Tuesday 1 December 2009

Priyanka's twitter update could be security threat

[Ankit Fadia, India's uber hacking expert, appears to heavily promote Viagra, or been hacked by evil spammers that found a way to subtly deface the web page. - http://attrition.org/errata/sec-co/fadia01.html - WK]


By Kumar Saurav
Mid Day
2009-11-23
Mumbai

Not just Priyanka Chopra, but any celebrity or public figure's Twitter updates can jeopardize national security, claims 24-year-old ethical hacker Ankit Fadia.

Mumbai-based cyber security consultant Ankit Fadia, who claims that his website Hacking Truths was judged as the second best hacking site in the world by the FBI, says social networking sites are the latest threat to India's security. The potency and penetration of social networking in the country has made it possible for anyone to track and connect with film stars, politicians and other public figures who were once beyond reach.

Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor and Barack Obama are just a few from a whole bunch of celebrities who update their Twitter status regularly. But "are they doing it wisely?" is what Fadia asks.


Why are you apprehensive about celeb tweeting?

If you follow celebs, you'll observe that they disclose information on where they are shooting, what their shooting schedule looks like and the hotel they are put up at. Unintentionally, they are inviting trouble, because troublemakers are hungry for such information.


Any instances?

Singer Britney Spears' account on Twitter is hacked almost once every two months. One of the hackers even claimed on her wall, that he's her public relation officer and that Britney is dead, with details about the date and venue of her funeral.

Indian politico Shashi Tharoor's account has been hacked several times too. Even Big B and Aamir Khan's blogs were hacked. Once a blog, website, social networking account is hacked, a hacker has full control over it. He can spread rumours, communicate with fellow criminals, and indirectly make you a partner in their crime.


How would you rate the technical stylishness of terrorists?

They are far ahead. When I was asked by the US intelligence to decode some scripts after the 9/11 attacks, I was stunned to see the kind of technology they used to communicate. The agencies had tracked some emails where a few individuals were frequently exchanging photographs of Canadian rockstar Avril Lavigne. Hidden text messages that aren't visible to the naked eye were being exchanged through these pictures.


What about Mumbai's 26/11 terror attacks?

For 26/11, they had used highly secured Voice Over Internet Protocol (VOIP) like Skype to communicate with each other. The data on VOIPs' servers is so huge that by the time you track them, the damage has been done and criminals are out of reach. The 26/11 terrorists had used the "proxy bouncing" technique, wherein they were sending messages through a Saudi Arabia-based server, while they were actually sitting in Pakistan.


Why is tracking such messages so difficult?

They know the loopholes, and how to use them effectively. Suppose three terrorists A, B and C want to communicate with each other, what they do is create a Twitter account and follow each other, thus forming a closed group. So if A posts a message saying "Plant Bomb at Parliament at 11 am", just B and C will be able to see the message. And since Twitter is based in the US, Indian authorities wouldn't have control over this exchange of messages.

Tracking messages is another problem. I will track a suspicious mail only if it's sent. If A wants to communicate with B, he will type an email and save it as a draft instead of sending it. Now B, who has A's password, will log in to A's account and read the mail in the "Draft" folder. Since the mail hasn't been sent, it becomes almost impossible to track it.


How do spammers and hackers operate in social networking sphere?

There are viruses, worms, spyware and malware that spread through social networking websites. One day, you receive a private message from one of your friends (who is already infected) containing a link to a Youtube video. Halfway through the video, it will prompt you to download some video plugin. Since the message comes from your friend, you trust it, but the moment you click it, you get infected. Get rich quick schemes, earn money online scams and various money laundering attacks now come through social networking sites.

Cyber crime danger

THE Police Force has forecast cyber crimes to increase by 40 to 50 per cent from 2010 to 2012.

Jemesa Lave of the police cyber crime unit said in these two years, it was anticipated that more complicated technological crimes would be perpetrated in Fiji.

Coupled with this, he said, was the anticipated shift from conventional criminal operations to cybercrime.

"We need legislation, we need to ensure that standards are put in place to address computer crime issues," Mr Lave said.

He said people needed to be aware that computer crimes knew no borders.

Mr Lave said the major challenge for Fiji was having implemented legislations to cover this.

He said at present, the police had some degree of capability to detect and investigate recently enacted decrees to ensure offenders were brought to justice.

At the cyber crime unit, there are 13 INTERPOL trainers in IT crime investigation, two certified computer forensics specialists, computer forensics specialists, one certified application forensics specialist, and one certified mobile forensics specialist.

Mr Lave said 70 per cent of the reports they received had been investigated by CID headquarters.

The nation needs a clear cyber war doctrine

By William Jackson
GCN.com
Nov 30, 2009

A recent study from McAfee on cyber crime and cyber warfare concluded that, like it or not, the world's information infrastructures are becoming theaters of war, as nations develop offensive and defensive capabilities to wage cyber warfare.

