Posts Tagged ‘hackers’

Heat Hacking: Criminals Can Steal Your ATM PIN Code Via the Heat Your Fingers Leave Behind

The PIN digits you punch into an ATM’s keypad to authenticate your transactions are leaving traces of themselves behind in the form of heat, says a paper recently presented by a team of UC San Diego security researchers. Someone following immediately behind an ATM user can use a digital infrared camera to determine what keys were pushed with about 80 percent accuracy, their study shows. Even a full minute later the camera can pick up the correct digits about half the time.

But while it’s easy enough for a criminal type to determine the digits in your PIN with an IR camera, it’s fairly difficult to determine the order. And the hack only seems to work on plastic keypads--metal returns too much heat noise for the IR camera to reliably discern which keys were just pressed.

Then there’s the fact that an IR camera isn't exactly an implement of petty crime. By the time one amassed the princely sum (around $18,000 to buy a good rig--the $150 Midnight/Shot won't cut it) necessary to acquire one, he or she probably wouldn’t need to steal ATM PINs anymore.

But none of that changes the fact that a security scheme on which most people regularly rely has a fairly exploitable hole. And it doesn’t just go for ATM machines--keypad safes, security doors, keypad activated garage doors, even the keypads that open up some car doors are susceptible to the IR hack, particularly where plastic keypads are involved.

Of course, to thwart the scheme you could simply place your hand over the entire keypad to impart heat to every key after you punch in your PIN. And if that doesn’t jibe with you germophobic readers, you can always just preemptively Mace the person behind you in line each time you visit the ATM. Better safe than sorry.

[Technology Review]

Biggest Hack in History: U.N. and 70 More Organizations and States Attacked Over Five Years

The biggest hack ever discovered has been exposed by McAfee, and the breadth and depth would be impressive if it weren’t so disconcerting: five years, at least 72 different governments, NGOs, and other organizations (including the United Nations and the International Olympic Committee) and reams and reams of secret data. Of course, McAfee believes there is a single “state actor” behind the attacks, but the company has declined to name it. Care to venture a guess?

The hacks are tied together into a single ongoing event by the fact that they were discovered via the log contents of a central “command and control” server being examined by McAfee investigators beginning in 2009. McAfee investigators dubbed the attack “Operation Shady RAT,” with RAT short for “remote access tool,” the common umbrella term for the software hackers and security types use to access networks from afar.

So who was attacked? Reuters' highlight reel:

The long list of victims in the five-year campaign include the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.

And China, right? Surely if someone was going to hack big targets in the U.S. and Europe, the IOC, the UN, and every major economic player in Asia/Indochina, that person surely wouldn’t overlook China, the biggest player of them all, right? No? That’s interesting.

I’m not the only one who thinks so. Cyber experts not affiliated with McAfee say everything points to the Chinese--the keen interest in Taiwan, the hacking of the IOC prior to the 2008 Beijing Olympics, the defense contractors and high-tech companies whose trade secrets could be exploited. All of this information might be interesting to anyone. But it would be especially interesting to China.

China has not issued an official comment on the hack-a-thon. But if they had, we can assume it would be something along the lines of: “Who, me?”

[Reuters]

Former CIA Chief: A Separate Internet Could Curb Cyber Threats

To combat cyber attacks, the U.S. may need more than new cyber defenses. It might need a whole new piece of Internet infrastructure. So says former CIA director Michael Hayden, who served under President G.W. Bush, and he’s not the only one. Several lawmakers and the current Cyber Command chief Gen. Keith Alexander are toying with the notion of creating a “.secure” domain where Fourth Amendment rights to privacy are voluntarily foregone in order to keep that corner of the Internet free of cyber criminals.

The idea goes something like this: China and other regimes around the world inherently have an upper hand when it comes to cyber defense because their lack of civil liberty protections lets the government freely monitor online activity. Things like “deep packet inspection” (which gained notoriety during Iranian election protests back in 2009) that let governments monitor citizens’ traffic also let them monitor for unusual activity.

