Saturday, 10 September 2011

Ethical hackers battle to prevent 'information security apocalypse'

(CNN) -- Barely a day passes without news of another major computer security breach. Last week a hacking network named "Hollywood Leaks" began their attack on the personal data of celebrities, officially adding the glitterati to a roll of shame that already includes targets as diffuse as Sony, the Church of Scientology and PayPal.

However only a few days before the emergence of this latest hacking outfit, a far less conspicuous but similarly-skilled group met at a London hotel to discuss the other side of all matters of information security, otherwise known as "infosec".

The inaugural 44Con was Britain's first major conference for the good guys of infosec. Among the 300 delegates and speakers were a number of so-called "white hats", programmers and penetration testers specifically employed to discover businesses' weak spots.

Using information from these ethical hackers, manufacturers can remedy or "patch" the problem before its release and companies can take measures to safeguard their data.

Although their more destructive brethren might continue to grab headlines, 44Con demonstrated that the fight against hackers, and other more traditional threats to information security, is also strong.

"The way people use and consume media and share information has drastically changed over the past ten years," said Steve Lord, a security professional and co-founder of 44Con.

"The information that we used to think would stay on a computer, in an increasingly networked world, it goes everywhere. So there is an increasing demand for people to secure that information because otherwise people won't put it there."

44Con attracted representatives from governments and members of the military, alongside risk managers, consultants and students. According to Lord, the roll call included "hackers, freaks, geeks, spooks and kooks," none of whom was required to identify themselves further than a first name.

"It's everyone around the table all looking at the same problems and hopefully coming up with some solutions," Lord said.

High-profile hacking is only one strand of the ongoing battle to protect electronic information from damage or infiltration.

Events at 44Con ran the gamut from workshops demonstrating old-fashioned lock-picking with a paperclip, through discussions of threats to iPads and smart phones and even a presentation of how NASA's transmissions to astronauts have recently been intercepted.

"We've got a serious problem here... like the global financial crisis," said Haroon Meer, a researcher at the infosec consultancy, Thinkst. But although Meer also referred to "our upcoming security apocalypse", others were focused on how intelligence can be used to predict attacks before they occur and, crucially, how to acquire boardroom backing for improved security measures.

Infosec professionals often converse in a language that is not always immediately accessible to a layman (executives included), but the result of their endeavors can often be startlingly clear.

"Every single guy at boardroom level that I speak to says, 'Are we going to be the next Sony?'" said Lord, referring to the recent devastating hack on the electronics giant. "Everybody had a look at the Sony thing and thought, 'Oh God, I hope I'm not next.'"

Several presentations at 44Con offered chilling demonstrations of the vulnerabilities of common business devices. Alex Plaskett, a consultant at MWR InfoSecurity, who described himself as someone who has been "professionally breaking things" for many years, performed a so-called "drive-by" exploit on a Windows 7 smart phone.

Independent security consultant, Neil Kettle, performed a take-down of the much garlanded online banking security software Trusteer Rapport, running a key-logging program that replicated on screen anything a user might be entering into supposedly secure password fields.

Another security expert Roelof Temmingh showcased the most recent version of Maltego, software that analyzes and compares freely available information from numerous social networking sites.

Using the website of the Executive Office of the President as an example, Temmingh was able to extract specific information such as favored restaurants among White House staffers, as well as other behavioral trends.

"Even if we don't want to attack, what can we learn?" Temmingh asked, before revealing that at least one member of the Bush administration was a fan of Moody's Diner, visited a psychic medium named "Rosemary the Celtic Lady" and was a keen editor of Wikipedia pages.

The examples were deliberately banal and outdated, but the implication was clear. Through similar paths, hackers of more nefarious intentions could determine what versions of browsers are being used in the White House, for instance, and probe specific vulnerabilities. "If you can exploit the browser of a leader, then you've exploited the PC of a president," Temmingh warned.

However it was left to Alexis Conran, a former confidence trickster who appeared in a British TV show called "The Real Hustle", to sum up the challenges still faced by the infosec sector.

"The general public will only take steps to protect themselves if they know what the dangers are," he said.

[CNN]

Cybercrooks prey on 9/11 anniversary

Malware, 'commemorative coin' auctions and fake charity donation

Cybercrooks are gearing up for the 10th anniversary of the 9/11 attacks with a range of malware traps and hacking attempts both on social networks and the wider internet, net security firm BitDefender warns.

