Thursday 17 December 2009

Texas company lays out 'hacking' case against Minnesota Public Radio

By David Brauer
minnpost.com
Dec 15 2009

Do Minnesota Public Radio and reporter Sasha Aslanian realistically face
civil and criminal penalties after uncovering a Texas firm’s security
breaches involving state of Minnesota job-seeker data?

Lookout Services - which acknowledges an October security breach and
subsequent security weaknesses - claimed in a Dec. 14 statement that
their data was "illegally compromised." The company - which notes "only
the Minnesota Public Radio reporter viewed" some data and wants MPR to
disclose what was viewed - will "aggressively seek prosecution for this
egregious act," according to the statement.

In a Dec. 11 report, Aslanian said she was able to see "employee names,
birth dates, Social Security numbers and hire dates" on Lookout's web
site "without using a password or encryption software."

Lookout CEO Elaine Morley says that’s not the whole truth. She contends
Aslanian did use a password and ID to penetrate Lookout's security - and
told Morley so during a Dec. 7 phone call. Later, Morley asserts,
Aslanian used information from that penetration to view the state data,
even though she didn’t need a password or encryption that time.

Spymaster sees Israel as world cyberwar leader

By Dan Williams
TEL AVIV
Reuters
Dec 15, 2009

TEL AVIV (Reuters) - Israel is using its civilian technological advances
to enhance cyberwarfare capabilities, the senior Israeli spymaster said
on Tuesday in a rare public disclosure about the secret program.

Using computer networks for espionage -- by hacking into databases -- or
to carry out sabotage through so-called "malicious software" planted in
sensitive control systems has been quietly weighed in Israel against
arch-foes like Iran.

In a policy address, Major-General Amos Yadlin, chief of military
intelligence, listed vulnerability to hacking among national threats
that also included the Iranian nuclear project, Syria and Islamist
guerrillas along the Jewish state's borders.

Yadlin said Israeli armed forces had the means to provide network
security and launch cyber attacks of their own.

"I would like to point out in this esteemed forum that the cyberwarfare
field fits well with the state of Israel's defense doctrine," he told
the Institute for National Security Studies (INSS), a Tel Aviv
University think tank.

Five things you need to know about Social Engineering

By Robert McMillan
IDG News Service
December 16, 2009

SOCIAL ENGINEERING IS GROWING UP. Social engineering, the act of
tricking people into giving up sensitive information, is nothing new.
Convicted hacker Kevin Mitnick made a name for himself by cold-calling
staffers at major U.S. companies and talking them into giving him
information. But today's criminals are having a heyday using e-mail and
social networks. A well-written phishing message or virus-laden spam
campaign is a cheap, effective way for criminals to get the data they
need.

TARGETED ATTACKS ARE ON THE RISE. Northrop Grumman recently reported
that China was "likely" stealing data from the United States in a
"long-term, sophisticated network exploitation campaign." Security experts
have noticed criminals were "spear phishing"--getting Trojan horse
programs to run on a victim's computer by using carefully crafted e-mail
messages. Used to steal intellectual property and state secrets, spear
phishing is now everywhere.

CASTING A BROAD NET PAYS OFF TOO. Less discriminating criminals cast a
wider net with their attacks. They pick e-mail subjects everybody's
interested in: a message from the IRS, or even "a photo of you." The
more victims who click links and install the bad guy's software, the
more money the criminals make. Right now, "they're doing it with
messaging that is extremely broad," says Gary Warner, director of
research in computer forensics at the University of Alabama at
Birmingham.

FREE STUFF CAN BE COSTLY. Attackers love to tempt people with freebies,
security experts say. "The bait that works best is a popular device,"
says Sherri Davidoff, a penetration tester hired to see if she can break
into corporate networks. One of Davidoff's most successful techniques: a
fake employee survey. Victims fill it out thinking they'll qualify to
win an iPod if they hand over sensitive information. "Thirty to 35
percent will enter their usernames and passwords to get the iPhone," she
says.

PEOPLE TRUST THEIR (HACKED) FRIENDS. That trust allowed the Koobface
worm to spread throughout Facebook and led to a rash of direct-message
attacks on Twitter too. It's all part of the next round of
socially-engineered attacks, says Steve Santorelli, formerly a Scotland
Yard detective and now director of global outreach at Team Cymru. A few
years ago hackers were more focused on the quality of their code. Now,
he says, "they are putting an equal effort into social engineering."

Botnet Operators Infecting Servers, Not Just PCs

By Kelly Jackson Higgins
DarkReading
Dec 16, 2009

Botnet operators have always been able to easily infect and convert PCs
into bots, but they also are increasingly going after servers -- even
building networks of compromised servers.

Web servers, FTP servers, and even SSL servers are becoming prime
targets for botnet operators, not as command and control servers or as
pure zombies, but more as a place to host their malicious code and
files, or in some cases to execute high-powered spam runs.

"FTP servers are a hot commodity in the underground. They are regularly
used by drive-by download malware as well as a downloading component for
regular bots," says Mikko Hypponen, chief research officer at F-Secure.
"Another thing we've noticed is the use of SSL servers. Sites with a
valid SSL certificate get hacked and are used by drive-by-downloads."

Why SSL servers? "If a drive-by download gets the malware file through
an HTTPS connection, proxy and gateway scanners won't be able to scan
for the malware in transit, making it easier to sneak in," Hypponen
explains.