That activity could be cyber criminals at work, or it could be foreign-backed cyber warriors and cyber spies working to weaken a nation’s infrastructure or penetrate sensitive government systems. Regardless, other countries are better protected. The U.S. Internet, by virtue of its adherence to civil liberties, is more like the wild west. Everyone does everything online anonymously, and while that’s great for liberties, it’s also dangerous when cyber criminals/foreign hackers are roaming the cyber countryside.

The proposed solution: a dot-secure safe zone (basically, a separate Internet) where things like financial institutions, sensitive infrastructure, government contractors, and the government itself can hide behind heavier defenses. Your Fourth Amendment privacy rights wouldn’t apply here, as you would consent to give them up upon entry; as when walking onto a military base or into an airport, users would have to show detailed identification and credentials to get in. Those who want to remain anonymous on the Web can still frolic about in the world of dot-com, but in the dot-secure realm you would have to prove you are you.

A wise man once warned about giving up a little liberty for a little security, but a tiered Internet with varying levels of freedom, security, and anonymity may be the way the Internet goes in the end. The Obama administration and members of Congress are finally taking cybersecurity quite seriously it appears, and big-league legislation is likely imminent. When the dust settles, you may not be able to go to certain neighborhoods of the Web without showing your papers at a checkpoint--and perhaps subjecting yourself to one of those humiliating electronic pat-downs as well.

[Nextgov]

Richard Clarke: China is Planting Digital Bombs Throughout the U.S. Power Grid

The U.S. government is doing little to protect American interests from cyber threats, claims Clarke in an op-ed

The cyber-security cat is slowly slinking out of the bag, it seems. It’s been a big month in cybersecurity news, ranging from some high-profile hacks at companies like Lockheed (home to sensitive American defense technologies) to a declaration from the Pentagon that cyber attacks perpetrated by foreign governments can be considered acts of war and dealt with accordingly. Now we’re hearing more war metaphors and cautionary talk from Richard Clarke in this morning’s Wall Street Journal, where he argues that China-backed hackers are systematically attacking America and meeting no resistance when they do so.

Clarke worked in various high-level security roles for every president from Reagan to G.W. Bush, leaving the White House in 2003 with the title Special Advisor to the President on cybersecurity. That is, he’s got some background on the topic at hand. And his assessment is pretty bleak: Senior U.S. officials know--and have known--that Chinese hackers are systematically infiltrating our networks, stealing source code, valuable R&D, and trade secrets from corporations while probing our power grids and other critical infrastructure for weaknesses, leaving behind easy access for themselves should they ever need to return and carry out more malicious acts.

Google, he says, has had the stones to stand up and admit it when its networks have been breached. But other companies, usually out of fear of being labeled “not secure,” haven’t done so. The recent RSA Security breach says it all; Chinese hackers--with government support--are walking all over us digitally, and the U.S. government is doing little to protect jeopardized American interests that aren’t on a .gov or .mil server.

How do we know the Chinese government is behind these hacks? The Chinese claim attacks originating on their soil are rogue hackers, not government-backed cyber warriors. But, Clarke says, cyber criminals breach companies for financial gain, swiping credit cards or otherwise making away with funds. There’s no money in hacking the U.S. electrical grid, yet President Obama himself has admitted that the grid has been thoroughly probed by hackers. Says Clarke:

“What would we do if we discovered that Chinese explosives had been laid throughout our national electrical system? The public would demand a government response. If, however, the explosive is a digital bomb that could do even more damage, our response is apparently muted—especially from our government.”

Tough words from a former cybersecurity czar. The op-ed is worth a read if you’re staying current on cyber threats and the larger geopolitical situation. Click through below for the whole story.

[WSJ]

PlayStation Network Hackers Used Amazon’s Cloud Services To Launch Their Attack, Report Says

Hackers used Amazon’s Elastic Cloud Computing service to wage an attack on Sony’s PlayStation network last month, according to a report by Bloomberg News. If it’s true, it’s the first acknowledgement that a cloud service — billed as a cheap, dynamic solution for safely storing data and ramping up processing power — has been used as a platform for a cyber attack.

