subject of attacks by them more than once, while "unu" has just recently disclosed a similar vulnerability on the website of the International Herald Tribune, the global edition of the New York Times.
 

Chinese & Russian Cyber Spies Hacked US Electrical Grid


Foreign spies have infiltrated the US electrical grid, leaving behind software programs that could disrupt the system in a time of war, American national security officials have claimed.

The intruders, who came from countries including China and Russia, were believed to be attempting to map the US electrical system and work out how it was controlled, according to reports in the Wall Street Journal.

Officials said the cyberspies had not tried to damage the grid, but warned they could during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the paper. "So have the Russians."

The intrusion spread across the country and didn't target any specific companies or regions, a former Department of Homeland Security official said. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Several of the intrusions were detected by US intelligence agencies and not by the companies in charge of the infrastructure, the officials said.

The breaches come as concern grows among the intelligence community over cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the internet.

More worrying was the discovery that the cyberspies had left behind software tools that could be used to destroy infrastructure components, the senior intelligence official said. He told the Wall Street Journal: "If we go to war with them, they will try to turn them on."

Water, sewage and other infrastructure systems were also believed to be at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told politicians. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."
 

Israelis Bring Down Hizbullah Website



An Israeli network security company brought down a Hizbullah-run Web site last week using hacking technology developed in China, Haaretz reported Tuesday. According to the daily, the Israeli company Applicure employed relatively cheap, accessible and easy to use software to bring down the site, english.hizbollah.tv, with only 10 computers.

Nevertheless, in the wake of the report, commentators were already questioning the ways in which privately waged cyber-warfare could affect the tense relationship between avowed enemies like Israel and Hizbullah.

The term used to describe the use of a singular or coordinated assault on a Web site to prevent it from properly functioning is "denial of service" (DOS) or distributed denial of service (DDOS). DOS or DDOS attacks utilize a number of computers, infected by viruses or Trojan horses and grouped into networks, to bombard a Web site with an overwhelming number of illegitimate requests, preventing it from servicing legitimate requests.

DOS is only one of many ways to bring down a Web site or network, but it is often considered the most popular method because it does not require the advanced software used in other forms of Web sabotage.

Computers hijacked by hackers (often without the knowledge of the primary user) are known as bots. Only ten of these bots, according to Haaretz, were needed to interrupt the Hizbullah site.

Haaretz reported that Applicure was "trying out breaking-in tools developed by Chinese hackers," when it brought down the site. The report added that the software used was intended for "laymen," not hackers well-versed in programming.

In addition, the article noted that this particular software is relatively cheap, as little as $260 a year with a limited number of bots, and that its use to disrupt services can earn a user a six-figure income, primarily through blackmail.

Applicure has partners in South Korea, which is reportedly a popular place for Chinese hackers to disrupt Web-based services, especially gaming sites, which are quite popular. China's Computer Emergency Response Team increased its risk assessment to China's internal network twenty fold in 2007.

In the United States, DOS attacks often target online gambling sites where the private information of users, like credit card information can be mined, by infecting the largest number possible of personal computers with Trojan horses.

Citing technology and security experts, the report said this kind of virus infects an entire site and tries to "download" itself onto as many users' computers as possible.
 

Chinese Hack In To Indian Embassies To Steal Dalai Lama's Documents


A China-based cyber spy network has hacked into government and private systems in 103 countries, including those of many Indian embassies and the Dalai Lama, an Internet research group said on Saturday.

The Information Warfare Monitor (IWM), which carried out an extensive 10-month research on cyber spy activities emanating from China, said the hacked systems include the computers of Indian embassies and offices of the Dalai Lama.

Without identifying the Indian embassies, the group said all evidence points to China as the source of this espionage.

The group said it has evidence that the hackers managed to install malicious software, known as malware, on the compromised computers to steal sensitive documents, including those from the Dalai Lama's offices.

The group began its research after Tibetan exiles made allegations of cyber spying by the Chinese.

After initial investigations, when the group widened its research, it found that the China-based cyber espionage network had hacked the computer systems of the embassies of India, Pakistan, Germany, Indonesia, Thailand, South Korea and many other countries.

In all, the hackers had gained access to 1,295 computer systems of foreign ministries of many countries, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, and the Philippines, the researchers said.

After gaining access to foreign government and private computer systems, the hackers installed malware to exercise control over these computer systems to access any documents.

"We have been told by the researchers that the Chinese hackers have gained access to our computers systems all over the world, and taken sensitive documents from the office of His Holiness (the Dalai Lama)," Toronto-based Tibetan student leader Bhutila Karpoche told IANS.

She said, "Our website (studentsforafreetibet.org) has been repeatedly hacked, and we keep getting all kinds of viruses in our emails. This trend has increased in recent months, and we have become very wary about opening our emails."

The findings of the 10-month investigation, titled 'Tracking GhostNet: Investigating a Cyber Espionage Network' (The SecDev Group), are summarized as follows. This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.
 

CyberCrime Server Exposed Through Google Cache


UK & US IDs Exposed to World

A reported 22,000 card records have been exposed through cached copies of data stored on a defunct cybercrime server.

iTnews in Australia reports that 19,000 of the 22,000 exposed details referred to US and UK cards and that data came from Google cache records of a disused internet payment gateway, a line picked up by Slashdot.

However, a security expert told us the information was actually from either a dump or attack site used for credit card fraud. This cybercrime site, registered by someone in Vietnam, is no longer operational.

The data - viewable through Google cache - includes credit card numbers, expiry dates, names and addresses for accounts held with Visa, Mastercard, American Express, Solo and Delta. The information remains available at the time of writing for anyone with the wit to formulate the correct search term.

First spotted by an anonymous Australian, details were posted on a now deleted thread on whirlpool.net.au. Reg readers have since independently located the sensitive information in Google's cache.

"Google can sometimes be a victim of its own effectiveness, having indexed all available content from the criminal's dump server in Vietnam they inadvertently made thousands of UK credit card details available to the casual browser by serving them up from their own cache," explained Rik Ferguson, a security consultant at Trend Micro. "From the moment this content was made public Trend Micro have been working to help Google, over the course of the weekend, to identify and remove all the offending information," he added.

It's not the first time Google's spiders have indexed such sensitive data. In May 2008 net security firm Finjan reported a similar case, where banking login credentials and other data were stored on a crimeware server accessible through Google search queries.
 

Security Experts Warn Of 'Staggering' Rise In Malware



Research Shows Economic Slump Prompting Surge In Online Criminality

Malware volumes grew by a huge 300 per cent during 2008, fuelled in part by continuing job uncertainty, according to new research from security-as-a-service provider ScanSafe.

The firm analysed more than 240 billion web requests in over 80 countries last year, and found a particular growth in exploits and iframe attacks, which rose 1,731 per cent, and data-theft Trojans, which increased by 1,559 per cent.

Mary Landesman, senior security researcher at ScanSafe, suggested that the rise in criminal activity could correspond to the decline in the global economy.

"We saw a continued acceleration of web-delivered malware in 2008, reaching significant peaks in October and November. The numbers are staggering," she said.

"It could be that the increasing job losses and uncertainty are fuelling the surge in criminal activity. It is also likely that cyber crime is a viable business opportunity in a climate where legitimate opportunities are becoming increasingly limited."

ScanSafe also warned that trusted sites are now statistically the most dangerous on the web, as they are frequently hacked using techniques such as SQL injection attacks. The firm recorded 780,000 malicious web pages in April alone as a result of a single SQL injection attack.
 

Police Under Fire In New Database Row


Reports Reveal Police Store Records on Protestors & Journalists


Just a day after the Information Commissioner raided a firm for possessing a covert database of construction workers’ personal information, it emerged that the police force is keeping a potentially illegal database listing the details of political activists and journalists.

In a Guardian newspaper investigation, the Metropolitan Police force, which is said to have pioneered surveillance techniques at demonstrations, was accused of storing details including names, photographs, political associations and video footage of protesters and reporters.

The information is stored on CrimInt, a centralised database used by all police to catalogue criminal intelligence, the report said.

The information was obtained by the paper via Freedom of Information requests, court testimony, an interview with a senior Met officer and police surveillance footage.

According to reports, the data is held by the police for up to seven years, and reviewed each year, so it is unclear whether the ICO will decide to investigate possible breaches of the Data Protection Act.

However, the storage of details belonging to people who have not been convicted or accused of a crime could contravene the Human Rights Act.

The news comes as the ICO seeks to harden its stance on organisations believed to be breaking the Data Protection Act. Last week it began proceedings against a Droitwich firm it accused of holding the details of over 3,000 building site workers without their knowledge.

Public confidence in the state’s policies on data handling is at an all time low after a string of high profile public sector data breach incidents, and widely criticised proposals for a centralised database of communications data.

The police and Home Office also came in for recent criticism after the police were given new powers to hack into individuals’ PCs without a warrant.

Source: vnunet
 

BT Rebuts Database Security Breach Claims


BT has dismissed the significance of supposed vulnerabilities on its systems detailed by infamous hacker Unu on Tuesday.

The Romanian hacker posted screenshots illustrating what he claimed highlighted SQL injections in a posting at Hackersploit.org.

"A faulty parameter, improperly sanitized opens the vault to the pretious (sic) databases. One can gain access to such ordinary things as personal data, login data, and the like," Unu writes. A subsequent post explains that the issue involved blind SQL Injection vulnerabilities involving the site www.comparebroadband.bt.com.

But an investigation by BT concluded that the flaws (such as they are) involved only test systems.

A statement by the telecoms giant explains that its production systems and customer data remain safe.

BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time.

When sites are under test they do not contain live data and are often not included within our secure network until they become operational. BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests. Where a suspected intrusion has occurred BT will act swiftly to ensure our customer data is not at risk.

Our operational systems have not been affected in any way by this attempt to break through our security.

Romanian hacker Unu came to prominence a month ago when he poked at the websites of security vendors, such as Kaspersky Lab and BitDefender, discovering some problems in the process. More recently he has moved on to the websites of large UK businesses, such as those run by Camelot and the Daily Telegraph and now BT, scouring them for database flaws. In all three of the latest cases the firms involved have said that Unu's postings suggest a more severe problem than was actually the case.

Unu's results are genuine but his analysis fails to explain that partner or test sites, rather than the main sites of the Daily Telegraph and BT, for example, have flaws.
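The "faulty parameter, improperly sanitized" in these posts is a query that splices a request parameter straight into the SQL text. As an added illustration that is not from the article or from any BT code, this constructed SQLite schema contrasts such a lookup with a parameterized one on the same inputs; the table, column names and test values are assumptions:

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, level TEXT);
        INSERT INTO users (username, email, level) VALUES
            ('alice', 'alice@example.invalid', 'user'),
            ('bob',   'bob@example.invalid',   'admin');
    """)
    return conn


def lookup_vulnerable(conn, username):
    # The request parameter becomes part of the SQL statement itself, so
    # quote characters in the input change the query's structure.
    sql = ("SELECT username, email FROM users WHERE username = '"
           + username + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver binds the value separately from the statement; whatever the
    # input contains, it is only ever compared against the username column.
    sql = "SELECT username, email FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = build_db()
    normal = "alice"
    # Constructed test input: a stray quote followed by an always-true clause.
    malformed = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_malformed": lookup_vulnerable(conn, malformed),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_malformed": lookup_parameterized(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the malformed input, which is why a single unsanitized parameter can expose a whole table; the parameterized version simply finds no user with that literal name.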
 

Russian Hackers Penetrate Pentagon Computer System in Cyber Attack



Computer hackers suspected of working from Russia successfully penetrated Pentagon computer systems in one of the most severe cyber attacks on US military networks.

The electronic attack was so serious that Adm Michael Mullen, the chairman of the joint chiefs of staff, briefed President George W Bush and Robert Gates, the defence secretary.

Defence officials told the Los Angeles Times that the attack struck computers within the US Central Command, which oversees Iraq and Afghanistan, and involved malicious software - known as "malware" - that permeates a network.

"This one was significant, this one got our attention," said an official, speaking anonymously.

Officials did not disclose the extent of the damage and would not elaborate on the reasons for believing the assault originated in Russia.

The Pentagon and other US government departments face repeated cyber attacks, especially from Russia and China, either from individuals or indirectly from those countries' governments.

Within the past 18 months Russia has been accused of orchestrating major electronic attacks on neighbours Estonia and Georgia.

Source: telegraph.co.uk
 

Serious Security Alert for Monster & USAJobs Users


Careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, have published security alerts to their customers warning of a serious hacking attack.

Feeling a sense of deja vu? Well, you should be as this has happened before.

It appears that Monster.com's database and USAJobs.gov's database were compromised and contact and account information was stolen. Data stolen included users' login names, passwords, email addresses, names, phone numbers and some demographic data.

Here is a short video I have made, explaining the possible impact of this security breach - and explaining why you should take this opportunity to think long and hard about whether you are acting securely with your website passwords:


What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo.

Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the USAJobs.gov website, whose database is run by Monster.



Although the warnings are keen to emphasise what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may be placed in because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have received to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails that look more legitimate because they use the recipient's real name and other personal information (such as user id, phone number or location) are always more successful at socially engineering further details out of people, details that could then be used for identity theft.

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

That means that if hackers have managed to extract your Monster.com or USAJobs.gov password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use Monster.com or USAJobs.gov you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And *then* change your passwords at any other site where you might be using the same password. Make sure, of course, that it's not the same password as the one you are using at Monster - you don't want to make that mistake again.

Worryingly, this isn't the first time that Monster and USAJobs have been targeted by hackers who have stolen data about their users. 18 months ago, as this 2007 report from Reuters reveals, hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed up by a widespread phishing email campaign.
 

SQL Injection in BT.com (British Telecommunications)



“BT is one of the world’s leading providers of communications solutions and services operating in 170 countries. Its principal activities include networked IT services, local, national and international telecommunications services, and higher-value broadband and internet products and services. BT consists principally of four lines of business: BT Global Services, Openreach, BT Retail and BT Wholesale.”

“The most complete UK broadband, phone lines and mobile products, digital TV, web hosting, online security and networked IT services for home”

The description says it all. One of the giants in IT, mobile, TV and internet services. A giant company with a huge database. You don’t need to be an internet whiz, not even computer literate, to understand the tremendous implications that result from such a database being vulnerable.

A faulty parameter, improperly sanitized, opens the vault to the precious databases. One can gain access to such ordinary things as personal data, login data, and the like. In the first syntax I concatenated the table names as well as the version and the user of the database.



Let's see some of the user login data for different databases (among which, of course, the admins of the respective sections).



As well as the login data and personal data (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) for some of the registered users.

 

Daily Telegraph Hit by SQL Injection Attack



Vulnerabilities on a Daily Telegraph website have been exposed by serial grey-hat hacker Unu.

In a posting on the hackersblog site Unu outlines a number of SQL injection security weaknesses on the newspaper's website. The entry, which includes screenshots to substantiate the claim, claims that subscriber email addresses were potentially left open to harvesting as a result of security shortcomings with the site.

More seriously, passwords in clear text were also reportedly exposed.

In a statement, Paul Cheesbrough, chief information officer for Telegraph Media Group, said the attack affected a partner site and not the main Telegraph website.

"The hack interrogated database tables behind one of our partner sites - search.property.telegraph.co.uk - and exposed a weakness in the way that particular site had been coded," Cheesbrough said.

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously. We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention."

The hacker first became famous for scouring the websites of security vendors, such as Kaspersky Lab and BitDefender, for problems. He's since moved on to looking for flaws on more mainstream websites, such as those run by Camelot and the Daily Telegraph.

Trend Micro notes recent research found that three in five (61 per cent) of people use the same password for multiple sites. The compromise of any one site - even if the information it holds isn't particularly sensitive - therefore poses an identity theft risk for those who fail to practice password security.

Here are some of the database names and their version:



Users passwords are in plain view:



Besides numerous interesting tables there is one that contains email addresses of those receiving the newsletter. A real treasure for spammers. In the syntax you can see there are quite a bunch of them. I concatenated the 700.000th email address.