Thursday, July 28, 2011

Hackers on Italy's Cybercrime Unit

Italy's specialist police unit responsible for combating cybercrime suffered an embarrassing hack Monday by members of the loosely knit Anonymous hacktivist galaxy.

In a communique posted on Twitter, the hacker group claimed to have obtained more than 8GB of internal data from what it called the "Homeland Security Cyber Operation Unit in Europe" and said it would publish all the material it had obtained from its Italian branch.

The group said it had "owned" the server of the National Center for Computer Crime and the Protection of Critical Infrastructure (CNAIPIC) of the Italian police and would be publishing the material via the LulzSec and Anonymous communities under its #AntiSec campaign.

The hackers said the information came from computer hard drives seized in the course of police investigations. Rather than using it to facilitate the investigations, the hackers claimed, "this corrupt organization" had used the information illegally "to further the desire for power and money of various oligarchies."

"Many people are in prison awaiting trial while CNAIPIC used some of the data in the great game of international espionage," the hackers said.

The LulzSec statement said it had information on the Ministry of Transport in Egypt, the Ministry of Defense in Australia, and a number of companies in Russia including Atomstroyexport, Sibneft and Gazprom. It was not clear whether all the material originated with the CNAIPIC hack, however.

The group said it had commercial information on companies based in Gibraltar, Cyprus and the Cayman Islands, among them Line Holdings, Dugsberry Inc., Alpha Prime and Alpha Minerals.

U.S. entities identified included the Department of Justice and the Department of Agriculture as well as corporations and contractors "that were receiving public funding, though we can't understand why."

Other documents identified by the newspaper La Repubblica as having been hacked concerned the Madoff financial scandal in the U.S., Exxon Corp., the identity documents of Middle Eastern individuals and official documents written in Russian and Arabic.

There was even a chart showing CNAIPIC's telecom architecture and a photograph of uniformed officers who presumably work for the unit included in the hackers' information dump.

CNAIPIC's website says the unit is tasked with combating computer crime and protecting the nation's critical IT infrastructure. It employs highly specialized staff with experience in the sectors of cyberterrorism and industrial espionage, the site says.

Earlier this month police raided premises in Italy as part of an ongoing investigation into the activities of the Anonymous group and denounced three alleged members for possible prosecution, while in the U.S. the FBI arrested 14 of its alleged members for a series of DDoS (distributed denial-of-service) attacks against PayPal.

The latest hacking operation was pre-announced on Twitter on Friday: "The recent attacks by the international Anonymous and LulzSec movements are just a warning that this thought cannot be stopped. With this text we inform you that Opitaly is in a phase of renewal."

The Italian police said Monday it was investigating the scope of the alleged security breach. "Content has been published online that appears to come from the Communication Police's CNAIPIC unit and inquiries are under way into its authenticity," the police statement said.

A police spokeswoman said it was "only human" for the police to feel embarrassed over the affair.

SpyEye evades bank anti-fraud systems


Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people's online bank accounts, according to new research from security vendor Trusteer.

SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second.

In its latest versions, SpyEye has been modified with new code designed to evade the advanced systems banks have put in place to try to block fraudulent transactions, said Mickey Boodaei, Trusteer's CEO.

Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person views, the amount of time a person spends on a page and the time it takes a person to execute a transaction. Other indicators include the IP address a session comes from, for example when a person who normally logs in from the Miami area suddenly logs in from St. Petersburg, Russia.

SpyEye works fast: it can initiate a transaction automatically, much faster than an average person could do it by hand on the website. That speed is a key trigger for banks to block a transaction. So SpyEye's authors are now trying to mimic, albeit in an automated way, how a real person would navigate a website.
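The behavioural indicators named above (pages viewed, time per page, time from login to transaction, and an unusual login location) can be scored per session. The following is an added illustration, not Trusteer's or any bank's code: the log layout, the per-user location baseline, the thresholds and the four sample sessions are all constructed assumptions, and a real system would learn baselines per customer rather than read them from a table.

```python
"""Score an online-banking session on the behavioural indicators the article
describes (pages viewed, time per page, time to transaction, login location).

Added illustration, not Trusteer's or any bank's code. The log layout, the
per-user baselines, the thresholds and the sample sessions are constructed.
"""
from dataclasses import dataclass, field

# Constructed session records: (session_id, user, login_location,
# pages_viewed, seconds_from_login_to_transaction).
SAMPLE_SESSIONS = [
    ("s1", "alice", "Miami", 7, 95.0),          # unhurried human session
    ("s2", "alice", "St. Petersburg", 2, 1.2),  # scripted transfer, new location
    ("s3", "bob", "Boston", 4, 40.0),
    ("s4", "bob", "Boston", 3, 3.0),            # usual place, but far too fast
]

# Constructed baseline: where each user normally logs in from.
USUAL_LOCATION = {"alice": "Miami", "bob": "Boston"}

# Assumed thresholds; a bank would tune these per customer segment.
MIN_PAGES_BEFORE_TRANSFER = 3
MIN_SECONDS_PER_PAGE = 5.0
MIN_SECONDS_TO_TRANSACTION = 10.0


@dataclass
class SessionScore:
    session_id: str
    indicators: list = field(default_factory=list)

    def flagged(self) -> bool:
        # Hold the transaction for review when two independent indicators fire;
        # a single one (e.g. the customer travelling) is too noisy on its own.
        return len(self.indicators) >= 2


def score_session(session_id, user, location, pages, seconds_to_tx):
    """Return the behavioural indicators that fired for one session."""
    score = SessionScore(session_id)
    if location != USUAL_LOCATION.get(user, location):
        score.indicators.append("unusual_location")
    if pages < MIN_PAGES_BEFORE_TRANSFER:
        score.indicators.append("too_few_pages")
    if pages and seconds_to_tx / pages < MIN_SECONDS_PER_PAGE:
        score.indicators.append("pages_too_fast")
    if seconds_to_tx < MIN_SECONDS_TO_TRANSACTION:
        score.indicators.append("transaction_too_fast")
    return score


def review_queue(sessions):
    """Session ids whose transactions should be held, in log order."""
    scored = [score_session(*rec) for rec in sessions]
    return [s.session_id for s in scored if s.flagged()]


if __name__ == "__main__":
    for rec in SAMPLE_SESSIONS:
        s = score_session(*rec)
        print(rec[0], "HOLD" if s.flagged() else "pass", s.indicators)
```

Two caveats follow from the article itself. An automated transfer that deliberately browses a few pages and waits before submitting, which is what the new SpyEye code is said to do, passes every timing indicator here, so the location and device signals carry the decision. And because SpyEye initiates the transfer from inside the victim's own logged-in browser, the IP address is the victim's, so the "unusual location" indicator will usually not fire against it either; timing and navigation patterns are what remain, which is exactly why the malware authors are now working to imitate them.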

"They used to pay less attention to the way they execute transactions on the bank's website and now they are really trying to show normal user patterns," Boodaei said.

Boodaei said he has little idea of how successful SpyEye's new evasion code is, although Trusteer does collect intelligence from banks that have distributed its browser security tool, Rapport, to their customers. Trusteer has also noticed that SpyEye in recent months has expanded the number of financial institutions it is able to target in an increasing number of countries.

New target countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru. What that means is that more criminal groups around the world are purchasing the SpyEye toolkit, Boodaei said.

Financial institutions continue to increase their security spending to protect online transactions, said Avivah Litan, an analyst at Gartner who regularly consults banks on security issues.

Even to her, financial institutions are coy about revealing how hard they've been hit, but "everyone refers to Zeus or SpyEye -- some as common as the word 'teller'," Litan said.

Police have had some limited successes. In April, a 26-year-old Lithuanian and a 45-year-old Latvian were charged with conspiracy to cause unauthorized modifications to computers, conspiracy to defraud and concealing proceeds from crime for allegedly using SpyEye. A third, 26-year-old man whose nationality was not revealed was bailed pending further questioning.

SpyEye is actually a botnet with a network of command-and-control servers hosted around the world. As of Tuesday, some 46 command-and-control servers were online, according to the SpyEye Tracker, a website dedicated to gathering statistics about the malicious software.

That is sharply up. In May, there were just 20 or so active servers responding to computers that were infected with SpyEye, said Roman Hüssy, who runs the site.

Wednesday, July 27, 2011

Black Hat


A demo at Black Hat next week will remotely hack a car alarm, unlock the doors and start the vehicle, but that's just a parlor trick to call attention to a bigger problem that has the Department of Homeland Security on alert.
The same type of exploit could just as easily knock out power grids and water supplies, says Don Bailey, a security consultant with iSec Partners, which is presenting the research at the conference in Las Vegas.
The common thread is that the car alarm and certain devices on critical infrastructure networks are all connected to public phone networks in ways that are fairly simple to compromise, he says. That could enable unauthorized remote manipulation of supervisory control and data acquisition (SCADA) systems and potentially endanger assets like public utilities. "Now I can make your water undrinkable," says Bailey. "That's scary."
Black Hat notifies Homeland Security if research being presented could offer tools to terrorists, Bailey says, and he has briefed DHS on his talk with the aim of warning vendors about the vulnerabilities so they can close them.
Bailey and his fellow researchers took a look at devices that are attached to phone networks for the purpose of receiving control messages and discovered two types. Then they figured out how to distinguish these devices from all the less interesting devices connected to phone networks such as phones, modems and faxes.
By following clues in owner's manuals or with a little reverse engineering of some hardware, they were able to send control messages to individual devices. He says they were able to compromise the car alarm in about two hours.
He says he won't reveal the names of makers of vulnerable products, but that his team and the DHS are spreading the word to them so the threat can be minimized.
The devices in question are attached to phone networks to directly receive messages at specific phone numbers, via SMS or over IP networks. If they are controlled over IP networks, customers that own the devices access them via a network set up by the manufacturer of the product, he says.
He was able to tap into those networks by buying one of the devices and monitoring its output to determine how it called home, then use that type of message to access and give control messages to other similar devices, he says.
The problem is that these devices don't ensure confidentiality of the control messages being sent back and forth to the devices. A fix would be to integrate security into the development of the software controlling the devices, he says. It seems the firmware for the devices was designed for functionality but not security, leaving them vulnerable.
"We're not doing rocket science here," Bailey says about the hacks of the devices. "I shouldn't have been able to take that car alarm and own it in less than two hours."
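The weakness described above is that a control message captured from one device can be sent to any similar device, because nothing ties the message to a device or to a moment in time. The following is an added illustration of the kind of firmware-side fix Bailey calls for; it is not iSec Partners' research code nor any vendor's implementation. The message layout (device_id|counter|command|tag), the per-device key, the 160-character SMS budget and the sample commands are constructed assumptions. The article speaks of confidentiality; this example shows authentication and replay protection, which is what stops a recorded message being reused against another unit, and leaves encrypting the command text itself out of scope.

```python
"""Authenticated, replay-resistant control messages for an SMS-controlled device.

Added illustration, not iSec Partners' or any vendor's code. Message layout,
key provisioning and commands are constructed assumptions.
"""
import hashlib
import hmac

MAX_SMS_CHARS = 160          # assumed single-segment SMS budget
TAG_HEX_CHARS = 32           # 128-bit truncated HMAC-SHA256, fits in one SMS


def _tag(key: bytes, device_id: str, counter: int, command: str) -> str:
    """MAC over everything the device acts on, keyed per device."""
    data = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


class Controller:
    """The legitimate sender (e.g. the vendor's back end) for ONE device."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def build_sms(self, command: str) -> str:
        self.counter += 1  # monotonic counter: each message is valid once
        msg = f"{self.device_id}|{self.counter}|{command}|" \
              f"{_tag(self.key, self.device_id, self.counter, command)}"
        if len(msg) > MAX_SMS_CHARS:
            raise ValueError("command too long for one SMS")
        return msg


class Device:
    """Firmware-side verifier. Rejects anything unkeyed, foreign or replayed."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key          # provisioned per unit, never shared across units
        self.last_counter = 0
        self.executed = []      # commands actually acted on

    def handle_sms(self, text: str) -> str:
        parts = text.split("|")
        if len(parts) != 4:
            return "rejected: malformed"      # bare "DISARM" style messages
        dev, ctr_text, command, tag = parts
        if dev != self.device_id:
            return "rejected: not for this device"
        try:
            counter = int(ctr_text)
        except ValueError:
            return "rejected: malformed"
        expected = _tag(self.key, dev, counter, command)
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"        # wrong key or tampered fields
        if counter <= self.last_counter:
            return "rejected: replay"         # recorded message sent again
        self.last_counter = counter
        self.executed.append(command)
        return "ok"


if __name__ == "__main__":
    key_a = b"\x01" * 32                      # constructed demo key
    unit, backend = Device("ALARM-A", key_a), Controller("ALARM-A", key_a)
    m = backend.build_sms("DISARM")
    print(unit.handle_sms(m))                 # ok
    print(unit.handle_sms(m))                 # rejected: replay
    print(unit.handle_sms("DISARM"))          # rejected: malformed
```

Per-device keys are the point: a message recorded from a unit the attacker bought verifies only on that unit, so the "buy one, then drive the rest" approach the article describes fails at the tag check, and the counter stops the recorded message from being replayed even at the original unit.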

Hackers on FBI jobs


"The FBI (Federal Bureau of Investigation) is seeking a senior security consultant for a permanent position." This is probably the next job offer that will appear on the FBI job site (fbijobs.gov) as they got defaced yesterday.
A Turkish crew, known as turkguvenligi.info, managed to exploit a SQL injection flaw and insert a record that redirected the "events" page to an image with their site name.
Here is the screenshot of the defacement:

Hackers on US army website


Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.
"TinKode," a Romanian hacker who previously found holes in NASA's Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. "With this vulnerability I can see/extract all things from databases," he blogged.
TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site's name.
"Four-character passwords that are the same name as the database table names are inexcusable," says Robert "RSnake" Hansen, founder of SecTheory.
Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. "[This is] a good example of how terrible our security posture is, and he didn't even have to do anything tricky to find the exploit," he says.
TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker "unu" demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.
SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.
"Every organization has these problems," Hansen says. "They may not realize it, but they're just waiting for a smart kid to come along and copy off every critical piece of information they have."
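Both defects in the Army housing story, a query built from user input and passwords kept in clear text, have standard fixes, shown together below. This is an added illustration, not the site's code nor TinKode's proof-of-concept: the table, column names and the two sample accounts are constructed, and SQLite's in-memory database stands in for whatever the site actually used.

```python
"""Parameterised queries beside a string-built one, and salted password hashing
beside the clear-text storage the article describes.

Added illustration; table layout and sample accounts are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_weak_password(password: str, reserved_names: set) -> bool:
    """Reject short passwords and ones equal to a table or site name."""
    return len(password) < 8 or password.lower() in {n.lower() for n in reserved_names}


def make_db() -> sqlite3.Connection:
    """Constructed users table; only salted hashes are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash BLOB, salt BLOB)")
    for name, password in [("admin", "correct horse battery"), ("guest", "welcome-guest-1")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, hash_password(password, salt), salt))
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    # The user's text becomes part of the SQL statement itself.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name: str) -> list:
    # The value travels separately from the statement and is never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def vulnerable_lookup_fails(conn, name: str) -> bool:
    """True when the string-built statement cannot even be parsed for this input."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def verify_password(conn, name: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(row[0], hash_password(password, row[1]))


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "admin"))                    # ['admin']
    print(find_user_safe(db, "O'Brien"))                  # []
    print(vulnerable_lookup_fails(db, "O'Brien"))         # True
    print(verify_password(db, "admin", "correct horse battery"))
```

The apostrophe case is the useful one to keep in mind: an ordinary surname breaks the string-built query outright, which is the same parsing behaviour an attacker exploits, while the placeholder version treats it as data. On the storage side, a leaked table of salted PBKDF2 hashes does not hand over working credentials the way the clear-text AHOS password did, and the policy check refuses the four-character, name-of-the-site passwords Hansen calls inexcusable.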

Hackers take Twitter offline


IDG News Service - Microblogging site Twitter went offline for a while Friday after hackers calling themselves the Iranian Cyber Army apparently managed to change DNS records, redirecting traffic to another Web page.
Instead of the usual Twitter Web site design, visitors to the site instead saw a black screen with an image of a green flag and Arabic writing. The defaced site also included a message that said, "This site has been hacked by Iranian Cyber Army," and an e-mail address.
Whether or not Iranian hackers are responsible for the attack wasn't immediately clear. However, Twitter and other Internet sites have been used by Iranian opposition groups and protestors to share details of anti-government protests in that country.
Twitter blamed the outage on changes made to the company's DNS (Domain Name System) records, which match the company's domain name with the IP addresses of its servers.
"Twitter's DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon," Twitter said on its Twitter Status page.
Based on Twitter's account of the attack, it's possible that the company's servers were never compromised. The actual attack may have instead targeted Dyn, the DNS service provider that manages Twitter's DNS records, according to whois records.
While the outage left Twitter users cut off from the service for about an hour, the type of attack wasn't serious, according to Dhillon Andrew Kannabhiran, founder and CEO of Hack In The Box, a Malaysian company that runs security conferences in Europe, the Middle East and Asia.

Apple's Hot News


New, Faster MacBook Air

July 20, 2011
Apple today updated the MacBook Air with next-generation Intel Core processors, high-speed Thunderbolt I/O technology, a backlit keyboard, and Mac OS X Lion, the world’s most advanced operating system. With up to 2.5x the performance of the previous generation, flash storage for instant-on responsiveness, and a compact design so portable you can take it everywhere, MacBook Air is the ultimate everyday notebook. MacBook Air starts at $999 (US) and is available for order today and in stores tomorrow.