Bloomberg cites “a person with knowledge of the matter,” who said a hacker used a fake name to set up a bogus Amazon EC2 account. Amazon’s servers were not hacked; rather, someone purchased computing power and used it to attack Sony’s network, compromising the personal information of 100 million users.

Amazon’s Web Services division allows users to buy processing power and space so they don’t need their own physical servers. EC2 prices range from 3 cents to $2.48 an hour for users on the East Coast, depending on your data needs; details can be found on Amazon’s website.

Extra computing power could also enable hackers to crack passwords and obtain other information more efficiently, as Bloomberg’s report explains.

Several computer security experts quoted in the story explain that there’s not much, if anything, Amazon can do about it: “There is no way of telling who’s a good guy and who’s a bad guy,” said Pete Malcolm, chief executive officer of Abiquo Inc., a California-based cloud services firm.

The PlayStation network went back online in the U.S. over the weekend, nearly a month after the intrusion, which Sony labeled a deliberate and sophisticated attack. It's still not back online in Japan.

Hackers have been known to use hijacked or rented servers, as Bloomberg’s report points out, but this appears to be a first — hackers buying legitimate time on a cloud platform, just like any other customer, but for nefarious purposes.

Sounds like the White House’s new International Strategy for Cyberspace, announced this weekend, has something else to consider.

[Bloomberg News]

Anonymous Activist Hackers Attack Wikileaks’s Enemies, Bring Down MasterCard.com

"Anonymous," a group of hackers perhaps best known for their attacks on the Church of Scientology, have appointed themselves the protectors of Wikileaks. To that end, they've begun a full-scale attack on those who have harmed Wikileaks in the past. This is no cute hacker's mission--it's a full-on crusade that has already taken down Mastercard.com.

Several major companies have made the operation of Wikileaks much more difficult. Mastercard and PayPal both blocked all donations to the site, claiming Wikileaks dabbles in "illegal activities" (despite the fact that Wikileaks has never been formally charged with a crime). That's a major source of revenue for Wikileaks, the cessation of which is going to prove a serious problem for continued operation. Other targets of the wrath of Anonymous include Amazon, which briefly hosted the site before booting them due to concerns over terms of service violations (including proper ownership of stored documents and possible security concerns), the Swedish lawyer representing the women who are accusing Julian Assange of sex crimes, and the Swiss postal system's financial arm (which blocked Assange's accounts).

Anonymous is not really a traditional group, a fact easily divined from its name. There's no leader, and no real organization. Instead, various hackers (who often populate message boards like 4Chan and wikis like the Encyclopedia Dramatica), working independently, identify under the "Anonymous" banner. The group, which has in the past targeted the Church of Scientology and, um, Gene Simmons, typically uses denial-of-service attacks, which flood the target's servers, often disabling them or shutting them down outright.

In this case, some 1,500 hackers operating under the name Anonymous decided to appoint themselves the defenders of Wikileaks and Assange, flooding their targets with denial-of-service attacks. Some, like Amazon, managed to fend off the attacks, but others weren't so lucky. Mastercard's site, thought to be extremely secure, has at the time of this writing been shut down for hours. (Side note: It's a nice quirk that the news coverage of this outage invariably points readers to mastercard.com--but if readers go there, they'll only be making Mastercard's recovery harder by adding more traffic to the pile!)

To Anonymous, all of these companies have been pressured politically to cripple Wikileaks in any way they can. Though Amazon, for one, has denied it, the group continues its attack, hoping to bring visibility to the fight for transparency and openness--or at least extract a little revenge. Hey, Wikileaks knows how to do security, so why shouldn't Mastercard, right?

[New York Times]

The 10 Best Jobs Of The Future

Jobs may be scarce today, but if current trends hold, pretty soon there will be plenty of fun, lucrative gigs. If you have the vision to start prepping now, you could be flying starships, reading minds, or manning a fusion reactor. The jobs are coming. Feel free to thank us over lunch at the hotel you built--on Mars.
