Re: Cyber Warfare

[satan_baby]

DDoS attacks take out Myanmar

November 04, 2010 - Myanmar was severed from the internet on Tuesday following more than 10 days of distributed denial of service attacks that culminated in a massive data flood that overwhelmed the Southeast Asian country's infrastructure, a researcher said.

The DDoS assault directed as much as 15 Gbps of junk data to Myanmar's main internet provider, more than 15 times bigger than the 2007 attack that brought some official Estonian websites to their knees, said Craig Labovitz, a researcher at Arbor Networks. It was evenly distributed throughout Myanmar's 20 or so providers and included multiple variations, including TCP SYN, and RST.

“While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks — especially ones targeting an entire country — remain rare with a few notable exceptions,” Labovitz wrote, referring to the Georgia attacks, which coincided with the country's armed conflict with Russia. “At 10-15 Gbps, the Myanmar [DDoS attack] is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS.”

[satan_baby]

Hackers shut down Saudi education ministry website

The Saudi education ministry's website was shut down on Monday after hackers posted pictures of Hezbollah leader Hassan Nasrallah and a youth wielding a syringe.

Hackers calling themselves the "True Promise Team" posted Nasrallah's picture and blasted Saudi treatment of the kingdom's minority Shiites in the first hack, according to a cached version of the page published on the Sabq.org news website.

They signed it with the name of Ali al-Sistani, Iraq's top Shiite cleric. Saudi Arabia is predominantly Sunni Muslim. The first page was subsequently replaced by another hack, carrying a photo of a syringe-wielding young man or woman, the cache of which could be accessed through Google.

[hacksecrets]

EU simulates cyber warfare

The European Union has launched a pan-European cyber warfare simulation designed to test the region's defences.

The tests, dubbed Cyber Europe 2010, will see experts from EU Member States try to cope with a series of simulated attacks on key internet services, which could, if not defended against, cripple Europe's online connectivity and bring about a total network crash.

The exercises require the different countries to work closely together to ward off wave after wave of attacks from hackers to prevent a blackout of all of Europe's internet services. All 27 EU Member States are participating in the tests, either actively or as observers. Some non-EU states, such as Iceland, Norway and Switzerland, are also participating.

[hacksecrets]

Hackers break into OECD computer system

The OECD, the Paris-based club of the world's 33 richest countries, has been successfully hacked by people looking for sensitive information on money laundering, high-level corruption and tax evasion.

OECD spokesman Stephen Di Biasio told EUobserver by phone from France on Thursday (4 November) that the body first detected "unusual" activity in its IT network in August and is still battling to get malware out of its computers three months later despite calling in help from the French security services and private cyber-defence companies. "We've got a team trying to close down their points of entry, but we're not in a position today to say we've cleared them out of our system," he said.

"What we know is it's quite a sophisticated attack. We've got quite high levels of security protocols at the OECD and this has been able to bypass those security measures ... What we are seeing is that it's not a destructive attack. It's obviously fishing for information. Because the OECD works in such a broad array of areas, they are searching around to see what they can get."

[sunny]

Hackers take control of 1 million mobile phones

MORE than 1 million Chinese mobile phone users have unwittingly sent spam messages, costing them around 2 million yuan (US$300,000) a day, after their phones were recently infected by malware.

The "zombie" virus, hidden in a bogus anti-virus application, can send the phone user's SIM card information to hackers, who then remotely control the phone to send URL links, usually pay-per-click ads, in text messages to contacts in the user's address book.

Users who click the links will also get infected, thus causing the virus to spread rapidly, China Central Television reported yesterday. This replicating mobile phone virus hit 1 million users in their pockets in the first week of September, according to a report by the National Computer Network Emergency Response Technical Team Center.

[hacksecrets]

Hacker accesses Louisiana EMT licensing database

An unauthorized individual recently gained access to a Louisiana state licensing database that contained the personal information of tens of thousands of emergency medical technicians (EMTs).

How many victims? 56,000.

What type of personal information? Names and Social Security numbers.

What happened? It is believed that on Sept. 17 hackers gained access to a state Department of Health and Hospitals (DHH) database that contained information about individuals who have applied for classes or who are certified as first responders or EMTs in Louisiana. The list includes high school seniors who are in EMS-related programs through the Education Department. The breach was discovered by personnel with the state's Bureau of Emergency Medical Services. A computer screen displayed the message: “You have been hacked.”

[hacksecrets]

Five password-security myths dispelled

Over the past few years, companies have increasingly adopted considerably stronger password policies. Unfortunately, there's still ample confusion in how to strengthen password policies and to mitigate password-focused attacks. I found dozens of mistakes in various security portals' password-hacking whitepapers, seen respected security vendors recommending incorrect mitigations to conflated attacks, and took note of highly knowledgeable security teams operating on mistaken assumptions.

I understand the confusion: There are many different types of password attacks (and defenses) and so much incorrect information on the Internet. The following are a few myths about password security that often surprise even the most seasoned security admins.

