Hacking Beyond Limit-’China-based servers in Japan cyber attacks’

TOKYO A virus that infected computers at Japanese overseas diplomatic missions had been designed to send data to servers in China, a report said on Friday.

The virus — Backdoor Agent MOF — has been found to have infected computers at around 10 embassies and consulates, and at least two of the servers designated as the recipients of stolen information were in China, the Yomiuri Shimbun said.

The virus is capable of transmitting user IDs and other information to terminals outside and operating software by bypassing authorised users, the daily said.

The domain of the servers was the same as that used for earlier cyber attacks on Google and tens of other companies, the Yomiuri said, quoting unnamed sources.

A “backdoor” virus opens a route into a computer’s system to allow access by a remote hacker, who could use it to steal data.

The Yomiuri earlier this week reported Japan had found viruses in computers at overseas diplomatic missions including those in France, the Netherlands, Myanmar, the US, Canada, China and South Korea. MORE

Wireless Insulin Pumps Exposed to Hacker Attacks

A famous security researcher proved that the embedded insulin pumps on which many diabetics rely can be accessed remotely and reprogrammed to inject a lethal dose.

According to Threat Post, Barnaby Jack, a security researcher at McAfee, demonstrated the proof of concept at the Hacker Halted conference that recently took place in Miami.
It’s not the first time when someone uncovers the weaknesses that lie in such medical equipment, as not long ago, Jerome Radcliffe made a similar demonstration. At the time, Radcliffe remotely connected to the pump and changed the dosage and all he needed to do that was to possess the unique id of the device.

Barnaby managed to get even past that, proving that with the use of a modified antenna, an attacker can take control of the implantable insulin pump and deliver a fatal blow to its owner. He practically showed that by tuning in to the right frequency, anyone within 300 feet of the apparatus can cause serious damage.more

Hackers Use Social Engineering to Obtain Facebook Security Tokens

The Anti-CSRF tokens generated by Facebook and other websites that want to keep their customers protected are being targeted by cybercriminals who can use them to temporarilytake over an account.

Symantec researchers did a little digging on the matter and found a few cunning plots in which attackers try to dupe users into providing the highly desired codes.

Cross-site request forgery (CSRF) is an attack in which basically the victim’s active session is borrowed by the cyber masterminds to perform illegal operations. Once the security token is obtained, the attacker can do whatever he wants as the website’s server detects him as being legitimate.more

600,000+ compromised account logins every day on Facebook, official figures reveal

If you’ve an unauthorised party has logged into your Facebook account, then you’re far from alone.

New official statistics revealed by the social networking giant reveal that 0.06% of the more than billion logins that they have each day are compromised.

Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 14 milliseconds.

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called “Guardian angels” in the infographic). Read the rest of this entry »

Hacker’s phone call to Boston Police saying he defaced their website.. because he was bored

A number of websites associated with US police have been compromised by AntiSec hackers in apparent support of the “Occupy” demonstrations.

One of the sites targeted was the Boston Police Patrolmen’s Association (BPPA), which suffered a hack which resulted in the release of a thousand usernames and passwords. An obvious danger is that staff may be using the same username/password combinations on other sites – such as their email accounts or Facebook.

In addition, the AntiSec movement claimed in an online press release to be publishing more than 600MB of data stolen from the International Association of Chief of Police (IACP) website, including names and addresses, passwords and internal documents.

Names, addresses, phone numbers and social security numbers for police officers in Alabama have also been exposed, and a contact database associated with employees and clients of the internet company Matrix Group made public. Read the rest of this entry »

Will a hacker cause World War III?

By Patrick Lambert,TechRepublic

Patrick Lambert discusses whether he thinks World War III will be caused by a rogue hacker.

We all remember movies like WarGames, where some whiz kid wants to show off his computer skills, hacking into government computers, poking around until he finds the control for nuclear weapons. Then, tragedy is averted at the last second before World War III is triggered. That’s some good entertainment, but gone are the days when people thought this kind of event could actually happen. Read the rest of this entry »

LulzSec suspect pleads not guilty to Sony Pictures website hack

A 23-year-old man, suspected of being a member of the LulzSec hacking gang, has pleaded not guilty to an attack on the Sony Pictures website.

Cody Kretsinger, from Phoenix, Arizona, pleaded not guilty to conspiracy and unauthorized impairment of a protected computer during a hearing at Los Angeles District Court.

Kretsinger is alleged to be the LulzSec member known as “Recursion”, and is accused of being involved in an SQL injection attack that stole information from Sony Pictures in June, exposing users email addresses and passwords.

Approximately 150,000 confidential records were subsequently published online by LulzSec who mocked Sony’s weak security:

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Prosecutors claim that Kretsinger used the HideMyAss.com proxy server website to disguise his IP address as he allegedly probed Sony Pictures’ computer systems in May 2011, hunting for vulnerabilities.

