Unprecedented 25-Year Sentence Sought for TJX Hacker: Via Threat Level.

Computer hacker Albert Gonzalez deserves a quarter-century behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors argued in a court filing Thursday night.

“[T]he sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Boston-based Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many major cities and some states.”

The government also disputed a defense claim that Gonzalez suffers from Asperger’s disorder, a mild form of autism that was grounds for a slightly reduced sentence in a previous hacking prosecution.

Gonzalez, 28, is set for sentencing next week on three indictments covering virtually every headline-making bank-card theft in recent years, including intrusions at TJX, DSW Shoe Warehouse, Office Max, Hannaford Brothers, 7-Eleven, and Heartland Payment Systems, which alone exposed magstripe data on 130 million credit and debit cards. He performed the intrusions while an informant for the Secret Service.

The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years. [ Read more ... ]

Hacker Disables More Than 100 Cars Remotely: Via Threat Level.

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots.

“We initially dismissed it as mechanical failure,” says Texas Auto Center manager Martin Garcia. “We started having a rash of up to a hundred customers at one time complaining. Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.”

The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle. [ Read more ... ]

Feds: TSA Worker Tried to Sabotage Terror Database: Via Threat Level.

A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshal’s Service Warrant Information Network. [ Read more ... ]

Zeus botnet dealt a blow as ISP Troyak knocked out: Via Computerworld Cybercrime/Hacking News.

Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.

Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.

The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. "There's lots of Zeus and Fragus exploit kit [sites]," he said. Whoever was behind the takedown "just decided to knock out a large area of cybercirme, and this was probably one of the easiest ways to do it." [ Read more ... ]

Hackers exploit latest IE zero-day with drive-by attacks: Via Computerworld Cybercrime/Hacking News.

Hackers are exploiting the just-disclosed unpatched bug in Internet Explorer (IE) to launch drive-by attacks from malicious Web sites, security researchers said today.

"This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out," said Craig Schmugar, a threat researcher at McAfee, in a blog post today.

Attacks are launched from Web sites in a classic drive-by fashion, said Schmugar and others. "Visiting the page is enough to get infected," Schmugar said.

Symantec also confirmed that it has spotted in-the-wild attacks exploiting the critical vulnerability in IE6 and IE7 that Microsoft acknowledged yesterday. "We're still seeing just limited attacks," said Ben Greenbaum, a senior research manager on Symantec's security response team. "The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware." [ Read more ... ]

The Botnet Challenge: by CDT Via Comcast Voices | The Official Comcast Blog.

Editor's Note: Our thanks to Leslie Harris, President and CEO, Center for Democracy & Technology, for writing this guest blog post about botnets.

Botnets are armies of computers that criminals have infected with malicious software so they can control them to remotely to steal information, launch denial-of-service attacks, spread malware and host illegal content. Botnets are one of the most serious threats to Internet security today. They have compromised untold millions of computers – and even DSL routers – worldwide. The Conficker worm alone has infected up to 15 million consumer, business and government computers into a massive botnet in a little over two years.

Botnet armies are built on the computers of regular Internet users who have no idea that their PCs have been compromised and are being used for malicious purposes. In fact, botnets depend on users’ ignorance in order to stay operational. At the same time, the spam, phishing, and denial-of-service attacks that botnets perpetrate may have little or no impact on the compromised users or their ISPs, while wreaking havoc on faraway users connected to entirely different networks. [ Read more ... ]

Serious Apache Exploit Discovered: Via Slashdot.

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.

Read Original Article:(Via Slashdot.)

Security Pros Question Deployment of Smart Meters: Via Threat Level.

The country’s swift deployment of smart-grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.

But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.

“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week. [ Read more ... ]

Spain Busts Hackers for Infecting 13 Million PCs: Via Threat Level.

BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security. [ Read more ... ]

The Spy at Harriton High: Via Stryde Hax blog.