The first wave of these attacks comes in the form of newly established websites offering supposed content such as "Bin Laden alive", "in depth details about the terrorist attack", "police investigation results" and "towers going down" to attract the curious.

The sites are filled with links to scareware and phishing sites. Others have created fraudulent charity donation sites that serve only to line their greedy pockets at the expense of genuine gift-giving sites.

In addition, fraudsters are running fake auctions and sales of items supposedly linked to the devastating attacks, such as shards of metal from the twin towers or even "commemorative coins" supposedly minted from silver collected at the attack site.

More scams, perhaps involving malware, can be expected to follow over the coming days.

“Because of the advancement of hacking and spamming technology over the past decade, plus the significance of the anniversary and increased media coverage, Sept 11 this year may prove hectic on the malware front,” said Catalin Cosoi, head of the Online Threats Lab at Bitdefender.

BitDefender says many of the scams likely to be on show are similar to those seen during anniversaries of the London bombings of July 2005.

Cybercrooks marked remembrances of the 7/7 attacks with fake donation requests, spamming of viruses disguised as supposed videos of the assaults and advance-fee fraud email scams. ®

[TheRegister]

People Who Get Malware Also Get Mugged More Than Usual


Our Lifehacker AU comrades point out this interesting fact from Norton's latest Cybercrime report: People who fall victim to malware are statistically more likely to be mugged in real life too. Interesting.

The obvious caveat is that correlation doesn't imply causation, but it is a bit telling to see that these two statistics are linked. Could it be that people who aren't careful online—because honestly, that's what falling victim to malware is—aren't careful in meatspace either?

Norton's internet safety advocate agrees, and says "Clearly these people aren't taking enough care in their real-world interactions and it carries over in their online world." Just think about people you know and how careful they are in their everyday dealings with other people. The more guarded or suspicious you are, the less likely you are to hand over your personal information to a shady site or click a link or open an attachment you're not sure about.
Norton Cybercrime Report (PDF) via [Lifehacker]

Thursday, 8 September 2011

Massive Hack Attack Plunges Netherlands Into the Stone Age


An attack on a company that certifies secure websites has forced the Dutch government to abandon email for faxes and snail mail. How long before frustrated citizens take to the streets and smash windows with postal scales and rolls of thermal paper?

A recent hack of the Dutch-based security company Diginotar has rendered many of the Dutch government's websites insecure and unusable for official business. According to the Wall Street Journal:

In what is shaping up as one of the most damaging hacking cases for a single country, courts have advised lawyers to switch to fax and old-fashioned paper mail instead of email.

Lawyers can't access the Dutch Bar Association's Intranet, and have been told by courts to switch to fax machines and mail until the problems are solved.

So what's going on? While most of the world has been too bored by the details to really care, a huge hacking attack has rocked the system of certification many important websites rely on to assure their authenticity. A hacker broke into Diginotar, one of the largest issuers of these certificates, and stole certificates allowing them to set up fraudulent websites and snoop on users' personal information and communication. For more than a week in July, fake certificates for sites like Google, Twitter—even the CIA—were in circulation.

According to a report by the security firm Fox-IT, the certificates were likely used to intercept communications in Iran. A notorious Iranian hacker named Comodohacker has claimed responsibility for the hack, hiding this understated message in the script he used to bust into Diginotar.

"THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS
MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE"

As far as hacking attacks go, the Diginotar attack wasn't as obviously spectacular as, say, a massive dump of user names and passwords. But Dutch people now have to remember how to attach a stamp to a letter! And with the U.S. postal service liable to go out of business at any moment, such an attack would basically send the U.S. back to the mid-1800s, all gas-lit lamps and Pony Express.

Wednesday, 7 September 2011

Cyber crime now bigger than the drugs trade


The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine, which is estimated at $388bn, a new headline-grabbing study reported.

The Norton Cybercrime Report puts the straight-up financial costs of cyberattacks worldwide at $114bn, with time lost dealing with the crime adding the remaining $274bn, while the global black market in the three drugs costs $288bn.

Every second, 14 adults become the victim of some sort of cybercaper, adding up to over a million victims every day, the report from Norton-maker Symantec said, with young men who access the web on their mobiles the most likely victims.

But despite the large number of victims, people aren't doing enough to stop it for themselves. Although 74 per cent of people say they're aware of cybercrime, 41 per cent of them don't have up-to-date security software and 61 per cent don't use complex, regularly-changing passwords.

“There is a serious disconnect in how people view the threat of cybercrime,” said Adam Palmer, Norton's lead cybersecurity advisor. "Over the past 12 months, three times as many adults surveyed have suffered from online crime versus offline crime, yet less than a third of respondents think they are more likely to become a victim of cybercrime than physical world crime in the next year."

The most common cybercrime issues are malware and viruses, which have affected 54 percent of those surveyed, with online scams second (11 per cent), and phishing catching 10 per cent of adults out.

Cyber-villainy is also on the up on phones, with 10 per cent of adults having been victims of an attack on their mobile, according to the study. The study surveyed almost 20,000 people in 24 countries. ®

[The Register]

Saturday, 3 September 2011

Webcam sextortion perve gets 6 years

Hacked girls' PCs and blackmailed them to pose



A Peeping Tom webcam sextortionist has been jailed for six years after targeting several young women.

Luis Mijangos, 32, a resident of Santa Ana, California, was imprisoned on Thursday after he was convicted of hacking into more than 100 computers, using stolen personal information, to blackmail his young female victims into posing for sexually explicit videos and pictures.

Mijangos, a freelance computer consultant who is confined to a wheelchair, used malware to compromise victims' machines. In one case he posted naked photos of a woman on her friend's MySpace page. In another he posed as a victim's boyfriend in order to trick her into posing for revealing pictures.

Mijangos used modified versions of remote access tools, such as Poison Ivy or SpyNet, which he planted onto file-sharing networks or sent to victims disguised as video clips or songs so that he could gain compromised access to their PCs, Computerworld reports.

The case is the latest in a long list of prosecutions of voyeurs who used computing technology to abuse victims. For example, Adrian Ringland of Ilkeston, Derbyshire, was jailed for 10 years back in 2006 after he was convicted of using spyware to take explicit photos of kids using compromised access to computer webcams. In 2008, a 47-year-old Cypriot got four years for taking illicit snaps of a teenager after he planted Trojan horse spyware to gain remote control of the 17-year-old's webcam. More discussion on the issue and advice on possible countermeasures (use anti-malware and, if in doubt, disable webcams) can be found in a blog post by Sophos here. ®

[The Register]

Two UK suspects cuffed in Anonymous manhunt


British police have arrested two men as part of a continuing investigation with the FBI into computer attacks carried out under the flags of the Anonymous and Lulz Security hacking crews.

The men, aged 20 and 24, were arrested on Thursday in Mexborough, near Doncaster, South Yorkshire, and Warminster, Wiltshire, under suspicion of committing offenses under the Computer Misuse Act, an article published on Friday in The Guardian reported. The men were arrested separately, and computer equipment from a Doncaster address was confiscated for forensic examination.

“The arrests relate to our inquiries into a series of serious computer intrusions and online denial-of-service attacks recently suffered by a number of multi-national companies, public institutions and government and law enforcement agencies in Great Britain and the United States," said Detective Inspector Mark Raymond from the Metropolitan Police's Central e-Crime Unit, according to a separate article from the Associated Press.

Over the past 18 months, people claiming affiliation with Anonymous and the splinter group Lulz Security have taken responsibility for breaching the security of Sony, the CIA, Britain's Serious Organized Crime Agency and multiple US law enforcement groups. The attacks continued Thursday with the reported leak of internal email and documents from 28 Texas police chiefs.

Thursday's arrests came the same day Scotland Yard charged two men with attacks also attributed to Anonymous. Christopher Weatherhead, 20, of Northampton, and Ashley Rhodes, 26, of Kennington, south London, were charged with conspiracy to carry out an unauthorized act in relation to a computer.

They are scheduled to appear at Westminster Magistrates' Court on September 7.

Two other suspects, including 22-year-old Peter David Gibson and a 17-year-old from Chester, have already been charged in the case, which relates to denial-of-service attacks on PayPal, Amazon, MasterCard, Bank of America, and Visa in December.

The arrests are part of a trans-Atlantic crackdown on Anonymous following an 18-month hacking spree by the loosely organized griefer group. In the past few months, dozens of people in North America and Europe have been snared in the probe, including 14 people in the US and five in the UK and the Netherlands. ®

[The Register]