Showing posts with label Cyber Crime. Show all posts

Sunday, December 8, 2013

Microsoft Steps up Fight on Cyber Criminals

  • Sunday, December 8, 2013
  • asd

  • Microsoft has announced that they have stepped up their fight on cyber criminals by partnering with the FBI, A10 Networks, and Europol’s European Cybercrime Centre (EC3). The most recent endeavour by the new crime-fighting union was said to have “successfully disrupted” a botnet responsible for infecting nearly 2 million computers. It is estimated that this botnet operation has been costing online advertisers more than $2.7 million per month.
    Microsoft is now working on a preliminary court injunction that would direct U.S. Internet Service Providers, among other groups controlling domains and IP addresses, to shut down the botnet’s network. The suit was filed in a Texas district court and also asks these groups to preserve material and content associated with the botnet to help with Microsoft’s fight.
    The botnet, known as ZeroAccess, is very sophisticated and has not been totally disabled, but Microsoft is hoping that the combined technical and legal action will put it in serious jeopardy. The cyber crime units are looking to disrupt the botnet’s business model by attacking its criminal infrastructure, and to keep the victims’ computers from executing any future fraudulent schemes.
    The ZeroAccess botnet affects search engines such as Bing, Yahoo, and Google by hijacking an innocent person’s computer and redirecting their search results. Once hijacked, users are taken to dangerous websites which then infect their computer with malware. The cyber criminals can then access personal information and data and ultimately commit fraud by charging businesses for advertising clicks. ZeroAccess is disguised as legitimate software, tricking victims into downloading and installing it on their computers.
    ZeroAccess is difficult to eradicate completely because it relies on a peer-to-peer infrastructure, which lets the cyber criminals control the botnet remotely through thousands and thousands of infected computers. According to Microsoft, the botnet is one of the most sophisticated operations in history because it is so durable and robust.
    ZeroAccess malware disables a user’s security features, leaving their system vulnerable to further secondary attacks. Microsoft recommends immediate removal of the infection using up-to-date anti-virus software or malware removal tools.
    Microsoft says they are stepping up the fight on these cyber criminals by notifying people who have been infected with the malware. Microsoft is directing those people to its support site, which provides information on the botnet and on its removal.
    ZeroAccess is Microsoft’s first target since it formed a new Cybercrime Center last month. The Cybercrime Center was formed after Microsoft successfully disrupted over 1,000 botnets back in June. Those botnets were being used to rob innocent victims of their identity and banking information. Citadel was the name of the botnet that infected more than 5 million people and was responsible for losses of over $500 million.
    Other entities, such as Trustwave’s SpiderLabs, have recently looked at source code from a recently discovered botnet dubbed Pony. Pony successfully stole credentials for 1.58 million websites, including 320,000 email accounts. They also found the botnet responsible for breaching security on 3,000 secure shell accounts, 3,000 remote desktops, and 41,000 FTP accounts.
    In the past year, the technical and legal teams of Microsoft’s Digital Crimes Unit were successful in taking down the Bamital and Nitol botnets. Microsoft announced on Thursday that its new Cyber Crime Unit and newly formed alliances were stepping up their fight on cyber criminals like those responsible for the ZeroAccess botnet.

    Tuesday, August 6, 2013

    Tor 'deep web' servers go offline as Irish man is held over child abuse images

  • Tuesday, August 6, 2013
  • asd
  • Freedom Hosting, linked by the FBI to child abuse images, has gone offline, as the FBI sought the extradition of a 28-year-old suspect from Ireland.
    Eric Eoin Marques is the subject of a US arrest warrant for distributing and promoting child abuse material online.

    He has been refused bail by the high court in Dublin, reported the Irish Independent, until the extradition request is decided. Marques, who is both a US and Irish national, will face the high court again on Thursday.
    If extradited to the US, Marques faces four charges relating to images hosted on the Freedom Hosting network, including images of the torture and rape of children. He could be sentenced to 30 years in prison.
    Freedom Hosting hosted sites on The Onion Router (Tor) network, which anonymises and encrypts traffic, masking the identity of users.

    Whistleblowers, journalists and dissidents too?

    On Sunday, Tor's official blog posted a detailed statement confirming that a large number of "hidden service addresses", or servers anonymised using the network, had unexpectedly gone offline.
    Tor was quick to distance itself from Freedom Hosting, which has been claimed to be a hub for child abuse material as well as for Silk Road, the eBay of hard drugs, saying that "the persons who run Freedom Hosting are in no way affiliated or connected to the Tor Project Inc, the organisation co-ordinating the development of the Tor software and research."
    "Anyone can run hidden services, and many do," said the statement. "Organisations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery.
    "Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example."
    Security blogger and former Washington Post reporter Brian Krebs wrote on Sunday that users were identified using a flaw in Firefox 17, on which the Tor browser is based.
    Rik Ferguson, vice-president of security research at Trend Micro, said he was awaiting further details to be made public as Marques is brought to trial, but that the takedown and related law enforcement "is great news for the campaign against child exploitation".
    "The malicious code made a 'victim machine' which visited one of the compromised hidden sites, and requested a website on the 'visible' web, via HTTP, thereby exposing its real IP address. As the exploit did not deliver any malicious code, it is highly unlikely that this was a cybercriminal operation.
    "It is a legitimate concern that users of child abuse material may simply go elsewhere, and as such the individual users should continue to be targeted by law enforcement globally. However, going after the people and organisations that really enable this content to be made available at all is a much more effective strategy."
    In 2011, hacking collective Anonymous took down Freedom Hosting with a targeted DDoS attack as part of an anti-paedophile campaign. Anonymous also published details of the accounts of 1,500 members of Lolita City, claiming Freedom Hosting was home to 100GB of child abuse material.

    FBI conspiracy?

    Users on the Tor sub-Reddit were suspicious about the news, dissecting the details of the vulnerability and pointing to a previous case where the FBI had taken over and maintained a site hosting child abuse material for two weeks in order to identify users.
    "FBI uploads malicious code on the deep web sites while everyone is off at Defcon. Talk about paying dirty," commented VarthDaTor. Defcon is an annual event in the US for security experts and hackers.
    "The situation is serious," said gmerni. "They got the owner of FH and now they're going after all of us. Half the onion sites were hosted on FH! Disable Javascript in your Tor browser for the sake of your own safety."

    Friday, May 31, 2013

    Drupal hacked, resets passwords after millions of accounts exposed

  • Friday, May 31, 2013
  • asd
  • Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data.
    Drupal.org is the official website for the popular open-source content management platform. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application, not in Drupal itself, Holly Ross, executive director of the Drupal Association, wrote in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.
    "Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."

    There's no indication credit card data was intercepted. There's also no evidence that any unauthorized changes were made to Drupal source code or projects.

    Drupal.org administrators have responded by rebuilding production, staging, and development systems and enhancing most servers with grsecurity, a set of security patches for the Linux operating system. The admins have also hardened their configuration of the Apache Web server application and added antivirus scanning to their security routine. Some Drupal.org subsites, particularly those with older content, have been converted to static archives so they can't be updated in the future.

    Drupal.org account holders will be required to change their password by visiting this link, entering their username or e-mail address, and following the link included in the e-mail message that follows. Ross also encouraged account holders to change login credentials on other sites that used the same or a similar password used on Drupal.org.

    Most of the passwords stored by Drupal.org were both salted and, more importantly, passed through a cryptographic hash function multiple times using the open-source phpass application. Some older passwords weren't salted. If Drupal engineers followed good practices—and there's no indication they didn't—the repeated hash iterations will go a long way to preventing anyone who obtains the data from quickly cracking the hashes and exposing the underlying plaintext that generated them. (Cryptographic salting, which appends unique characters to each password before it's hashed, is also helpful, although people frequently overstate the protection it provides. For much more on password protection see the Ars feature Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.)

    Ross didn't identify the exploited third-party application. Given Drupal.org's use of Apache, it's possible the site was compromised by the same attack that has plagued at least 20,000 other sites in recent weeks. Researchers still don't know how attackers are gaining almost unfettered, "root" access on these servers, but the same backdoor, often known as Linux/Cdorked, more recently started compromising sites that run on the nginx and Lighttpd Web servers too.

    The hacks are underscoring the growing vulnerability of websites to serious malware attacks. On Tuesday, evidence emerged that servers running the Ruby on Rails framework were being compromised and made part of a botnet. The attackers in that case were exploiting an extremely critical vulnerability that was patched in early January.

    Drupal's front page states there are 967,545 people in 228 countries (speaking 181 languages) using the platform.
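    As an added illustration, not taken from the article or from Drupal's own code, the following Python re-implements the phpass "portable" hash the article refers to: a per-user salt and an iteration count are both encoded in the stored string, the check re-derives the hash under that stored setting, and the cost helper shows why iterations raise an attacker's work per guess while a salt only stops one guess from being amortised across every hash in a dump. The `cracking_work` cost model and the function names are this example's own.

```python
import hashlib
import hmac
import os

# phpass's own 64-character alphabet (not RFC 4648 base64)
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes) -> str:
    """phpass encode64(): packs 3 bytes into 4 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def iterations(setting: str) -> int:
    """Number of MD5 rounds encoded in the 4th character of a $P$/$H$ hash."""
    if setting[:3] not in ('$P$', '$H$'):
        raise ValueError('not a phpass portable hash')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:          # phpass rejects anything outside this range
        raise ValueError('iteration count outside phpass range')
    return 1 << count_log2


def gensalt(count_log2: int = 11) -> str:
    """Fresh setting string: '$P$' + cost character + 8 random salt characters."""
    return '$P$' + ITOA64[count_log2] + _encode64(os.urandom(6))[:8]


def phpass_crypt(password: bytes, setting: str) -> str:
    """Salted, iterated MD5 in the same order phpass crypt_private() uses."""
    rounds = iterations(setting)
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError('truncated salt')
    digest = hashlib.md5(salt + password).digest()   # first round binds the salt
    for _ in range(rounds):                           # then 2**count_log2 more rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Re-derive under the stored salt/cost and compare in constant time."""
    try:
        candidate = phpass_crypt(password.encode(), stored)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate, stored)


def cracking_work(guesses: int, stored_hashes: int, rounds: int, salted: bool) -> int:
    """MD5 calls needed to test `guesses` candidates against a leaked table.

    Salted: each guess must be recomputed for every hash (distinct salts).
    Unsalted: one computation per guess is compared against every hash at once,
    which is the amortisation the article says salting removes. Iterations
    multiply the per-guess cost in both cases. (Illustrative cost model.)
    """
    per_guess = rounds + 1
    return guesses * per_guess * (stored_hashes if salted else 1)
```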

    Wednesday, May 29, 2013

    LulzSec hacker Jeremy Hammond pleads guilty to Stratfor hack

  • Wednesday, May 29, 2013
  • asd
  • Jeremy "anarchaos" Hammond, LulzSec member and self-styled activist, announced today that he's pleading guilty to one count of violating the Computer Fraud and Abuse Act (CFAA).
    Hammond admits that he worked with Anonymous to hack into the website of private intelligence company Stratfor as well as other sites involved in the law enforcement and intelligence sphere. He says he acted because he believes "people have a right to know what governments and corporations are doing behind closed doors." Some five million e-mails between the company and its clients were given to WikiLeaks, which has in turn published slightly more than 900,000 of them.
    This attack was part of the "AntiSec" (Anti-Security) operation started by LulzSec in June 2011. That initiative saw numerous law enforcement and intelligence organizations attacked.
    Hammond pled not guilty to the charges about one year ago. He says he changed his plea because the prosecutor "stacked the charges with inflated damage figures." These high damage figures mean that under current sentencing guidelines Hammond faced more than 30 years in prison if found guilty.
    Further, with other indictments outstanding against him, Hammond says that even if he won one trial, further trials were likely to occur.
    Under the terms of the plea agreement, Hammond will be given immunity from further prosecution in federal courts. He still faces up to 10 years in prison for the charge he admitted to, while Hammond supporters argue that he should be sentenced to no more than time served. The LulzSec man has already spent 15 months in prison awaiting trial. Sentencing is scheduled to take place on September 6. Hammond has also agreed to pay $250,000 in restitution.
    Hammond broke into Stratfor's systems in late 2011. After doing so, he got in touch with LulzSec ringleader Hector "Sabu" Monsegur to discuss the hack, using Monsegur's servers to store the data.
    The e-mails were given to WikiLeaks. Other information—including e-mail addresses, hashed passwords, and around 30,000 credit card numbers—was published online. Subsequent to the hack, some $700,000 in unauthorized charges was made to the stolen cards.
    What Hammond didn't know at the time was that Monsegur had been arrested earlier that year and was secretly working as an FBI informant. The offer of storage space for the purloined data came at the FBI's request. The FBI used information from Hammond's chats with Sabu, including mentions of previous arrests, to determine his identity.
    Earlier in the month, four LulzSec members in the UK were sentenced to between 24 and 32 months for their parts in the group's hacking activities. Two group members in Ireland were arrested but subsequently released, with prosecutors there declining to press charges.

    Thursday, May 16, 2013

    Lulzsec hackers to be sentenced for cyber attacks on the CIA and Pentagon

  • Thursday, May 16, 2013
  • asd

  • A court has heard that four UK-based hackers involved with the Lulzsec group thought of themselves as being "modern-day pirates".
    Ryan Ackroyd, Jake Davis, Mustafa al-Bassam and Ryan Cleary have all pleaded guilty to hacking offences.
    Cleary has also pleaded guilty to possession of images showing child abuse, which were found by police on his hard drive.
    The men will be sentenced at Southwark Crown Court later this week.
    Lulzsec carried out a series of attacks in 2011. Targets included Sony Pictures, video games maker EA, the News International media group and Britain's Serious Organised Crime Agency (Soca).
    'International notoriety'
    Ackroyd, 26, from Mexborough, South Yorkshire, has admitted stealing data from Sony. The former soldier was also responsible for redirecting visitors trying to visit the Sun newspaper's site to a fake story about News Corp chairman Rupert Murdoch committing suicide.
    He has pleaded guilty to carrying out an unauthorised act to impair the operation of a computer.
    Bassam, 18, from south London, Davis, 20, from Lerwick, Shetland, and Cleary, 21, from Wickford, Essex, all pleaded guilty to two charges - hacking and launching cyber-attacks against organisations including the CIA and Soca.
    In addition, Cleary pleaded guilty to a further four charges, including hacking into the US Air Force's computers and possession of indecent images of babies and children.
    Prosecutor Sandip Patel said that unlike the others, Cleary was not a core member of Lulzsec although he had wanted to be.
    "It's clear from the evidence that they intended to achieve extensive national and international notoriety and publicity," he said.
    "This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal."
    Judge Deborah Taylor will sentence the men after considering mitigating factors highlighted by their lawyers.
    Cleary's lawyer said his client suffered from Asperger's syndrome, which had been misdiagnosed as attention deficit disorder.
    Botnet attack
    Lulzsec's name is a combination of the acronym Lol - meaning laugh out loud - and security.
    It emerged as a splinter-group from the hacking collective Anonymous two years ago.
    Mr Patel said the spin-off lacked the "libertarian" political agenda of the larger group. Instead, its stated goal was to laugh at others' flawed security measures "just because we could".
    This involved stealing emails, credit card details and passwords from their targets' computer servers and crashing victims' websites with distributed denial of service (DDoS) attacks, which flood an organisation's web servers with requests sent from hijacked computers used as part of a botnet.
    Lulzsec's original ringleader is alleged to be another man - US-based Hector Monsegur, also known as Sabu. He was arrested in June 2011 and later co-operated with the FBI to help it identify other members of Lulzsec. Monsegur has yet to be sentenced.
    A 24-year-old Australian has also been arrested and accused of attacking and defacing a government website as part of Lulzsec's campaign.



    Sunday, May 12, 2013

    Indian Government approved National Cyber Security Policy

  • Sunday, May 12, 2013
  • asd

  • The government approved the National Cyber Security Policy that aims to create a secure computing environment in the country and build capacities to strengthen the current set up with focus on manpower training.
    The Cabinet Committee on Security (CCS) approved the policy, which stresses augmenting India's indigenous capabilities in developing the cyber security set-up.
    "CCS met today and approved the National Cyber Security Policy, which sets a road map for strengthening cyber security of the country by building capacities in the country, training manpower etc," a source said after the meeting.
    A senior official in the Department of Information Technology said the policy strives for a secure computing environment and seeks to build adequate trust and confidence in electronic transactions.
    "This policy caters for the whole spectrum of ICT users and providers including small and home users, medium and large enterprises and government and non-government entities," the official added.
    It aims to create a cyber security framework that will address all related issues over a long period. The framework will lead to specific actions and programmes to enhance the security posture of the country's cyber space.
    Besides, cyber security intelligence forms an integral component to be able to anticipate attacks and quickly adopt counter measures.


    Wednesday, April 17, 2013

    Web host Linode, hackers clash over credit card raid claim

  • Wednesday, April 17, 2013
  • asd

  • Crooks claim they gained access to server hosting biz Linode's customer passwords and credit card numbers.

    On Friday, Linode said someone tried to compromise one of its clients' machines, but insisted no financially sensitive information was leaked. Linode reset all account passwords as a precautionary measure. The virtual server provider stated:


    Message from Linode administrators

    Linode administrators have discovered and blocked suspicious activity on the Linode network.  This activity appears to have been a coordinated attempt to access the account of one of our customers.  This customer is aware of this activity and we have determined its extent and impact.  We have found no evidence that any Linode data of any other customer was accessed.  In addition, we have found no evidence that payment information of any customer was accessed.

    We have been advised that law enforcement officials are aware of the intrusion into this customer’s systems. We have implemented all appropriate measures to provide the maximum amount of protection to our customers. Out of an abundance of caution, however, we have decided to implement a Linode Manager password reset. In so doing, we have immediately expired all current passwords. You will be prompted to create a new password the next time that you log into the Linode Manager. We also recommend changing your LISH passwords and, if applicable, regenerating your API key.


    But on Monday, the hackers broke cover to dispute Linode's version of events: the miscreants revealed hashed passwords, source code snippets and directory listings to substantiate their claims that they obtained credit card details and the hashed password database from a Linode management system.

    The infiltrators sneaked into the server via an insecure installation of web app maker Adobe ColdFusion, according to a transcript of the hackers' IRC chatter. "It's surprising that anyone is still running ColdFusion - that's like connecting a Windows 98 box to the internet without a firewall," said "Ryan", a representative of the HTP black-hat crew that apparently slurped the data.

    Ryan claimed Linode encrypted its customers' credit card information but "both the private and public keys were stored on the web server", implying that the cache could be decrypted.

    Today Linode, which operates a cloud of Linux virtual servers, responded to these claims with an updated statement denying that customer credit card data was leaked. It blamed a ColdFusion bug for allowing in the hackers:

    Linode has come under attack from black hats before. Last year Linode was hacked by cyber-thieves who made off with a stash of bitcoins worth $71,000 after breaking into the digital safety deposit boxes of eight of its customers. Linode promised to revamp its security procedures in the wake of the robbery.



    Friday, February 8, 2013

    Hacker sentenced for funding terrorist groups

  • Friday, February 8, 2013
  • asd
  • A hacker, 'Cahya Fitrianta', was sentenced to eight years in prison by West Jakarta District Court judges for hacking into many economic websites to steal money and channelling that money to terrorist groups.

    He was also ordered to pay a Rp 500 million ($51,000) fine. He was charged with breaking into many sites, running online fraud worth billions of dollars and funnelling that money to terrorist training in Poso, Central Sulawesi.

    Cahya was arrested in May last year in a Bandung hotel. The case also involves another man, Rizki Gunawan, whom police arrested in May, accusing him of hacking a marketing firm’s website to steal money in order to fund militant training.

    Both are accused of channelling money to terrorism suspect Umar Patek, who was sentenced this year to 20 years for his role in the 2002 Bali bombing.

    “Aside from engaging in a vicious conspiracy, the defendant was also found guilty of laundering money, which he obtained from hacking the www.speedline.com website and used the proceeds to fund military training in Poso.”

    Meanwhile, the prosecutor decided to appeal because the sentence is lighter than the 12 years prosecutors had demanded.

    Wednesday, October 10, 2012

    Cybercrime law is suspended by Philippines court

  • Wednesday, October 10, 2012
  • asd

  • The Philippines' top court has suspended a controversial law targeting cybercrime, following protests by critics who say it stifles free speech.
    The new law, called the Cybercrime Prevention Act of 2012, came into effect earlier this month.
    It was intended to prevent online child pornography, identity theft and spamming, officials say. Reports say a 120-day suspension is in place.
    The law also made libel a cybercrime punishable by up to 12 years in jail.
    The Supreme Court issued a temporary restraining order preventing the act from being enforced after 15 petitions questioning its legality were filed.
    The government says the law is intended to address "legitimate concerns" about criminal and abusive behaviour online.
    But protesters say the legislation could be used to target government critics and crack down on freedom of speech.
    Under the new act, a person found guilty of libellous comments online, including comments made on social networks such as Facebook and Twitter or blogs, could be fined or jailed.
    The act is also designed to prevent cybersex, defined as sexually explicit chat over the internet - often involving "cam girls" performing sexual acts in front of webcams for internet clients.
    Government officials would also have had new powers to search and seize data from people's online accounts.
    The law generated a number of protests - anonymous activists hacked into government websites and journalists held rallies.
    In a statement, Human Rights Watch's Asia director Brad Adams welcomed the move by the court, but urged it to "now go further by striking down this seriously flawed law".
