Posts Tagged: wired.com


23 Sep 11

Arrested LulzSec Suspect Pined for Job at DoD

A 23-year-old Arizona man arrested on Thursday in connection with the hack of Sony Pictures Entertainment last May was a model student who saw himself one day defending networks at the Department of Defense and the National Security Agency.

Wired.com’s Threat Level, the Associated Press, and other news outlets are reporting that Tempe, Ariz.-based Cody Andrew Kretsinger is believed to be a member of the LulzSec group, an offshoot of the griefer collective Anonymous. According to the indictment against Kretsinger, he was involved in executing and later promoting the high-profile and costly attack on Sony’s networks. Sony estimates that the breaches would cost it more than $170 million this year.

UAT interview with Kretsinger

Kretsinger is a network security student at the Tempe, Ariz.-based University of Advancing Technology, according to Robert Wright, director of finance for UAT. A cached page from UAT’s Web site shows that Kretsinger was named student of the month earlier this year. That page, which indicates Kretsinger was to graduate from the institution in the Fall semester of 2011, includes an interview with the suspected LulzSec member. In it, Kretsinger says he would like to work at the DoD after graduating.

Where do you want to work after graduation?

“I hope that I’ll be able to work for the Department of Defense. From what I hear, they’re pretty good at what I want to do.”

Where do you see yourself in 5 years?

“Traveling, doing Network Security as a profession with the Department of Defense. While I wouldn’t mind being a penetration tester, I think it’s a lot more fun to try to build and secure a network and its devices from the ground up. I suppose I wouldn’t mind being in management, either.”



15 Jul 11

More Than 100 Arrested in Fake Internet Sales

Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.

According to a statement from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.



14 Apr 11

U.S. Government Takes Down Coreflood Botnet

The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.

Sample network diagram of Coreflood, Source: FBI

The target of the takedown was “Coreflood,” an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.

Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in a 2008 story for The Washington Post, this is the same botnet that was used to steal more than $90,000 from Joe Lopez in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.

By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by Joe Stewart, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.

On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unknown (“John Doe”) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.

ISC President Barry Greene said the government was wary of removing the bot software from infected machines.

“They didn’t want to do the uninstall, just exit,” Greene said. “Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we’re doing until now.”

No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the Bredolab botnet using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft took down the Rustock spam botnet by convincing a court to grant it control over both the botnet’s control domains and the hard drives used by those control servers.



3 Dec 10

Cable: No Cyber Attack in Brazilian ’09 Blackout

The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.

The communication, one of roughly 250,000 to be published by Wikileaks.org, provides perhaps the most detailed explanation yet of what may have caused the widespread outage, which severed power to 18 of Brazil’s 27 states, cutting electricity for up to 60 million Brazilians for periods ranging from 20 minutes to six hours. The Nov. 2009 outage was notable because it came just three days after a report by the CBS news magazine 60 Minutes about a much more severe two-day outage in 2007; that report cited unnamed sources claiming that the blackout was triggered by hackers targeting electric control systems.

Reports from Wired.com and other news publications quickly challenged that 60 Minutes segment, pointing to previous investigations that suggested a variety of factors contributed to the 2007 incident, including poorly-maintained electrical insulators. But when another outage hit Brazil three days after the CBS report, the coincidence led to more speculation about whether hackers were once again involved.

The cable relates information shared by executives and engineers from Brazil’s National Operator of the Interconnected Power System (ONS), which “further ruled out the possibility of hackers because, following some acknowledged interferences in past years, [the Government of Brazil] has closed the system to only a small group of authorized operators, separated the transmission control system from other systems, and installed filters.” From the cable:

“Coimbra confirmed that the ONS system is a CLAN network [classified local area network] using its own wires carried above the electricity wires. Oliveira pointed out that even if someone had managed to gain access to the system, a voice command is required to disrupt transmission. Coimbra said that while sabotage could have caused the outages, this type of disruption would have been deadly, and investigators would have found physical evidence, including the body of the perpetrator. He also noted that any internal attempts by system employees to disrupt the system would have been easily traceable, a fact known to anyone with access to the system.”

So what did cause the blackout? The cable suggests there were a range of contributing factors and some very bad timing:



28 Jul 10

Hacked Companies Hit by the Obvious in 2009

As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

- Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs. 285 million in 2008).

- 85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

- 94 percent of compromised records were the result of breaches at companies in the financial services industry.

- 45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

Among the most counter-intuitive findings in the report?

There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

“Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.



14 Jan 10

The Wire: Google Security Edition

Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.

Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.



12 Jan 10

The Wire

A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:

Proof-of-concept for Mac OS X systems Released
Possible Malicious Apps for Google’s Android Phone
Online Gaming Exec. Sentenced to 33 Months
‘Massive Cybercrime Conspiracy’

Read after the jump for summaries and links to more information.
