Wednesday, August 03, 2011

Huge data volumes, hacking in a “Target rich environment” and the arrogance of hackers...

http://www.databreaches.net/?p=19985

Suspected Anonymous hacker ‘had 750,000 passwords’, court hears

Graham Cluley writes:

A London court heard this morning how 18-year-old Jake Davis allegedly had the login passwords of 750,000 people on his computer when he was arrested in the Shetland Islands last week.

Davis is suspected by the authorities of being “Topiary”, the public face of the Anonymous and LulzSec hacktivist groups.

According to a report in the Daily Telegraph, Westminster Magistrates’ Court heard that Davis was charged with five offences including unauthorised computer access and conspiracy to carry out a denial-of-service attack against the Serious Organised Crime Agency’s (SOCA) website, which overloaded the site with traffic.

Furthermore, prosecutors are reported to have claimed that Davis’s laptop was found to contain the fake article announcing Rupert Murdoch’s death that visitors to The Sun’s hacked website saw for a period of time earlier this month.

Read more on Naked Security. The link Graham had to the Daily Telegraph story is 404 and doesn’t seem to still exist on the paper’s site, so I’m not sure what’s going on with that.



Is it appropriate to withhold information that might alert the victims?

http://www.databreaches.net/?p=19987

TN: Gallatin Credit Card Fraud Linked To Computer Hacking

Here we go again – law enforcement decides that they can withhold information from consumers to protect a business.

The Secret Service said more than 100 cases of credit card fraud reported in Gallatin was the work of a criminal enterprise that hacked into a local business computer.

They are not releasing the name of business, but said that neither the business nor its employees were responsible for the fraud.

The Secret Service said the business was a targeted victim as were the citizens whose banking information was stolen.

Officials said measures have been taken to ensure the security of the computer and further credit card thefts related to this business are not expected.

Police advise citizens to continue to monitor their bank and credit card accounts frequently for unusual activity and contact their banking institution or credit card company immediately if any suspicious activity is noticed.

Source: NewsChannel5.com


(Related) Also, incomplete disclosure.

New River Health Association breach highlights a source of confusion in HHS breach tool

I love HHS’s breach tool, but it remains a source of frustration. Consider this newly added entry:

New River Health Association ,WV,,950,4/1/2011,Unauthorized Access/Disclosure,Paper,,”

We know who, we know how many, we know when, but we don’t know what data types were involved, and for those who try to analyze breach data, there’s a big difference between “unauthorized access” and “disclosure.” The latter could be a web exposure, it could be papers left lying in a public area, it could be an email attachment that wasn’t sent in encrypted form (although in this case, we are dealing with paper records). And “unauthorized access” could be employee snooping or an employee who was stealing information to use for fraudulent purposes, to name but two possible scenarios.

So what went wrong here? There’s no notice on the New River Health Association to tell us and no media coverage. In time, we will likely find out – if for no other reason than some of us file under Freedom of Information to obtain data that we use for statistical analyses. In the meantime, we can only scratch our heads.



Are hackers still finding low hanging fruit or have they matured to a point where any system is vulnerable?

http://news.cnet.com/8301-27080_3-20087268-245/global-cyber-espionage-operation-uncovered/

Global cyber-espionage operation uncovered

A widespread cyber-espionage campaign that stole government secrets, sensitive corporate documents and other intellectual property for five years from more than 70 public and private organizations in 14 countries has been uncovered by a McAfee researcher, Vanity Fair reported today.

The campaign, dubbed "Operation Shady RAT," was discovered by Dmitri Alperovitch, vice president of threat research at the cyber-security firm McAfee. It continues today, he said. Alperovitch has briefed senior White House officials, government agencies, and congressional staff and is working with U.S. law enforcement to shut down the operation's command-and-control server, according to the report.

"Operation Shady RAT ranks with Operation Aurora [the attack on Google and many other companies in 2010] as among the most significant and potentially damaging acts of cyber-espionage yet made public," Michael Joseph Gross writes in the article.


(Related)

http://www.databreaches.net/?p=19991

Korean national ID numbers spring up all over Chinese Web

Robert Lee reports:

The number of leaked Korean social security numbers available online is likely to skyrocket as a massive social network hacking attack left more than three quarters of the nation exposed.

A quick search using the keywords, “Korean social security numbers,” on Baidu, a Chinese Internet search engine, showed about 1.39 million results.

And sites like these offer stolen identities for as little as 100 won ($.09), complete with social security numbers, addresses, cell phone numbers and even when and what kind of credit card the owner registered for.

[...]

One link contained a document which included names and social security numbers of Korean residents here, and in just 10 days, the site was viewed over 2,200 times with the document downloaded more than 130 times. The only thing stopping certain disaster for the owners was a disclaimer on the site saying “Please only use for games, do not use it for other illegal purposes.”

Also being tossed around on these sites are Korean social security number generators, by which one can access numbers of more than 5,000 registered Korean residents.

Read more on The Korea Herald.


(Related) Turn out the lights!

http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/

Researchers warn of SCADA equipment discoverable via Google

Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.



Ignorance of the law is one thing, making it up as you go is quite another...

http://www.wired.com/dangerroom/2011/08/senate-panel-keeps-secret-patriot-act-under-wraps/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Senate Panel Keeps ‘Secret Patriot Act’ Under Wraps

Two Senators have been warning for months that the government has a secret legal interpretation of the Patriot Act so broad that it amounts to an entirely different law — one that gives the feds massive domestic surveillance powers, and keeps the rest of us in the dark about the snooping.

There is a significant discrepancy between what most Americans – including many members of Congress – think the Patriot Act allows the government to do and how government officials interpret that same law,” wrote the Senators, Ron Wyden and Mark Udall. “We believe that most members of the American public would be very surprised to learn how federal surveillance law is being interpreted in secret. ”

The Senators tried to get the government to reveal some of the law’s contents, by forcing the Director of National Intelligence and the Attorney General to produce a report outlining when this secret surveillance has gone overboard. Yesterday, the effort failed. The Senate Select Committee on Intelligence said no to the report by rejecting Wyden and Udall’s amendment to the FY2012 Intelligence Authorization Act.



Not very “Social”

Facebook Exec: Online Anonymity Must Go Away

"The EFF has a blog post about what appears to be Facebook's stance on anonymity on the Internet. Speaking last week at a social media conference hosted by Marie Claire magazine, Facebook's Marketing Director, Randi Zuckerburg, is quoted: 'I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.' This position appears to apply to the entire Internet, not just Facebook (which already requires that its users post real names instead of pseudonyms). The EFF goes on to point out how this would be a bad choice for civil liberties online."


(Related)

http://gizmodo.com/5826957/murder-by-facebook

Murder by Facebook

Six months after the murder of 19-year old student Jason Rodriguez, Orlando policehave finally arrested a suspect. Six months. That's how long it took to untangle the digital detritus of one of the most twisted internet-enabled crimes in memory.



Dilbert wounds me deeply!

http://dilbert.com/strips/comic/2011-08-03/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dilbert%2Fdaily_strip+%28Dilbert+Daily+Strip+-+UU%29


No comments: