Entries Tagged "hacking"

Page 59 of 78

Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords, a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM
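One way to study a leak like the one described above is to triage the dump for entries that look machine-generated and then estimate what a generator of that shape yields. The following is an added example, not code from the analysis quoted above or from this post; the heuristic (letters and digits mixed, no runs, no dictionary fragment), the tiny word list and the sample password strings are all assumptions of this example, constructed in place of the real myBART data.

```python
import math
import re
from collections import Counter

# Constructed sample, not the leaked myBART data: eight strings made to look
# like the output of a password generator, followed by eight typical
# human-chosen passwords.
SAMPLE_PASSWORDS = [
    "q7x2mk9p", "a3bz81wq", "t9h4lc2r", "e1v7nz5s",
    "p8d3xw6k", "m2k9rq4t", "z5c1hb7y", "g4n8jt3v",
    "password", "letmein", "bart2011", "jennifer",
    "iloveyou", "summer99", "abc123", "qwerty",
]

# A tiny stand-in for a real wordlist (assumption of this example; in
# practice use a dictionary or a cracked-password list of many thousands).
COMMON_WORDS = {"password", "letmein", "love", "bart", "summer", "qwerty", "abc"}


def has_run(pw, n=3):
    """True if pw contains n identical or n strictly ascending adjacent
    characters ("aaa", "123", "abc"), a pattern a uniform generator
    almost never produces and humans produce constantly."""
    codes = [ord(ch) for ch in pw]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        if all(c == window[0] for c in window):
            return True
        if all(window[j + 1] - window[j] == 1 for j in range(n - 1)):
            return True
    return False


def looks_random(pw, wordlist=COMMON_WORDS):
    """Heuristic of this example, not of the original analysis: a password is
    treated as machine-generated when it mixes letters and digits and has
    neither a run nor a dictionary fragment.  Generated strings that happen
    to contain no digit (about 7% of 8-character [a-z0-9] strings) are
    misclassified as human, so the count is a lower bound."""
    low = pw.lower()
    if any(w in low for w in wordlist):
        return False
    if has_run(pw):
        return False
    return bool(re.search(r"[a-z]", low)) and bool(re.search(r"\d", low))


def inferred_alphabet_size(passwords):
    """Alphabet the generator appears to draw from, inferred from which
    character classes occur anywhere in the set of generated passwords."""
    joined = "".join(passwords)
    size = 0
    if re.search(r"[a-z]", joined):
        size += 26
    if re.search(r"[A-Z]", joined):
        size += 26
    if re.search(r"\d", joined):
        size += 10
    size += len(set(re.findall(r"[^A-Za-z0-9]", joined)))
    return size


def analyse(passwords):
    """Split a dump into random-looking and human-looking passwords and
    estimate the keyspace of the generated ones from their length and
    inferred alphabet (bits = length * log2(alphabet))."""
    random_pws = [p for p in passwords if looks_random(p)]
    lengths = Counter(len(p) for p in random_pws)
    alphabet = inferred_alphabet_size(random_pws) if random_pws else 0
    typical_len = lengths.most_common(1)[0][0] if lengths else 0
    bits = typical_len * math.log2(alphabet) if alphabet else 0.0
    return {
        "total": len(passwords),
        "random": len(random_pws),
        "length_counts": dict(lengths),
        "alphabet_size": alphabet,
        "bits_per_password": bits,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PASSWORDS)
    print(f"{result['random']} of {result['total']} look machine-generated")
    print(f"lengths: {result['length_counts']}, alphabet: {result['alphabet_size']}, "
          f"~{result['bits_per_password']:.1f} bits each")
```

On the constructed sample this reports eight generated passwords of length 8 over a 36-character alphabet, about 41 bits each: far more than a typical human choice, but still well within reach of an offline attack against an unsalted or fast hash, which is why the hashing scheme matters as much as the generator.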

Screenshots of Chinese Hacking Tool

It’s hard to know how serious this really is:

The screenshots appear as B-roll footage in the documentary for six seconds—between 11:04 and 11:10 minutes—showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug. 22 at 1:30pm EDT, in addition to YouTube, the whole documentary is available on the CCTV website.

The screenshots show the name of the software and the Chinese university that built it, the Electrical Engineering University of China’s People’s Liberation Army—direct evidence that the PLA is involved in coding cyber-attack software directed against a Chinese dissident group.

The software window says “Choose Attack Target.” The computer operator selects an IP address from a list—it happens to be 138.26.72.17—and then selects a target. Encoded in the software are the words “Falun Gong website list,” showing that attacking Falun Gong websites was built into the software.

A drop-down list of dozens of Falun Gong websites appears. The computer operator chooses Minghui.org, the main website of the Falun Gong spiritual practice.

The IP address 138.26.72.17 belongs to the University of Alabama in Birmingham (UAB), according to an online trace.

The shots then show a big “Attack” button on the bottom left being pushed, before the camera cuts away.

Posted on August 29, 2011 at 6:20 AM

Funniest Joke at the Edinburgh Fringe Festival

Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival:

Nick Helm: “I needed a password with eight characters so I picked Snow White and the Seven Dwarves.”

Note that two other jokes were about security:

Tim Vine: “Crime in multi-storey car parks. That is wrong on so many different levels.”

Andrew Lawrence: “I admire these phone hackers. I think they have a lot of patience. I can’t even be bothered to check my OWN voicemails.”

Posted on August 25, 2011 at 4:08 PM

Hacking Lotteries

Two items on hacking lotteries. The first is about someone who figured out how to spot winners in a scratch-off tic-tac-toe-style game, and about a daily-draw-style game where the expected payout can exceed the ticket price. The second is about someone who has won the lottery four times, with speculation that she had advance knowledge of where and when certain jackpot-winning scratch-off tickets would be sold.

EDITED TO ADD (8/13): The Boston Globe has a story on how to make money on Massachusetts’ Cash WinFall.

Posted on August 4, 2011 at 7:36 AM

Is There a Hacking Epidemic?

Freakonomics asks: “Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?”

They posted five answers, including mine:

The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events—just more articles.

Hacking for fun—like LulzSec—has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit—like the Citibank hack—has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday.

The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange’s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token—made more newsworthy because of the bungling of the disclosure by the company—and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec.

None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.

It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

Posted on July 21, 2011 at 6:07 AM

25% of U.S. Criminal Hackers are Police Informants

I have no idea if this is true:

In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as “carders”—hackers specialising in ID theft—have themselves taken over the management of crime forums, using the intelligence gathered to put dozens of people behind bars.

So ubiquitous has the FBI informant network become that Eric Corley, who publishes the hacker quarterly, 2600, has estimated that 25% of hackers in the US may have been recruited by the federal authorities to be their eyes and ears. “Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation,” Corley told the Guardian.

But if I were the FBI, I would want everyone to believe that it’s true.

Posted on June 8, 2011 at 3:46 PM