For starters, many admins think that password information retrieved from locally stored Windows profiles can be used in pass-the-hash attacks. In reality, the password verifiers stored in local profiles are extremely resilient against cracking -- up to tens of thousands of times harder to crack than a normal password hashes. What's more, they can't be used in pass-the-hash attacks at all.

[satan_baby]

Malware spawning peaks at 60,000 a day

Daily malware growth hit a new level in the third quarter, with an average of 60,000 new pieces seen every day, McAfee has found.

The recently-acquired security giant also identified more than 14 million unique pieces of malware over the period - one million more than in the third quarter of 2009. “Our Q3 Threat report shows that cyber criminals are not only becoming more savvy, but attacks are becoming increasingly more severe,” said Mike Gallagher, senior vice president and chief technology
officer of global threat intelligence at McAfee.

The Zeus piece of malware caused plenty of havoc over the period and a mobile version of the highly sophisticated malicious software
was created during the quarter. McAfee also saw an increase in email campaigns attempting to deliver the Zeus botnet using well-known organisations names, such as Western Union, as part of hackers’ social engineering tricks.

[satan_baby]

[sze=18]Stuxnet virus could target many industries[/size]

A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, affecting the production of everything from chemicals to baby formula, government officials and cyberexperts warned Wednesday.

Experts told senators that attackers can use information made public about the so-called Stuxnet virus to develop variations targeting other industries, and that the worm's consequences go "beyond any threat we have seen."

The code has attacked industrial sites in Iran and several other countries, and infected several employees' laptops at the Bushehr nuclear plans. Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.

[satan_baby]

Password cracking in the cloud

On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time, but don't want to invest in fixed capital for long term. For the same reasons, cloud computing can be very useful to hackers -- a lot of hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive but highly parallelizable.

For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to "provision." But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card.

The balance of power between security controls and attack methods shifts quite dramatically if you assume the attacker has high-performance computing available at low cost. Take passwords, for example. The length and complexity of a password determines the effort required to mount a brute force attack. Assume an attacker has access to the "hashed" value of a password database, a database that can be compromised through a vulnerable Web server or authentication server. The hash, usually based on an algorithm such as the Secure Hashing Algorithm, cannot be reversed but it can be brute-forced by trying all possible values of a password. This brute-force calculation happens far from the authentication server and therefore is not limited by a three-tries-lockout mechanism.

[satan_baby]

China telecom briefly hijacked US Web traffic

China Telecom sent incorrect routing information last April that resulted in Internet traffic to major corporate websites and U.S. military and government sites being sent through China for 18 minutes, according to a report by a congressional advisory group.

The incident was one of several discussed by the U.S.-China Economic and Security Review Commission. Reuters obtained a copy of the draft report, which will formally be released on Wednesday.

In the hijacking incident, the Web traffic, much of which originated in the United States and was directed toward U.S. corporate and government websites, should have gone the shortest available route and not through China. Some of the traffic was headed to sites owned by the U.S. Senate, the office of the secretary of defense, NASA and the Commerce Department, the draft said.

[satan_baby]

Google charges Feds $25 a head for user surveillance

Microsoft does not charge for government surveillance of its users, whereas Google charges $25 per user, according to a US Drug Enforcement Admission document turned up by security and privacy guru Christopher Soghoian.

With a Freedom of Information Act (FOIA) request, Soghoian has exposed four years of DEA spending on wiretaps and pen registers. A wiretap grabs actual telephone or Internet conversations, whereas a pen register merely grabs numbers and addresses that show who's doing the communicating.

In 2010, the document shows, the DEA paid ISPs, telcos, and other communication providers $6.7 million for pen registers and $6.5 million for wiretaps. Pen register payments more than tripled over the past three years and nearly doubled over the past two. Wiretap payments stayed roughly the same.

[satan_baby]

German hacker uses rented computing to crack hashing algorithm

A German security enthusiast has used rented computing resources to crack a secure hashing algorithm (SHA-1) password.

Thomas Roth used a GPU-based rentable computer resource to run a brute force attack to crack SHA1 hashes. Encryption experts warned for at least five years SHA-1 could no longer be considered secure so what's noteworthy about Roth's project is not what he did or the approach he used, which was essentially based on trying every possible combination until he found a hit, but the technology he used.

What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individuals in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth's proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer.

[satan_baby]

Malaysian Man Accused of Hacking Federal Reserve

A Malaysian man was charged today by a federal grand jury with hacking into a Federal Reserve Bank computer network and possessing more than 400,000 credit and debit card numbers.

Lin Mun Poo, 32, was arrested shortly after his arrival in the United States Oct. 21, and has been in custody since then, according to the U.S. Attorney’s Office for the Eastern District of New York. According to the government’s pleadings and a detention letter filed today, Poo targeted not just financial institutions, but also major corporations and a defense contractor.

“As today’s technology
continues to evolve, cybercriminals use these advances and enhancements to perpetrate an expanding range of crimes,” said Secret Service Special Agent in Charge Parr, in a statement. “These crimes not only affect our nation’s financial infrastructure, but are also an ongoing threat to our national security.”