Showing posts with label Privacy.

Wage Cyberwar Against Hamas, Surrender Your PC


A group of Israeli students and would-be cyberwarriors have developed a program that makes it easy for just about anyone to start pounding on pro-Hamas websites. But using this "Patriot" software, to join in the online fight, means handing over control of your computer to the Israeli hacker group.

"While you're running their program, they can do whatever they want with your computer," said Mike La Pilla, manager of malicious code operations at Verisign iDefense, an electronic security firm.

The online collective "Help Israel Win" formed in late December, as the current conflict in Gaza erupted. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," "Liri," one of the group's organizers, told Danger Room.

So they created a simple program, supposedly designed to overload Hamas-friendly sites like qudsnews.net and palestine-info.info. In recent years, such online struggles have become key components in the information warfare that accompanies traditional bomb-and-bullets conflicts. Each side tries to recruit more and more people -- and more and more computers -- to help in the network assaults. Help Israel Win says that more than 8,000 people have already downloaded and installed its Patriot software. It's a small part of a larger, increasingly sophisticated propaganda fight between supporters of Israel and Hamas that's being waged over the airwaves and online.

Help Israel Win, which has websites in Hebrew, English, Spanish, French, Russian and Portuguese, doesn't say much about how the program functions -- only that it "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

Analysis from iDefense and the SANS Institute, however, reveals that computer users put their PCs at risk when they run the Patriot software. The program connects a computer to one of a number of Internet Relay Chat (IRC) servers. Once the machine is linked up, Help Israel Win can order it to do just about anything.

The Patriot program does something "fishy," SANS Institute security specialist Bojan Zdrnja said, by retrieving "a remote file and sav[ing] it on the local machine as TmpUpdateFile.exe." That could easily be a "trojan," Zdrnja said, referring to a program that sneaks malicious code onto a computer.

"While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there -- there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," Zdrnja wrote.

Liri, with Help Israel Win, conceded that "the Patriot code could be used as a trojan." However, "practically it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code... never have and never will," Liri said. "The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application."

It's also unclear how much the Patriot program is really helping the Israeli side in the online information war.

La Pilla has been monitoring Help Israel Win's IRC servers for days. "They didn't make us download and install anything. Didn't make us [attack] anybody. I was basically just sitting idle on their network." The group claims to have shut down sarayaalquds.org and qudsvoice.net. But, as of now, the rest of the group's pro-Hamas targets remain online. Meanwhile, Help Israel Win has had to shift from website to website, as they come under attack from unknown assailants.
 

Open Wi-Fi Aids Terrorists, Mumbai Cops Say


Open wi-fi is a terrorist tool and has to be shut down, right this second. That's the conclusion, at least, of the Mumbai police. Starting today, the Times of India reports, "several police teams, armed with laptops and internet-enabled mobile phones, will randomly visit homes to detect unprotected networks."

"If a particular place's wi-fi is not password-protected or secured then the policeman at the spot has the authority to issue notice to the owner of the wi-fi connection directing him to secure the connection," deputy commissioner of police Sanjay Mohite tells The Hindu. Repeat wi-fi offenders may receive "notices under the Criminal Procedure Code," another senior officer warns the Times.

Mohite notes that e-mails taking credit for terror attacks in New Delhi and Ahmedabad were sent through open wireless networks. "Unprotected IP addresses can be misused for cyber crimes," he says. Other Indian cities now require cyber cafes to install surveillance cameras, and to collect identification from all customers.

But plugging up all those perceived security sieves in Mumbai is going to take some work. A quick Sheriff's Brigade survey on Sunday showed that 80 percent of wi-fi networks in South Mumbai were left unlocked. And it's not like terrorists are all that 802.11-dependent, of course. An e-mail also took credit for December's massacre in Mumbai. Whether that came from an open wi-fi connection or not is unclear -- the mailer used an anonymizer service, to cover his electronic tracks.
 

Student Sentenced For F-ucked Up Grade Hack


A university student in Florida on Tuesday was sentenced to 22 months in prison for his role in a bungled scheme to hack into his school's computer system and make hundreds of grade changes.

Christopher Jacquette, 29, of Tallahassee was also ordered to serve three years of supervised release for his part in the plot, which used keyloggers to access protected computers at Florida A & M University, according to federal prosecutors. Along with cohorts Lawrence Secrease and Marcus Barrington, his caper reads like a modern-day episode of The Three Stooges.

The tale begins in August 2007, when Jacquette installed keyloggers onto several of the university's computers after sneaking into a locked ballroom where student registration was taking place. In short order, the trio had access to the school's PeopleSoft accounts. They promptly used it to change dozens of grades belonging to them and their friends, in many cases from Fs to As.

Naturally, these under-achieving students weren't the sharpest tools in the shed, and they made some mistakes along the way. A university audit quickly revealed the presence of the keyloggers, and the discovery gave up several email addresses under the control of the students. University logs also showed that the grade changes were made using internet accounts from the students' homes.

When police questioned Barrington's sister about changes made to her grades, she said she believed they were an act of God.

Then, within hours of being interrogated, Barrington convened a meeting where the trio would plan how to sneak keylogging software on university computers a second time. The university had reversed the altered grades, it seems, and the students were intent on changing them back. According to court documents, they did just that, boosting 16 grades belonging to Jacquette and 12 belonging to Barrington.

The students also used their unauthorized access to change the residency status of several students so they wouldn't have to pay out-of-state fees that were more expensive. After Jacquette received $600 apiece from two students, he used his cell phone to send a text message instructing Barrington to change the students' residence. After Jacquette gave consent to have his cell phone searched, investigators found several passwords belonging to university employees.

Court documents charged all three students with four felonies in connection with the alleged scheme. The status of Barrington and Secrease wasn't immediately known. Prosecutors weren't available late Tuesday to clarify.

In all, the trio changed some 650 grades belonging to 90 students. About 114 of the grades were Fs that were converted to As. Because the changes to grades and residency status would have allowed students to receive lower tuition fees, it could have had the effect of costing the university hundreds of thousands of dollars, prosecutors alleged.
 

Romanian Cybercriminal Gang Dismantled


Twelve Students Arrested For Taking Part In A Major Phishing Operation
The Romanian Direction for Investigating Organized Crime and Terrorism (DIICOT) along with local authorities have descended on multiple locations in several cities and arrested 20 persons suspected of being members of a cybercriminal gang. The seven-year-long operation, which involved phishing and fake eBay auctions, is said to have brought the cybercrooks illegal gains of over 500,000 euros.

According to the investigators, the network was very well structured, with its members operating out of Romania, Italy, Spain and the UK. The Romanian branch was co-ordinating the operation and its members were moving from city to city in order to avoid being caught.

However, an important nucleus was formed in Iasi, because it is one of the largest cities in the country and, most importantly, a big university center. This allowed the leaders of the gang to recruit students from the specialized universities here, who were willing to earn some extra cash.

A judge has decided that twelve of the individuals will be detained under temporary arrest for 29 days, while another seven have been released, but are not allowed to leave the country. All of them were studying in Iasi, at the Faculty of Automatic Control and Computer Engineering from the "Gh. Asachi" Technical University, or at the Faculty of Computer Science from the "A. I. Cuza" University. The oldest of the arrested students is 25 years old.

"The DIICOT prosecutors have coordinated an operation to dismantle an organized criminal group, which between 2002 and 2009 has organized fictitious auctions on the Internet, especially on the www.ebay.com, www.ebay.it and www.ebay.ca websites, the cloning of the websites of several banks from UK and Italy, such as www.poste.it, www.ubibanca.it, www.cartasi.it, www.hsbc.co.uk and have used, without authorization, the credit card details obtained through phishing, in order to transfer sums of money into other accounts under the control of the group's members," Daniel Horodniceanu, one of the prosecutors, announced.

He also noted that, given the current evidence, the prosecution could legally prove only a fraud of 280,000 euros, but that the real amount was likely to be much bigger.

The members of the network living in other countries were withdrawing money from the targeted banks and were wiring the cash to the leaders in Romania, through Western Union. One interesting aspect is that the students, who were actually doing all the work, did not earn too much, compared with the heads of the operation.

For example, one of the arrested individuals was living in a student dorm, because he couldn't afford to pay rent for an apartment in the city. The parents of most of the students were still sending them food and money every month. Meanwhile, the ringleaders were living in luxury flats and had expensive cars.

"A total of 22 raids were performed in different locations across the counties of Iasi, Valcea, Mehedinti and the municipality of Bucharest, at the homes of the group's members. Three luxury cars, gold jewels weighing 100 grams, 2065 euros, 2150 British pounds, 2200 Romanian lei, 20 notebooks and desktop computers, 30 memory cards, hundreds of CDs and DVDs and two plasma TVs were seized," Chief Commissioner Gheorghe Zbarnea, the head of the Brigade for Fighting Organized Crime, Iasi branch, informed.


The names of the individuals brought before the judge are: the brothers Andrei and Ciprian Ilasoaia, Valentin Pintiliasa, Mihai Adrian Slatineanu, Paul Andrei Chiriac, Catalin Muraru, Ciprian Micutaru, Bogdan Tirpescu, George Duduman, Andrei Corneliu Ciubotariu, Ionut Baraganescu and Florian Martin. All of them stand accusations of constituting and associating themselves in an organized criminal group, adhering to or supporting in any way an organized criminal group, committing computer infractions, gaining access to a computer system without authorization, unauthorized possession and utilization of a password, access code in order to commit computer crimes, and two have already admitted to their actions.
 

Britain Warned of Cyber Attack From China


China has gained capability to shut down Britain by crippling its telecoms and utilities, a report claimed on Sunday.

Intelligence chiefs have told the government that equipment installed by Huawei, the Chinese telecoms giant, in BT's new communications network could be used to halt critical services such as power, food and water supplies.

According to a report in The Sunday Times, the warnings coincide with growing cyber warfare attacks on Britain by foreign governments, particularly Russia and China.

While BT has taken steps to reduce the risk of attacks by hackers or organised crime, the government believed that the mitigating measures are not effective against deliberate attack by China.

According to the report, Alex Allan, chairman of the Joint Intelligence Committee (JIC), briefed members of the ministerial committee on national security about the threat from China at a top-secret official meeting in January.

Home Secretary Ms Jacqui Smith chaired the meeting.

A media report on Sunday said a vast cyber spy network controlled from China has infiltrated government and private computers in 103 countries, including those of the Indian embassy in Washington and the Tibetan spiritual leader, the Dalai Lama.

Canadian researchers, the New York Times reported, have concluded that the computers based almost exclusively in China are controlling the network and stealing documents, but stopped short of saying that the Chinese government was involved.
 

Chinese Hack In To Indian Embassies To Steal Dalai Lama's Documents


A China-based cyber spy network has hacked into government and private systems in 103 countries, including those of many Indian embassies and the Dalai Lama, an Internet research group said on Saturday.

The Information Warfare Monitor (IWM), which carried out an extensive 10-month research on cyber spy activities emanating from China, said the hacked systems include the computers of Indian embassies and offices of the Dalai Lama.

Without identifying the Indian embassies, the group said all evidence points to China as the source of this espionage.

The group said it has evidence that the hackers managed to install malicious software (malware) on the compromised computers to steal sensitive documents, including those from the Dalai Lama's offices.

The group began its research after Tibetan exiles made allegations of cyber spying by the Chinese.

After initial investigations, when the group widened its research, it found that the China-based cyber espionage network had hacked computer systems of embassies of India, Pakistan, Germany, Indonesia, Thailand, South Korea and many other countries.

In all, the hackers had gained access to 1,295 computer systems of foreign ministries of many countries, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, and the Philippines, the researchers said.

After gaining access to foreign government and private computer systems, the hackers installed malware to exercise control over these computer systems to access any documents.

"We have been told by the researchers that the Chinese hackers have gained access to our computer systems all over the world, and taken sensitive documents from the office of His Holiness (the Dalai Lama)," Toronto-based Tibetan student leader Bhutila Karpoche told IANS.

She said, "Our website (studentsforafreetibet.org) has been repeatedly hacked, and we keep getting all kinds of viruses in our emails. This trend has increased in recent months, and we have become very wary about opening our emails."

The findings of the 10-month investigation, titled 'Tracking GhostNet: Investigating a Cyber Espionage Network,' can be found here.

Tracking GhostNet: Investigating a Cyber Espionage Network (The SecDev Group). This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.
 

Final Countdown to Conficker 'Activation' Begins...



Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.

Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.

"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."

Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or weeks after the new call-home routine comes into effect.

If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.
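The call-home arithmetic described above is easy to misjudge from the prose alone, so here is a small model I add to this post; it is not Conficker's code and not taken from Sophos or any other analysis of the worm. It takes from the article the 50,000-domain daily pool, the 500-domain random sample per host and the idea that a signed update can be relayed over the worm's P2P channel; everything else is an assumption of the model, in particular the number of domains the operator actually registers and the all-or-nothing way the relay is treated. It shows why a 1% per-host daily success rate still reaches a large botnet quickly, and therefore why defenders cannot rely on the low per-host odds alone.

```python
"""Model of the Conficker-C rendezvous: each infected host queries a random
500 of the day's 50,000 candidate domains.  Added illustration, not the worm's
code; 50,000 / 500 and the signed P2P relay come from the article, the rest of
the model (registered-domain count, all-or-nothing relay) is assumed."""
import random
from math import comb

DOMAINS_PER_DAY = 50_000   # candidate call-home domains generated per day (article)
CONTACTED_PER_DAY = 500    # random subset each host actually queries (article)


def per_host_hit_probability(registered, contacted=CONTACTED_PER_DAY, total=DOMAINS_PER_DAY):
    """Probability that one host's random sample of `contacted` domains contains
    at least one of the `registered` domains the operator controls.
    The miss probability is hypergeometric: C(total-registered, contacted) / C(total, contacted).
    With one registered domain this is exactly 1 - 49500/50000 = 0.01."""
    if registered <= 0:
        return 0.0
    if registered >= total:
        return 1.0
    miss = comb(total - registered, contacted) / comb(total, contacted)
    return 1.0 - miss


def expected_reach_no_relay(registered, days):
    """Fraction of the botnet expected to have fetched the update after `days`
    independent daily attempts when hosts do not relay to each other."""
    p = per_host_hit_probability(registered)
    return 1.0 - (1.0 - p) ** days


def simulate_reach(hosts, registered, days, p2p, seed=1):
    """Monte Carlo over a population of `hosts`, actually drawing each host's
    500-domain sample.  By symmetry the registered domains are taken to be the
    first `registered` indices of the pool.  p2p=True models the article's
    signed peer-to-peer push as: once any host has the update on a given day,
    every remaining host has it by day's end (an optimistic assumption)."""
    rng = random.Random(seed)
    pool = range(DOMAINS_PER_DAY)
    updated = 0
    for _ in range(days):
        remaining = hosts - updated
        if remaining == 0:
            break
        newly = 0
        for _ in range(remaining):
            # a host succeeds if any sampled index falls among the registered ones
            if min(rng.sample(pool, CONTACTED_PER_DAY)) < registered:
                newly += 1
        updated += newly
        if p2p and updated > 0:
            updated = hosts
    return updated / hosts


if __name__ == "__main__":
    for registered in (1, 10, 100):
        p = per_host_hit_probability(registered)
        print(f"{registered:>4} registered domain(s): per-host daily success {p:.3f}, "
              f"expected reach after 7 days without relay {expected_reach_no_relay(registered, 7):.3f}")
    print("10,000 hosts, 1 domain, 1 day, no relay:", simulate_reach(10_000, 1, 1, p2p=False))
    print("10,000 hosts, 1 domain, 1 day, P2P relay:", simulate_reach(10_000, 1, 1, p2p=True))
```

The defender-side reading is the one the article's analysts give: blocking or sinkholing a fraction of the daily pool lowers the per-host probability, but with thousands of infected hosts and a relay channel, the operator needs only one unblocked registration on one day, so host-level detection and cleanup matter more than trying to win the domain race.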

Lessons from the call back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant ever downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.

Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.

"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes led to nothing more than a damp squib," notes Graham Cluley, senior technology consultant at Sophos.


Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.

Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol".

Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.

Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.

Birth of a superworm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm's attempts to hammer across corporate LANs, has made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

Compromised Windows PCs, however the infection happens, become drones in a botnet, which is yet to be activated. It's unclear who created or now controls this huge resource.

Estimates of the number of machines infected by Conficker vary, from barely over a million to 12 or even 15 million. More reliable estimates suggest that between 3-4 million compromised systems at any one time might be closer to the mark.

SRI reckons that Conficker-A has infected 4.7m Windows PCs over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, even as new machines are infected. Taking this into account, the botnets controlled by Conficker-A and Conficker-B are reckoned to be around 1m and 3m hosts respectively, about a third of the raw estimate.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figure, it's clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month, but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: "Why go through all of this effort to create such a huge botnet then not utilize it for something?"
 

CyberCrime Server Exposed Through Google Cache


UK & US IDs Exposed to World

A reported 22,000 card records have been exposed through cached copies of data stored on a defunct cybercrime server.

iTnews in Australia reports that 19,000 of the 22,000 exposed details referred to US and UK cards and that data came from Google cache records of a disused internet payment gateway, a line picked up by Slashdot.

However, a security expert told us the information was actually from either a dump or attack site used for credit card fraud. This cybercrime site, registered by someone in Vietnam, is no longer operational.

The data - viewable through Google cache - includes credit card numbers, expiry dates, names and addresses for accounts held with Visa, Mastercard, American Express, Solo and Delta. The information remains available at the time of writing for anyone with the wit to formulate the correct search term.

First spotted by an anonymous Australian, details were posted on a now deleted thread on whirlpool.net.au. Reg readers have since independently located the sensitive information in Google's cache.

"Google can sometimes be a victim of its own effectiveness, having indexed all available content from the criminal's dump server in Vietnam they inadvertently made thousands of UK credit card details available to the casual browser by serving them up from their own cache," explained Rik Ferguson, a security consultant at Trend Micro. "From the moment this content was made public Trend Micro have been working to help Google, over the course of the weekend, to identify and remove all the offending information," he added.

It's not the first time Google's spiders have indexed such sensitive data. In May 2008 net security firm Finjan reported a similar case, where banking login credentials and other data were stored on a crimeware server accessible through Google search queries.
 

Indian Call Centre Credit Card 'SCAM' Exposed



A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man.

The seller denied any wrongdoing and Symantec corporation, from whom three victims bought a product via a call centre, called the incident "isolated".

Card fraud totalled £609m during 2008, according to payments group Apacs.

Symantec said it requires rigorous security measures of any third-party call centre agents and it believed the breach had been limited to a single agent.

The BBC team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details.

Two undercover reporters met the broker in a Delhi coffee shop for an encounter that was filmed secretly.

Secret filming exposes fraudster selling stolen credit card details
http://news.bbc.co.uk/1/hi/uk/7952419.stm

He told the pair he could supply them with hundreds of credit and debit card details each week at a cost of $10 a card.

After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14. He said the remainder would be sent later by e-mail.

The man claimed some of the numbers had been obtained from call centres handling mobile phone sales, or payments for phone bills.

Back in the UK, the broker continued to supply card details to one of the undercover reporters by email.

Nearly all of the names, addresses and post codes sold to the BBC team were valid. But most of the numbers attached to them were invalid - often out by a single digit.

However, about one in seven of the numbers purchased were valid - active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.


The BBC team contacted the owners of these cards and warned them that their details were now being bought and sold in India.

Three of those customers had, within hours of each other, bought a computer software package by giving their credit card details to a call centre over the phone.

Within hours of making the purchase, their details were fraudulently sent on to the reporters.

One of the victims said he was "disturbed" at what had happened.

Allan Little telephones the fraudster to confront him about what we found
http://news.bbc.co.uk/1/hi/uk/7952423.stm

The software was made by Norton, which is part of the Symantec corporation.

Symantec, which launched an investigation after being informed of the undercover probe, said the leak had come from a single source which has now been removed.

In a statement it said: "We are investigating how this incident happened and will take any appropriate steps to address any opportunities for improvement in our processes.

"We have engaged with the local law enforcement officials in India and will cooperate fully with that investigation. We are in the process of reviewing all possible options to manage this third party call centre, including moving away from it."

A spokeswoman stressed that "rigorous security measures" are put in place at call centres. For example, staff are not allowed to take electronic devices, memory sticks, pens or pencils to their desks. Internet and email access is also banned.

Wrongdoing denied


Saurabh Sachar, the seller, denied any wrongdoing or illegal activity.

When told that he had been filmed taking money from undercover reporters, he said they had borrowed that money from him and were paying it back.

He said the piece of paper handed over to undercover reporters contained "some directions" and a "kind of balance sheet".

And, when accused of providing credit card details he said they were "not correct". Mr Sachar also denied sending more details by e-mail.

Credit and debit card fraud cost the UK banking industry £609 million in 2008 - a rise of 14% on 2007.

Much of that fraud comes from transactions where the card is not physically present, such as telephone or internet sales.

The UK and the EU have stringent Data Protection laws. India has recently tightened up its rules governing the use of Information technology, but it has no data protection legislation.

"India is only paying lip service to data protection," the Data Protection lawyer Pavan Duggal told BBC News.


"We don't yet have a dedicated legislation on data protection. Until such times as India comes across with strong stringent provisions on data security we will have instances like this keep on happening."

The huge expansion in credit card use in recent years has produced a new kind of fraudster - one that will try to exploit any opportunity to reach into almost any credit or debit account that is used to make telephone purchases.
 

Russian Hackers Penetrate Pentagon Computer System in Cyber Attack



Computer hackers suspected of working from Russia successfully penetrated Pentagon computer systems in one of the most severe cyber attacks on US military networks.

The electronic attack was so serious that Adm Michael Mullen, the chairman of the joint chiefs of staff, briefed President George W Bush and Robert Gates, the defence secretary.

Defence officials told the Los Angeles Times that the attack struck computers within the US Central Command, which oversees Iraq and Afghanistan, and involved malicious software - known as "malware" - that permeates a network.

"This one was significant, this one got our attention," said an official, speaking anonymously.

Officials did not disclose the extent of the damage and would not elaborate on the reasons for believing the assault originated in Russia.

The Pentagon and other US government departments face repeated cyber attacks, especially from Russia and China, either from individuals or indirectly from those countries' governments.

Within the past 18 months Russia has been accused of orchestrating major electronic attacks on neighbours Estonia and Georgia.

Source: telegraph.co.uk
 

Serious Security Alert for Monster & USAJobs Users


Careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, have published security alerts to their customers warning of a serious hacking attack.

Feeling a sense of deja vu? Well, you should be as this has happened before.

It appears that Monster.com's database and USAJobs.gov's database were compromised and contact and account information was stolen. Data stolen included users' login names, passwords, email addresses, names, phone numbers and some demographic data.

Here is a short video I have made, explaining the possible impact of this security breach - and explaining why you should take this opportunity to think long and hard about whether you are acting securely with your website passwords:


What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo.

Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the USAJobs.gov website, whose database is run by Monster.



Although the warnings are keen to emphasise what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may be placed in because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have received to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails which look more legitimate because they use the recipient's real name and other personal information (such as user id, phone number or location) are always more successful at socially engineering further details out of people - details that could then be used for identity theft.

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

That means that if hackers have managed to extract your Monster.com or USAJobs.gov password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use Monster.com or USAJobs.gov you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And *then* change your passwords at any other site where you might be using the same password. Make sure, of course, that it's not the same password as the one you are using at Monster - you don't want to make that mistake again.

Worryingly, this isn't the first time that Monster and USAJobs have been targeted by hackers who have stolen data about their users. 18 months ago, as this 2007 report from Reuters reveals, hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed up by a widespread phishing email campaign.
 

Chatwebcamfree Attack Hits Twitter Users


Hundreds of Twitter users have been hit by another attack on the popular micro-blogging site, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages which say

hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com

are being spammed out as Tweets.



However, the index page of that website serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com.



Clearly, if a hacker has managed to ascertain your Twitter password there is a chance that they may have also compromised your system in other ways too.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must also change those passwords too (please *don't* make it the same as your new Twitter password).

As we don't yet know how the hackers compromised accounts, it wouldn't do any harm to scan your computer with an up-to-date anti-virus product either.

Twitter has confirmed that approximately 750 accounts were hijacked by criminals during the course of this attack, and says that they have reset the passwords of all compromised accounts. That should stop the tidal wave of spam messages advertising adult webcam websites for now.

But there is still a lack of clarity about how the accounts were compromised in the first place.

Finally, one extra thing to throw into the mix. Last month, Facebook users reported seeing a very similar message.



You don't have to be Albert Einstein to put two and two together, and deduce that these attacks must be related.

We're seeing more and more attacks from spammers, phishers, malware authors, scammers and identity thieves against the users of social networks like Twitter and Facebook. These aren't just proof-of-concept attacks in controlled conditions - they're full-blooded assaults seen in the wild every day, making money out of real people.

Source: Sophos.com
 

SQL Injection & XSS Bugs Expose The Privacy of Millions of Users of the “Trustable” Yahoo! Services



A company worth billions of dollars, which is supposed to have the best programmers, the kind of company that won’t leave any security holes in its systems. That is how Yahoo! is supposed to be!

XSS bugs are already yesterday’s news when we talk about Yahoo! They are all over the place on the *.yahoo.com subdomains. But we are not talking here about minor XSS bugs. We mean serious business. We are talking about the kind of security hole which exposes the privacy of millions of users of the “trustable” Yahoo! services.

We are talking about SQL Injection. One of the worst kinds of security breach.

Here you have one of the pages vulnerable to SQL Injection:

http://in.jagran.yahoo.com/article/index.php?choice=homepage_getnews&state=1&city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18

What do we find here? Information about the SQL server: its version and the current SQL user:



A list with SQL users and passwords:


And of course, much more information available at the hand of an attacker.

Moreover, this SQL Injection can be used as an XSS, especially for session hijacking:



The sad part is that Yahoo! didn’t adopt any policy whatsoever regarding this kind of problem. They don't admit they have a problem, nor do they give any credit to those who find them.

Following in the footsteps of other sites, Yahoo! could learn to gain from this. The vast majority of those who find bugs don’t disclose them anymore, precisely because Yahoo! is in total denial. By coming out clean, Yahoo! would also reduce the number of hacked/stolen accounts and other shameful security breaches like the one we present here.
 

YouTube Blocks Music Videos in UK

By PK


Content yanksploitation against royalty collectors

YouTube is blocking most of its music videos from UK viewers after negotiations with British royalty collectors turned sour.

The Performing Rights Society (PRS) for Music, a group representing artists and publishers, and YouTube both blame each other entirely for the impasse, of course.

Patrick Walker, YouTube's top pact-maker in Europe said in a blog post today that the site will block all "premium" music videos in the UK until it can strike up a new contract with PRS that is "economically sustainable."

"But PRS is now asking us to pay many, many times more for our license than before," he wrote. "The costs are simply prohibitive for us - under PRS's proposed terms we would lose significant amounts of money with every playback."

He also claims PRS is unwilling to even tell the video streaming site what songs are included in the licensing renewal being negotiated. Walker claims the deal is "like asking a consumer to buy an unmarked CD without knowing what musicians are on it."

PRS appears to have been taken off guard by YouTube's sudden yanking of content. Shortly after the site said it's pulling UK music videos, PRS chief Steve Porter announced he was "shocked and disappointed" to receive a call late in the afternoon informing him of YouTube's drastic action.

The music group claims YouTube wants to pay "significantly less than at present to the writers of the music on which their service relies, despite the massive increase in YouTube viewing."

PRS said YouTube's decision to block music videos in the UK was done in the middle of licensing negotiations, and urged the site to reconsider "as a matter of urgency." As a jab — apparently to show that YouTube should have plenty of money to spend on fees — PRS noted the site's parent company Google made $5.7bn in revenues in the last quarter of 2008.

The situation draws obvious parallels to how the automated streaming music service Pandora decided to block UK listeners in early 2008 because it couldn't afford a license with PRS and music labels. Pandora had attempted to work with copyright holders from the outset, as opposed to YouTube, which only more recently has been scoring licensing deals in an effort to generate more revenue.

But YouTube is the most popular online video streaming site out there — so it certainly begs the question of who can earn enough money in the biz if YouTube can't?

Yanking content off streaming sites appears to be an increasingly common negotiating ploy for both sides of the table. In December 2008, Warner Music Group began removing its videos from YouTube after claiming it wasn't getting a big enough cut of the profit. Apparently companies are betting customer outrage will spur the other side to bend to their demands. But when customers can get their content elsewhere more easily (and often illegally, where nobody gets paid) the licensing e-tantrum can certainly backfire on both.
 

Swedish Police Claim Massive Anti-Piracy Bust


Waiting in Wings of Pirate Bay Trial

Swedish police raided a location near Stockholm last month where computer equipment containing a huge bounty of alleged pirated material was seized by authorities.

The raid was carried out on 9 February, but private copyright advocacy outfit Antipiratbyrån only revealed that the bust had taken place late on Friday.

A server said to belong to a Nordic file-sharing ring known as Sunnydale was seized from a location in the Brandbergen neighbourhood, south of Stockholm, according to the anti-piracy agency.

It’s understood the server contained data equivalent to 16,000 movies.

"The well-organised pirates on the scene seem to have an inflated sense of their own ability to conceal themselves, but this raid shows that we can get to them,” said anti-piracy lawyer Henrik Pontén in a statement.

“Copyright applies to the internet too and we will continue to prioritise efforts to counteract these well-organised groups."

He claimed the Sunnydale ring, which consists of ten servers that contain some 65 terabytes of copyrighted material, had collapsed following the raid.

Pontén also claimed that the Sunnydale operation was the source of all pirated material found on The Pirate Bay.

However, The Pirate Bay co-founder, Peter Sunde dismissed some of the lawyer’s claims.

"More than 800,000 people have uploaded to The Pirate Bay, so I don't believe it's the source of everything. But it is possible that it's a major source," he told Swedish newspaper Svenska Dagbladet.

Sunde was the main spokesman during the now infamous entertainment industry versus The Pirate Bay trial that drew to a close last week. A judgment isn't expected until 17 April.

Source: TheRegister
 

Operation "Gold Donkey" Steals Bank Account Info from Millions



According to investigative reporters for WirtschaftsWoche, 21 million Germans have had their personal information stolen along with their bank account and bank code numbers. The thieves are offering to sell the data for 12 million euros (about 15.3 million dollars). It is believed the scammers gathered the data by using employees at financial institution call centers.

Could this happen in the U.S.?

It certainly could. Privacy laws throughout Europe are generally tighter than U.S. laws and Germany is among the tightest. Low employee morale, caused by a deteriorating job market and chaos within the financial sector makes crimes like this more likely. I'm sure it's tempting for employees to grab whatever data they can as they're shown the door or maybe they're just looking to add to a mediocre salary. Whatever the reason, it may be time to buckle up and prepare for a bumpy ride.

What could criminals do with this data? Make bank withdrawals.

Criminals can use the bank account info to make withdrawals - either big or small. A .57 cent bank withdrawal from 21 million accounts still adds up to... ummm... let me get my calculator out... $11.97 million dollars. And that's this month, and next month, and the next month, etc. until they're caught or they decide to make a big withdrawal and run.

Here's their strategy, detailed in an IT World article:

Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim's account, said Thierry Zoller, an independent security consultant based in Luxembourg.

Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said.


This is why carefully checking your bank records is important. If you see an unexplained entry - even if it's small - you should track it down until you understand where it came from. Otherwise you might unexpectedly see a much bigger withdrawal from the same source somewhere down the line.
 

Booming Cybercrime Economy Sucks in Recruits

By PK



The underground economy is booming even as the rest of the economy lurches towards recession, according to a new study by Symantec.

The net security giant reports that the cybercrime economy has grown into an efficient, global marketplace to handle the trade in stolen goods and fraud-related services. It estimates the combined value of goods in underground forums at $276m for the 12 months prior to the end of June 2008.

Credit card data made up nearly a third (31 per cent) of the advertised sales logged, recorded the Symantec study. Purloined credit card numbers sold for between $0.10 and $25 per card, with the average advertised stolen credit card limit coming in at around $4,000. Credit card information is often sold to fraudsters in job lots, with discounts for large purchases.

Login details for online accounts were the subject of one in five sales and the second most commonly offered commodity in underground crooks' bazaars. Stolen login details were offered for anything between $10 and $1,000, depending on the balance and location of compromised accounts. The average balance of these accounts was around 40,000.

Other items up for sale included email accounts and pirated computer games or application software.

Online currency accounts were by far the most popular method of payment, used to settle 63 percent of the sales monitored by Symantec.

During the 12 month period it spied on underground forums, Symantec spotted 69,130 advertisers. Between these sellers and buyers a total of 44,321,095 messages were posted to underground forums. The 10 most active advertisers collectively offered up $16.3m worth of stolen credit card details and $2m in purloined login credentials. A mixture of loosely connected individuals and organised groups are involved in the illicit trade, Symantec reports.

Advertisers use techniques such as multi-coloured text, capitalising certain words and repeated sales pitches to help their sales offers to stand out from the crowd. Sometimes sellers post requests for particular goods and services, such as credit cards from a named country, Symantec adds. Crooks, who drain millions from the legitimate economy, commonly reinvest the profits from successful scams into other ever-more elaborate grifts.

Underground forums provide a thriving marketplace for all forms of hacking tools and service. Botnets - networks of compromised PCs - sold for an average of $225. Phishing scam hosting services cost anything between $2 and $80. Keystroke logger prices came in at around $23.

Site-specific exploits of financial sites fetched far more money, with an average price tag of $740, and prices ranging from $100 to $2,999.

Cybercrooks have developed sophisticated business models such that recognised job roles and specialisms have evolved in the "recession proof" digital underground. These roles, and job descriptions as defined by Symantec, include:

* Trojan creators – high quality malicious code writers wanted
* Web exploiters – talented infectors sought
* Exploit experts - tech geeks, programmers and researchers required
* Traffic sellers - confident sales people required to market traffic
* Fraudsters – ambitious, well connected crooks required to steal data
* Outsourced rogue hosting companies – industry knowledge essential, must appear legitimate

Online fraudsters are making more use of outsourcing. Symantec found that organised crooks based in North America are using suppliers in eastern Europe for goods and services including malware creation and ATM skimming kits.

The geographical location of cybercrime servers is constantly changed as crooks attempt to stay one step ahead of law enforcement efforts to shut them down. North America played host to 45 per cent of cybercrime servers, with Europe putting in a strong second place performance with 38 per cent of the total. Other crook-serving systems were scattered around the Asia-Pacific region (12 per cent) and Latin America (five per cent).
 

Wanted: Prime Minister Gordon Brown's Fingerprints

By PK



The Guardian had an article recently about Britain's leading civil liberties groups No2ID and Privacy International planning to offer a £1,000 reward for the lawfully obtained fingerprints of Prime Minister Gordon Brown or Home Secretary Jacqui Smith.

The two groups, who are opposed to the UK government's planned ID card scheme, have launched the campaign to show the dangers of collecting fingerprints into a central government database, according to their websites. The article says that the groups are creating 10,000 pseudo 'Wanted' posters to be placed in tube stations and pub lavatories offering the cash for the fingerprints, saying that Brown and Smith are wanted for "planning to steal the fingerprints of the entire British population."

The groups stipulate on the poster that "the fingerprint must be obtained lawfully and can be located on a beer glass, doorknob or any object with a hard surface. Corroborating evidence is required to ascertain the identity of these thieves. The fingerprints will then be made publicly available."

The poster continues, "As fingerprint technology spreads, this government will essentially have back-door access to your computers, files, wallets and even cars and homes. We are offering this bounty to teach these individuals a lesson about personal information security."

Both No2ID and Privacy International are fully expecting to be prosecuted by the government for incitement.

Source: spectrum.ieee.org