Saturday, May 31, 2008

China: Hacker Transmits Fake Earthquake Forecasts


Panic was sparked in Shaanxi Province after a hacker attacked the province's seismological bureau's Website and said strong earthquakes were expected in the province, a Website reported yesterday.

The hacker wrote on the front page of the Shaanxi Seismological Bureau Website at 8:53pm on Thursday that a strong earthquake will strike the province at 11:30pm, said.

The bureau soon received numerous calls to confirm the information.

The Website was shut down at 10pm with a notice stating that a hacker had accessed the site. It also urged the media to clarify the situation and make it clear that the bureau did not issue an earthquake warning, said the report.

More here.

Hat-tip: Flying Hamster

Hacker Changes Phoenix Mars Lander Website

An AP newswire article, via, reports that:

A spokeswoman for the Phoenix Mars Lander mission says a hacker took over the mission's public Web site during the night and changed its lead news story.

Spokeswoman Sara Hammond says a mission update posted Friday was replaced with a hacker's signature and a link redirecting visitors to an overseas Web site.

Hammond says the site hosted by the University of Arizona has been taken off line while computer experts work to correct the problem.

More here.

Chinese Hackers Responsible For 88% Of All Website Hacks In Australia?

Chris Oates writes on AdelaideNow:

Chinese computer hackers are responsible for 88 per cent of attacks on Australian government web sites, according to web security company TippingPoint.

What's more, hacks per capita in Australia are higher than in the US, UK and Russia.

Linux systems accounted for 64.7 per cent of IT systems hacked, with Windows 2003 and 2000 systems attracting about 26 per cent between them, with all other systems hovering about the 1 per cent mark. AIX and Mac OS X were the least exploited, at 0.3 per cent each.

TippingPoint revealed its findings at the AusCERT 2008 conference at the Gold Coast last week, a conference for computer security professionals.

Marketing director Ken Low said the high Linux exploits were largely due to versions of Linux being free of charge.

"Many organisations in Australia use Linux as the platform for their internet-facing servers to reduce their IT operating costs," Mr Low said.

"This is unfortunate as it is common to find Linux servers with security holes unpatched or security settings misconfigured among these organisations."

More here.

Friday, May 30, 2008

Mark Fiore: Pretty Good Generation

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

FBI Agents Hunt for Comcast Hijackers

David Kravets writes on Threat Level:

FBI agents and local police in Northern California are taking the lead in investigating Thursday's hijacking of, the FBI told THREAT LEVEL on Friday.

The Bureau's cybercrime specialists are joining with the San Jose Police Department in Silicon Valley to try and track down the culprits in the case, according to FBI agent Joseph Schadler. "We are working closely with our local partners," Schadler said.

It was not immediately clear why the case is being investigated by Silicon Valley law enforcement. A police spokesman was not immediately prepared to comment.

More here.

Microsoft Warns of Safari Threat on Windows Platforms

Microsoft Security Advisory (953818).

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs.

More here.

Network Security Issues Dog FDIC

Via The NetworkWorld "Layer 8" Blog.

While the Federal Deposit Insurance Corp. (FDIC) has made significant progress improving its information system controls, old and new weaknesses could limit the corporation’s ability to effectively protect the confidentiality, integrity, and availability of its financial systems and information.

That was the conclusion of a Government Accountability Office report [.pdf] issued today that found that the FDIC had corrected or mitigated 16 of the 21 weaknesses the GAO reported in its 2006 audit.

More here.

Researchers Breach Microsoft's CardSpace ID Technology

Jim Carr writes on SC Magazine US:

Three security researchers in Germany have reportedly broken Microsoft's CardSpace, which was designed to beef up the security of personal information while browsing the internet.

The technique essentially co-opts part of the CardSpace technology, which Microsoft believes can reduce problems such as identity theft plaguing internet users. Microsoft has said it plans to integrate CardSpace with OpenID, an open-source standard also designed to toughen up internet security.

More here.

Comcast Is Hiring an Internet Snoop for the Feds

Noah Shachtman writes on Danger Room:

Wanna tap e-mail, voice and Web traffic for the government? Well, here's your chance. Comcast, the country's second-largest Internet provider, is looking for an engineer to handle "reconnaissance" and "analysis" of "subscriber intelligence" for the company's "National Security Operations."

Day-to-day tasks, the company says in an online job listing, will include "deploy[ing], install[ing] and remov[ing] strategic and tactical data intercept equipment on a nationwide basis to meet Comcast and Government lawful intercept needs." The person in this "intercept engineering" position will help collect and process traffic on the company's "CDV [Comcast Digital Voice], HSI [High Speed Internet] and Video" services.

More here.

Microsoft: On SQL Injection Attacks

Via The Microsoft Security Vulnerability Research & Defense Blog.

Beginning late last year, a number of websites were defaced to include malicious HTML tags in text that was stored in a SQL database and used to generate dynamic web pages. These attacks began to accelerate in the first quarter of 2008 and are continuing to affect vulnerable web applications.

The web applications compromised share several commonalities:

  • Application uses classic ASP code
  • Application uses a SQL Server database
  • Application code generates dynamic SQL queries based on URI query strings (

This represents a new approach to SQL injection. In the past, SQL injection attacks were targeted to specific web applications where the vulnerabilities and the structure of the underlying database were either known or discovered by the attacker. This attack differs because it has been abstracted such that it is possible to attack virtually any vulnerability that is present in an ASP page creating dynamic SQL queries from URI query strings.

This attack does not exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploits vulnerabilities in custom web applications running on this infrastructure. Microsoft has investigated these attacks thoroughly and determined that they are not related to any patched or 0-day vulnerabilities in Microsoft products.

I highly recommend this resource, since it also has recommendations for consumers to prevent these attacks from being successful on their web infrastructure.

More here.
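As an added illustration of the three commonalities Microsoft lists (this is not code from the Microsoft post or from any affected application): a classic ASP page that builds its SQL Server query from a URI query string, beside a hardened version that validates the value, passes it as a typed ADO parameter, and HTML-encodes what it writes back, which also keeps tags already stored by an earlier injection from rendering. The table, column and connection-string names are assumed.

```vbscript
<%
' Added example, not from the Microsoft post. Table/column names
' (Articles, ArticleId, Title, Body) and the connection string are assumed.
Option Explicit
Const adCmdText = 1, adInteger = 3, adParamInput = 1
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: set in global.asa

' --- The vulnerable pattern the post describes ---
' The raw ?id= value is concatenated into the statement, so anything that
' follows the number is executed as SQL; the attack described above used
' exactly this to rewrite stored text with malicious HTML tags, which the
' page then echoes verbatim.
Sub ShowArticleVulnerable()
    Dim rs
    Set rs = conn.Execute("SELECT Title, Body FROM Articles WHERE ArticleId = " _
                          & Request.QueryString("id"))
    If Not rs.EOF Then
        Response.Write "<h1>" & rs("Title") & "</h1>"
        Response.Write rs("Body")   ' stored HTML is rendered as-is
    End If
    rs.Close
End Sub

' --- Hardened pattern ---
' 1. Validate the untrusted value against the type the column expects.
' 2. Pass it as a typed parameter so it can never alter the statement.
' 3. HTML-encode on output so tags already stored in the database are
'    displayed as text rather than interpreted by the browser.
Sub ShowArticleHardened()
    Dim id, re, cmd, rs
    id = Request.QueryString("id")
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"          ' positive integer only, no signs or dots
    If Not re.Test(id) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Title, Body FROM Articles WHERE ArticleId = ?"
    cmd.Parameters.Append cmd.CreateParameter("ArticleId", adInteger, _
                                              adParamInput, , CLng(id))
    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' "& """ guards HTMLEncode against NULL column values
        Response.Write "<h1>" & Server.HTMLEncode(rs("Title") & "") & "</h1>"
        Response.Write "<div>" & Server.HTMLEncode(rs("Body") & "") & "</div>"
    End If
    rs.Close
    conn.Close
End Sub

ShowArticleHardened
%>
```

Encoding on output is a containment step, not a substitute for the parameterized query: rows already altered by an injection still need to be cleaned in the database.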

A Look Into The Dark Underbelly of Data Breaches

Via The NetworkWorld "Layer 8" Blog.

The process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud, has evolved from the sale of a few pieces of sensitive information, such as credit card numbers and expiration dates, to full blown identity packages containing multiple types of sensitive personal information.

That is but one of the disconcerting details of a Department of Justice-penned report [.pdf] that looks at the rapidly morphing, dark side of stolen personal information set to appear in next month’s issue of the Santa Clara Computer and High Technology Journal.

The article goes on to say the large volumes of stolen data are priced to sell and charges are determined by the degree of difficulty in obtaining the data, according to the paper’s author, DOJ attorney Kimberly Kiefer Peretti. In the first half of 2007, for example, credit card information ranged from $0.50 to $5.00 per card, bank account information ranged from $30.00 to $400.00, and full identity information ranged from $10 to $150.79. Such information is available on illegal Web sites known as carding forums.

More here.

Quote of The Day: Dancho Danchev

"It’s official, even a pothead can social engineer Network Solutions."

- Dancho Danchev, writing on the ZDNet "Zero Day" Blog regarding yesterday's DNS hijacking mishap at Comcast.

Researchers: Stolen Data Ending Up In Google Cache

Robert Westervelt writes on SearchSecurity:

The Finjan security researchers, who uncovered several unprotected hacker servers containing the sensitive email and Web-based data of thousands of people, demonstrated how easy it is to find the data using Google.

By using a simple string of search terms the researchers were able to find stolen passwords and usernames, Social Security numbers, and even the usernames and passwords of internal databases of companies all stored in Google's public caching server.

Google returns the results based on log files available on the unprotected servers. The servers stored stolen data collected by Trojan horses running on infected end-user PCs, Ayelet Heyman, a researcher at Finjan's Malicious Code Research Center, said in Finjan's Malicious Code Research Center blog.

"Google just indexed these log files as they do with any other public file on the Web," Heyman said. "It's not a hoax as some people wrote; it's 100% harsh reality."

More here.

Thursday, May 29, 2008

Pentagon Intelligence Oversight Falls Short

Steven Aftergood writes on Secrecy News:

While U.S. intelligence operations are more controversial than ever, routine oversight of the Department of Defense’s massive and far-flung intelligence apparatus has been significantly reduced, according to a recent report to Congress from the DoD Inspector General.

Due to resource limitations, “We have not been able to perform planned audits and evaluations in key intelligence disciplines such as Imagery Intelligence, Measurement and Signature Intelligence and Open Source Intelligence,” the DoD Inspector General told Congress in a March 2008 report [.pdf].

In addition, the report said, intelligence oversight has been cut back in areas such as: National Reconnaissance Office activities, especially major acquisitions; National Security Agency Operations Security and Information Security Programs; National Geospatial-Intelligence Agency programs; National Intelligence Program/Military Intelligence Program funding; Service Intelligence Component activities; Operations and Support Special Access Programs; DoD Counterintelligence Field Activity Programs; and others.

More here.

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan figures via The Boston Globe (AP).

As of Thursday, May 29, 2008, at least 4,085 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,330 died as a result of hostile action, according to the military's numbers.

The AP count is one fewer than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

As of Thursday, May 29, 2008, at least 436 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Saturday, May 24, at 10 a.m. EDT.

Of those, the military reports 302 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Web 2.0 Sites a Thriving Marketplace for Malware

Erik Larkin writes on PC World:

A wiry young man with his head shaved and wearing a tank top points a handgun straight at the camera in a disturbing YouTube video. The man wears what appears to be a wedding ring, and he gazes vacantly away from the viewer.

Though it's an odd image for an advertisement, this video isn't promoting your average company. It's from a not-so-underground Albanian hacker group that's out to make a name for themselves in the thriving world of malware and computer crime. Besides the shot of the gunman, the video showcases images of a computer screen, a table loaded with foreign currency, and plenty of links to the group's Web site.

Malware is big business, and groups like the Albanian hackers are trying to cash in, using the latest Web 2.0 tools: social networking profiles, blogs, and other publicly available media and Web pages. The digital desperados are moving more and more into wide-scale advertising and brand building on public sites and networks to grow their underground trade.

More here.

Third-Party Advertisers Tracking Users in Google Ad Network

Grant Gross writes on

Google is apparently allowing third-party advertisers to track consumers using the company's ad network, a practice that raised concerns from one privacy advocate.

Some of the third-party ad servers and ad agencies that Google has approved to deliver ads through its network engage in behavioral advertising practices that require tracking consumers, said Jeffrey Chester, a privacy advocate and frequent critic of Google's privacy practices.

More here.

Did China's Hackers Shut Off the Lights? - UPDATE

Noah Shachtman writes on Danger Room:

Hackers working on behalf of China's People’s Liberation Army have penetrated networks controlling electric power grids in the United States, computer security experts believe. And that may have precipitated a massive blackout on the east coast in 2003, as well as a blackout in Florida this year.

That's just one blockbuster assertion in a long story full of them, from National Journal scoopster Shane Harris.

Harris also reports that spyware was found on the electronics devices used by Commerce Secretary Carlos Gutierrez on an official trade trip to Beijing in December 2007. The malicious code found on these devices was identical to code found on the laptop computers of several U.S. corporate executives who had their information "slurped" in China.

Joel Brenner, the government's top counterintelligence official, said that a major U.S. corporation had its negotiating points and sensitive information obtained by their Chinese counterparts in advance of a business meeting there. “China is indeed a counterintelligence threat, and specifically a cyber counterintelligence threat,” Brenner said. “If you travel abroad and are the director of research or the chief executive of a large company, you’re a target."

More here.

UPDATE: 23:29 PDT: I love Kevin Poulsen: "It's official: cyber terror is the new yellowcake uranium." Rock on. -ferg

Did Chinese Hack Cabinet Secretary's Laptop?

An AP newswire article, via MSNBC, reports that:

U.S. authorities are investigating whether Chinese officials secretly copied the contents of a government laptop computer during a visit to China by Commerce Secretary Carlos M. Gutierrez and used the information to try to hack into Commerce computers, officials and industry experts told The Associated Press.

Surreptitious copying is believed to have occurred when a laptop was left unattended during Gutierrez's trip to Beijing for trade talks in December, people familiar with the incident told the AP. These people spoke on condition of anonymity because the incident was under investigation.

Gutierrez told the AP on Thursday he could not discuss whether or how the laptop's contents might have been copied.

More here.

In Passing: Harvey Korman

Harvey Korman
February 15, 1927 – May 29, 2008

Comcast Hijackers Say They Warned the Company First

Kevin Poulsen writes on Threat Level:

The computer attackers who took down Comcast's homepage and webmail service for over five hours Thursday say they didn't know what they were getting themselves into.

In an hour-long telephone conference call with Threat Level, the hackers known as "Defiant" and "EBK" expressed astonishment over the attention their DNS hijacking has garnered. In the call, the pair bounded freely between jubilant excitement over the impact of their attack, and fatalism that they would soon be arrested for it.

More here.

Comcast Homepage Hacked

Marguerite Reardon writes on the C|Net News Blog:

Comcast's Web portal has been hacked, leaving some subscribers unable to access their e-mail.

A company spokeswoman confirmed that the Comcast Web page had been hacked late on Wednesday. Subscribers who tried to access the site to check e-mail or access the company's official forums were greeted with [the text pictured above] instead.

The hackers apparently changed Comcast's registrar account at Network Solutions, which altered the DNS servers that were used to direct requests. In other words, the hackers essentially redirected traffic destined for the URL Instead, the traffic went to IP addresses in Germany and elsewhere, reported the blog Broadband Reports.

Comcast has stopped the traffic from being redirected to bogus servers, but users were still having trouble accessing the page as of 11:30 a.m. EDT. The reason is that it could take hours for the redirected traffic to propagate through DNS servers throughout the Internet.

More here.

Image source: C|Net

Wednesday, May 28, 2008

Italy Officer Tells of Spying on Spies in Cleric's Kidnapping

Tracy Wilkinson writes in The Los Angeles Times:

One of Italy's top cops told a court Wednesday how, with meticulous detective work and substantial luck, he blew the lid off one of the Bush administration's most controversial counter-terrorism tactics.

Testifying in the trial of 26 Americans, most of them CIA operatives, who are accused of abducting a radical Egyptian cleric in Milan, the senior officer described tracking massive amounts of cellular telephone traffic to piece together Europe's only prosecution of the much-disputed practice known as extraordinary rendition.

More here.

22 Detained in French Hacker Probe

An AP newswire article, via The New Zealand Herald, reports that:

French police say they've detained 22 people across France in an investigation of a suspected computer hacking network.

The sweep stems from a probe begun in the eastern city of Dijon in February after about 30 domestic and foreign companies reported cases of computer network vandalism and destruction of some files.

Police say the motives are not immediately clear. They are not ruling out economic espionage.

Authorities say the suspects in the network appeared to challenge one another in online forums. Most are young - with one aged 13 - authorities said.

More here.

Hacking Into a Billion-Dollar SAP Solution

Mario Morejon writes on ChannelWeb:

After notification by our Test Center, SAP security experts have "fast-tracked" an investigation into potential holes in certain deployments of the software giant's server technology -- holes that apparently could leave entire data stores wide open to potential abuse by hackers.

The Walldorf, Germany-based company is examining potentially alarming scenarios, brought to its attention by our Test Center, which found that one data store built on SAP technology revealed an easy opportunity for cyber criminals to gain access to a large corporate database.

Fritz Bauspiess, director of SAP NetWeaver product management security, says the company is looking at the issue brought to its attention by the Test Center earlier this month.

More here.

Hat-tip: InfoSec News

New Zealand: Hacker in $300,000 ATM Fraud Jailed For Three Years

Via The New Zealand Herald.

An Auckland computer hacker, who scammed hundreds of thousands of dollars and attracted the FBI to New Zealand, has been jailed for three years.

Thomasz Grygoruk, 22, was jailed on five charges of blackmail, document and computer fraud when he appeared in the High Court at Auckland yesterday.

Grygoruk spent five years and used an internet scam getting personal details from people to make A" cards. He then used the cards to withdraw up to $300,000.

The court heard he also got into the email account of an American teacher in Pennsylvania and tried to blackmail him, threatening to disclose details of a relationship with a student unless he was paid US$10,000 ($13,000). The relationship was not inappropriate.

Grygoruk had threatened to tell the teacher's local police and newspaper he was a paedophile who was romantically involved with the student.

The teacher called the FBI and an FBI agent pretended to be the teacher's accountant and later traced Grygoruk's New Zealand address.

The FBI also sent an agent to New Zealand last year to help with the case.

More here.

Hat-tip: InfoSec News

Deutsche Telekom Scandal Could Spread to U.S.

Cassimir Medford writes on Red Herring:

The U.S. Federal Communications Commission could enter investigations into Deutsche Telekom over admissions it spied on phone calls to identify news leaks, according to a source on Wednesday.

The FCC could initiate its own action to see if DT’s “pretexting” extended to DT-owned T-Mobile USA, the No. 4 U.S. mobile carrier.

“Pretexting is clearly against the law in the U.S.,” said Joe Nordgaard, director of wireless consulting firm Spectral Advantage. “That was made clear in the HP scandal, but there are other complications stemming from the fact that DT is part owned by the German government.”

A spokesman for the FCC said that the agency has not begun an investigation of T-Mobile USA but it has authority to begin one if there is evidence that the DT scandal spread to the United States.

More here.

Programming Note: Back From Tokyo...

View of Akasaka area of Tokyo from the Crown Prince Hotel

So I got back to California from Tokyo, and the APWG Counter e-Crime Operations Summit (APWG CeCOS II), earlier this morning, but my internal clock is all screwed up & I'm exhausted. So there will probably be no new blog posts until later tonight at the earliest.

Now for a nap...


- ferg

Tuesday, May 27, 2008

Russian Nuclear Power Websites Attacked

Via RIA Novosti.

Hackers attacked Russian nuclear power websites that allow users to check radiation background amid false rumors of a nuclear accident in northwest Russia, a nuclear industry official said on Friday.

On Tuesday and Wednesday, several Internet forums carried reports of radioactive emissions from the Leningrad Nuclear Power Plant near St. Petersburg, and of a planned evacuation of local residents.

A spokesman for the Rosatom state nuclear corporation said the cyber attacks had been planned and coincided with the release of the reports.

"People who stand to lose out from the Russian nuclear power industry's development have an incentive to spread false rumors of an accident at the nuclear plant," he said.

"This was a planned action by hackers, which has brought down almost all sites providing access to the Automatic Radiation Environment Control System (ASKRO), including the Leningrad NPP site, the site, and others. For several hours users were unable to reach the sites and obtain reliable information on the situation at the plant."

More here.

Monday, May 26, 2008

In Passing: Sydney Pollack

Sydney Pollack
July 1, 1934 - May 26, 2008

In Passing: Dick Martin

Dick Martin
January 30, 1922 – May 24, 2008

Six Hours to Hack The FBI (And Other Pen-Testing Adventures)

Sandra Gittlen writes on ComputerWorld:

It takes a lot to shock Chris Goggans; he's been a pen (penetration) tester since 1991, getting paid to break into a wide variety of networks. But he says nothing was as egregious as security lapses in both infrastructure design and patch management at a civilian government agency -- holes that let him hack his way through to a major FBI crime database within a mere six hours.

Goggans, currently senior security consultant at security firm PatchAdvisor Inc. in Alexandria, Va., says his adventure started when, during a routine network scan, he discovered a series of unpatched vulnerabilities in the civilian government agency's Web server, as well as other parts of the enterprise.

More here.