Showing posts with label Video.

Get Rich or Die Trying (BlackHat USA)

By PK


The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend, and more importantly issues potentially generating 4, 5, 6 or even figures a month in illicit revenue.

In many ways, though, this is more like predicting the present, since just about every example we gave was grounded in a real-world public reference and backed by statistics. We also wanted this presentation to be very different from what most people are used to at BlackHat, where talks tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.
 

YouTube Blocks Music Videos in UK

By PK


Content yanksploitation against royalty collectors

YouTube is blocking most of its music videos from UK viewers after negotiations with British royalty collectors turned sour.

The Performing Rights Society (PRS) for Music, a group representing artists and publishers, and YouTube both blame each other entirely for the impasse, of course.

Patrick Walker, YouTube's top pact-maker in Europe said in a blog post today that the site will block all "premium" music videos in the UK until it can strike up a new contract with PRS that is "economically sustainable."

"But PRS is now asking us to pay many, many times more for our license than before," he wrote. "The costs are simply prohibitive for us - under PRS's proposed terms we would lose significant amounts of money with every playback."

He also claims PRS is unwilling to even tell the video streaming site what songs are included in the licensing renewal being negotiated. Walker claims the deal is "like asking a consumer to buy an unmarked CD without knowing what musicians are on it."

PRS appears to have been taken off guard by YouTube's sudden yanking of content. Shortly after the site said it's pulling UK music videos, PRS chief Steve Porter announced he was "shocked and disappointed" to receive a call late in the afternoon informing him of YouTube's drastic action.

The music group claims YouTube wants to pay "significantly less than at present to the writers of the music on which their service relies, despite the massive increase in YouTube viewing."

PRS said YouTube's decision to block music videos in the UK was done in the middle of licensing negotiations, and urged the site to reconsider "as a matter of urgency." As a jab — apparently to show that YouTube should have plenty of money to spend on fees — PRS noted the site's parent company Google made $5.7bn in revenues in the last quarter of 2008.

The situation draws obvious parallels to how the automated streaming music service Pandora decided to block UK listeners in early 2008 because it couldn't afford a license with PRS and music labels. Pandora had attempted to work with copyright holders from the outset, as opposed to YouTube, which only more recently has been scoring licensing deals in an effort to generate more revenue.

But YouTube is the most popular online video streaming site out there — so it certainly begs the question of who can earn enough money in the biz if YouTube can't?

Yanking content off streaming sites appears to be an increasingly common negotiating ploy for both sides of the table. In December 2008, Warner Music Group began removing its videos from YouTube after claiming it wasn't getting enough cut of the profit. Apparently companies are betting customer outrage will spur the other side to bend to their demands. But when customers can get their content elsewhere easier (and often illegally, where nobody gets paid) the licensing e-tantrum can certainly backfire on both.
 

Airport Wireless Networks - Not As Safe As You Think

By PK


Whether you're a business traveler touching base with the home office or a vacationer catching up on some last-minute Christmas shopping during holiday travel, airport wireless networks are a welcome distraction during a layover.

But beware...

According to a recent article in Forbes, anyone who logs on using an airport wireless connection is instantly exposed to data and identity theft.

How Bad Are They?

Forbes interviewed a so-called "white-hat hacker" working for AirTight Networks (which makes wireless security software and hardware) and found that during AirTight's survey of 20 American airports, its agents had identified serious security flaws in nearly every network. Some airports even allowed critical baggage-handling and ticketing data to pass through their network unencrypted, a potential security risk in more than just the digital sense.

The purpose of the tests was to alert airports to the problem in the hopes that they would choose to hire AirTight as their security provider, but in the short term, let it stand as a warning to travelers: You are nowhere near as safe logging in at an airport hub as you are even at home. Even shopping malls and many universities provide more network protection to their users, and since there are currently no laws on the books that require airports to try any harder, don't expect any of this to change overnight.

This video from Forbes provides more details on what you should watch out for:



Here's a quote from Forbes on how bad things are:

They found rampant phony Wi-Fi hot spots created by phishers and, at several large airports, plenty of open or insecure networks run by critical operations such as baggage handling and ticketing. Almost all public networks allowed data such as user names and passwords to pass through the air unencrypted. Only 3% of people used something more secure.


How Do I Stay Safe?

Most security experts would recommend these four steps to relative safety on public wireless networks like those found in airports:

1. Be sure that you're connected to a legit network. Phishers sometimes set up bogus hotspots in airports, waiting for unsuspecting travelers to log on.
2. Use a firewall.
3. Don't type in any credit card information or critical passwords while connected to these networks.
4. Disconnect from the network when you're not using it.

These steps won't guarantee you 100 percent safety, but it's a good start if you decide that uploading those Christmas photos to Flickr can't wait until tomorrow.
 

Learn How to Dispose of Cell Phones



Remember when the McCain campaign had that garage sale a few months back and sold two BlackBerries with hundreds of GOP contacts still saved on them? It may have seemed like a silly blunder to those who heard about it at the time, but it turns out that most of us are just as careless with our mobile phones and handheld devices as the McCain staffers were with theirs.

99% of Cell Phone Recyclers Neglect to Erase Data

According to a study by Regenersis, one of the leading electronics recycling firms in the world, 99 percent of recycled cellular phones are handed over with their owners' personal information and contact lists completely intact. The company took a random sample of 2000 devices in the month of December and found that only a handful of consumers had bothered to delete information like emails, banking data, or addresses.

How to Remove Data Before Handing Over An Old Cell Phone

Very few recyclers offer the service of wiping devices before they pass them along, but even if they did, you'd still be handing over an extensive catalog of personal information to a perfect stranger and trusting them to do the right thing.

To take matters into your own hands:

* Remove the SIM card from your phone. It's a little plastic memory card usually located behind the back cover underneath the battery.
* Call your service provider and ask them to disconnect the phone from your account.

That's it! That wasn't hard, was it?

Unfortunately, if you own an iPhone or BlackBerry, it can be a little more complicated, but these videos should help:

Erasing Data in a BlackBerry





Erasing Data in an iPhone



An Important Disclaimer

If you've got national security secrets on your phone, or maybe mission briefings and data from U.S. soldiers in Iraq and Afghanistan, it's important to remember that there's no way to completely erase a handheld device. Sophisticated forensic recovery methods are capable of reversing pretty much any data-destroying trick that doesn't involve a hammer or a blowtorch, so for highly sensitive data you should probably contact a specialist. For the rest of us, though, the above methods should do the trick.
 

HTTP Command & Control Attack Targets

By PK
This movie represents the locations of the targets of HTTP botnet command-and-control DDoS attack commands we observed between the 29th of February 2008 and the 5th of May 2008. HTTP C&Cs may be newer than IRC, but they can still pack a significant punch!



Copyright © 2009 Team Cymru, Inc.
 

Weak Password Brings 'Happiness' to Twitter Hacker

By PK
An 18-year-old hacker with a history of celebrity pranks has admitted to Monday's hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness."

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

"I feel it's another case of administrators not putting forth effort toward one of the most obvious and overused security flaws," he wrote in an IM interview. "I'm sure they find it difficult to admit it."

The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with Threat Level on Tuesday after other hackers implicated him in the attack.

The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as "Crystal." He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. "I thought she was just a really popular member," he said.

Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal's account.

That's when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder's password through the administrative panel. He also realized he hadn't used a proxy to hide his IP address, potentially making him traceable. He said he hadn't used a proxy because he didn't think the intrusion was important enough to draw law-enforcement attention, and "didn't think it would make headlines."

He said he decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster, a forum for hackers and former hackers, offering access to any Twitter account by request.

"I ... threw the hack away by providing DG free accounts," he said.

He also posted a video he made of his hack to prove he had administrative access to Twitter.



President-Elect Barack Obama was among the most popular requests from Digital Gangster denizens, with around 20 members asking for access to the election campaign account. After resetting the password for the account, he gave the credentials to five people.

He also filled requests for access to Britney Spears' account, as well as the official feeds for Facebook, CBS News, Fox News and the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Other targets included additional news outlets and other celebrities. Fox won the hacker popularity contest, beating out even Obama and Spears. According to Twitter, 33 high-profile accounts were compromised in all.

GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

On Monday morning, the Twitter accounts belonging to Obama, Britney Spears, FoxNews and others, began sending out bogus messages.

Someone used the Obama account to send out a message urging supporters to click on a link to take a survey about the president-elect, and be eligible to win $500 in gasoline. A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay," while a message from Britney Spears' feed made lewd comments about the singer.

It was initially believed that the Twitter account hijackings were related to two phishing scams that surfaced over the weekend. But GMZ's hack was unrelated.

Shortly after GMZ posted his original message to Digital Gangster, the site's administrator deleted it, along with the responses from members asking for access to other accounts. But a subsequent thread on the site supports GMZ's account of the hack.

GMZ said he didn't access any of the high-profile accounts himself, and didn't send out any of the bogus tweets. He thinks he was in Twitter a couple of hours before the company became aware of his access and locked him out.

Twitter co-founder Biz Stone confirmed for Threat Level that the intruder had used a dictionary attack to gain access to the administrative account, but wouldn't confirm the name of the employee who was hacked, or the password. He also wouldn't comment on how long the intruder was in the Twitter account resetting passwords before he was discovered.

"Regarding your other questions, I'd feel more comfortable addressing them once we've spoken to counsel because this is still ongoing," he wrote Threat Level in an e-mail.

Stone said that Twitter has already been contacted by the Barack Obama campaign about the hack and has been in touch with everyone whose account was accessed by the intruders. He said Twitter had not had contact with the FBI or any other law enforcement agency.

"We're waiting to hear back from our lawyer about what our responsibilities are about this and how to approach it," Stone said in a separate phone interview.

As for addressing the security issues that allowed the breach, he wrote in a follow-up e-mail that the company is doing "a full security review on all access points to Twitter. More immediately, we're strengthening the security surrounding sign-in. We're also further restricting access to the support tools for added security."

GMZ, who said he's been hacking for about three years and is currently studying game development, said he conducted the dictionary attack using a script he wrote and used last November to break into the YouTube account of teen queen Miley Cyrus.

That hack gained widespread attention when someone posted a video memorial to Cyrus on the account, claiming Cyrus had died in a car accident. GMZ said a friend of his was responsible for the hoax.

GMZ said he's used the same dictionary attack to breach the SayNow accounts of Disney star Selena Gomez and other celebrities.

After YouTube blocked his IP and patched some vulnerabilities he was exploiting, he decided "for the fun of it (curiosity and self-entertainment) I'll pen-test Twitter." He was "shocked to realize that there was no rate limit" to lock someone out after a specific number of failed password attempts.

He said he'd never even heard of Twitter until he saw someone mention it on YouTube.

Source : WIRED Blog Network
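As an added illustration (not part of the Wired article and not Twitter's code), here is a per-account failed-login throttle of the kind whose absence the article describes, with a simulated word-list attack run against it. The window, threshold and lockout values are assumed policy settings, and the account name and word list are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values; Twitter's actual post-incident settings are not public.
WINDOW_SECONDS = 300    # sliding window in which failures are counted
MAX_FAILURES = 5        # failures within the window that trigger a lockout
LOCKOUT_SECONDS = 900   # how long sign-in is refused after the threshold is hit


class LoginThrottle:
    """Counts failed sign-ins per account and locks the account at the threshold."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires

    def allowed(self, account, now):
        """False while the account is locked out; every attempt is refused then."""
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if it triggered a lockout."""
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop failures outside the window
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()


def simulate_dictionary_attack(words, password, throttle=None, account="staff", start=0):
    """Guess one word per second as an automated tool would; returns (cracked, guesses).
    throttle=None models the pre-incident state (no rate limit): every word is checked.
    With a throttle, guesses made during a lockout never reach the password check."""
    for i, word in enumerate(words):
        now = start + i
        if throttle is not None and not throttle.allowed(account, now):
            continue
        if word == password:
            if throttle is not None:
                throttle.record_success(account)
            return True, i + 1
        if throttle is not None:
            throttle.record_failure(account, now)
    return False, len(words)
```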
 

Video: Sneaky New ATM Skimmer Found in Pennsylvania

By PK
An alert bank customer thought the speaker mounted over his bank's ATM looked suspicious, so he called the cops. It turned out to be a skimming device blamed for $300,000 in losses. NBC-10 has the report.