Showing posts with label Identity Theft.

Indian Cyber Space Under Attack


The Indian cyberspace is under attack and is being increasingly targeted by hackers and cyber criminals from neighbouring countries.

ICERT (Indian Computer Emergency Response Team) statistics show a rise in defacement cases. In January, 466 cases were reported whereas in January 2008 the number was 81.

Defacement of a website means changing the original content on the website by editing or adding fake information about people, organisation, or issues.

"Defacement can lead to serious problems for an organisation or a government body owning a website," Vijay Mukhi of the Foundation for Information Security and Technology (FIST) said.

"If some fake information is added on a website, it can lead to huge monetary as well as other losses for the owner. Defacement can be done by hacking into a website or by using some flaws in the software."

The ICERT report has divided the cases of defacement into two sections -- defacement cases in TLD (Top Level Domain) websites and CCTLD (Country Code Top Level Domain). Websites that fall in the TLD category have extension codes such as com, org, net, and edu whereas CCTLD websites have extension codes such as in, ac.in, gov.in, or edu.in.

"Cases reported to ICERT deal with mostly government websites that have been defaced," a cyber crime expert said. "On most occasions, the person defacing the website is traced to foreign countries. This makes it difficult to take any action against them."

Mukhi said several cases of defacement were not reported to ICERT. "This is another reason why no action can be taken against culprits," he said. "People should register complaints. One should keep upgrading the operating system and other software to prevent websites being defaced."
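
The article defines defacement as an unauthorised change to a site's published content; the routine check that catches it is a content-integrity baseline. The following is an added example, not code from ICERT, FIST or the article: it records a SHA-256 digest for every known-good page, compares a later snapshot against that baseline, and reports pages that changed, vanished or appeared. The page bodies are constructed sample data; a real monitor would fetch them from the live site.

```python
"""Content-integrity check for detecting website defacement.

Added example: a baseline of SHA-256 digests is recorded when the site is
known good, and later snapshots are compared against it. The page contents
below are constructed sample data.
"""
import hashlib
from typing import Dict, List


def page_digest(body: bytes) -> str:
    """SHA-256 hex digest of a page body."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Map each URL path to the digest of its known-good content."""
    return {path: page_digest(body) for path, body in pages.items()}


def check_site(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a fresh snapshot to the baseline.

    Returns the paths that changed, that vanished, and that were added
    (each list sorted so the report is stable).
    """
    report: Dict[str, List[str]] = {"changed": [], "missing": [], "new": []}
    for path, expected in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif page_digest(current[path]) != expected:
            report["changed"].append(path)
    for path in current:
        if path not in baseline:
            report["new"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed sample: the known-good site at baseline time.
KNOWN_GOOD = {
    "/index.html": b"<html><body><h1>Ministry portal</h1></body></html>",
    "/contact.html": b"<html><body>Phone: 000-0000 (placeholder)</body></html>",
}

# Constructed sample: a later crawl in which one page was altered and an
# unexpected page appeared, the pattern a defacement leaves behind.
LATER_SNAPSHOT = {
    "/index.html": b"<html><body><h1>Ministry portal</h1></body></html>",
    "/contact.html": b"<html><body>Phone: 999-9999 (altered)</body></html>",
    "/readme.html": b"<html><body>unexpected page</body></html>",
}


def demo() -> Dict[str, List[str]]:
    """Run the comparison on the constructed snapshots."""
    return check_site(build_baseline(KNOWN_GOOD), LATER_SNAPSHOT)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the web server's account cannot write, otherwise whoever alters the pages can alter the digests too.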
 

Why Osama Doesn't Have a Facebook Account


Al Qaeda may have been a pioneer in exploiting new media to spread propaganda and recruit members. But now, many experts feel the terror group is falling behind. Despite all the hand-wringing in U.S. intelligence circles, Osama & Co. don't seem to be comfortable with Web 2.0-style applications. Marc Lynch explains why, in a must-read post. Here's a snip:

Social networking: one of the biggest problems for a virtual network like AQ today is that it needs to build connections between its members while protecting itself from its enemies. That's a filtering problem: how do you get your people in, and keep intelligence agents out? An AQMonster.com database would be easy pickings - an online list of all the 'explosives experts' would be a gift to intelligence, no? An AQFacebook or AQSpace might create an identifiable universe of jihadist sympathizers, but again would probably help intelligence agencies as much as AQ. Perhaps an AQLinkedIn model, where members need to be recommended by a current member would reproduce the low-tech approach of allowing in trusted members and keeping out unknown quantities. This could potentially strengthen the 'organization' part... but at the expense of a greater distance from the pool of potential recruits who would not be sufficiently trusted to join. Overall it's hard to see how AQ could adapt social networking without creating such vulnerabilities. Its rivals, on the other hand, have no such problems - Muslim Brotherhood youth are all over Facebook.
 

Spy Fears: Twitter Terrorists, Cell Phone Jihadists


Could Twitter become terrorists' newest killer app? A draft Army intelligence report, making its way through spy circles, thinks the miniature messaging software could be used as an effective tool for coordinating militant attacks.

For years, American analysts have been concerned that militants would take advantage of commercial hardware and software to help plan and carry out their strikes. Everything from online games to remote-controlled toys to social network sites to garage door openers has been fingered as possible tools for mayhem.

This recent presentation -- put together by the Army's 304th Military Intelligence Battalion and found on the Federation of American Scientists website -- focuses on some of the newer applications for mobile phones: digital maps, GPS locators, photo swappers, and Twitter mash-ups of it all.

The report is roughly divided into two halves. The first is based mostly on chatter from Al-Qaeda-affiliated online forums. One Islamic extremist site discusses, for example, the benefits of "using a mobile phone camera to monitor the enemy and its mechanisms." Another focuses on the benefits of the Nokia 6210 Navigator, and how its GPS utilities could be used for "marksmanship, border crossings, and in concealment of supplies." Such software could allow jihadists to pick their way across multiple routes, identifying terrain features as they go. A third extremist forum recommends the installation of voice-modification software to conceal one's identity when making calls. Excerpts from a fourth site show cell phone wallpapers that wannabe jihadists can use to express their affinity for radicalism:

Then the presentation launches into an even-more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, "Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention," the report notes. "The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time."

Terrorists haven't done anything similar, the Army report concedes - although it does note that there are "multiple pro and anti Hezbollah Tweets." Instead, the presentation lays out three possible scenarios in which Twitter could become a militant's friend:

Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]... Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow ”B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.

Steven Aftergood, a veteran intelligence analyst at the Federation of American Scientists, doesn't dismiss the Army presentation out of hand. But nor does he think it's tackling a terribly serious threat. "Red-teaming exercises to anticipate adversary operations are fundamental. But they need to be informed by a sense of what's realistic and important and what's not," he tells Danger Room. "If we have time to worry about 'Twitter threats' then we're in good shape. I mean, it's important to keep some sense of proportion."
 

Online Jihadists Plan for 'Invading Facebook'


Online jihadists have already used YouTube, blogs and other social media to spread their propaganda. Now, a group of internet Islamic extremists is putting together a plan for "invading Facebook."

"We can use Facebook to fight the media," notes a recent posting on the extremist al-Faloja forum, translated by Jihadica.com. "We can post media on Facebook that shows the Crusader losses."

"We have already had great success in raiding YouTube," the poster adds. "American politicians have used Facebook to get votes, like the house slave Obama."

Groups like al-Qaida were pioneering users of the internet — to train, share ideas and organize. But some observers, like George Washington University professor Marc Lynch, see a reluctance to embrace Web 2.0 tools like Facebook. "One of the biggest problems for a virtual network like AQ today is that it needs to build connections between its members while protecting itself from its enemies. That's a filtering problem: How do you get your people in, and keep intelligence agents out?" he asks.

But as Jihadica.com author and West Point Combating Terrorism Center fellow William McCants notes, the proposed Facebook invasion "is not an attempt to replicate [existing] social networks." Instead, "the members of the campaign want to exploit existing networks of people who are hostile to them and presumably they will adopt new identities once they have posted their material."

The al-Faloja poster suggests seven "brigades" work together within Facebook. One will distribute videos and writing of so-called "martyrs." Another will spread military training material. Most of them will work in Arabic, presumably. But one of the units will focus just on spreading English-language propaganda through Facebook.
 

Wage Cyberwar Against Hamas, Surrender Your PC


A group of Israeli students and would-be cyberwarriors have developed a program that makes it easy for just about anyone to start pounding on pro-Hamas websites. But using this "Patriot" software, to join in the online fight, means handing over control of your computer to the Israeli hacker group.

"While you're running their program, they can do whatever they want with your computer," said Mike La Pilla, manager of malicious code operations at Verisign iDefense, an electronic security firm.

The online collective "Help Israel Win" formed in late December, as the current conflict in Gaza erupted. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," "Liri," one of the group's organizers, told Danger Room.

So they created a simple program, supposedly designed to overload Hamas-friendly sites like qudsnews.net and palestine-info.info. In recent years, such online struggles have become key components in the information warfare that accompanies traditional bomb-and-bullets conflicts. Each side tries to recruit more and more people -- and more and more computers -- to help in the network assaults. Help Israel Win says that more than 8,000 people have already downloaded and installed its Patriot software. It's a small part of a larger, increasingly sophisticated propaganda fight between supporters of Israel and Hamas that's being waged over the airwaves and online.

Help Israel Win, which has websites in Hebrew, English, Spanish, French, Russian and Portuguese, doesn't say much about how the program functions -- only that it "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

Analysis from iDefense and the SANS Institute, however, reveals that computer users put their PCs at risk when they run the Patriot software. The program connects a computer to one of a number of Internet Relay Chat (IRC) servers. Once the machine is linked up, Help Israel Win can order it to do just about anything.

The Patriot program does something "fishy," SANS Institute security specialist Bojan Zdrnja said, by retrieving "a remote file and sav[ing] it on the local machine as TmpUpdateFile.exe." That could easily be a "trojan," Zdrnja said, referring to a program that sneaks malicious code onto a computer.

"While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there -- there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," Zdrnja wrote.

Liri, with Help Israel Win, conceded that "the Patriot code could be used as a trojan." However, "practically it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code... never have and never will," Liri said. "The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application."

It's also unclear how much the Patriot program is really helping the Israeli side in the online information war.

La Pilla has been monitoring Help Israel Win's IRC servers for days. "They didn't make us download and install anything. Didn't make us [attack] anybody. I was basically just sitting idle on their network." The group claims to have shut down sarayaalquds.org and qudsvoice.net. But, as of now, the rest of the group's pro-Hamas targets remain online. Meanwhile, Help Israel Win has had to shift from website to website, as they come under attack from unknown assailants.
 

Open Wi-Fi Aids Terrorists, Mumbai Cops Say


Open wi-fi is a terrorist tool and has to be shut down, right this second. That's the conclusion, at least, of the Mumbai police. Starting today, the Times of India reports, "several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks."

"If a particular place's wi-fi is not password-protected or secured then the policemen at the spot have the authority to issue notice to the owner of the wi-fi connection directing him to secure the connection," deputy commissioner of police Sanjay Mohite tells The Hindu. Repeat wi-fi offenders may receive "notices under the Criminal Procedure Code," another senior officer warns the Times.

Mohite notes that e-mails taking credit for terror attacks in New Delhi and Ahmedabad were sent through open wireless networks. "Unprotected IP addresses can be misused for cyber crimes," he says. Other Indian cities now require cyber cafes to install surveillance cameras, and to collect identification from all customers.

But plugging up all those perceived security sieves in Mumbai is going to take some work. A quick Sheriff's Brigade survey on Sunday showed that 80 percent of wi-fi networks in South Mumbai were left unlocked. And it's not like terrorists are all that 802.11-dependent, of course. An e-mail also took credit for December's massacre in Mumbai. Whether that came from an open wi-fi connection or not is unclear -- the mailer used an anonymizer service, to cover his electronic tracks.
 

Student Sentenced For F-ucked Up Grade Hack


A university student in Florida on Tuesday was sentenced to 22 months in prison for his role in a bungled scheme to hack into his school's computer system and make hundreds of grade changes.

Christopher Jacquette, 29, of Tallahassee was also ordered to serve three years of supervised release for his part in the plot, which used keyloggers to access protected computers at Florida A & M University, according to federal prosecutors. Along with cohorts Lawrence Secrease and Marcus Barrington, his caper reads like a modern-day episode of The Three Stooges.

The tale begins in August 2007, when Jacquette installed keyloggers onto several of the university's computers after sneaking into a locked ballroom where student registration was taking place. In short order, the trio had access to the school's PeopleSoft accounts. They promptly used it to change dozens of grades belonging to them and their friends, in many cases from Fs to As.

Naturally, these under-achieving students weren't the sharpest tools in the shed, and they made some mistakes along the way. A university audit quickly revealed the presence of the keyloggers, and the discovery gave up several email addresses under the control of the students. University logs also showed that the grade changes were made using internet accounts from the students' homes.

When police questioned Barrington's sister about changes made to her grades, she said she believed they were an act of God.

Then, within hours of being interrogated, Barrington convened a meeting where the trio would plan how to sneak keylogging software on university computers a second time. The university had reversed the altered grades, it seems, and the students were intent on changing them back. According to court documents, they did just that, boosting 16 grades belonging to Jacquette and 12 belonging to Barrington.

The students also used their unauthorized access to change the residency status of several students so they wouldn't have to pay out-of-state fees that were more expensive. After Jacquette received $600 apiece from two students, he used his cell phone to send a text message instructing Barrington to change the students' residence. After Jacquette gave consent to have his cell phone searched, investigators found several passwords belonging to university employees.

Court documents charged all three students with four felonies in connection with the alleged scheme. The status of Barrington and Secrease wasn't immediately known. Prosecutors weren't available late Tuesday to clarify.

In all, the trio changed some 650 grades belonging to 90 students. About 114 of the grades were Fs that were converted to As. Because the changes to grades and residency status would have allowed students to receive lower tuition fees, it could have had the effect of costing the university hundreds of thousands of dollars, prosecutors alleged.
 

Romanian Cybercriminal Gang Dismantled


Twelve Students Arrested For Taking Part In A Major Phishing Operation
The Romanian Direction for Investigating Organized Crime and Terrorism (DIICOT) along with local authorities have descended on multiple locations in several cities and arrested 20 persons suspected of being members of a cybercriminal gang. The seven-year-long operation, which involved phishing and fake eBay auctions, is said to have brought the cybercrooks illegal gains of over 500,000 euros.

According to the investigators, the network was very well structured, with its members operating out of Romania, Italy, Spain and the UK. The Romanian branch was co-ordinating the operation and its members were moving from city to city in order to avoid being caught.

However, an important nucleus was formed in Iasi, because it is one of the largest cities in the country and, most importantly, a big university center. This allowed the leaders of the gang to recruit students from the specialized universities here, who were willing to earn some extra cash.

A judge has decided that twelve of the individuals will be detained under temporary arrest for 29 days, while another seven have been released, but are not allowed to leave the country. All of them were studying in Iasi, at the Faculty of Automatic Control and Computer Engineering from the "Gh. Asachi" Technical University, or at the Faculty of Computer Science from the "A. I. Cuza" University. The oldest of the arrested students is 25 years old.

"The DIICOT prosecutors have coordinated an operation to dismantle an organized criminal group, which between 2002 and 2009 has organized fictitious auctions on the Internet, especially on the www.ebay.com, www.ebay.it and www.ebay.ca websites, the cloning of the websites of several banks from UK and Italy, such as www.poste.it, www.ubibanca.it, www.cartasi.it, www.hsbc.co.uk and have used, without authorization, the credit card details obtained through phishing, in order to transfer sums of money into other accounts under the control of the group's members," Daniel Horodniceanu, one of the prosecutors, announced.

He also noted that, given the current evidence, the prosecution could legally prove only a fraud of 280,000 euros, but that the real amount was likely to be much bigger.

The members of the network living in other countries were withdrawing money from the targeted banks and were wiring the cash to the leaders in Romania, through Western Union. One interesting aspect is that the students, who were actually doing all the work, did not earn too much, compared with the heads of the operation.

For example, one of the arrested individuals was living in a student dorm, because he couldn't afford to pay rent for an apartment in the city. The parents of most of the students were still sending them food and money every month. Meanwhile, the ringleaders were living in luxury flats and had expensive cars.

"A total of 22 raids were performed in different locations across the counties of Iasi, Valcea, Mehedinti and the municipality of Bucharest, at the homes of the group's members. Three luxury cars, gold jewels weighing 100 grams, 2065 euros, 2150 British pounds, 2200 Romanian lei, 20 notebooks and desktop computers, 30 memory cards, hundreds of CDs and DVDs and two plasma TVs were seized," Chief Commissioner Gheorghe Zbarnea, the head of the Brigade for Fighting Organized Crime, Iasi branch, informed.


The names of the individuals brought before the judge are: the brothers Andrei and Ciprian Ilasoaia, Valentin Pintiliasa, Mihai Adrian Slatineanu, Paul Andrei Chiriac, Catalin Muraru, Ciprian Micutaru, Bogdan Tirpescu, George Duduman, Andrei Corneliu Ciubotariu, Ionut Baraganescu and Florian Martin. All of them stand accusations of constituting and associating themselves in an organized criminal group, adhering to or supporting in any way an organized criminal group, committing computer infractions, gaining access to a computer system without authorization, unauthorized possession and utilization of a password, access code in order to commit computer crimes, and two have already admitted to their actions.
 

Hackers Infect BusinessWeek Website via SQL Injection Attack


The website of the world renowned magazine has been subject of an SQL injection attack

BusinessWeek has just joined a group of highly rated and visited websites that fell victims to SQL injection attacks. Graham Cluley, Senior Technology Consultant for the security company Sophos, disclosed that parts of the website of the popular weekly magazine were attempting to serve malware from a Russian server.

SQL Injection has been at the top of vulnerability trends in recent years along with XSS (cross-site scripting). The SQL Injection name comes from the end-result of the exploitation of such a vulnerability, which is to inject malicious code into the web application's SQL database. This code is generally used to spread malware from third-party servers.

The new BusinessWeek incident adds to the other 16,000 pages affected by SQL Injection discovered daily (according to a Sophos report). Mr. Cluley points out that hundreds of individual BusinessWeek pages from a section of the website were affected. What's even worse is that the particular section was addressed to MBA students looking for career opportunities.

The injected malicious code was trying to serve malware from a .ru website, but the server in question was offline at the time when the attack was discovered. According to Cluley, this wasn't necessarily permanent and the status of the website could have changed, which would have posed a serious security risk to the personal or financial information of the users. A BusinessWeek spokesman commented for The Register that, following their investigation, it was determined that no sensitive information had been compromised and that the particular web application affected had been removed from their website.

(Video: "BusinessWeek website infected by malware," from Sophos Labs on Vimeo.)

Even so, Mr. Cluley pointed out that BusinessWeek had been notified about this last week, and two days ago the malicious code was still online. All companies should work to fix these problems as soon as possible, as time is essential with these attacks: the longer the code remains online, the higher the chances that more people get infected.

In a short video, Cluley outlines the basic steps companies should take in order to prevent such incidents. They include adopting development best practices, ensuring web applications run with the lowest possible database privileges, constantly checking server logs for suspicious activity, and using programs designed to tighten the security of web applications.
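
One of the steps above is checking server logs for suspicious activity. The following is an added example, not code from Sophos or the article, of what such a check looks like in practice: it parses Apache/nginx-style combined log lines, URL-decodes each request target (repeating the decode, since double-encoding is a common evasion), and flags requests that carry the usual injection indicators. The log lines are constructed sample data, the IP addresses are documentation ranges, and the path `/careers/list.asp` is an assumed stand-in for the affected career section, not the real BusinessWeek URL.

```python
"""Scan web server access logs for SQL-injection-style request patterns.

Added example: a small detector over combined-format log lines. The sample
log below is constructed, not taken from any real server.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Combined log format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Indicators that rarely appear in legitimate query strings. Each rule is
# checked against the decoded, lower-cased request target.
INDICATORS = [
    ("sql-keyword", re.compile(r"\b(union\s+(all\s+)?select|information_schema|sysobjects|syscolumns)\b")),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$|;\s*--")),
    ("tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b")),
]


def decode_target(path: str) -> str:
    """Decode percent-encoding until it stops changing (handles double-encoding)."""
    decoded = path
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator, ip) pairs for every rule the request matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = decode_target(m.group("path"))
    return [(name, m.group("ip")) for name, rx in INDICATORS if rx.search(target)]


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, ip) for each hit across the log."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for indicator, ip in scan_line(line):
            hits.append((lineno, indicator, ip))
    return hits


# Constructed sample log lines: one normal request, two probes from the
# same source, and a benign search that happens to contain an SQL word.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2009:10:00:01 +0000] "GET /careers/list.asp?school=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2009:10:00:02 +0000] "GET /careers/list.asp?school=12%27%20UNION%20SELECT%20name%20FROM%20sysobjects-- HTTP/1.1" 500 312 "-" "scanner/1.0"',
    '198.51.100.7 - - [10/Feb/2009:10:00:03 +0000] "GET /careers/list.asp?school=12%27%20or%20%271%27%3D%271 HTTP/1.1" 200 99000 "-" "scanner/1.0"',
    '203.0.113.9 - - [10/Feb/2009:10:00:04 +0000] "GET /search?q=what+is+a+union HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for lineno, indicator, ip in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {indicator} from {ip}")
```

The benign fourth line is there deliberately: a rule that fired on the bare word "union" would drown the analyst in false positives, so the keyword rule requires the full `union ... select` phrase. Pairing hits with the source address, as the output does, is what lets a 500 response followed by an unusually large 200 from the same host stand out as a probe that succeeded.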
 

Kaspersky Reveals Details of Attack on Its Website


The Antivirus Vendor Claims That No Customer Data Has Been Compromised

After a SQL injection attack against the US support website belonging to Kaspersky Labs was published on the Romanian Hackers Blog, the company disclosed details of the security breach. The investigation established that no sensitive data was accessed, but the antivirus vendor hired a database security expert to audit all of its websites.

During the past weekend, the Romanian Hackers Blog published information regarding a successful attack on http://usa.kaspersky.com/support/. According to the attacker, full access to the database containing customer information, support tickets, and even product activation codes had been obtained through SQL injection techniques.

The alleged ethical hacker who is calling himself "unu" did not post any sensitive information stored in the database, which was confirmed to contain around 2,500 customer e-mail addresses and 25,000 software activation keys. "This time I will not (for reasons that need no explanation) publish any screenshot containing personal details or activation code," he said.

However, Vitaly Kamluk, chief malware expert at Kaspersky Lab, who has been involved in the investigation into this incident, claims there were several attackers, not one, and dismisses their good intentions. "After collecting field names, the attackers made a few attempts to extract the data from tables," he writes on the Kaspersky Analyst's Diary Weblog.

Apparently, only a simple mistake prevented them from hitting the jackpot. "Those queries failed because the attackers specified the wrong database," Kamluk explains. "There were several attackers with IP addresses from Romanian ISPs," the analyst also notes.

Meanwhile, during a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg explained that the vulnerability was introduced along with a new update on the support site on January 28. He also pointed out that a Romanian Kaspersky employee came across the blog entry explaining the attack and immediately alerted his U.S. colleagues, who in turn rolled back the website to its stable state before the vulnerable update was deployed.

Vitaly Kamluk shares that the attackers used a free version of an automated probing tool from Acunetix to determine that the site was vulnerable to SQL injection, and then proceeded with manual exploitation. "The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries UPDATE, INSERT, DELETE... were logged," he adds.

Both Kamluk and Schouwenberg challenge the hackers' claim that they published the attack only after e-mails sent to the antivirus vendor went unanswered. "After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond," Kamluk mentions, while Schouwenberg concludes that "They gave us little if any chance to respond."

When asked by the reporters if the company's image might suffer as a result of this security breach, Roel Schouwenberg said that "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened." However, he stressed that "We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again." In this respect, the company has hired world-renowned database security expert David Litchfield to perform an independent security audit of websites belonging to Kaspersky Labs.

"Secure development MUST be a key priority for web development - anywhere, anytime and all the time. It is a lesson to us all - check, check and re-check your processes and your code," Vitaly Kamluk advises. "We are lucky the hackers proved to be more interested in fame than in causing damage," the software engineer concludes.

Note: This article has been updated to correctly attribute the cited material from the Kaspersky weblog, signed VitalyK, to Vitaly Kamluk, chief malware expert at Kaspersky Lab, as opposed to Vitaly Kouzin, software engineer at Kaspersky Lab, whom it originally credited.
 

F-Secure Joins The List Of Compromised Antivirus Websites


The Romanian HackersBlog Makes a New Victim

After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around it was F-Secure; however, the security breach did not have the potential of disclosing sensitive information.

In a new post published on the HackersBlog, one of the website's admins, Tocsixu, discloses a SQL injection attack against the statistics section of the website belonging to Finnish security company F-Secure. In addition to being vulnerable to SQL injection, the http://stats.f-secure.com website also allowed for code injection through cross-site scripting (XSS).

Successful poisoning of SQL SELECT statements through URL manipulation exposed the tables of what looked like a Microsoft SQL Server 2000 database running on Windows Server 2003 with Service Pack 2.

The compromised tables were: MailboxInfo, VirusUpdated, dtproperties, Country, sysconstraints, VirusTrends, Virus_Top50_24h, Virus_Top50_30days, Virus_Top50_7days, Virus_Top50_90days, Virus_Top50_Month, Virus_Top50_Week, VirusDateTotal, VirusDate, VirusMonthTotal, VirusReports, VirusReportsTemp, VirusTrends.

F-Secure confirmed the security breach, but pointed out that the compromised database contained information about malware statistics that had been made publicly available anyway. "The malware statistics is something we publish anyway at F-Secure Worldmap and, because of our IT security strategy, the impact was minimal," Patrik Runald, senior security specialist at F-Secure, writes on the company's weblog. This is also mentioned by Tocsixu, who points out that "Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity."

The F-Secure analyst explains that the attack was possible because a page on their statistics website didn't properly sanitize the input. He also maintains that no information altering SQL commands was executed against the database, and that other details on the server could not be reached by the hackers, because the SQL username used by that section of the F-Secure website only had access to the statistics database. "While the attack is something we have to learn from and look at things we need to improve, it's not the end of the world," Patrik Runald concludes.

This is the third strike in less than a week in which the HackersBlog team launched a successful SQL injection attack against the website of a security vendor. The first was the U.S. support website of Kaspersky Labs, developer of Kaspersky Antivirus. This was followed by a similar breach on the website of a Bitdefender Antivirus partner in Portugal, http://www.bitdefender.pt.

Even though slow to respond at first, Kaspersky eventually assumed responsibility for the security incident and revealed extensive details about the attack. In addition, the company hired a renowned database security expert to perform a security audit on its websites. Bitdefender, however, only kept it short by saying that the website belonged to a reseller and was not controlled by it. Even so, the site was using the Bitdefender name, logo, a very similar website layout and was selling Bitdefender products. It's unlikely that the Bitdefender users who have had their personal information put at risk care too much about whose website that is.
 

Kaspersky & Bitdefender Websites Hacked


The databases were compromised through SQL injection attacks

Both Kaspersky and Bitdefender antivirus vendors have been left with red faces by a Romanian hacker who obtained access to the SQL databases of two of their websites. The data stored in the databases includes customer information, e-mails, support tickets, and even activation codes.

A hacker going by the nickname of "unu," meaning "one" in Romanian, reported on Saturday that he had compromised the security of the Kaspersky website in the USA. In a posting made on HackersBlog, unu published screenshots as well as a list of the tables found in the site's SQL database.

The hacker explained that he obtained full access to the database through SQL injection. SQL injection exploits a web page that inserts a URL parameter into a database query without sanitizing it, so that SQL commands passed through the URL are executed by the database. It is usually used by hackers to insert rogue data into the database for various purposes. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," the Romanian writes.

Image comment: Kaspersky USA database information screenshot

However, unu's intentions were not malicious. According to The Register, he only decided to go public after he sent messages to several Kaspersky official e-mails and got no response. This is also reflected by the evidence he presented, like the malformed URLs being blurred in the screenshots.

Also, he did not publish any customer information, although he claims to have had complete access to it. "This time I will not (for reasons that need no explanation) publish any screenshot containing personal details or activation code," unu explains.

Image comment: Bitdefender Portugal administrator login credentials screenshot

Kaspersky has partially confirmed the security breach. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," the company claims in a statement.

Tocsixu, one of the admins of HackersBlog, has told The Register that unu hacked the website days before going public, which seems to come into conflict with Kaspersky's account. According to him, the reason why no data has been compromised is only due to the good will of the hacker. "Indeed, no data was compromised from the site because that is not Unu's (our) intention. No sensitive information from the site was stored, legit Kaspersky users can rest assured," he states.

However, after being done with Kaspersky, the hacker turned his attention to another big player on the antivirus market, Bitdefender. In a new post published today, the hacker documents a similar successful SQL injection attack against the website of Bitdefender Portugal. "It seems Kaspersky aren’t the only ones who need to secure their database. Bitdefender has the same problems," unu adds.

He goes on to describe the attack that provided him with access to the database containing administrators' usernames and passwords, the personal details of thousands of customers and sales data. In addition, one table in the database contains a large number of e-mail addresses belonging to people who subscribed to the company's newsletter. "And last a part of the data from the table inscricoes(Newsletter)… thousands of email addresses, candy for possible spammers," the attacker points out.

Like in the case of the Kaspersky incident, unu did not publish any sensitive information and also blacked out the compromising details of the attack in the provided screenshots. Bitdefender has yet to confirm and comment on this attack. Stay tuned, we will return with updates if it does.
 

Symantec Website Hacked


Blind SQL Injection Vulnerability Disclosed

The Romanian ethical hacking outfit HackersBlog shames yet another antivirus vendor – Symantec. A SQL injection vulnerability in a section of the Symantec website allows unauthorized access to the database.

Symantec is one of the biggest IT security companies in the world, developing a wide range of products for both home and enterprise consumers. It is a veteran on the antivirus market, its flagship product being Norton Antivirus.

According to “unu,” a Romanian hacker associated with HackersBlog, the Document Download Centre section of the Symantec website contains a poorly-sanitized parameter, which facilitates SQL injection attacks. Successful exploitation gives an attacker access to the database.

Image comment: TRUE condition AND 1=1 - Page loads normally

“The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY,” the hacker, who doesn't specify what sensitive information, if any, is stored in that particular database, notes.

Image comment: FALSE condition AND 1=2 - Text disappears

The documented attack is actually a “blind” SQL injection. As opposed to regular SQL injections, such attacks are harder to carry out, because the website does not respond with useful error information that would give the hacker an idea of how to proceed; instead, whether an injected condition is true or false has to be inferred from changes in the page content, which is what the screenshots above illustrate.

Image comment: SELECT function, AND (SELECT 1)=1 returns true - Text doesn't disappear

According to the few items of information “unu” has provided, the website runs on an Apache Web server with PHP 5.2.6 and a MySQL 5.0.22 backend. The published screenshots demonstrate how executing SQL commands through URL manipulation alters the content of the page.
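To make concrete what the articles above describe (the unsanitized URL parameter in the Kaspersky write-up and the "text appears / text disappears" boolean probes in the Symantec screenshots), here is an added example that is not code from the original page, from HackersBlog or from any of the vendors named. It stands in a PHP/MySQL page with a Python function over an in-memory SQLite table; the table name, columns and rows are constructed for the example. The vulnerable lookup concatenates the parameter into the statement, so the page's own `AND 1=1` / `AND 1=2` conditions change what it returns; the hardened lookup validates the type and binds the value, so the same strings are simply rejected.

```python
import sqlite3

# Constructed stand-in for a "document download centre" lookup page. The table,
# its columns and its rows are invented for this example and are not from
# Symantec, Kaspersky or Bitdefender.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO documents (id, title) VALUES (?, ?)",
        [(1, "Product datasheet"), (2, "Installation guide")],
    )
    conn.commit()
    return conn


def fetch_title_vulnerable(conn, doc_id):
    """Unsanitised lookup: the URL parameter is concatenated straight into the SQL.

    Whatever text arrives in ?id= becomes part of the statement, so a value such
    as "1 AND 1=2" rewrites the WHERE clause instead of being treated as a number.
    """
    sql = "SELECT title FROM documents WHERE id = " + doc_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_title_safe(conn, doc_id):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    Anything that is not an integer is rejected before a query is built, and a
    bound value is only ever compared as data, never parsed as SQL.
    """
    try:
        doc_id = int(doc_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def boolean_probe(conn, fetch, base_id, condition):
    """Reproduce the observation from the screenshots: does the title still render
    once a condition is appended to the id parameter?

    On the vulnerable lookup the answer tracks the truth of the condition (this
    is the "blind" oracle); on the safe lookup it is always False, because the
    whole string fails integer validation.
    """
    return fetch(conn, f"{base_id} AND {condition}") is not None


def render_page(conn, fetch, doc_id):
    """Minimal stand-in for the HTML the lookup page would emit."""
    title = fetch(conn, doc_id)
    return f"<h1>{title}</h1>" if title else "<p>No such document</p>"
```

Running `boolean_probe(make_db(), fetch_title_vulnerable, 1, "1=2")` returns `False` while the same call with `"1=1"` returns `True`, which is exactly the difference in page content the blind technique relies on; with `fetch_title_safe` both return `False`. The defensive point is that the fix is not filtering out words like `SELECT` but never letting the parameter reach the query as anything other than a bound, type-checked value.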

“Unu” claims to have contacted Symantec regarding the problem, or at least attempted to. “[...] On the website there is no contact email address for cases such as this, I’ve sent an email to webmaster@symantec.com and security@symantec.com. The email didn’t bounce, so someone must have received it. No answer as of yet,” he writes, while pointing out that more detailed info could be revealed after the company fixes the issue.

During the past two weeks, hackers from the HackersBlog crew have been disclosing various SQL injection vulnerabilities on websites belonging to no less than four antivirus vendors: Kaspersky, F-Secure, Bitdefender, and now Symantec. The site operated by the Bitdefender business partner in Portugal has also been compromised by the same group through SQL injection.

Antivirus vendors are not the only targets of the Romanian group of hackers. Yahoo! has also been the subject of attacks from them more than once, while “unu” has just recently disclosed a similar vulnerability on the website of the International Herald Tribune, the global edition of the New York Times.
 

Britain Warned of Cyber Attack From China


China has gained capability to shut down Britain by crippling its telecoms and utilities, a report claimed on Sunday.

Intelligence chiefs have told the government that equipment installed by Huawei, the Chinese telecoms giant, in BT's new communications network could be used to halt critical services such as power, food and water supplies.

According to a report in The Sunday Times, the warnings coincide with growing cyber warfare attacks on Britain by foreign governments, particularly Russia and China.

While BT has taken steps to reduce the risk of attacks by hackers or organised crime, the government believed that the mitigating measures are not effective against deliberate attack by China.

According to the report, Alex Allan, chairman of the Joint Intelligence Committee (JIC), briefed members of the ministerial committee on national security about the threat from China at a top-secret official meeting in January.

Home Secretary Ms Jacqui Smith chaired the meeting.

A media report on Sunday said a vast cyber spy network controlled from China has infiltrated government and private computers in 103 countries, including those of the Indian embassy in Washington and the Tibetan spiritual leader, the Dalai Lama.

Canadian researchers, the New York Times reported, have concluded that the computers based almost exclusively in China are controlling the network and stealing documents, but stopped short of saying that the Chinese government was involved.
 

Chinese Hack In To Indian Embassies To Steal Dalai Lama's Documents


A China-based cyber spy network has hacked into government and private systems in 103 countries, including those of many Indian embassies and the Dalai Lama, an Internet research group said on Saturday.

The Information Warfare Monitor (IWM), which carried out an extensive 10-month research on cyber spy activities emanating from China, said the hacked systems include the computers of Indian embassies and offices of the Dalai Lama.

Without identifying the Indian embassies, the group said all evidence points to China as the source of this espionage.

The group said it has evidence that the hackers managed to install malicious software (malware) on the compromised computers to steal sensitive documents, including those from the Dalai Lama's offices.

The group began its research after Tibetan exiles made allegations of cyber spying by the Chinese.

After initial investigations, when the group widened its research, it found that the China-based cyber espionage network had hacked the computer systems of embassies of India, Pakistan, Germany, Indonesia, Thailand, South Korea and many other countries.

In all, the hackers had gained access to 1,295 computer systems of foreign ministries of many countries, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, and the Philippines, the researchers said.

After gaining access to foreign government and private computer systems, the hackers installed malware to exercise control over these computer systems to access any documents.

"We have been told by the researchers that the Chinese hackers have gained access to our computer systems all over the world, and taken sensitive documents from the office of His Holiness (the Dalai Lama)," Toronto-based Tibetan student leader Bhutila Karpoche told IANS.

She said, "Our website (studentsforafreetibet.org) has been repeatedly hacked, and we keep getting all kinds of viruses in our emails. This trend has increased in recent months, and we have become very wary about opening our emails."

The findings of the 10-month investigation, titled 'Tracking GhostNet: Investigating a Cyber Espionage Network,' can be found here:

Tracking GhostNet: Investigating a Cyber Espionage Network (The SecDev Group). This report documents GhostNet, a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.
 

Final Countdown to Conficker 'Activation' Begins...



Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.

Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.

"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."

Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or weeks after the new call-home routine comes into effect.

If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.

Lessons from the call back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant ever downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.

Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.

"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes led to nothing more than a damp squib," notes Graham Cluley, senior technology consultant at Sophos.


Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.

Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol".

Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.

Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.
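The arithmetic behind Niall Fitzgibbon's "very small chance" and behind the blocking problem Rik Ferguson describes can be worked out from the two figures the article quotes: 50,000 candidate domains a day, of which each infected host tries a random 500. The following is an added example, not code from the article, from Sophos, Trend Micro or any Conficker analysis, and it assumes the 500 are drawn uniformly at random without replacement, which the article does not state. It computes, from the defender's side, how likely one host is to reach at least one domain that has been registered or sinkholed, and how many such registrations would be needed to reach almost every host in a day.

```python
import random

# Figures quoted in the article for Conficker-C. Everything else in this block
# is constructed for the example.
TOTAL_DOMAINS = 50_000
CONTACTED_PER_DAY = 500


def contact_probability(total_domains, contacted_per_day, registered):
    """Probability that one infected host reaches at least one registered domain
    in a day, when it picks `contacted_per_day` domains uniformly at random
    without replacement from `total_domains` and `registered` of those are
    controlled by defenders (or by the worm's authors).

    P(miss all) = prod_{i=0}^{k-1} (N - r - i) / (N - i)   (hypergeometric, zero hits)
    """
    if registered <= 0:
        return 0.0
    if total_domains - registered < contacted_per_day:
        return 1.0  # not enough unregistered domains left to fill a whole miss
    miss = 1.0
    for i in range(contacted_per_day):
        miss *= (total_domains - registered - i) / (total_domains - i)
    return 1.0 - miss


def registrations_needed(total_domains, contacted_per_day, target):
    """Smallest number of registered (for instance sinkholed) domains for which a
    host has at least `target` probability of reaching one of them in a day.
    Assumption of this example: the selection is uniform, as above."""
    registered = 0
    while contact_probability(total_domains, contacted_per_day, registered) < target:
        registered += 1
    return registered


def simulate_hosts(total_domains, contacted_per_day, registered, hosts, seed=1):
    """Monte Carlo cross-check of contact_probability: count how many of `hosts`
    infected machines hit a registered domain on one day. Domains are modelled
    as the integers 0..N-1, with 0..registered-1 being the registered ones."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(hosts):
        sample = rng.sample(range(total_domains), contacted_per_day)
        if any(domain < registered for domain in sample):
            hits += 1
    return hits
```

With one registered domain the per-host, per-day probability is exactly 500/50,000, i.e. 1%, which is the "very small chance" in the quote; to give a host a 99% chance of reaching a defender-held domain in a day, roughly 460 of the 50,000 would have to be registered every day, which is the scale of the pre-registration effort the article says is "almost impossible", quite apart from the collisions with legitimate domains that Ferguson mentions.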

Birth of a superworm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm's attempts to hammer across corporate LANs, has made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

Compromised Windows PCs, however the infection happens, become drones in a botnet, which is yet to be activated. It's unclear who created or now controls this huge resource.

Estimates of the number of machines infected by Conficker vary, from barely over a million to 12 or even 15 million. More reliable estimates suggest that between 3-4 million compromised systems at any one time might be closer to the mark.

SRI reckons that Conficker-A has infected 4.7m Windows PCs over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, even as new infections occur. Taking this into account, the botnets controlled by Conficker-A and Conficker-B are reckoned to be around 1m and 3m hosts respectively, about a third of the raw estimate.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figures, it's clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month, but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: "Why go through all of this effort to create such a huge botnet then not utilize it for something?"
 

CyberCrime Server Exposed Through Google Cache


UK & US IDs Exposed to World

A reported 22,000 card records have been exposed through cached copies of data stored on a defunct cybercrime server.

iTnews in Australia reports that 19,000 of the 22,000 exposed details referred to US and UK cards and that data came from Google cache records of a disused internet payment gateway, a line picked up by Slashdot.

However, a security expert told us the information was actually from either a dump or attack site used for credit card fraud. This cybercrime site, registered by someone in Vietnam, is no longer operational.

The data - viewable through Google cache - includes credit card numbers, expiry dates, names and addresses for accounts held with Visa, Mastercard, American Express, Solo and Delta. The information remains available at the time of writing for anyone with the wit to formulate the correct search term.

First spotted by an anonymous Australian, details were posted on a now deleted thread on whirlpool.net.au. Reg readers have since independently located the sensitive information in Google's cache.

"Google can sometimes be a victim of its own effectiveness, having indexed all available content from the criminal's dump server in Vietnam they inadvertently made thousands of UK credit card details available to the casual browser by serving them up from their own cache," explained Rik Ferguson, a security consultant at Trend Micro. "From the moment this content was made public Trend Micro have been working to help Google, over the course of the weekend, to identify and remove all the offending information," he added.

It's not the first time Google's spiders have indexed such sensitive data. In May 2008 net security firm Finjan reported a similar case, where banking login credentials and other data were stored on a crimeware server accessible through Google search queries.
 

Indian Call Centre Credit Card 'SCAM' Exposed



A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man.

The seller denied any wrongdoing and Symantec corporation, from whom three victims bought a product via a call centre, called the incident "isolated".

Card fraud totalled £609m during 2008, according to payments group Apacs.

Symantec said it requires rigorous security measures of any third-party call centre agents and it believed the breach had been limited to a single agent.

The BBC team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details.

Two undercover reporters met the broker in a Delhi coffee shop for an encounter that was filmed secretly.

Secret filming exposes frauster selling stolen credit card details
http://news.bbc.co.uk/1/hi/uk/7952419.stm

He told the pair he could supply them with hundreds of credit and debit card details each week at a cost of $10 a card.

After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14. He said the remainder would be sent later by e-mail.

The man claimed some of the numbers had been obtained from call centres handling mobile phone sales, or payments for phone bills.

Back in the UK, the broker continued to supply card details to one of the undercover reporters by email.

Nearly all of the names, addresses and post codes sold to the BBC team were valid. But most of the numbers attached to them were invalid - often out by a single digit.

However, about one in seven of the numbers purchased were valid - active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.


The BBC team contacted the owners of these cards and warned them that their details were now being bought and sold in India.

Three of those customers had, within hours of each other, bought a computer software package by giving their credit card details to a call centre over the phone.

Within hours of making the purchase, their details were fraudulently sent on to the reporters.

One of the victims said he was "disturbed" at what had happened.

Allan Little telephones the fraudster to confront him about what we found
http://news.bbc.co.uk/1/hi/uk/7952423.stm

The software was made by Norton, which is part of the Symantec corporation.

Symantec, which launched an investigation after being informed of the undercover probe, said the leak had come from a single source which has now been removed.

In a statement it said: "We are investigating how this incident happened and will take any appropriate steps to address any opportunities for improvement in our processes.

"We have engaged with the local law enforcement officials in India and will cooperate fully with that investigation. We are in the process of reviewing all possible options to manage this third party call centre, including moving away from it."

A spokeswoman stressed that "rigorous security measures" are put in place at call centres. For example, staff are not allowed to take electronic devices, memory sticks, pens or pencils to their desks. Internet and email access is also banned.

Wrongdoing denied


Saurabh Sachar, the seller, denied any wrongdoing or illegal activity.

When told that he had been filmed taking money from undercover reporters, he said they had borrowed that money from him and were paying it back.

He said the piece of paper handed over to undercover reporters contained "some directions" and a "kind of balance sheet".

And, when accused of providing credit card details he said they were "not correct". Mr Sachar also denied sending more details by e-mail.

Credit and debit card fraud cost the UK banking industry £609 million in 2008 - a rise of 14% on 2007.

Much of that fraud comes from transactions where the card is not physically present, such as telephone or internet sales.

The UK and the EU have stringent data protection laws. India has recently tightened up its rules governing the use of information technology, but it has no data protection legislation.

"India is only paying lip service to data protection," the Data Protection lawyer Pavan Duggal told BBC News.


"We don't yet have a dedicated legislation on data protection. Until such times as India comes across with strong stringent provisions on data security we will have instances like this keep on happening."

The huge expansion in credit card use in recent years has produced a new kind of fraudster - one that will try to exploit any opportunity to reach into almost any credit or debit account that is used to make telephone purchases.
 

Security Experts Warn Of 'Staggering' Rise In Malware



Research Shows Economic Slump Prompting Surge In Online Criminality

Malware volumes grew by a huge 300 per cent during 2008, fuelled in part by continuing job uncertainty, according to new research from security-as-a-service provider ScanSafe.

The firm analysed more than 240 billion web requests in over 80 countries last year, and found a particular growth in exploits and iframe attacks, which rose 1,731 per cent, and data-theft Trojans, which increased by 1,559 per cent.

Mary Landesman, senior security researcher at ScanSafe, suggested that the rise in criminal activity could correspond to the decline in the global economy.

"We saw a continued acceleration of web-delivered malware in 2008, reaching significant peaks in October and November. The numbers are staggering," she said.

"It could be that the increasing job losses and uncertainty are fuelling the surge in criminal activity. It is also likely that cyber crime is a viable business opportunity in a climate where legitimate opportunities are becoming increasingly limited."

ScanSafe also warned that trusted sites are now statistically the most dangerous on the web, as they are frequently hacked using techniques such as SQL injection attacks. The firm recorded 780,000 malicious web pages in April alone as a result of a single SQL injection attack.
 

Police Under Fire In New Database Row


Reports Reveal Police Store Records on Protestors & Journalists


Just a day after the Information Commissioner raided a firm for possessing a covert database of construction workers’ personal information, it emerged that the police force is keeping a potentially illegal database listing the details of political activists and journalists.

In a Guardian newspaper investigation, the Metropolitan Police force, which is said to have pioneered surveillance techniques at demonstrations, was accused of storing details including names, photographs, political associations and video footage of protesters and reporters.

The information is stored on CrimInt, a centralised database used by all police to catalogue criminal intelligence, the report said.

The information was obtained by the paper via Freedom of Information requests, court testimony, an interview with a senior Met officer and police surveillance footage.

According to reports, the data is held by the police for up to seven years, and reviewed each year, so it is unclear whether the ICO will decide to investigate possible breaches of the Data Protection Act.

However, the storage of details belonging to people who have not been convicted or accused of a crime could contravene the Human Rights Act.

The news comes as the ICO seeks to harden its stance on organisations believed to be breaking the Data Protection Act. Last week it began proceedings against a Droitwich firm it accused of holding the details of over 3,000 building site workers without their knowledge.

Public confidence in the state’s policies on data handling is at an all time low after a string of high profile public sector data breach incidents, and widely criticised proposals for a centralised database of communications data.

The police and Home Office also came in for recent criticism after the police were given new powers to hack into individuals’ PCs without a warrant.

Source: vnunet