Friday 27 September 2013

Apple cofounder Steve Wozniak expounds on his hacking shenanigans and online mischief

Chicago -- In his keynote address at a security conference today, Apple co-founder Steve Wozniak admitted he has enjoyed many adventures in hacking, often for the sake of pranks on friends and family, especially back in his college days and the early years of working on computers and the Internet.
Steve Wozniak. Credit: REUTERS/Cathal McNaughton
“I like to play jokes,” said Wozniak jovially as he addressed an audience of thousands of security professionals attending the ASIS Conference in Chicago. The famed Apple inventor admitted he also had some fun with light-hearted forays into hacking computer and telecommunications networks several decades ago, back in his college years and while learning about electronics and computers.
People with imagination in engineering are naturally drawn to the idea of finding ways to bypass security controls as part of the process of discovering how things work, and Wozniak said this was especially true of himself.
“But I never once hacked a computer for real,” he told his audience, meaning his break-ins and intrusions were done in the spirit of exploration, never for profit or malice. One youthful prank involved experimenting with a shared computer system, where he left nine pages of Polish jokes that were dumped on users.
As a young man in college, when he read an article about how tone signaling techniques could be used to manipulate telephone networks to set up calls, he became intrigued and had to find out more and even try it himself. He went out and learned the exact frequencies and tried them out on the telephone system. “I wanted to explore the network,” he said. It was all a form of “White Hat hacking,” he says, never done for the purpose of stealing or avoiding paying bills.
As to his famous partnership with Steve Jobs, Wozniak said the two “became best friends instantly” and shared a fascination with finding out how networks worked, sometimes in unorthodox ways.
Circumventing the controls placed by authority was sometimes part and parcel of satisfying the enormous drive he had as a budding computer engineer to experiment and grow in knowledge, he pointed out. Wozniak said he had a friend with the key to the college computing room and he snuck in in the middle of the night to run his computing programs on punch cards. He admitted he also used to sneak into at least one eminent Stanford institution’s lab every Sunday, when it was supposed to be closed, to find electronics and science manuals so he could learn more. It all just shows you “the brightest people in the world tend to leave their doors unlocked,” Wozniak said.
Wozniak said many of his break-in stunts were often combined with a prank, such as when he guessed his stepson’s password for the Macintosh and made the files he found hard to access, while also scheming with his wife to leave a folder marked “from Mom.” “He was livid,” said Wozniak about the prank.
Wozniak said one of his favorite pranks was coming up with a TV jammer that he secretly used to convince friends their TV sets were malfunctioning, while at the same time instructing them in outlandish ways to “fix” the problems — until he secretly stopped jamming their sets.
All of this youthful exuberance at the time may have occurred “because I was a geek, and had little hope of finding a girlfriend or a wife,” Wozniak says.

Is hacking in self-defence legal?

Matt Keil, senior research analyst with Palo Alto Networks, does not condone cyber retaliation.
In sport, sometimes the best defense is a good offense, but since hacking is considered illegal, organizations under a cyber attack only have defensive options. Or do they? A legal expert says retaliatory hacking might not be illegal in Australia.
The general rule for penetration testers, or hackers who make a crust breaking into others' computers, is don't hack unless you've got consent.
"We can hack when we have permission to do it," says Rob McAdam, chief executive of penetration-testing firm PureHacking.
McAdam says he's been asked twice over 11 years to "hack back". "They were international sources that asked us to help with domestic circumstances, but both times we refused."
"White hat" hacking services that McAdam and others provide help customers mitigate vulnerabilities, such as un-patched software, that "blackhat" or bad hackers could exploit.
"Hack back" on the other hand moves the battle beyond the victim's network to the attacker's turf. The thinking goes that a company could eliminate a competitive technology that was born out of its stolen IP.
Matt Keil, senior research analyst with Palo Alto Networks, previously told IT Pro he did not recommend it.
"I don't think companies should venture down that path. At a government level, this type of probing and poking has been going on for many years. I wouldn't condone attacking other organisations at government or company level," Keil says.
Questions over the legality of cyber retaliation linger for lawmakers in Australia and the US. Supporters say it's a necessary evolution in the fight against malicious hackers who only need to find the weakest point to gain entry. One employee who opens a malware-laden phishing email could be enough.
Earlier this year, a US private commission on intellectual property argued that laws and law-enforcement couldn't keep pace with nimble hackers, and petitioned for legal reform that would permit acts of self-defence if law enforcement support was limited.
Alongside calls in the US for more freedom to hack back, a new breed of security company has emerged promising "active defence". FireEye is one example, but the best-known is CrowdStrike, which promises to identify hackers, reveal their intent and disrupt their intrusion.
"It's less about trying to keep them out and more about being able to hunt them down and limit the damage that they're able to do," CrowdStrike CEO George Kurtz told IT Pro recently. "You want to make it really costly for them to get in and you want to be able to identify them very quickly and eradicate them from the network."
While the company has mocked "passive defence", it's also been careful to avoid claiming it actually offers hack back services due to the tough stance the US takes on hacking.
"There isn't much 'hack back' going on in the real world these days," says H.D. Moore, chief researcher at US penetration testing firm Rapid7 and founder of Metasploit, a popular attack toolkit both blackhat and whitehat hackers use for remote intrusion, either to improve or break defences.
"Hack back is illegal as hell in the US, and even if you're military or intelligence, it's illegal until you get approval directly from the executive branch," he adds.
In Europe things are a little looser. "Their perspective is that no one's going to go after them if they're hacking bad guys, so they just sit around and hack Syria all day or Iran," Moore says.
Unlike the US, Australian organisations may have an option to fight back, according to Dr Alana Maurushat, a senior lecturer at the UNSW's Law Faculty, who has contributed to cyber elements of Australia's Model Criminal Code (MCC).
"Depending how it is done, it may not be illegal," Dr. Maurushat tells IT Pro, pointing to a 2001 MCC Officers Committee report, which considered "computerised counter attack against cybernet intruders" could be construed as self-defence.
According to Dr Maurushat's research, hack back is fairly common in Australia. She cites an anonymous survey at the 2009 AusCERT security conference where 20 per cent of the audience said they had used hack back. And since it's already happening, she's advocating legislation that permits it if it meets several conditions such as "sufficient attribution of the source of an attack" and "reasonable, proportionate and necessary" measures that also avoid damage to unintended third-parties.
Those are tricky to meet though. A report last week claimed 32 per cent of targeted attacks in the second quarter of 2013 involved a command and control server located in Australia. Chances are that many of these were actually compromised servers, not willing attackers.
Marcus Carey, a former cryptography expert at the NSA, explained the issue to IT Pro.
"When I was at NSA I had a co-worker try to hack back and he was actually hacking an American Oil company that had been compromised."
His rule: don't hack targets outside your network. But he adds: "You should be tracking all enemy activity such as keystrokes and all other traffic. This is where honeypots come into play."
Honeypots are decoy simulated environments designed to lure attackers. Researchers can use them to study attackers' means and methods, but they do have limits.
"Fully automated simulations of a real network cost a lot and can be rather quickly discovered and blacklisted by the attackers. That is why they are not widely used," says Vitaly Kamluk, chief malware analyst at Kaspersky Lab's Russian Global Research & Analysis Team.
Nonetheless, Carey and McAdam have released honeypot-inspired "active defence" tools that alert customers when their information is stolen. Carey's HoneyDocs rigs decoy documents with a 'call back' feature that tells owners when the document has been accessed. McAdam's tool crawls the web for stolen data.
Another Australian company, Threat Intelligence, has launched a new online product that tracks hackers around the world and sends mobile and email alerts to users of its Threat Analytics about attacks against their websites before they begin. It includes hacker profiles and the types of attacks they usually perform.
"We are experiencing a shift in the global threat environment. To prevent falling behind and falling victim to a security breach, organisations need to mature their thinking beyond traditional security controls and into the era of threat management," says Ty Miller, Threat Intelligence founder and CEO. 
McAdam says clients are better informed.
"Where we do find a piece of information, we hand it to the client [who] hands it over to the police and they go do their job. That's a completely appropriate way to do 'hack back'," says McAdam.
But if you've collected attack data and don't get joy from the cops?
"Your best recourse is to dump it publicly," says Moore. "Just publish it all and say hey guys, we're seeing attacks from this company in China, or Malaysia, or wherever it's going to be, and document it and back it all up. The press is probably the best thing you can do at that point."

Anil Ambani hacking probe reveals more breaches; tax accounts of Dhoni, SRK, Sachin and Salman hacked

Mumbai Police, which is probing the alleged hacking by a CA student into Anil Ambani's e-filing of Income-Tax returns account, has stumbled upon another CA student who not only accessed the top industrialist's account, but also those of popular cricketers and film stars including Sachin Tendulkar, M S Dhoni, Shah Rukh Khan and Salman Khan.

According to police, during the probe into the Hyderabad-based young CA student's hacking of Ambani's IT account, it emerged that the business tycoon's account had also been fraudulently accessed from Noida, on the northern outskirts of Delhi.

"We questioned the girl if she had also accessed the account from Noida, for which she replied in the negative. She also denied she knew anybody from Noida," said Mukund Pawar, Senior Inspector at the Cyber Cell of the crime branch, on Thursday.

The 21-year-old woman, who has been doing her chartered accountancy articleship at Manoj Daga & Company in Hyderabad, was booked under relevant sections of the Information Technology Act on September 7, police said.

The probe took them to Vishal Kaushal Company, an accountancy firm in Noida, where CA student Sanchit Katiyal (22) was found to have hacked into Ambani's account, he said.

Sanchit, who is doing his articleship, was accordingly booked by the Cyber Crime Cell on September 16 and his computer and hard disks were seized, Pawar added.

Like the Hyderabad-based girl, Sanchit had also, out of curiosity, hacked into Ambani's account on June 26.

The accused first accessed the accounts of Shah Rukh and Salman on June 22, Dhoni's account on June 24 and then broke into Ambani's account.

He again accessed Dhoni's account on June 28, and Sachin's account on July 4.

The modus operandi in both cases was similar. The two had sent e-mails to the IT department seeking a change in the password of the person whose account they planned to hack into. The IT department then did the needful, a procedure that highlights the fragility of the department, the Crime Branch says.

Using the new password, the duo accessed the accounts of the prominent personalities.

Neither of the accused has yet been arrested, said another police officer, adding that "the offences were bailable. We have plans to file the charge-sheets at the earliest. And at the time of filing the chargesheets, we would place the duo under arrest."

Wednesday 25 September 2013

Security Code Review Techniques–SQL Injection Edition

Security on the Brain
Security is something we all know is important, but is it something that we always do? Most likely, not always. That’s partly because security is complex and takes time to implement. Many of you, these days, don’t have that time (it’s all about the shortest time-to-market, right?) to think about security. You make sure that minimal security checks and balances are there, but that’s about it. Totally understandable.

But security doesn’t have to be complex to implement once you know what you already have available to you in the frameworks and products that you use every day. Over the course of the next few weeks we’ll be demystifying different aspects of application security: simple things you can do to protect your applications, how to use the tools and frameworks you’re already using as your lines of defense against hacking, and more.

What is SQL Injection

SQL injection is a programming weakness where the application dynamically constructs SQL queries by string concatenation of unsanitized data. Imagine the following scenario: the application retrieves two parameters from the request, “username” and “password”, and then uses them to construct the SQL statement that verifies whether the credentials are correct.
[image: SQL statement constructed by concatenating the username and password parameters]
So, for example, if the username was “BobTheGreat” and the password was “AccessDenied!”, the resulting SQL would look something like:
[image: resulting SQL statement]
But imagine a slimy little attacker who enters their username as “slimy’ or 1=1--”. Now the resulting SQL statement would look something like this:
[image: resulting SQL statement with the injected username]
The result? The slimy dude just bypassed authentication!

Why is it a big deal?

Simple: the attacker just got access to your data, possibly all your data, and potentially your server as a bonus. The attacker essentially “0wned” your database, in hackers’ terms.
Seven of the ten biggest data breaches of all time were made possible by SQL injection:
  • Heartland Payment Systems: 130 Million records lost – Jan 20, 2009
  • TJX Companies: 94 Million records lost – Jan 17, 2007
  • TRW: 90 Million records lost – June 1, 1984
  • Sony Corporation: 77 Million records lost – April 26, 2011
  • Card Systems: 40 Million records lost – June 19, 2005
  • RockYou: 32 Million records lost – Dec 14, 2009
  • Sony Corporation: 25 Million records lost – May 2, 2011
Effective Controls in .NET:
.NET provides very effective ways to protect against SQL injection attacks. In the case of inline SQL statements, the framework offers a simple way to construct parameterized SQL statements as follows:
[image: parameterized SQL statement in .NET]
For stored procedures:
[image: parameterized stored procedure call in .NET]
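The login check described under “What is SQL Injection” and the parameterized version described under “Effective Controls in .NET”, as one added example. This is Python with SQLite rather than the article’s .NET code; the `users` table, its two rows and the `login_vulnerable`/`login_parameterized` function names are assumptions made here. The concatenated query accepts the “slimy' or 1=1--” username from the article, the parameterized query does not.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database standing in for
    the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("BobTheGreat", "AccessDenied!"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, as in the article's first
    listing. Returns the matched username, or None if the credentials fail."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with placeholders: the driver passes the values separately
    from the statement text, so a quote in the input stays data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # The article's payload: the comment marker discards the password check,
    # and 'or 1=1' makes the WHERE clause true for every row.
    payload = "slimy' or 1=1--"
    return {
        "legit_vulnerable": login_vulnerable(conn, "BobTheGreat", "AccessDenied!"),
        "legit_parameterized": login_parameterized(conn, "BobTheGreat", "AccessDenied!"),
        "injected_vulnerable": login_vulnerable(conn, payload, "anything"),
        "injected_parameterized": login_parameterized(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the vulnerable function the injected login returns the first user in the table (“BobTheGreat”), i.e. the attacker is logged in as someone else; with placeholders the same input is looked up literally as a username and matches nothing.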

Piece-of-cake! Why Do We Still Have SQL Injection Then??

Inconsistency in using Parameterized SQL Statements
The most common mistake developers make is not applying parameterized SQL statements consistently. Developers sometimes want to check a complicated query and debug why it is not running properly, so they comment out the parameterized version of the query, run the dynamically constructed version, and forget to revert to the parameterized version.
Another example: a junior developer who has just joined the team and hasn’t yet learned what SQL injection is all about might change queries and use non-parameterized SQL statements.
Finally, and this is not uncommon at all, the development team decides that parameterized SQL statements are just not for them and opts instead for filtering known bad characters such as the single quote (‘). Of course, this is a very dangerous strategy: 100% of the applications I reviewed that followed this path had a few places where the developers missed escaping data input, and if it didn’t take me long to find those places, it is not going to take the attacker long either.
Using Parameterized Stored Procedures Correctly Yet Still Vulnerable
Although it is not as common as it used to be, using a parameterized stored procedure incorrectly will lead to SQL injection flaws. Consider the following example:
[image: parameterized call to the stored procedure]
No SQL injection, right? Now look at how the stored procedure is implemented:
[image: stored procedure body built with string concatenation]
Although the stored procedure is parameterized and the data was passed to it correctly, the stored procedure did not use the parameter properly: it used string concatenation to construct the SQL statement, opening the application back up to SQL injection.
So the lesson here is to peek inside your stored procedures and make sure there is no string concatenation in there.
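One way to act on the “peek inside your stored procedures” advice during a code review is a small script that scans T-SQL for the two patterns that matter: a parameter concatenated into a string literal, and a variable holding assembled SQL being executed. This is an added example in Python, not the article’s code; the three sample procedures are constructed for it, and the regular expressions are a reviewer’s starting point, not a complete detector (a `'...' + @name` expression may also be legitimate message building, so every finding is for a human to read).

```python
import re

# Constructed sample T-SQL (not from the article): one procedure that uses its
# parameter properly and two that build dynamic SQL from it.
SAMPLE_PROCS = """
CREATE PROCEDURE dbo.GetUserSafe @username NVARCHAR(50)
AS
BEGIN
    SELECT id, username FROM users WHERE username = @username;
END
GO
CREATE PROCEDURE dbo.GetUserUnsafe @username NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = 'SELECT id, username FROM users WHERE username = ''' + @username + '''';
    EXEC(@sql);
END
GO
CREATE PROCEDURE dbo.SearchUnsafe @term NVARCHAR(50)
AS
BEGIN
    EXEC sp_executesql N'SELECT id FROM users WHERE username LIKE ''%' + @term + '%''';
END
GO
"""

# Patterns worth a reviewer's attention: a string literal glued to a
# @parameter/@variable, and execution of a variable holding assembled SQL.
CONCAT_PATTERNS = [
    re.compile(r"'\s*\+\s*@\w+"),   # '...' + @name
    re.compile(r"@\w+\s*\+\s*'"),   # @name + '...'
]
DYNAMIC_EXEC = re.compile(r"\b(EXEC|EXECUTE)\s*\(\s*@\w+\s*\)", re.IGNORECASE)
PROC_NAME = re.compile(r"CREATE\s+PROCEDURE\s+([\w.\[\]]+)", re.IGNORECASE)
BATCH_SEPARATOR = re.compile(r"^\s*GO\s*$", re.IGNORECASE | re.MULTILINE)


def review_procedures(sql_text):
    """Return (procedure name, offending line, reason) for every line that
    concatenates a parameter into a string or executes SQL held in a variable."""
    findings = []
    for batch in BATCH_SEPARATOR.split(sql_text):
        match = PROC_NAME.search(batch)
        if not match:
            continue
        name = match.group(1)
        for line in batch.splitlines():
            stripped = line.strip()
            if any(p.search(stripped) for p in CONCAT_PATTERNS):
                findings.append((name, stripped, "parameter concatenated into a string"))
            elif DYNAMIC_EXEC.search(stripped):
                findings.append((name, stripped, "dynamic SQL executed from a variable"))
    return findings


if __name__ == "__main__":
    for name, line, reason in review_procedures(SAMPLE_PROCS):
        print(f"{name}: {reason}\n    {line}")
```

Run against the sample, the script reports nothing for `GetUserSafe`, two lines for `GetUserUnsafe` (the concatenation and the `EXEC(@sql)`), and the concatenation inside the `sp_executesql` call in `SearchUnsafe`. The same scan can be pointed at a scripted-out database schema.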

Second Order Injection Attacks

Second order injection happens when the application uses unsanitized data retrieved from the database. There are several scenarios for Second Order Injection attacks, but here is one:
  1. The application retrieves unsanitized data from the user.
  2. Parameterized SQL statements are used to insert the data into the database.
  3. The application later on, retrieves this data and uses it to construct SQL statements using string concatenation.
So the SQL injection does not actually happen the first time the data is inserted into the database, because it is obvious there that we need to use parameterized SQL statements. The SQL injection happens the second time, when the data is used without parameterized SQL statements. We actually see this scenario a lot in the field, where developers think that data retrieved from the database is safe to use and don’t bother using parameterized SQL statements there.
Another common scenario is when the application uses data retrieved from the database that was entered through another application. Assuming that the data is safe and using string concatenation to construct SQL statements will again lead to SQL injection vulnerabilities.
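The three-step scenario above, as an added Python/SQLite example (not the article’s code; the `users` table, the `register` and `change_password_*` functions and the pre-existing “admin” row are assumptions made here). The username is inserted safely with a placeholder; the injection fires only when the stored value is later read back and concatenated into an UPDATE, and changing the attacker’s own password then overwrites the administrator’s.

```python
import sqlite3


def make_db():
    """Constructed schema with one pre-existing privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def register(conn, username, password):
    """Steps 1 and 2: untrusted input is stored with a parameterized INSERT.
    This part is correct; the quote in the username goes in as data."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()
    return conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()[0]


def stored_username(conn, user_id):
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def change_password_vulnerable(conn, user_id, new_password):
    """Step 3: the username read back from the database is treated as trusted
    and spliced into the UPDATE by concatenation."""
    username = stored_username(conn, user_id)
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE username = '" + username + "'")
    conn.execute(sql)
    conn.commit()


def change_password_safe(conn, user_id, new_password):
    """Same operation with placeholders: data from the database gets no more
    trust than data from the request."""
    username = stored_username(conn, user_id)
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    conn.commit()


def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def demo(change_password):
    """Register a user whose name carries a quote and a comment marker
    (constructed payload), change that user's own password, and report what
    the administrator's password is afterwards."""
    conn = make_db()
    attacker_id = register(conn, "admin'--", "whatever")
    change_password(conn, attacker_id, "pwned")
    return password_of(conn, "admin")


if __name__ == "__main__":
    print("admin password after vulnerable change:", demo(change_password_vulnerable))
    print("admin password after safe change:", demo(change_password_safe))
```

With the concatenating version the UPDATE becomes `... WHERE username = 'admin'--'`, so the administrator’s password is replaced; with the parameterized version only the attacker’s own row changes and “admin” keeps its password.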

Finally, Failure to Use The Principle of Least Privilege

How many of you guys have used administrative accounts to connect to the database? Oh, wow, all of you? You guys break my heart!!
No, seriously, we’ve all done it. It is easier, convenient and no permissions mess.
However, using an administrative account means that the attacker would also have administrative privileges on your database if they were able to break in. So all the attacker needs to do is find a tiny SQL injection here or there and, bam, they 0wn your database.
Using an account with the least privileges absolutely necessary for the application to perform its function is essential to give your defences depth.
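An added Python example of the least-privilege point (not from the article). SQLite has no user accounts, so a `set_authorizer` callback that permits only reads of the `users` table stands in for a restricted database login; the schema, the `payments` table and the UNION payload are constructed for the example. The same deliberately vulnerable login query is run once on an unrestricted connection (the “administrative account”) and once under the restriction: the injection still exists, but the restricted connection cannot be used to read the other table.

```python
import sqlite3

# Tables the login code legitimately needs; everything else is off limits.
SAFE_TABLES = {"users"}


def make_db():
    """Constructed schema: a user table and a sensitive table the login code
    has no business touching."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, card_number TEXT);
        INSERT INTO users (username, password) VALUES ('BobTheGreat', 'AccessDenied!');
        INSERT INTO payments (card_number) VALUES ('4111111111111111');
    """)
    return conn


def restrict_to_read_only(conn, tables):
    """Stand-in for a least-privilege database account (assumption: SQLite has
    no logins, so the authorizer plays that role). Only SELECTs that read the
    listed tables compile; writes, DDL and reads of other tables are refused."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in tables:   # arg1 is the table name
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def login_vulnerable(conn, username, password):
    """The article's concatenated query, left vulnerable on purpose so the
    effect of the connection's privileges can be observed."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.DatabaseError as exc:   # SQLITE_DENY surfaces as "not authorized"
        return "denied: " + str(exc)


def demo():
    # Constructed payload that turns the login query into a read of another table.
    payload = "x' UNION SELECT card_number FROM payments--"
    admin_conn = make_db()                  # connection with every privilege
    app_conn = make_db()
    restrict_to_read_only(app_conn, SAFE_TABLES)
    return {
        "unrestricted": login_vulnerable(admin_conn, payload, "y"),
        "restricted": login_vulnerable(app_conn, payload, "y"),
        "restricted_legit": login_vulnerable(app_conn, "BobTheGreat", "AccessDenied!"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two separate connections are used so that each compiles the statement afresh (the authorizer runs at statement-compile time). Least privilege does not fix the injection, which is why it comes last in the article’s list: it limits what a successful injection can reach, and the parameterized query remains the actual fix.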

Summary

I help my clients uncover and remediate all the vulnerabilities in their applications. However, if I had a magic wand to erase just one vulnerability from existence, it would definitely be SQL injection. Using SQL injection techniques, attackers can steal your customers’ data in a flash, inject malware into your database and infect all your users, or compromise your server and maybe your whole network.
Making sure proper input validation is done, using parameterized SQL statements and/or parameterized stored procedures properly and consistently in addition to using accounts with the least amount of privileges are all techniques that should help you mitigate the risk of SQL Injection attacks.

NSA accused of hacking into India's nuclear systems

According to Edward Snowden's cache of documents, the NSA has been delving deeper into India's servers than many could have imagined. The Hindu is reporting that, in addition to the usual PRISM snooping, the agency also vacuumed up data on the country's nuclear, political and space programs. The newspaper says it has a document, entitled "A Week in the Life of PRISM reporting," which allegedly shows that discussions between high-ranking politicians, nuclear and space scientists were being monitored in "real-time." The revelation comes a few months after Kapil Sibal, India's IT chief, denied that any such surveillance was being undertaken. Who knows? Maybe he was spending so much time on his other projects that he missed the clues. For its part, the US has insisted that its hands are clean in India. Back in June, Secretary of State John Kerry said that the US doesn't look at individual conversations but instead "randomly surveys" data in order to discover communications that are "linked to terrorists."

Thursday 5 September 2013

Hacker to get $12,500 from Facebook for finding photo glitch

An “ethical hacking enthusiast” from southern India is to receive a $12,500 bounty from Facebook after discovering a vulnerability which allowed him to delete any photo hosted on the social network. (File photograph: Chris Jackson/Getty Images)
Posting details of the discovery on his blog this week, Arul Kumar told how the bug was initially dismissed by the company, prompting him to make a step-by-step video showing the flaw in detail.
In the video he explained how he “exploited Mark Zuckerberg’s photo from his photo album”.
Kumar held off on actually deleting any images of the Facebook founder, but on receiving the video evidence the bug was accepted as fact by Facebook, with Kumar receiving a message from one of the company’s security team telling him, “I wish all bug reports had such a video”.

Rewarded
With the vulnerability fixed in recent days, it allowed the 21-year-old to reveal full details of his work and the $12,500 reward through his blog.
Vice president for security research with Trend Micro, Rik Ferguson, said some industrious ethical hackers may see finding such issues as a solid revenue stream, with other companies such as Microsoft, Google and PayPal offering similar rewards for finding glitches within their sites, services and products.
“And why not? It’s a lot of effort to find the defects and it’s only right then that people should be rewarded for those efforts as it’s helping whoever the defect affects to develop a better end product,” he said.
Ferguson told The Irish Times that “there was a big movement a few years ago of ‘no more free bugs’ as people were sick of not being rewarded for finding errors and vulnerabilities, and in response to that a lot of companies have begun these bounty programs.”
Security blogger and head of technology for the Asia Pacific region with Sophos, Paul Ducklin, noted that the reason Facebook paid Kumar “top dollar” by bounty standards (with many bounties starting at $500) was that “it’s not just deleting a photo, it’s something which could be used for malware”.
Ducklin noted that in the case of a company such as Microsoft some bounties can reach up to $100,000, depending on the complexity and importance of the flaw discovered. Ducklin added that the decision by Kumar to present his case by video was certainly of help to his case.

Vulnerability
“The bounty amounts vary by how hard it is yes, but also how well you present your case and by doing it through video it makes it much easier for them to fix it as they can see what exactly they have to do.”
Kumar’s methods of highlighting the bug were more successful than the recent efforts of Khalil Shreateh, an IT graduate from Palestine, who had discovered a vulnerability which allowed someone to post a message on a person’s Facebook timeline, even if they were not “friends” with that individual.
After becoming upset when an official Facebook response told him “this is not a bug”, Shreateh posted a message on Zuckerberg’s personal wall utilising the vulnerability in question.
However, as this violated the company’s terms for discovering bounties Shreateh found he would not be receiving any reward and instead saw his account temporarily suspended.

McAfee opens Cyber Defense Center in Dubai to tackle hacking

DUBAI: Computer anti-virus giant McAfee has opened its first Cyber Defense Center (CDC) in Dubai at a time when the region's businesses have witnessed numerous damaging attacks.
The launch of the CDC will be an additional tool to help protect customers across the Europe, Middle East and Africa (EMEA) region from emerging threats.

The CDC team comprises expert consultants with more than 70 years' combined experience in incident response handling across the public and private sector.

"McAfee's elite presence in the region enables customers to have a connected approach to cyber security," said Ayman Al-Issa, Digital Oilfields Cyber Security advisor.

"The local, on-the-ground presence provided by the CDC will make it easier for all entities to take advantage of McAfee's expertise and also reduce response time in the event of a crisis of any kind. McAfee once again shows leadership and solution differentiation with the opening of this new Center," he added.

The governments in the region have been investing heavily in new solutions to prevent and minimise the impact of attacks and McAfee's CDC will be working closely with key stakeholders to look for ways to improve protection.

"The rising frequency of outages due to hacktivist, criminal and terrorist activities has brought the security issue front of mind," said Gert-Jan Schenk, President of McAfee in EMEA.

Over the last year, a tremendous increase has been detected in malware and attacks targeted at EMEA organisations. As an example, Ukraine and Belarus both experienced an increase in spam of more than 200 per cent in Q2 2013.

Pranav Mistry: Samsung Galaxy Gear smartwatch is packed with technologies from the next decade

Pranav Mistry, head of the think tank team at Samsung Research America, points to the so-called 'Memographer' camera on a Samsung Galaxy Gear smartwatch during its launch at 'Samsung UNPACKED 2013 Episode 2' at the IFA consumer electronics fair in Berlin, September 4, 2013. The IFA consumer electronics and home appliances fair will open its doors to the public from September 6 till 11 in the German capital. Credit: REUTERS
BERLIN: Samsung Electronics unveiled its highly anticipated digital wristwatch that can snap photos, track workouts and use an array of apps - gadgetry that the company hopes will catapult it into a market of smart portable devices that leave cellphones in users' pockets.

Named the Samsung Galaxy Gear, the so-called smartwatch will join Google Glass as the latest example of wearable technology. The watch is synced to a cellphone, allowing users to answer calls and receive text messages from their wrists. The timing of the release could also give Samsung a leg up over Apple, which has yet to unveil a similar device but has long been rumored to be working on one.

At a much-hyped unveiling ceremony ahead of Berlin's Internationale Funkausstellung, one of the world's largest trade shows for consumer electronics, Samsung's head of mobile communications, JK Shin, introduced the device by pretending to receive a text message on stage.

"Don't forget to mention Android," Shin's message read.

He then raised his left arm, exposing the watch to applause from both the Berlin crowd and people in Times Square in New York, who were patched into the event via a video stream. Like other smartphones and tablets Samsung produces, Gear runs on Google's Android operating system.

From the Gear's small screen, which measures 1.63 inches diagonally, users can also receive emails, share pictures and use apps designed for Gear. It does not, however, function as a stand-alone device and must be paired with a Samsung phone or tablet.

Pranav Mistry, the head of research at Samsung Research America, said the watch was "packed with technologies from the next decade."

The watch has a rubbery wristband in which a small 1.9-megapixel camera is embedded. Its display surface has stainless steel bezels with four visible screws in each corner.

The watch is activated by pressing a button on the outer right side of the display or aiming the wristband lens at an object. A gentle swipe downward quickly turns on the camera, a feature Samsung calls the "Memographer."

"This is a feature that changes the way we interact, the way we express and the way we capture," Mistry said.

From the home screen, swiping upward brings up a number pad where a user can make a call. Because a gyroscope and accelerometer detect the Gear's movement, a user can answer calls by lifting his wrist to his ear.

"We have uniquely positioned the speakers and microphones so you can talk as you would on a regular phone," Mistry said.

The Gear is set to be released worldwide next month, although neither Shin nor Mistry gave a date. Also under wraps was the cost, something many believe could be a determining factor in whether the next-generation technology hits home with consumers who have historically been reluctant to adopt such "wearables of tomorrow," as Mistry called the Gear.

Samsung, which overtook Apple last year as the world's largest producer of smartphones, got into the watch business in 1999 with a model that consumers shunned.

Galaxy Gear has 512 megabytes of RAM and an internal memory of four gigabytes. It has an 800-megahertz, single-core central processing unit and weighs 2.6 ounces. Available colors include lime green, oatmeal beige, wild orange, mocha gray, jet black and rose gold.

Wednesday 4 September 2013

Researchers: Oracle’s Java Security Fails

Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research suggests that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracle’s new security scheme actually punishes Java application developers who adhere to it.

Java’s security dialog box.
Running a Java applet now pops up a security dialog box that presents users with information about the name, publisher and source of the application. Oracle says this pop-up is designed to warn users of potential security risks, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.
Security experts differ over whether regular users pay any mind whatsoever to these warnings. But to make matters worse, new research suggests most of the information contained in the pop-ups can be forged by malware writers.
In a series of scathing blog posts, longtime Java developer Jerry Jongerius details the various ways that attackers can subvert the usefulness of these dialog boxes. To illustrate his point, Jongerius uses an applet obtained from Oracle’s own Web site, javadetection.jar, and shows that two of the three fields the dialog displays (“Name” and “Location”) can be changed at will, even though the applet is already cryptographically signed.
“The bottom line in all of this is not the security risk of the errors but that Oracle made such incredibly basic ’101′ type errors — in allowing ‘unsigned information’ into their security dialogs,” Jongerius wrote in an email exchange. “The magnitude of that ‘fail’ is huge.”
Jongerius presents the following scenario in which an attacker might use the dialog boxes to trick users into running unsafe applets:
“Imagine a hacker taking a real signed Java application for remote desktop control / assistance, and placing it on a gaming site, renaming it ‘Chess’. An unsuspecting end user would get a security popup from Java asking if they want to run ‘Chess’, and because they do, answer yes — but behind the scenes, the end user’s computer is now under the remote control of a hacker (and maybe to throw off suspicion, implemented a basic ‘Chess’ in HTML5 so it looks like that applet worked) — all because Oracle allowed the ‘Name’ in security dialogs to be forged to something innocent and incorrect.”
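Why the same signed JAR verifies no matter what name or location the dialog shows, as an added example in Python (this is not code from the article, from Jongerius, or from Oracle): it builds a constructed signed-JAR layout in memory and replays the digest chain that a JAR verifier checks. The class bytes and signer alias are hypothetical, and the .RSA block that signs the .SF file is assumed valid rather than modelled.

```python
"""Which bytes a JAR signature covers: the digest chain replayed in Python.

Added example (not code from the article, from Jongerius, or from Oracle).
The JAR layout below is a constructed sample, not Oracle's javadetection.jar;
the signer alias in SIGFILE is hypothetical. The .RSA block that signs the
.SF file is assumed valid and is not modelled; everything below the .SF is
replayed the way a JAR verifier does it.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIGFILE = "META-INF/SIGNER.SF"  # hypothetical signer alias

# Constructed stand-in for the applet's class file (real class files start 0xCAFEBABE).
SAMPLE_ENTRIES = {"JavaDetection.class": b"\xca\xfe\xba\xbe" + b"constructed class body"}


def _digest(data: bytes) -> str:
    """Base64 SHA-256, the form jarsigner writes into manifest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """One named section per JAR entry, each terminated by a blank line."""
    text = "Manifest-Version: 1.0\r\n\r\n"
    for path, data in entries.items():
        text += f"Name: {path}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
    return text.encode()


def sections(raw: bytes) -> dict:
    """Map section name -> (attributes, verbatim section bytes). The .SF file
    digests each manifest section byte-for-byte, so the raw form is kept."""
    out = {}
    for block in raw.split(b"\r\n\r\n"):
        if not block.startswith(b"Name: "):
            continue  # main section or trailing empty piece
        attrs = dict(line.split(": ", 1) for line in block.decode().split("\r\n"))
        out[attrs["Name"]] = (attrs, block + b"\r\n\r\n")
    return out


def build_sf(manifest: bytes) -> bytes:
    """Signature file: a digest of the whole manifest plus one per section."""
    text = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {_digest(manifest)}\r\n\r\n"
    for name, (_, raw) in sections(manifest).items():
        text += f"Name: {name}\r\nSHA-256-Digest: {_digest(raw)}\r\n\r\n"
    return text.encode()


def sign(entries: dict) -> tuple:
    """What the legitimate signer produces once; an attacker cannot regenerate the .SF."""
    manifest = build_manifest(entries)
    return manifest, build_sf(manifest)


def build_jar(entries: dict, manifest: bytes, sf: bytes) -> bytes:
    """Pack entries with a given manifest and .SF, so tampering can be staged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        z.writestr(SIGFILE, sf)
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def verify_jar(jar: bytes) -> tuple:
    """Replay the chain .SF -> manifest -> entries.
    Returns (ok, set of entry names the signature covers)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        manifest, sf = z.read(MANIFEST), z.read(SIGFILE)
        sf_main = dict(line.split(": ", 1)
                       for line in sf.decode().split("\r\n\r\n")[0].split("\r\n"))
        if sf_main.get("SHA-256-Digest-Manifest") != _digest(manifest):
            return False, set()
        man = sections(manifest)
        for name, (attrs, _) in sections(sf).items():
            if name not in man or attrs["SHA-256-Digest"] != _digest(man[name][1]):
                return False, set()
        names = set(z.namelist())
        for name, (attrs, _) in man.items():
            if name not in names or attrs["SHA-256-Digest"] != _digest(z.read(name)):
                return False, set()
        return True, set(man)


def demo() -> dict:
    """Four deployments of the same signed applet."""
    manifest, sf = sign(SAMPLE_ENTRIES)
    genuine = build_jar(SAMPLE_ENTRIES, manifest, sf)
    swapped = {"JavaDetection.class": b"\xca\xfe\xba\xbe" + b"attacker class body"}
    return {
        "genuine": verify_jar(genuine)[0],
        # identical bytes served as "Chess.jar" from another host: the file name,
        # the download URL and the page's applet name are not JAR entries, so
        # verification cannot see them and the result is the same
        "renamed_and_relocated": verify_jar(genuine)[0],
        # class bytes changed under the original manifest: entry digest fails
        "class_swapped": verify_jar(build_jar(swapped, manifest, sf))[0],
        # manifest regenerated for the swapped class: .SF manifest digest fails
        "manifest_regenerated": verify_jar(build_jar(swapped, build_manifest(swapped), sf))[0],
    }
```

Everything the verifier hashes lives inside the archive: the manifest, the .SF and the entries the manifest names. The JAR's file name, the URL it was fetched from and the name attribute of the embedding page are not entries, so a dialog that fills its Name and Location fields from them is showing data that no signature covers; only the Publisher field, which comes from the signer certificate, is tied to the signed bytes.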
Oracle has not responded to requests for comment. But Jongerius is hardly the only software expert crying foul about the company’s security prompts. Will Dormann, writing for the Carnegie Mellon University’s Software Engineering Institute, actually warns Java developers against adopting a key tenet of Oracle’s new security guidelines.

Oracle recommends that all Java applets be cryptographically signed regardless of the privileges required by the program. Unsigned Java applets will run within a web page with a scary red warning that, “Running this application may be a security risk.” One of Java’s most-touted features is a “sandbox” security mechanism that is supposed to prevent certain functions when the applet is sent as part of a Web page. But according to both Jongerius and Dormann, Oracle made the default behavior for signed code to be full access to the computer (essentially, negating the usefulness of the sandbox).
“What about Oracle’s vision of a Java future where every Java applet is signed?” asks Dormann, a longtime security researcher with the Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT). “What this vision means is that every Java applet, which would be signed, would also now be in a state where it could be repurposed because it is now no longer restricted by the sandbox. A poorly designed sandboxed Java applet can’t do much of anything. However, a poorly designed signed Java applet can do pretty much anything that native code can.”
Both Dormann and Jongerius offer a number of ideas that Oracle could use to remedy the situation. Only time will tell whether the company will take notice of the recommendations. In the meantime, I’ll continue to urge regular Internet users to get rid of Java completely, or at least to disconnect the Java plugin from any Web browsers (obligatory disclaimer: this advice does not scale for business users, whose computers may rely on Java for specific applications).

'The Messiah' gives his reasons for hacking Sun Ho's site

A hacker who calls himself "The Messiah", and who hacked into the website of City Harvest Church (CHC) co-founder Sun Ho, has resurfaced with a Q&A site.

On the site, titled “8 questions with the Messiah”, the hacker, who revealed that he operates under the umbrella of the hacking group “Anonymous Collective”, said that Ho's website has very little security. He called this “horrifying”, since the site is apparently responsible for the information of over 5,000 churchgoers.

“It took us less than 15 minutes to gain access,” he said.

The information he referred to included names, addresses, telephone numbers and passwords. Perhaps to show how insecure Ho's site is, the hacker said he intends to expose the information soon. However, revealing them now would be "rash", he added.

Kong Hee, the church's founder and Ho's husband, and his deputies have been charged with the alleged misuse of church funds amounting to about $50 million, most of which allegedly went to Sun Ho’s singing career in the US. The trial is ongoing.

Screen shot of the hacker's Q&A site explaining his reasons for hacking Sun Ho's website. (Online screengrab)

Hackers crack car systems wide open

As cars become more like PCs on wheels, what's to stop a hacker from taking over yours?
In recent demonstrations, hackers have shown they can slam a car's brakes on at freeway speeds, jerk the steering wheel and even shut down the engine - all from their laptop computers.
The hackers are publicising their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks.
In one case, a pair of hackers manipulated two cars by plugging a laptop into a port under the dashboard where mechanics connect their computers to search for problems. Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the CD player and even the tyre pressure monitoring system.
SECURITY EXPERTS
To be sure, the “hackers” involved were well-intentioned computer security experts, and it took both groups months to break into the computers. And there have been no real-world cases of a hacker remotely taking over a car. But experts say high-tech hijackings will get easier as automakers give cars full internet access and add computer-controlled safety devices that take over driving duties, such as braking or steering, in emergencies.
Another possibility: A tech-savvy thief could unlock the doors and drive off with your vehicle.
Security research company CEO Rich Mogull commented: “The more technology they add to the vehicle, the more opportunities there are for that to be abused for nefarious purposes.
“History keeps showing us that anything with a computer chip in it is vulnerable.”
Over the past 25 years, car companies have gradually computerised functions such as steering, braking, accelerating and changing gears. Electronic throttle position sensors, for instance, are more reliable than the old throttle cables. Electronic parts also reduce weight and help cars use less fuel - but the networks of little computers inside today's cars are fertile ground for hackers.
Charlie Miller, a security engineer for Twitter, and fellow hacker Chris Valasek, director of intelligence at a Pittsburgh computer security consulting firm, cracked the computer systems of a 2010 Toyota Prius and 2010 Ford Escape through ports used by mechanics - although, even with their expertise, it took them nine months to do it.
Valasek said: “We could control steering, braking, acceleration to a certain extent, the seat belts, lights, hooter, speedometer and even the fuel gauge.”
GOING PUBLIC
Their report, which included instructions on how to break into the cars' networks, was released at a hacker convention in August. They said they went public to draw attention to the problem and get automakers to fix it, saying car companies haven’t put any security measures on the diagnostic ports.
Ford wouldn't comment other than saying it took security seriously, and pointing out that Miller and Valasek needed physical access to the cars to hack in.
Toyota said it did have added security - which it continually tested to stay ahead of hackers; it said its computers were programmed to recognise rogue commands and reject them.
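One concrete form that a "recognise rogue commands and reject them" rule can take, as an added example in Python; this is not code from the article, from Miller and Valasek, or from Toyota or Ford, and it does not describe any manufacturer's implementation. It learns how often each periodic arbitration ID normally appears and flags frames that arrive far too soon after the previous one, which is what an injector on the diagnostic port produces when it adds its own copies of a message the real ECU keeps sending. The trace, IDs and payloads are constructed; 0x7DF is the standard OBD-II functional request ID.

```python
"""Rate-based detection of injected CAN frames.

Added example, not code from the article or from Miller, Valasek, Toyota or
Ford. Arbitration IDs, payloads and timings are constructed and stand for no
particular vehicle; 0x7DF is the OBD-II functional request ID, which a tool on
the diagnostic port uses and normal driving traffic does not. The heuristic
(a periodic ID suddenly arriving at a fraction of its learned period) is a
hypothetical gateway rule, not any manufacturer's implementation.
"""
import re
import statistics
from collections import defaultdict

# candump-style text: "(seconds.micro) iface ID#HEXDATA"
LINE = re.compile(r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")
OBD_FUNCTIONAL_REQUEST = 0x7DF


def parse(lines):
    """Yield (timestamp, arbitration id, payload bytes) for well-formed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def learn_periods(frames, min_samples=3):
    """Median inter-arrival time per ID from a trace believed to be clean."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if len(g) >= min_samples}


def detect(frames, periods, ratio=0.6):
    """Flag IDs never seen in the baseline, and periodic IDs whose gap to the
    previous frame is below ratio * learned period (an injector doubles the rate,
    so both the spoofed frame and the genuine one after it get flagged)."""
    last, alerts = {}, []
    for ts, cid, _ in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last and ts - last[cid] < ratio * periods[cid]:
            alerts.append((ts, cid, "rate anomaly"))
        last[cid] = ts
    return alerts


def make_trace(inject: bool):
    """Constructed one-second trace: ID 0x1A0 every 10 ms, ID 0x2C4 every 20 ms.
    With inject=True, ten spoofed 0x1A0 frames land between the real ones from
    t=0.505 s and one diagnostic request appears at t=0.7 s."""
    frames = [(i * 10_000, 0x1A0, "0000000000000000") for i in range(100)]
    frames += [(i * 20_000, 0x2C4, "1122334455667788") for i in range(50)]
    if inject:
        frames += [(505_000 + k * 10_000, 0x1A0, "FFFF000000000000") for k in range(10)]
        frames.append((700_000, OBD_FUNCTIONAL_REQUEST, "0201050000000000"))
    frames.sort(key=lambda f: f[0])
    return [f"({us / 1e6:.6f}) can0 {cid:03X}#{data}" for us, cid, data in frames]


def run() -> dict:
    """Learn from the clean trace, then score both traces."""
    periods = learn_periods(parse(make_trace(inject=False)))
    clean = detect(parse(make_trace(inject=False)), periods)
    attack = detect(parse(make_trace(inject=True)), periods)
    return {
        "clean_alerts": len(clean),
        "rate_anomalies": sum(1 for a in attack if a[2] == "rate anomaly"),
        "unknown_ids": sorted({a[1] for a in attack if a[2] == "unknown id"}),
    }
```

The rule cannot tell the spoofed frame from the genuine one that follows it, only that the ID is now arriving twice as often; that is enough for a gateway to drop or quarantine the ID and for a logger to record that a tool on the bus is speaking as an ECU. The unknown-ID check catches the cruder case of diagnostic requests appearing while the car is being driven.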
“We could have turned the brakes off.”
Two years ago, researchers at the University of Washington and University of California in San Diego did more extensive work, hacking their way into a 2009-model mid-sized car through its cellular, Bluetooth and other wireless connections - even the CD player.
Computer science professor Stefan Savage said he and other researchers could control nearly everything but the car's steering.
“We could have killed the engine. We could have engaged the brakes,” he said.
Savage wouldn't identify the make or model of the car they hacked into, but two people who knew about the research said the car was from General Motors and the researchers compromised the OnStar safety system, best known for using cellular technology to check on customers and call for help in a crash.
GM wouldn't comment on the research, but said it took security seriously and was putting strategies in place to reduce risk.
CLOSING THE LOOPHOLES
One of the people said GM engineers initially dismissed the researchers' work, but after reading the report, quickly moved to close loopholes that allowed access to the car's computers.
Savage doesn't think common criminals will be able to seize control of cars electronically anytime soon - it would take too much time, expertise, money and hard work to hack into the multitude of computer systems found in a modern car.
“You're talking about a rarefied group with the resources and wherewithal,” he said.
Instead, he believes basic theft is a more likely consequence of computerisation, with criminals being able to unlock doors remotely and then start and drive the car by hacking through the diagnostic port. Remote door unlocking could also lead to theft of packages, phones and other items stored in a car. - Sapa-AP

NSA Laughs at PCs, Prefers Hacking Routers and Switches for bugging

The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines.
Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.
The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.
“No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”
He also notes that routers don’t have security software that can help detect a breach.
“The challenge [with desktop systems] is that while antivirus doesn’t work well on your desktop, it at least does something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.”
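The kind of integrity check Maiffret says routers mostly lack, for the part of the device that is plain text, as an added example in Python (not code from the article or from Beyond Trust): a stable fingerprint of the running configuration plus a line diff that flags additions in the stanzas an intruder with a foothold would use to mirror or redirect traffic, or to keep access. Both configurations are constructed IOS-style snippets; host, interface and user names, the addresses and the secret hashes are hypothetical, and the list of risky prefixes is an illustrative starting point rather than a complete one.

```python
"""Integrity baseline for a router's running configuration.

Added example in Python, not code from the article or from Beyond Trust.
Both configs are constructed IOS-style snippets; host, interface and user
names, the addresses (RFC 5737 documentation ranges) and the secret hashes
are hypothetical. RISKY_PREFIXES is an illustrative list to extend.
"""
import difflib
import hashlib

RISKY_PREFIXES = (
    "ip route", "monitor session", "interface tunnel", "snmp-server community",
    "username", "access-list", "ip access-list", "logging host", "boot system",
    "event manager", "ntp server", "line vty",
)
VOLATILE = ("ntp clock-period",)  # changes on its own; never a finding


def normalize(cfg: str) -> list:
    """Drop comments, blanks and known-volatile lines so only operative lines compare."""
    out = []
    for line in cfg.splitlines():
        s = line.rstrip()
        if not s.strip() or s.lstrip().startswith("!") or s.lower().startswith(VOLATILE):
            continue
        out.append(s)
    return out


def config_fingerprint(cfg: str) -> str:
    """Stable SHA-256 over normalized lines, for a cheap periodic check."""
    return hashlib.sha256("\n".join(normalize(cfg)).encode()).hexdigest()


def is_risky(line: str) -> bool:
    return line.strip().lower().startswith(RISKY_PREFIXES)


def diff_config(baseline: str, current: str) -> list:
    """Return [(op, line, risky)] for lines added ('+') or removed ('-')."""
    changes = []
    for d in difflib.ndiff(normalize(baseline), normalize(current)):
        if d[:2] in ("+ ", "- "):
            changes.append((d[0], d[2:], is_risky(d[2:])))
    return changes


BASELINE_CFG = """\
version 15.1
hostname edge-rtr-1
!
username netops privilege 15 secret 5 $1$constructed$baseline
!
interface GigabitEthernet0/0
 description uplink
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
snmp-server community constructed-ro RO
ntp clock-period 17179869
"""

# Constructed "current" config: a new privileged user, a SPAN session copying the
# LAN port to an unused port, a static route to a foreign next hop, a harmless
# description edit and the volatile clock-period line drifting.
CURRENT_CFG = """\
version 15.1
hostname edge-rtr-1
!
username netops privilege 15 secret 5 $1$constructed$baseline
username svc-mgmt privilege 15 secret 5 $1$constructed$added
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.0.2.0 255.255.255.0 198.51.100.7
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/2
snmp-server community constructed-ro RO
ntp clock-period 17179870
"""


def run() -> dict:
    changes = diff_config(BASELINE_CFG, CURRENT_CFG)
    return {
        "fingerprint_changed": config_fingerprint(BASELINE_CFG) != config_fingerprint(CURRENT_CFG),
        "changes": len(changes),
        "risky_additions": [line.strip() for op, line, risky in changes if op == "+" and risky],
    }
```

The fingerprint is what you poll from a monitoring job after every `show running-config` pull; the diff is what you read when it changes. It covers the configuration only; the IOS image on flash needs the same treatment with a hash compared against the vendor's published value, and neither check sees a modified image that lies about its own hash, which is why a sniffed config change is the cheap signal worth having.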
Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or even alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.
According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.
The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and rootkits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are as yet unknown to the vendor and customers.
“[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”
Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.
“Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document. “As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”
A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document.
In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world.
Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it. Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. The Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops.
The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that would shut down every Cisco router through which it passed, bringing down a nation’s critical infrastructure. It also would have allowed an attacker to gain complete control of the router to sniff all traffic passing through a network in order to read, record or alter it, or simply prevent traffic from reaching its recipient.
Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it.
Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit.
But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers.
Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them.
Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices.
Every year at computer security conferences around the world — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems.
In 2008, a researcher at Core Security Technologies developed a rootkit for the Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected.
According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals.
The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using it as well — and their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than a vulnerability that exists in just one version. A class of vulnerability that crosses multiple browser brands is also more valuable than a single vulnerability that affects only the Safari browser or Chrome.
The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program, used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks.
Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration. Maiffret says there hasn’t been a lot of public research on router vulnerabilities but whenever someone has taken a look at them, they have found security holes in them.
“They’re always successful in finding something,” he says.
Once a vulnerability becomes known to the software maker and is patched, it loses its value. But because many users do not patch their systems, some vulnerabilities can be used effectively for years even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.
Routers in particular often remain unpatched because system administrators don’t think they will be targeted and because they are concerned about network outages that could occur while the patch is applied, or if the patch is faulty.

Tuesday 3 September 2013

Pro-Assad Hackers Hit Marines Website

Computer hackers break into the Marine Corps recruiting website, call Obama "a traitor who wants to put your lives in danger."

Computer hackers who support Syrian President Bashar Al-Assad broke into the Marine Corps recruiting website on Monday, the Associated Press reported.
The hackers redirected visitors to a screen that called U.S. President Barack Obama "a traitor who wants to put your lives in danger to rescue Al-Qaeda insurgents."
A Marine Corps spokesman confirmed that the site, marines.com, was tampered with and redirected temporarily, but no information was put at risk.
Capt. Eric Flanagan would not say who was responsible for the hacking, but the site was redirected to a message from the Syrian Electronic Army, a hacker group that has claimed responsibility for previous break-ins into other websites.
The message to the Marine Corps was a plea for Americans to fight alongside the Syrian army and not aid the rebels.
The Syrian Electronic Army is believed to be behind an attack last week on the website of the New York Times. The group also claimed credit for breaking into Twitter's domain registrar account and changing information there.
Last April, the group took control of the Associated Press' official Twitter feed, and sent out a false message about two explosions at the White House and injury to the president.
Several weeks later, the group hacked the Twitter feed of satirical U.S. news website The Onion, posting comments and photos in line with similar intrusions at other news organizations.
The full message which the group posted on the Marines site, as quoted by AP, is:
“This is a message written by your brothers in the Syrian Army, who have been fighting Al-Qaeda for the last 3 years. We understand your patriotism and love for your country so please understand our love for ours. Obama is a traitor who wants to put your lives in danger to rescue Al-Qaeda insurgents.
Marines, please take a look at what your comrades think about Obama's alliance with Al-Qaeda against Syria. Your officer in charge probably has no qualms about sending you to die against soldiers just like you, fighting a vile common enemy. The Syrian army should be your ally not your enemy.
Refuse your orders and concentrate on the real reason every soldier joins their military, to defend their homeland. You're more than welcome to fight alongside our army rather than against it.
Your brothers, the Syrian army soldiers. A message delivered by the SEA.”

Hackers plan reprisal of Holocaust Memorial Day cyber attacks.

An English-language video posted to YouTube on Monday calls on Muslim hackers around the world to participate in a movement to bring down American and Israeli websites on September 11, marking the anniversary of the 9/11 terrorist attacks in New York City.

"Hi, Israel do you remember us?" the modified voice-over in the video asks, referring to previous hacking operations, as a kaffiya-clad Joker laughs at the audience. 



"We are the same people who f****d you on April 7. And now we are back. To punish you again," the voice declares, in reference to an April attempt, by the group Anonymous, to "erase Israel from the internet" on International Holocaust Memorial Day.

In their most recent video, the group announces the launch of a new operation, "#OpIsrael #Reborn", and asks "all hacker Muslims" to join its September 11 operation.

"There is no Israel in this map," the voice says in reference to ongoing Israeli-Palestinian political conflict, and a potential clue as to the intentions behind the operation. "No one recognizes you. Because it is Palestine."

The voice then poses a question to viewers. "Who are the terrorists?" it asks, while showing images of violent terrorist attacks.

It then calls on Americans and Israelis to expect an attack of some kind on September 11. "America, Israel. We will show you," it reiterates.

Toward the end, the video credits three separate hacker groups including Anonymous, who have attempted several similar operations, as well as lesser known groups, AnonGhost and Fallaga.

A logo with the words "Free Palestine" is printed across the last screenshot of the video, emphasizing the politics that are behind hacking schemes such as this.

Underneath the main text, in a barely visible font, the video pleads for the protection of all involved in the scheme: "May Allah help our hackers and mujahideen."

Government sites guard against hacking

Ministries and government agencies in the Kingdom have been on standby after receiving warnings of a new wave of hacking against their websites.
Warnings came after attacks were carried out on the websites of the Ministries of Interior, Finance, Foreign Affairs and Labor during the course of this year.
Government entities received this warning from higher authorities. A telegram from the Ministry of Interior warned government agencies against impending attacks after hacker groups defined their targeted websites.
The Ministry of Interior foiled these attacks by issuing warnings to higher authorities telling them about the groups' intentions, sources said.
Hackers intended to target university and ministry websites and the Ministry of Interior has called on agencies to take precautionary measures against such attacks.
The hackers also planned to target the Ministry of Municipal and Rural Affairs, the sources said.
“Tens of hackers joined attempts aimed at disabling the websites of certain government offices. Most of these attacks aimed to block the services of these websites for minutes or hours at a time, depending on the strength of the attack and the website's ability to defend itself. Hacking attempts have failed to achieve serious breaches until now,” said Fayez Al-Barakati, a software expert at the Technical College in Jeddah.
Last April, a local daily published a report stating the Saudi National e-Security Center has conducted a campaign to raise the level of awareness among government employees and facilitate access to special security instructions for government authorities.
Government agencies were warned against failing to apply the public policies and security procedures related to information protection. Employees were told not to click on suspicious links and websites, or on links attached to e-mails, in case they carry malicious programs or data-theft attempts.

Monday 2 September 2013

US charges 6 in major credit card, Nasdaq hacking cases

U.S. prosecutors charged six foreign nationals with hacking crimes, including credit and debit card thefts that authorities say cost U.S. and European companies more than $300 million in losses, and charged one of them with breaching Nasdaq computers. By David Jones and Jim Finkle.
Prosecutors said the indictments unsealed on Thursday for the payment card hacking were the biggest cyber fraud case filed in U.S. history.

The long list of victims includes financial firms Citigroup Inc, Nasdaq OMX Group Inc, PNC Financial Services Group Inc and a Visa Inc licensee, Visa Jordan. Others include retailers Carrefour SA and J.C. Penney Co along with JetBlue Airways Corp, prosecutors said as they announced the indictments.

Prosecutors said they conservatively estimate that a group of five men stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.

Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.

Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged $10 for U.S. cards, $15 for ones from Canada and $50 for European cards, which are more expensive because they have computer chips that make them more secure.

The five concealed their efforts by disabling anti-virus software on victims' computers and storing data on multiple hacking platforms, prosecutors said. They sold the payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.

"This type of crime is the cutting edge," said U.S. Attorney Paul J. Fishman for the District of New Jersey. "Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security."

The indictment also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in U.S. history, helping steal millions of credit and debit cards.

Drinkman and Smilianets were arrested on June 28, 2012, while traveling in the Netherlands, at the request of U.S. authorities. Smilianets was extradited last September and is expected to appear in New Jersey federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.

Asked if he believed the other three are still in Russia, Fishman said: "I'm not going to say where I believe they are, we just know they're not in our custody."

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez, 32, in connection with five breaches - including one on Heartland Payment Systems.

NASDAQ BREACH

The U.S. Attorney's Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.

The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.

A source with knowledge of the breach said on Thursday the indictment was not related to a 2010 attack that Nasdaq had previously disclosed, though it has said little about the matter. Sources told Reuters in 2011 that the previously disclosed attack was targeted against Directors Desk, a service used by corporate boards to share documents and communicate with executives, among other things.

The source who spoke to Reuters on Thursday, who asked to remain anonymous due to the sensitivity of the matter, said that Nasdaq was working with the FBI and Department of Justice on the matter.

The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.

MAKING PROGRESS

Mark Rasch, a former federal cyber crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber crimes.

"They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing or disseminating credit card numbers," said Rasch, who was not involved in bringing the case.

Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems beginning in December 2007, resulting in approximately $200 million of losses.

The indictment charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd in 2008 and 800,000 card numbers from Visa Inc's licensee Visa Jordan in 2011.

An attack on Global Payment Systems that began in about January 2011 resulted in the theft of more than 950,000 cards and losses of about $93 million, according to the indictment.

It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour SA, beginning as early as October 2007, and 4.2 million card numbers from U.S. grocer Hannaford Brothers Co., a unit of Delhaize Group. It said the theft of card numbers from Dexia Bank Belgium resulted in $1.7 million in losses.

Other victims included Dow Jones, Wet Seal Inc and 7-Eleven Inc, according to prosecutors.

Dow Jones said in a statement that there was "no evidence" that Dow Jones or Wall Street Journal customer information was compromised as a result of the breaches.

Is it time to start hacking the hackers?

Network World - In light of unprecedented attacks by cybercriminals against businesses that span every industry, this question has come to the fore: Is it time to fight back?
As the Founder and CEO of Wisegate, a private, expert peer group for senior-level IT executives, I get to work with some of IT’s best and brightest security professionals and have a ringside seat to the discussions that unfold.
Wisegate member Jeff Bardin, Chief Intel Officer at Treadstone 71, says “hacker groups and disruption of business has reached an all-time high and no longer can be ignored. We want to get the ‘adversary’ to understand that if they launch an attack against a company, there will be costs to pay.”
[ALSO: 12 white hat hackers you should know]
But members not in favor of going on the offense point to the issue of attribution as a major reason why it won’t work: it’s too difficult to pinpoint the location and source of many cyberattacks. Yet many security experts say there are some “offense-like” tactics that can drive up the cost of hacking into a corporate network and, if deployed properly, could discourage hackers enough to have a major impact on the threat landscape.
There are interesting questions being raised about how far businesses can go and what types of attacks can actually be effective, says Wisegate member Martin Zinaich, Information Security Officer of the City of Tampa. “It doesn’t necessarily have to go from nothing to launching a full out assault against cybercrime infrastructure. It could be much more subtle things like feeding the bad guys misinformation or doing your own reconnaissance.”
In fact, many Wisegate members believe there are offensive security measures the good guys can leverage.  Misdirection tactics, for example, can be deployed by heavily targeted companies, such as those in the financial or defense sectors.
“We need to start thinking like our adversaries, to look at different approaches and techniques to confuse an attacker,” said Wisegate member Tim McCreight, CISO for the Government of Alberta.  “We’re looking at using ethical or ‘white hat’ hackers to check our defenses, and we’re approaching our program like we’re trying to break into our systems. We need to adopt this mindset, and keep focusing on risks.”
Unfortunately, offensive security tactics have drawbacks of their own. Some companies may want to refrain from specifically targeting hacktivist groups, since doing so raises ethical questions as well as questions about the legality of the practice. In addition, building phony systems and planting fake credentials may be too costly to deploy and maintain.
Wisegate members agree it is hard to decide whether "hacking back" is an acceptable enterprise defense practice when no one can agree on what the term means. Offensive security is a huge but relatively undefined area, and the problem is compounded by the fact that the laws governing it are vague.
I believe this topic is critical. While hot button issues will be raised and flames fanned by the media, it takes time to think through the best responses to issues our IT leaders are facing. It takes time for the issues to be raised in the trenches and substantive opinions to be developed.

New Hacking Software Tries 8 Million Times Per Second to Crack Password

While the National Security Agency (NSA) makes nearly daily headlines about spying on people and their Internet activity, a new application recently released to the public can reportedly crack passwords at 8 million guesses per second.
This type of attack, called "brute force," works by trying very large numbers of candidate passwords (combinations of letters, digits, words and symbols) against a captured password hash until one of them matches.
The application, oclHashcat-plus, is billed as a free password cracking and recovery tool, but it can just as easily be used by attackers against stolen password databases. The software was released this weekend by Hashcat.net.
oclHashcat-plus can now crack passwords of up to 55 characters, and it can generate its guesses according to the password-construction rules a company imposes on its users (for example, a capital letter followed by a word, a year and a punctuation mark), notes ArsTechnica.com.

To test oclHashcat-plus, a security researcher at ArsTechnica.com cracked the password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1," a phrase from a horror story written by H.P. Lovecraft. Long passphrases lifted from published text fall to wordlist-based attacks rather than to raw brute force: a 55-character quotation from a famous story is a single dictionary entry with one rule applied, not 55 characters' worth of entropy.
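As an added illustration, written for this article and not taken from hashcat or the Ars Technica test, the Python sketch below shows how a rule-based cracker turns a short wordlist and a hypothetical corporate password-construction policy into candidate passwords, checks them against SHA-1 hashes, and contrasts that with the keyspace a pure character-by-character brute-force search would have to exhaust at the quoted 8 million guesses per second. The wordlist, the rules, the SHA-1 choice and the target hashes are all constructed for the example.

```python
import hashlib
import string

# Constructed sample wordlist: a few base words plus one famous quotation,
# standing in for the large public dictionaries real crackers draw on.
WORDLIST = [
    "password", "summer", "nasdaq", "welcome",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
]

# Hypothetical password policy the rules below mimic: optional capital first
# letter, optional digit or recent year suffix, optional trailing "!".
SUFFIXES = [""] + list(string.digits) + [str(y) for y in range(2010, 2014)]
PUNCT = ["", "!"]


def expand(word):
    """Yield every candidate derived from one base word under the rules."""
    seen = set()
    for cap in (word, word[:1].upper() + word[1:]):
        for suffix in SUFFIXES:
            for punct in PUNCT:
                cand = cap + suffix + punct
                if cand not in seen:          # capitalising may be a no-op
                    seen.add(cand)
                    yield cand


def sha1_hex(text):
    """Unsalted SHA-1, a fast hash of the kind GPU crackers chew through."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed targets: hashes of four passwords. Three follow the policy and
# are derivable from the wordlist; the last is random and is not.
TARGETS = [sha1_hex(p) for p in (
    "Summer2013!",
    "nasdaq7",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
    "xK9#qLm2",
)]


def crack(target_hashes, wordlist, hash_fn=sha1_hex):
    """Return ({hash: plaintext}, guesses_tried) for a rule-based attack."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for cand in expand(word):
            tried += 1
            digest = hash_fn(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


def brute_force_years(alphabet_size, length, guesses_per_second=8_000_000):
    """Years needed to exhaust a keyspace at the rate quoted in the article."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    found, tried = crack(TARGETS, WORDLIST)
    for digest in TARGETS:
        print(digest[:12], "->", found.get(digest, "<not cracked>"))
    print("candidates tried:", tried)
    # A 55-character lowercase-only password, attacked character by character.
    print("brute-force years for 26^55 at 8M/s: %.3g" % brute_force_years(26, 55))
```

The rule engine recovers the 55-character Lovecraft passphrase after a few hundred guesses because the base phrase is one wordlist entry and the trailing "1" is one rule, while the random eight-character password survives and the naive keyspace figure runs to an absurd number of years. That asymmetry, not raw speed, is why tools like oclHashcat-plus are dangerous against predictable passwords and why defenders should care more about salted, slow hashes and unpredictable passphrases than about the length limit.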

Police report filed over Sun Ho website hacking: CHC

The lawyer of City Harvest Church said the hacking of singer Sun Ho's official website has been brought to the attention of the police. In a separate response, a church spokesman said a police report was filed on Monday afternoon.

SINGAPORE: Mr Desmond Ong, the lawyer for City Harvest Church, was responding to Channel NewsAsia's queries about the incident when he said the hacking had been brought to the attention of the police.
Ms Ho is the wife of City Harvest Church founder Kong Hee.
Kong is standing trial along with five other leaders on charges of misusing church funds to further Ms Ho's singing career.