Is the Jester, a patriotic hacker better known for bringing down allegedly jihadist websites, injecting fake news stories about Libya to demoralize Gaddafi’s forces? Anthony Freed of infosec reckons so. A very good piece, and one that opens up all sorts of interesting avenues for dark hacktivism.
Love on the net
Teenage social networking isn’t so bad, according to the MacArthur Foundation. The lead researcher on its Digital Youth Project says: “their participation is giving them the technological skills and literacy they need to succeed in the contemporary world. They’re learning how to get along with others, how to manage a public identity, how to create a home page.”
The study, part of a $50 million project on digital and media learning, used several teams of researchers to interview more than 800 young people and their parents and to observe teenagers online for more than 5,000 hours.
The bit I like in the NYT report is the shameless flirting that goes on, cleverly disguised:
First, the girl posted a message saying, “hey … hm. wut to say? iono lol/well I left you a comment … u sud feel SPECIAL haha.” A day later, the boy replied, “hello there … umm I don’t know what to say, but at least I wrote something …”
U.S. Military Under Attack
Spooked by the rapid spread of a worm called Agent.btz, the U.S. military has banned everything from external hard drives to “floppy disks.”
USBs are a problem: Lenovo this week offered a software package to XP users with a Trojan dropper called Meredrop, found in one of the drivers.
And Telstra earlier this year handed out USB drives at a security conference that were infected with malware.
Could it be China? The conclusions reached in this year’s US-China Economic and Security Review are far more dramatic than before. In 2007, it says, about 5m computers in the US were the targets of 43,880 incidents of malicious activity — a rise of almost a third on the previous year.
Much of the activity is likely to emanate from groups of hackers, but the lines between private espionage and government-sponsored operations are blurred. Some 250 hacker groups are tolerated, and may even be encouraged, by Beijing to invade computer networks. Individual hackers are also being trained in cyber operations at Chinese military bases.
How to Make the Perfect Phone Call
According to the UK Post Office, the perfect phone call should last nine minutes, 36 seconds and contain a mix of chat about family news, current affairs, personal problems and the weather.
Three minutes of that should be spent catching up with news about family and friends, one minute on personal problems, a minute on work/school, 42 seconds on current affairs and 24 seconds on the weather. Chat about the opposite sex should last 24 seconds. 12 seconds of every call should be set aside for a little quiet contemplation.
One in five people said they spent most time on the phone to their mother. The research, by the Post Office, revealed that the phrase “I’ll get your mother” is common. Only three per cent of people named their father as the person they spent most time on the phone with.
“Please help!” she writes. “I took my husband’s iPhone and found a raunchy picture of him attached to an email to a woman in his sent email file. When I approached him about this, he admitted that he took the picture, but says that he never sent it to anyone.
“He claims that he went to the Genius Bar at the local Apple store and they told him it is an iPhone glitch – that photos sometimes automatically attach themselves to an email address and appear in the sent folder, even though no email was ever sent.
“Has anyone ever heard of this happening?” she asks. “The future of my marriage depends on this answer!” Read more here.
A good piece in The Washington Post about an anonymous young American hacker is coming under scrutiny (thanks, Techdirt) for possibly revealing, inadvertently, the location of the hacker. The leak may have come through metadata, the extra information embedded in the image file, of the photograph that accompanied the article. The hacker’s face in the photo is only partially in view, but some individuals have studied the metadata, which seems to identify the photograph as having been taken in a small town in Oklahoma.
Using other information in the article, which gives a pretty complete description of the hacker — “tall and lanky, with hair that falls down to his eyebrows… lives with his folks in a small town in Middle America .. nearest businesses are a used-car lot, a gas station / convenience store and a strip club…” some other commenters have tried to narrow down his home even further. Armed with such apparent detail, has The Washington Post inadvertently blown the cover of someone who asked them not to?
Actually, it’s not yet clear. The author has made it clear he is aware of the comments and, according to one article, said he doesn’t want to comment on speculation. Someone claiming to be the hacker in question says, in a discussion on the Washington Post reporter’s blog, that his location according to the metadata is “way off from where i reside”, adding that according to the reporter “it was old metadata”. The picture itself has been withdrawn, prompting another commenter on the same blog to ask: “If those photos had old metadata, then why were they removed from the WP article and from the WP servers? It’s suspicious at best, and looks like destruction of evidence and interference with an official investigation at worst.”
I don’t know enough about how these kinds of fields are entered into cameras to be able to offer any useful comment on this. It would appear that the fields in question are from the International Press Telecommunications Council’s list of NewsCodes, which sets a standard of fields for news organisations for better retrieval and database compatibility. So should the fields be trustworthy? I assume that unless the data is automatically generated — technical information such as device model, focal length, exposure time etc., or location data from a GPS unit linked to the camera, say — the metadata itself should not be relied on too heavily, in or outside court. If the data is entered into the camera manually by the photographer, it’s hard to imagine that being done conscientiously with each location change; if it’s done when the photos are moved to a laptop or desktop, then perhaps it might be more reliable, but it still could hardly be considered firm evidence.
Whichever way around, it raises one or two interesting questions. If the data is accurate, what other news photographs might throw up interesting secrets if we looked hard enough? If the data wasn’t accurate, what does that tell us about the usefulness of NewsCodes and other such metadata?
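To make the point about trustworthiness concrete, here is an added example (mine, not the Post’s or the commenters’ code) that reads the IPTC IIM location fields out of a JPEG. IPTC data travels in the APP13 marker segment inside a Photoshop resource block (resource 0x0404), and each dataset is just a tag byte, a record and dataset number, a length and a free-text value: City is 2:90, Province/State 2:95, Country 2:101. The sample JPEG at the bottom is constructed by hand with made-up field values so the script runs offline; nothing in the format signs or verifies these strings, which is exactly why a parser can only tell you what was typed, not whether it was true.

```python
import struct

# IPTC IIM record 2 datasets that say where/when/who (numbers from the IIM spec)
IPTC_FIELDS = {
    (2, 55): "date_created",
    (2, 80): "by_line",
    (2, 90): "city",
    (2, 92): "sublocation",
    (2, 95): "province_state",
    (2, 100): "country_code",
    (2, 101): "country_name",
}

def iter_jpeg_segments(data):
    """Yield (marker, payload) for each JPEG marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):   # SOS or EOI: no more tagged metadata follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def parse_iim(body):
    """Decode IPTC IIM datasets: 0x1C, record, dataset, 2-byte length, value."""
    fields = {}
    pos = 0
    while pos + 5 <= len(body) and body[pos] == 0x1C:
        record, dataset = body[pos + 1], body[pos + 2]
        size = struct.unpack(">H", body[pos + 3:pos + 5])[0]
        pos += 5
        value = body[pos:pos + size].decode("utf-8", "replace")
        pos += size
        fields[IPTC_FIELDS.get((record, dataset), "%d:%d" % (record, dataset))] = value
    return fields

def iptc_from_app13(payload):
    """Walk the Photoshop '8BIM' resource blocks in an APP13 payload; 0x0404 holds IPTC."""
    fields = {}
    sig = b"Photoshop 3.0\x00"
    if not payload.startswith(sig):
        return fields
    pos = len(sig)
    while pos + 12 <= len(payload) and payload[pos:pos + 4] == b"8BIM":
        res_id = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        name_len = payload[pos + 6]
        pos += 6 + 1 + name_len + ((name_len + 1) % 2)   # Pascal name padded to even size
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        pos += 4
        if res_id == 0x0404:
            fields.update(parse_iim(payload[pos:pos + size]))
        pos += size + (size % 2)                           # resource data padded to even size
    return fields

def location_fields(jpeg):
    """Return every IPTC location/date/author field found in a JPEG's bytes."""
    found = {}
    for marker, payload in iter_jpeg_segments(jpeg):
        if marker == 0xED:   # APP13
            found.update(iptc_from_app13(payload))
    return found

# --- constructed sample: a minimal JPEG carrying hand-typed IPTC fields, not a real photo ---
def _iim(datasets):
    return b"".join(bytes([0x1C, r, d]) + struct.pack(">H", len(v)) + v for (r, d), v in datasets)

def _app13(iim):
    block = b"8BIM" + struct.pack(">H", 0x0404) + b"\x00\x00" + struct.pack(">I", len(iim)) + iim
    block += b"\x00" * (len(iim) % 2)
    payload = b"Photoshop 3.0\x00" + block
    return b"\xff\xed" + struct.pack(">H", len(payload) + 2) + payload

SAMPLE_JPEG = (
    b"\xff\xd8"
    + _app13(_iim([((2, 90), b"Example City"), ((2, 95), b"Example State"),
                   ((2, 101), b"Example Country"), ((2, 55), b"20080101")]))
    + b"\xff\xda\x00\x02"   # SOS with an empty header: scan data omitted for the sample
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for key, value in location_fields(SAMPLE_JPEG).items():
        print("%-15s %s" % (key, value))
```

Run against a real file with `location_fields(open("photo.jpg", "rb").read())`. Note that the same fields can be set to anything by the photographer, a picture desk or a script after the fact, so a City of “Example City” tells you only that someone or something wrote that string; GPS coordinates in the EXIF segment (APP1, not handled here) are the fields that tend to be filled in automatically.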
There’s growing coverage of China’s Internet ‘cyberwar’ against the U.S., which seems to have been going on for more than two years with neither side wanting to go public. The U.S. is calling the attack Titan Rain, and as Bruce Schneier points out, the attackers are very well organized. This from AFP:
A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said. The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity. “These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization,” Paller said in a conference call to announce a new cybersecurity education program. In the attacks, Paller said, the perpetrators “were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?”
So what are they after? Paller says they’re after sensitive information, and may have gotten it, including military flight planning software from the Army’s Redstone Arsenal. Here’s a bit more detail about how these guys work, from a TIME story quoting Shawn Carpenter, the hacker who uncovered the attacks:
Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.
More on Carpenter in a Wikipedia entry here, and on his whistleblowing experience here. There’s an interesting piece by SearchSecurity’s Bill Brenner which looks at an August report by LURHQ dissecting the Myfip worm which appears to have been used by Chinese hackers to ferret around and grab PDF files. The worm has been around since August 2004. Later variants looked for Word documents, AutoCAD drawings, templates, Microsoft Database files, etc:
[Joe] Stewart [senior security researcher with Chicago-based security management firm LURHQ Corp] said his team was easily able to trace the source of Myfip and its variants. “They barely make any effort to cover their tracks,” he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the “document collector” hosts, is based there, mostly in the Tianjin province.
China, according to AFP, yesterday denied its military was involved in hacking:
“We have clear stipulations against hacking. No one can use the internet to engage in illegal activities,” foreign ministry spokesman Qin Gang told a regular briefing on Tuesday. “The Chinese police will deal with hacking and other activities disturbing social order in accordance with law.”
Doesn’t make a lot of sense as a denial. Is he saying no one is doing it? Or no one official? Or that it’s going on and the police will deal with it? Not the first time a Chinese spokesman has uttered something meaningless. But I guess so long as the U.S. doesn’t make any official, public complaint, this guerrilla war will remain unacknowledged by both sides. The obvious lesson here is that security is not just about sleazeballs after your money, but about those after your PDF files too. And don’t think that because you’re not military you’re not affected. If you’re any kind of company you might have something that is valuable in the corporate and government espionage world.
This London bank raid seems impressive:
The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank’s computer system in London.
They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.
Of course, it’s likely that there are lots more cases like this we don’t hear about. As Computerworld reports:
[Security experts] Cluley and Barnes said keylogging hacks are more common than thought, and they said the $423 million plot was probably the largest corporate case that had been made public. Both experts said it’s unclear what kind of keylogging was used.
The two speculate it could have been a physical keylogger dongle, installed by a cleaner (although that would mean the dongle would probably have to be retrieved somehow, since any traffic through the company’s servers would be noticed; at least, one would hope so).
I don’t know how often this happens, but if true, it must be a worry. It’s either a hoax, a script kiddie adventure, or the first bit of post-US election cyberwar.
According to Filipino news website INQ7.net (no live URL available), a group of hackers today “breached the short messaging service (SMS) servers of both Smart Communications and Globe Telecom”. It quoted a posting on the blog of a concerned hacker, Hacker PI_Flashbulb, who appears to be a regular commentator on security issues and claims to have alerted the government to several holes in their security.
What’s intriguing is that the story has since been removed: A message on the link says “temporarily unavailable or has been taken down from our server”. The same hacker, PI_Flashbulb, was quoted earlier this month by the same publication as warning of “a group of hackers who said that they will soon launch coordinated attacks against Philippine websites. Their main reason: ‘their government is supporting Bush.’ Akala nila Singaporean ako (they thought I was a Singaporean)”.
Today’s article, since removed, says that to see “the hacker group’s message, one has to create a new SMS message, key in ‘FLT RB9’ on the message body, and send it to 2333 for Globe and 211 for Smart subscribers. After sending the cryptic text message to 211 or 2333, the subscriber will receive this message: ‘Greetz to PATz, Luvchris, Verum, Fed-X, hEps, ch1m3ra, TriSha22, powerb0xx, clown AFeD-XA, Bryle, royX, Crayden at sa mga wanabee hacker groups ng masang Pilipino!’” The article says that as of Wednesday evening, “the Smart service was still sending this same message to subscribers, while the Globe number gave an error message.”
Intriguingly, the earlier article, published Nov 6, said anonymous readers had posted messages on PI_Flashbulb’s blog saying that “the digital subscriber line (DSL) service of both Digital Telecommunications Philippines Inc. (Digitel) and Globe Telecom were open to possible attacks”. One comment appeared to suggest the hackers PI_Flashbulb was referring to are Indonesian. Many Indonesians — the world’s largest Muslim population — are opposed to George W Bush’s administration for his war on terror.
I’m trying to reach PI_Flashbulb to learn more about this. His website is usually given as phackers.org but that has not been reachable, although there’s a separate blog to which he contributes here. I could find no mention of the attack there.
More on the phishing worm I mentioned in a previous post.
Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.
He points out that while this is the first automatic worm (in other words, one that spreads on its own rather than via email or other methods) to do this bank website keylogging, it’s not the first virus to do so. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, was also believed to be behind Webber and Banker, two other bank-related viruses.
Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?
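Mikko’s remark that a keylogger beats any bank login that lacks a one-time password is worth seeing in code. The added example below (mine, not F-Secure’s or anything from the Korgo analysis) implements HOTP from RFC 4226 with the standard library, models a bank account that either accepts a static password alone or a password plus a counter-based code, and then replays exactly what a keylogger would have captured from one successful login. The account names, password and shared secret are constructed for the demo; the secret is the RFC 4226 test-vector key so the codes can be checked against the RFC’s published values.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

class Account:
    """A bank account as the server sees it. otp_secret=None means password-only login."""

    def __init__(self, password: str, otp_secret: bytes = None, window: int = 5):
        self.password = password
        self.otp_secret = otp_secret
        self.counter = 0        # next HOTP counter the server will accept
        self.window = window    # tolerance for tokens the customer pressed without logging in

    def login(self, password: str, code: str = None) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        if self.otp_secret is None:
            return True                          # static credentials: nothing else to check
        if code is None:
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.otp_secret, c), code):
                self.counter = c + 1             # consume it: this and older codes are dead
                return True
        return False

def replay_attack(account: Account, token_counter: int):
    """Victim logs in; a keylogger records the keystrokes; attacker types them back in.

    Returns (victim_succeeded, attacker_succeeded)."""
    code = hotp(account.otp_secret, token_counter) if account.otp_secret else None
    victim_ok = account.login(account.password, code)
    captured = (account.password, code)          # everything a keylogger could have seen
    attacker_ok = account.login(*captured)
    return victim_ok, attacker_ok

if __name__ == "__main__":
    # constructed demo credentials; the secret is the RFC 4226 test-vector key
    static_only = Account("correct-horse-battery")
    with_token = Account("correct-horse-battery", b"12345678901234567890")
    print("password only : victim %s, replay %s" % replay_attack(static_only, 0))
    print("password + OTP: victim %s, replay %s" % replay_attack(with_token, 0))
```

The replay against the password-only account succeeds because the captured string is the whole credential; against the HOTP account it fails because the server advanced its counter when the genuine login consumed the code, so what the keylogger holds is already spent. A keylogger still gets the attacker a valid code if it can use it before the victim does (for example by blocking the victim’s submission and sending its own), which is why banks later moved to transaction-bound codes; that is beyond what the worm described here does.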