"Cyber weapons exist, and we should expect that adversaries might use them," said James Lewis, director of the Technology and Public Policy program at the Center for Strategic and International Studies. Lewis is one of 2,000 national and cybersecurity experts who were interviewed for the study.

The threat of cyber war is not comforting, but more disturbing is the fact that we do not know how to use the weapons we are developing. Our ability to defend ourselves and to take the struggle to our enemies is hindered by the difficulty in understanding the sources and motives behind what might be considered hostile action against our networks and systems. Unlike attacks by conventional and nuclear military weapons, cyber attacks tend to be asymmetrical, remote and hidden. It is difficult to tell who is behind an attack and what its objective is.

It is easy to blame North Korea or China for intrusions that seem to be launched from computers in those countries, but the location of a computer or network launching an attack says little about who is behind it.

CERT Australia pushes on network security

By Karen Dearne
The Australian
December 01, 2009

The new computer emergency response team, CERT Australia, will expect internet service providers to be more active in cleaning up infected computers operating on their networks.

Following the federal government's e-security review last year, the Internet Industry Association has been hammering out a voluntary ISP code of practice aimed at identifying botnet activity and alerting customers to security breaches.

Attorney-General's Department national security resiliency division head Mike Rothery said CERT Australia would be a two-way clearing house for notifications from local and international authorities, with responsibility for tracking down compromised machines in Australian domains.

"We'll be establishing relationships with our CERT counterparts so that if we identify (attacks coming from) compromised machines overseas, we can ask those authorities to trace the actual owners and seek that those be cleaned up," Mr Rothery said.

"Where identified machines appear to be in Australia -- and the notification may come from overseas or from a local ISP or web hosting company -- we will track down the owners through their ISP or web host and tell them their machines have been compromised.

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor

By Ira Winkler
CSO
November 29, 2009

For 15 years now, I have been publicly lambasting all of those people who have made their careers, or at least made fleeting news headlines, based on their declaration of an imminent Electronic Pearl Harbor. My disdain is based on several factors, but predominantly the lack of accountability for such statements. One industry analyst, for example, stated that there will be such an event by the end of 2003. Six years later, I didn't see anyone revisit the utter lack of such an event.

However, I now see things developing to the point where there can be a strategic attack on computer infrastructures. The key word is Strategic.

Another major issue I have with the people who stake their fame in information warfare is the lack of apparent understanding in the concept of military and geopolitical issues. Specifically, strategy implies long term impacts, generally at least 3-6 months. Tactical attacks have short term impacts. Yes, we have had many tactical attacks against different infrastructures. However, comparing these attacks to Pearl Harbor is insulting.

Pearl Harbor was a preemptive strike against the US Pacific Fleet. It significantly degraded the US Naval capability for several years. If the aircraft carriers were in Pearl Harbor as the Japanese expected, it could have been a complete knockout blow. So the question becomes, what can make a computer attack strategic?

[...]

Gilbert man loses job in case tied to alien-search software

By Emily Gersema
The Arizona Republic
Nov. 30, 2009

The search for intelligent life apparently has stopped for Brad Niesluchowski.

Higley Unified School District records obtained by The Arizona Republic show that Niesluchowski, of Gilbert, resigned in October after an investigation into suspicious activity, including the use of a program that searches satellite signals for extraterrestrial life.

According to the documents, district officials said they found Niesluchowski had abused his authority in purchasing and oversight of district technology and equipment, and downloaded to every district computer a University of California-Berkeley program that relies on volunteers and their personal computers to search satellite-collected data for signs of intelligent life in outer space.

Higley officials so far estimate the damages, energy usage and equipment losses linked to Niesluchowski at $1.2 million to $1.6 million.

District administrators hand-delivered a notice of termination of contract for cause to Niesluchowski on Oct. 7, which he refused to sign. He instead consulted an attorney, and then resigned at the attorney's advice.

According to the termination letter, Niesluchowski faces several allegations that he violated the terms and responsibilities of his contract and ethics policies - and is the focus of a criminal investigation. Documents show:

* During a warranted search of his home earlier this fall, Gilbert police found 18 computers and other equipment stolen from the district.

* District officials said they learned Niesluchowski never installed firewalls that would protect students' and staff members' personal information from hackers, exposing district computer and data to potential tampering or damage.

* District officials also say he failed to train and supervise other tech staff.

* Officials allege he downloaded to every district computer a University of California-Berkeley program known as "SETI@home." SETI is short for the "Search for Extra Terrestrial Intelligence."

Restaurants Sue Vendor for Unsecured Card Processor

By Kim Zetter
Threat Level
Wired.com
November 30, 2009

Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.

The restaurants, located in Louisiana and Mississippi, have filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all of the data embedded on the bank card magnetic stripe after the transaction was completed -- a violation of industry security standards that made the systems a high-risk target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant's Aloha POS system.

According to plaintiffs, Computer World's technicians allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and the PCAnywhere remote log-in and password that technicians used to access the POS systems was the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was "administrator" and the password was "computer."
