Tag Archives: Hacker

Patriot Hacker The Jester’s Libyan Psyops Campaign


Is the Jester, a patriotic hacker better known for bringing down allegedly jihadist websites, injecting fake news stories about Libya to demoralize Gaddafi’s forces? Anthony Freed of infosec reckons so. Very good piece, and opens up all sorts of interesting avenues for dark hacktivism.

Puppy Love, Army Trojans and Perfecting the Phone Call

I make an appearance on the excellent Breakfast Club show on Radio Australia each Friday at about 01:15 GMT and some listeners have asked me to post links to the stuff I talk about, so here they are.

Love on the net

Teenage social networking isn’t so bad, according to the MacArthur Foundation. According to the lead researcher on the project, called the Digital Youth Project, “their participation is giving them the technological skills and literacy they need to succeed in the contemporary world. They’re learning how to get along with others, how to manage a public identity, how to create a home page.”

The study, part of a $50 million project on digital and media learning, used several teams of researchers to interview more than 800 young people and their parents and to observe teenagers online for more than 5,000 hours.

The bit I like in the NYT report is the shameless flirting that goes on, cleverly disguised:

First, the girl posted a message saying, “hey … hm. wut to say? iono lol/well I left you a comment … u sud feel SPECIAL haha.” A day later, the boy replied, “hello there … umm I don’t know what to say, but at least I wrote something …”

U.S. Military Under Attack

Spooked by the rapid spread of a worm called Agent.btz, the U.S. military has banned everything from external hard drives to “floppy disks.”

USBs are a problem: Lenovo this week offered a software package to XP users with a Trojan dropper called Meredrop, found in one of the drivers.

And Telstra earlier this year handed out USB drives at a security conference that were infected with malware.

Could it be China? The conclusions reached in this year’s US-China Economic and Security Review are far more dramatic than before. In 2007, it says, about 5m computers in the US were the targets of 43,880 incidents of malicious activity — a rise of almost a third on the previous year.

Much of the activity is likely to emanate from groups of hackers, but the lines between private espionage and government-sponsored operations are blurred. Some 250 hacker groups are tolerated, and may even be encouraged, by Beijing to invade computer networks. Individual hackers are also being trained in cyber operations at Chinese military bases.


How to Make the Perfect Phone Call

According to the UK Post Office, the perfect phone call should last nine minutes, 36 seconds and contain a mix of chat about family news, current affairs, personal problems and the weather.

Three minutes of that should be spent catching up with news about family and friends, one minute on personal problems, a minute on work/school, 42 seconds on current affairs and 24 seconds on the weather. Chat about the opposite sex should last 24 seconds. 12 seconds of every call should be set aside for a little quiet contemplation.

One in five people said they spent most time on the phone to their mother. The research, by the Post Office, revealed that the phrase “I’ll get your mother” is common. Only three per cent of people named their father as the person they spent most time on the phone with.

Susan042764

“Please help!,” she writes. “I took my husband’s iPhone and found a raunchy picture of him attached to an email to a woman in his sent email file. When I approached him about this, he admitted that he took the picture, but says that he never sent it to anyone.

“He claims that he went to the Genius Bar at the local Apple store and they told him it is an iPhone glitch – that photos sometimes automatically attach themselves to an email address and appear in the sent folder, even though no email was ever sent.

“Has anyone ever heard of this happening?,” she asks. “The future of my marriage depends on this answer!” Read more here.

The First U.S.-China Cyberwar?

There’s growing coverage of China’s Internet ‘cyberwar’ against the U.S., which seems to have been going on for more than two years with neither side wanting to go public. The U.S. is calling the attack Titan Rain, and as Bruce Schneier points out, the attackers are very well organized. This from AFP:

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said. The attacks have been traced to the Chinese province of Guangdong, and the techniques used make it appear unlikely to come from any other source than the military, said Alan Paller, the director of the SANS Institute, an education and research organization focusing on cybersecurity. “These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization,” Paller said in a conference call to announce a new cybersecurity education program. In the attacks, Paller said, the perpetrators “were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?”

So what are they after? Paller says they’re after sensitive information, and may have gotten it, including military flight planning software from its Redstone Arsenal. Here’s a bit more detail about how these guys work, from a TIME story quoting Shawn Carpenter, the hacker who uncovered the attacks:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.

More on Carpenter in a Wikipedia entry here, and on his whistleblowing experience here. There’s an interesting piece by SearchSecurity’s Bill Brenner which looks at an August report by LURHQ dissecting the Myfip worm which appears to have been used by Chinese hackers to ferret around and grab PDF files. The worm has been around since August 2004. Later variants looked for Word documents, AutoCAD drawings, templates, Microsoft Database files, etc:

[Joe] Stewart [senior security researcher with Chicago-based security management firm LURHQ Corp] said his team was easily able to trace the source of Myfip and its variants. “They barely make any effort to cover their tracks,” he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the “document collector” hosts, is based there, mostly in the Tianjin province.

China, according to AFP, yesterday denied its military was involved in hacking:

“We have clear stipulations against hacking. No one can use the internet to engage in illegal activities,” foreign ministry spokesman Qin Gang told a regular briefing on Tuesday. “The Chinese police will deal with hacking and other activities disturbing social order in accordance with law.”

Doesn’t make a lot of sense as a denial. Is he saying no one is doing it? Or no one official? Or that it’s going on and the police will deal with it? Not the first time a Chinese spokesman has uttered something meaningless. But I guess so long as the U.S. doesn’t make any official, public complaint this guerrilla war will remain unacknowledged by both sides. I guess the obvious lesson here is that security is not just against sleazeballs after your money, but after your PDF files too. And don’t think that because you’re not military you’re not affected. If you’re any kind of company you might have something that is valuable in the corporate and government espionage world.

The world’s biggest phishing attack?

This London bank raid seems impressive:

The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank’s computer system in London.

They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.

Of course, it’s likely that there are lots more cases like this we don’t hear about. As Computerworld reports:

[Security experts] Cluley and Barnes said keylogging hacks are more common than thought, and they said the $423 million plot was probably the largest corporate case that had been made public. Both experts said it’s unclear what kind of keylogging was used.

The two speculate it could have been a physical keylogger dongle, installed by a cleaner (although that would mean the dongle would probably have to be retrieved somehow since any traffic through the company’s servers would be noticed. At least, one would hope so.)

Cyberwar On The World SMS Capital?

I don’t know how often this happens, but if true, it must be a worry. It’s either a hoax, a script kiddie adventure, or the first bit of post-US election cyberwar.

According to Filipino news website INQ7.net (no live URL available), a group of hackers today “breached the short messaging service (SMS) servers of both Smart Communications and Globe Telecom”. It quoted a posting on the blog of a concerned hacker, Hacker PI_Flashbulb, who appears to be a regular commentator on security issues and claims to have alerted the government to several holes in their security.

What’s intriguing is that the story has since been removed: A message on the link says “temporarily unavailable or has been taken down from our server”. The same hacker, PI_Flashbulb, was quoted earlier this month by the same publication as warning of “a group of hackers who said that they will soon launch coordinated attacks against Philippine websites. Their main reason: “their government is supporting Bush.” Akala nila Singaporean ako (they thought I was a Singaporean)”.

Today’s article, since removed, says that to see “the hacker group’s message, one has to create a new SMS message, key in “FLT RB9” on the message body, and send it to 2333 for Globe and 211 for Smart subscribers. After sending the cryptic text message to 211 or 2333, the subscriber will receive this message: “Greetz to PATz, Luvchris, Verum, Fed-X, hEps, ch1m3ra, TriSha22, powerb0xx, clown AFeD-XA, Bryle, royX, Crayden at sa mga wanabee hacker groups ng masang Pilipino!”” The article says that as of Wednesday evening, “the Smart service was still sending this same message to subscribers, while the Globe number gave an error message.”

Intriguingly, the earlier article, published Nov 6, said anonymous readers had posted messages on PI_Flashbulb’s blog saying “that the digital subscriber line (DSL) service of both Digital Telecommunications Philippines Inc. (Digitel) and Globe Telecom were open to possible attacks”. One comment appeared to suggest the hackers PI_Flashbulb were referring to are Indonesian. Many Indonesians — the world’s largest Muslim population — are opposed to George W Bush’s administration for his war on terror.

I’m trying to reach PI_Flashbulb to learn more about this. His website is usually given as phackers.org but that has not been reachable, although there’s a separate blog to which he contributes here. I could find no mention of the attack there.

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, were also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?

News: Tougher Sentences For Hackers?

It’s about to get tougher for hackers and virus writers, or at least for those who get caught. TechNews.com reports that those convicted will soon face significantly harsher penalties under new guidelines which focus on the harm caused. Hackers, for example, will face up to a 25 percent increase in their sentences if they hijack e-mail accounts or steal personal data — including financial and medical records and digital photographs. Convicted virus and worm authors face a 50 percent increase.
 
While this may be welcome to those who have suffered at the hands of such folk, there are worries. TechNews quotes Internet security experts as saying the number of computer-related prosecutions could rise as federal prosecutors try to tie them into otherwise unrelated crimes. The government reckons not: the piece quotes John G. Malcolm, the Justice Department’s computer crimes chief, as saying: “whether they’re drug dealers, embezzlers, hackers or software pirates… people who commit crimes use computers more than they used to.”

Update: Sobig’s 9/11

Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says its latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.

Here’s how it may work: When particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker’s choice. The pre-configured conditions include performing tests to determine if the current day is Friday or Sunday between the hours of 19:00 (7PM) and 22:00 (10PM) UTC time. When these conditions are met, the worm will attempt to retrieve further instructions that may include the downloading and execution of a backdoor hacker program. Backdoors can allow someone with malicious intent to gain full control of the infected computer.
 
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
 
This may not happen, like the LovSan worm’s planned attack on Microsoft. But to make sure you’re safe check you’ve not got the Sobig worm aboard and if you have, remove it.
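The Friday/Sunday 19:00–22:00 UTC trigger described above is exactly the kind of fact a defender can turn into a log check. The following is an added example, not code from the post or from Central Command: it flags outbound requests in a constructed proxy log that fall inside that window, and computes when the next window opens so egress monitoring can be scheduled. The log format, client addresses and URLs are all constructed for the example.

```python
"""Sobig.F activation-window check over proxy log lines (added example).

Window per the post: Friday or Sunday, 19:00 <= hour < 22:00 UTC.
Log format is constructed: "<ISO-8601 UTC stamp> <client> <method> <url>".
"""
from datetime import datetime, timedelta, timezone

SOBIG_DAYS = {4, 6}              # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
SOBIG_START, SOBIG_END = 19, 22  # hours, UTC, half-open interval [19, 22)

# Constructed sample: 2003-08-22 is a Friday, 08-23 a Saturday, 08-24 a Sunday.
SAMPLE_LOG = """\
2003-08-22T19:41:07Z 10.0.0.17 GET http://198.51.100.9/update.bin
2003-08-22T23:05:12Z 10.0.0.17 GET http://198.51.100.9/update.bin
2003-08-23T20:00:00Z 10.0.0.42 GET http://198.51.100.9/update.bin
2003-08-24T21:59:59Z 10.0.0.42 GET http://198.51.100.9/update.bin
"""


def parse_stamp(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' stamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_sobig_window(ts: datetime) -> bool:
    """True if the (timezone-aware) timestamp falls in the activation window."""
    utc = ts.astimezone(timezone.utc)
    return utc.weekday() in SOBIG_DAYS and SOBIG_START <= utc.hour < SOBIG_END


def next_sobig_window(ts: datetime) -> datetime:
    """Start (UTC) of the window containing ts, or of the next one after it."""
    utc = ts.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    if in_sobig_window(utc):
        return utc.replace(hour=SOBIG_START)
    candidate = utc.replace(hour=SOBIG_START)
    if candidate <= utc:                 # today's start already passed
        candidate += timedelta(days=1)
    while candidate.weekday() not in SOBIG_DAYS:
        candidate += timedelta(days=1)
    return candidate


def flag_window_hits(log_text: str) -> list:
    """Return (stamp, client, url) for every request made inside the window."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, _method, url = line.split()
        if in_sobig_window(parse_stamp(stamp)):
            hits.append((stamp, client, url))
    return hits
```

Requests outside the window are not proof of a clean host; the check only narrows which egress events deserve a closer look first.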

News: Man Blames Trojan For Porn, Acquitted

Sophos reports that a British man has been cleared of storing child pornography on his computer after Trojans — malicious bits of code, a kind of virus — were found on his computer. The man had been arrested after 172 indecent pictures of children were found on his hard drive (the report doesn’t say how). A computer forensics consultant identified 11 Trojan horses on the man’s computer, capable of carrying out actions without the user’s knowledge or permission. The acquittal follows the case of another British man who was cleared in April under similar circumstances.

Seems, according to Sophos, that all these images could have been put there by someone remotely. Know anyone who might do that to you? “Some Trojan horses have the ability to take ‘remote control’ of your PC,” explains Graham Cluley, senior technology consultant at Sophos Anti-Virus. “A remote hacker can view what you are doing, take over your keyboard, steal information and even upload files to your computer if they wish. There can be no excuse for home users surfing the internet not to be running up-to-date anti-virus software and a personal firewall to keep their systems protected.”