HideMyAss.com’s terms and conditions stipulate that their service is not to be used for illegal activity, however, and they co-operated with the authorities when a court order was received requesting information.

Kretsinger’s trial is scheduled to begin on December 13th. If convicted he faces up to 15 years in prison.SRC

Hackers add porn to Sesame Street YouTube channel

Sesame Street’s YouTube channel was hacked today, leaving its normally family-friendly content replaced with pornographic content, according to a report on the tech blog The Next Web.

YouTube had the content removed in 22 minutes, according to the report, and as of this writing, the show’s channel has been replaced by a message saying it is unavailable.

YouTube representatives declined to comment on Sesame Street’s incident but said the removal of the content was in keeping with user guidelines.

“YouTube’s Community Guidelines prohibit graphic content,” a YouTube spokesperson said. “As always, we remove inappropriate material as soon as we are made aware of it.”

Hackers also altered the Sesame Street YouTube channel’s profile page to add the name MrEdxwx as the user, according to a screenshot posted by Naked Security. The profile also included the following message:MORE

Occupy Wall Street Hackathons Want to Build a Better Protest

Occupy Wall Street has an IT department. The movement’s technologists, like their park-squatting counterparts, are a decentralized group. But they’ve independently started hackathons this weekend in New York City, San Francisco and Washington, D.C.

Even before the first protester showed up at Wall Street on Sept. 17, a group of people had started working on the movement’s technology components . The so-called Internet working group has held meetings that covered how to edit the site openly, how to run the Twitter account and what server space to use. It’s not necessarily the most organized operation, but it’s becoming more so.

“I think we’re going to see a few people leading the helm really soon and saying this is what we need, this is what we’re working on right now,” says Occupy Together NYC Hackathon creator Andrew Gwozdziewycz, who is a casual member of several listervs that discuss the movement’s technology needs. “So far that doesn’t seem to be happening yet. … They are taking over the main website and centralizing control of it.”

Meanwhile, hackathoners like Gwozdziewycz are hoping to build better technologies that aid the movement and its on-the-ground protesters. He, for instance, plans to build a group messaging app that sends text messages to groups members that are in a similar location.

“Right now they’re using the people’s microphone to broadcast the fact that there’s a working group meeting at the library,” Gwozdziewycz says. “And that’s a lot of noise for no reason when people could be coordinating on their phone.”

 

A hackathon at Meetup headquarters on Friday aims to build programs that aid the Occupy Wall Street movement.

 

Gwozdziewycz is a Meetup employee and is hosting the hackathon at the group meeting platform’s Broadway-Avenue office on Friday. About a dozen hackathon participants are there working on communication platforms, media aggregation tools or even, in one case, a “distributed decision making platform.” Aaron Williamson is working on an ongoing project that aims to preserve privacy online. He, like most of the people who are running and participating in the Occupy Wall Street hackathons, has not been very involved in the Occupy Wall Street protests.

“Honestly I haven’t even gotten down to the movement,” he says, “mostly because I have a full-time job.”

“I don’t really know a whole lot about what is going on down there,” says Cameron Cundiff, who was thinking about building a tool that could sort which Tweets are most relevant to protest activities. “I’ve only seen what I’ve been able to gleen in popular forms, but I wanted to learn more and I also think it’s an interesting design challenge because you don’t want to screw that up, helping someone who is under pressure and the risk of being arrested. It gives you constraints that are pretty hard.”MORE

Sony suffers another security scare – 93,000 user accounts broken into

Hackers successfully broke into 93,000 accounts at Sony over the last few days, once again impacting users of the Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services.

According to a blog post by Philip Reitinger, Sony’s Chief Information Security Officer, credit card details were not compromised.

As a precautionary step, Sony has frozen the compromised accounts and will email impacted users asking them to confirm their identity and reset their passwords.

Some compromised accounts “showed additional activity prior to being locked,” but the only hint from Sony as to what that activity might entail is that the company says it will “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

What’s interesting is that it appears that the hackers gained access to the Sony accounts by working through a large database of stolen usernames and passwords – believed to have been sourced from somewhere else. That suggests that the accounts which were broken into were using a non-unique password.

In other words, you were using the same password on the Sony PlayStation Network as you were on website X.

It’s never a good idea to use the same password in multiple places.

Sony’s security team were alerted to the intrusion when they noticed a high number of failed login attempts – so well done to those users who weren’tusing the same password.

At the end of its blog post, Sony’s Reitinger offers some sensible advice to users:

We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

The only silver lining for Sony is that this security breach appears to be much smaller in scale than the attacks which hit it earlier this year, where millions had their personal information stolen and the Sony PlayStation Network wasforced offline.

Sony’s reputation was badly harmed earlier this year by the series of hacking attacks. This latest incident certainly isn’t going to do them any favours – as customers will (rightly or wrongly) continue to associate the Sony brand with security breaches.

I’m sure Sony will be hoping that this is the last time a security incident will put their company in the news headlines for all the wrong reasons.