This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
PanoMasterMind

The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. [ Read more ... ]

Opinion: Dear Facebook, it's time to act like a grown-up about security: Via Computerworld Cybercrime/Hacking News.

An open letter to Facebook from Ira Winkler, who had no luck contacting the company via conventional means.

Dear Facebook,

I appreciate your service. I really do. I'm sure that many of your 400 million active users appreciate it as well. But now that you have a market value estimated at billions of dollars, it is time for you to start acting like a grown-up company. That means you have to provide basic security for your customers. And it means responding when your customers try to contact you, as I did recently to talk about an important security issue. Do you think you will be able to hold on to 400 million users if you treat them that way, and if you put their computers at risk? I don't.

As you can see, I have had to resort to writing an open letter on Computerworld's Web site, because all other attempts to get through to you were unsuccessful. [ Read more ... ]

iPhone Privacy, Security Not What Apple Claims, Researcher Says: Via PCWorld.

Apple's claims about iPhone privacy and security are exaggerated, according to software engineer and security expert Nicolas Seriot, who gave a presentation yesterday about the iPhone at the Black Hat Conference in DC.

Apple's sandboxing technology restricts iPhone applications to operating system resources with a list of deny/allow rules at the kernel level, but these and other permissions are "way too loose," and "Apple should not claim that an application cannot access data from another application," said Seriot, who works as an iPhone programming trainer at a company called Sen:te. [ Read more ... ]

Another Debit Card Skimmer: Via Schneier on Security.

This one is installed inside gas pumps. There's nothing the customer can detect.

Read Original Article:(Via Schneier on Security.)

Probe Traces Google Hack to Chinese Schools: Via Threat Level.

NEW YORK (Reuters) - Recent cyber attacks on Google and other American corporations have been traced to a top Chinese university as well as a school with ties to the Chinese military, The New York Times reported on Thursday, citing people involved in the investigation.

Those people told the Times that the Chinese schools involved are Shanghai Jiaotong University and the Lanxiang Vocational School. They said the attacks may have started as early as April 2009 — earlier than previously thought.

According to the report, investigators believe there is evidence suggesting a link to a computer science class at the vocational school taught by a Ukrainian professor.

Google jolted U.S.-China ties with its Jan. 12 announcement that it had faced a “highly sophisticated and targeted attack” in mid-December, allegedly from inside China. [ Read more ... ]

Over 75,000 systems compromised in cyberattack: Via Computerworld Cybercrime/Hacking News.

Correction: An earlier version of this story incorrectly said the cyberattacks began in 1998. They began in 2008.

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday. [ Read more ... ]

Security bug opens Google Buzz to hackers: Via Security Central - InfoWorld.

The cross-site scripting flaw was discovered by the same person who hacked Miley Cyrus' e-mail

A common Web programming error could give hackers a way to take over Google Buzz accounts, a security expert said Tuesday.

The flaw is a "medium-sized problem" with the Buzz for Mobile Web site, said Robert Hansen, CEO of SecTheory, who first reported the issue.

This type of Web programming error, called a cross-site scripting flaw, lets the attacker put his own scripting code into Web pages that belong to trusted Web sites such as Google.com. It is a fairly common flaw but one that can have major consequences when exploited on widely used Web sites.

The attacker "can force you to say things you don't want to say, to follow people," he said. "Whatever Google Buzz allows you to do, it allows him to do to you." [ Read more ... ]

Spying on User Web Browsing Histories for Fun and Profit!: Via Lauren Weinstein's Blog.

Greetings. A bit over a year ago, I reported here about a commercial firm using JavaScript tricks to pry into the site browsing history of unsuspecting Web users, and I discussed the serious negative implications of such spying.

Now comes a handy "do it yourself" guide detailing the kinds of obnoxious techniques involved, under the name "Sniff browser history for improved user experience" -- a quintessential example of how to portray (that is, spin) an obvious privacy invasion as if it were a user-friendly value proposition.

It's not terribly surprising that the author of the piece devotes only a couple of words to even the possibility that such techniques could be used for "evil" purposes. [ Read more ... ]

Rogue antivirus program comes with tech support: Via Computerworld Security News.

In an effort to boost sales, sellers of a fake antivirus product known as Live PC Care are offering their victims live technical support.

According to researchers at Symantec, once users have installed the program, they see a screen, falsely informing them that their PC is infected with several types of malware. That's typical of this type of program. What's unusual, however, is the fact that the free trial version of Live PC Care includes a big yellow "online support" button.

Clicking on the button connects the victim with an agent, who will answer questions about the product via instant message.

Symantec says the agent is no automated script, but in fact a live person. [ Read more ... ]

Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic: Via Computerworld Privacy News.

'At what point is one free of this' perpetual checking, asks Lauren Weinstein

The Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of its anti-piracy software took the company to task again today for a new practice that will examine consumers' Windows 7 PCs every 90 days to make sure they're running legitimate copies of the OS.

Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), urged Windows 7 users not to accept the option update to Windows Activation Technologies (WAT) when Microsoft begins seeding it to the Windows Update service later this month.

"The approach that Microsoft is now taking doesn't seem to make sense, even for honest consumers," Weinstein argued in a post to his blog. "Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their 'phone home' checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. [ Read more ... ]

Researchers find huge weakness in European payment cards: Via Computerworld Security News.

Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.

The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.

European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.

But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered. [ Read more ... ]

Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.

PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.

Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.

Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]

New Russian botnet tries to kill rival: Via Computerworld Cybercrime/Hacking News.

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. [ Read more ... ]

Anonymous Unfurls ‘Operation Titstorm’: Via Threat Level.

Several Australian government websites were slowly recovering Wednesday hours after the online prankster group, Anonymous, unleashed a massive distributed denial-of-service attack to protest the country’s evolution toward internet censorship.

The group, which has brought down Scientology’s websites and undertaken a host of other online pranks, dubbed the attack “Operation Titstorm” to protest the government’s move to require the filtering of pornography hosting adult actors if they appeared under age. Other violent material targeting children is also to be censored.

Anonymous, whose past targets include uncool virtual worlds, an epilepsy message board and a Neo-Nazi webcaster,  sent Australian media e-mail messages warning of the attack, the Sydney Morning Herald said. [ Read more ... ]

Feds Bust Cookie-Stuffing Code Seller: Via Threat Level.

Federal authorities are charging a Las Vegas man with marketing a so-called “cookie-stuffing” operation, enriching himself and others while defrauding eBay along the way.

The felony conspiracy to commit wire fraud charge levied Tuesday against Christopher Kennedy, who faces a maximum 5-year prison term, centers around his website the authorities claim he owns called saucekit. The now-defunct site lets nefarious website owners purchase his cookie-stuffing code to unwittingly dupe eBay to pay those site owners thousands of dollars in advertising referral fees, the authorities said.

Authorities in San Jose, California, declined to say how many website owners — or underground eBay affiliates — had purchased the program, or how much Kennedy charged. But message boards and court documents claim that some underground entrepreneurs made up to $10,000 monthly in fraudulent eBay payments. [ Read more ... ]

Sweden Probing Cisco, NASA Hacks: Via Threat Level.

Swedish investigators are probing a hacker U.S. authorities accuse of unlawfully intruding into Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division, the authorities said Monday.

Philip Gabriel Pettersson, known in the hacking world as “Stakkato,” allegedly seized computer code that controls internet traffic. After the 2004 breach of Cisco, the proprietary source code for Cisco’s IOS operating system was discovered on a Russian website.

Pettersson was indicted in the United States in May on five hacking counts, (.pdf) but could not be brought from Sweden to the United States for trial. Sweden does not extradite its own citizens, but said it was examining whether to prosecute him in Sweden after U.S. authorities in San Francisco initiated that request. [ Read more ... ]