8/7/2008 Weekly Security Post

Crime Doesn’t Pay In the End…
A ring of hackers who ripped off 40 million credit card numbers has been charged. The case may go on the record books as the largest hacking and identity theft case in history. In all, eleven individuals were charged with hacking the records of nine major retailers.

The charges were issued in a Boston court and included conspiracy, computer intrusion, fraud and identity theft. The hackers’ modus operandi was to gain access to the networks and then to install “sniffer” programs to collect customers’ credit card numbers, as the retailers processed credit and debit transactions.

Even more sinister, the ring sold the information to criminal groups in the U.S. and in Eastern Europe, who used it to make fake cards, complete with magnetic stripes, that could be used to clean out customers’ bank accounts at ATMs. Security experts were sympathetic but blamed users for failing to check their bank records.

The retailers hit were TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority, Forever 21, and DSW.

Virus University

Students at Sonoma State University are being taught how to write viruses. The syllabus, which reads like a thinly veiled attack on security kingpins McAfee, Symantec and their ilk, who made close to $5B USD in revenue last year, encourages students to learn to write destructive viruses and then use that knowledge to develop independent security efforts.

Led by Professor George Ledin, a Venezuelan who came to the U.S. after initially studying biology, the students delve into the darker side of computing. Some students create keystroke monitors; others write programs to spam synthetic message boards. Professor Ledin says security these days is a thuggish business, akin to cryptography in the 70s and 80s. However, not everyone agrees with his “the truth will set you free” philosophy, and many of the antivirus firms are furious at him for creating what they say will become a legion of hackers.

Fake Flash Player Hits CNN.com, and Many More
In a complex attack, hackers first sent users spam email with links to what looked like CNN.com news feeds. However, when users went to the site and clicked on the news “stories”, they got a message saying their Flash Player was incorrectly installed. While some savvy users decided to click “cancel”, the clever hackers broke their will by trapping them in an endless loop: clicking “cancel” would yield a warning that the site would not display without the update, and clicking through the warning would bring the original message back up.

When the weary users finally accepted the update, they instead got a piece of malware which phoned home to a central server, which in turn installed loads more malware. Over 140 million bogus emails were sent in the last 2 days, and over 1,000 web pages had been hacked to display the links. A Denver-based security company, MX Logic Inc., helped to discover the attack and is investigating its origins.

Security Expert To RIAA: MAC Address != IPs
In the latest RIAA case, Zomba v. Does 1-11, the record industry’s draconian enforcer was dealt another blow. A security expert called upon in the case said that MAC addresses could not be tied to IP addresses accurately, as some MAC addresses have multiple users. The case is part of the RIAA’s campaign to crack down on uncooperative colleges. It was filed against Tufts University over its DHCP systems, which “were not designed to facilitate forensic examinations.”
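To show why a DHCP log is weak evidence for tying an IP address to a particular machine, here is an added example (not from the original post or the case) that parses constructed dhcpd-style DHCPACK syslog lines and answers “which MAC held this IP at this time?”. The log lines, the 1-hour lease time and the `holder_of`/`ips_for` helpers are all assumptions for illustration; the point it makes is that the same IP changes hands during the day, one MAC holds several IPs, and a query outside any recorded lease cannot be answered from the log.

```python
"""Attribute a DHCP-assigned IP to a MAC at a point in time (forensic view).

Added example, not part of the original post. Input format and lease time
are assumed; the sample log below is constructed, not captured.
"""
import re
from datetime import datetime, timedelta

LEASE_SECONDS = 3600  # assumed lease time for the constructed log

# Constructed sample lines in ISC dhcpd syslog style (no year in syslog timestamps).
LOG = """\
Aug  6 08:02:11 dhcp dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:5e via eth1
Aug  6 09:15:40 dhcp dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:5e via eth1
Aug  6 11:30:02 dhcp dhcpd: DHCPACK on 10.20.5.17 to 00:9f:8e:7d:6c:5b via eth1
Aug  6 11:45:59 dhcp dhcpd: DHCPACK on 10.20.5.88 to 00:1a:2b:3c:4d:5e via eth1
"""

ACK = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) via")


def parse(log, year=2008):
    """Return (timestamp, ip, mac) tuples for every DHCPACK line, sorted by time."""
    events = []
    for line in log.splitlines():
        m = ACK.match(line)
        if not m:
            continue  # ignore DISCOVER/OFFER/REQUEST and unrelated lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3).lower()))
    return sorted(events)


def holder_of(events, ip, when):
    """Return (mac, reason); mac is None when the log cannot support an answer."""
    before = [e for e in events if e[1] == ip and e[0] <= when]
    if not before:
        return None, "no lease recorded for this IP before the query time"
    ts, _, mac = before[-1]
    if when - ts > timedelta(seconds=LEASE_SECONDS):
        # The lease may have been renewed or reassigned without a logged ACK.
        return None, "last recorded lease had expired; holder unknown"
    return mac, f"lease acknowledged at {ts:%H:%M:%S}"


def ips_for(events, mac):
    """All IPs a single MAC was given during the log window."""
    return sorted({ip for _, ip, m in events if m == mac.lower()})
```

A single observation such as “10.20.5.17 at 10:30” therefore attributes to nobody, while the same address at 09:30 and 11:40 attributes to two different machines.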

Massive DNS Vulnerability Compromises Virtually Any Site Email, Quickly Being Patched
Saving the best (or worst) for last, Dan Kaminsky of Seattle-based security consultancy IOActive Inc. gave details on Wednesday, at the Black Hat hacker conference in Las Vegas, of how a vulnerability he discovered in DNS servers, which direct internet traffic by name, could be used to compromise the entire internet.

The vulnerability had already been exploited by some. Texan hackers had used the flaw to hack DNS servers and send some Google.com users to a fake Google page, which used Google’s search but automatically clicked the links on the page hundreds of times, earning the hackers a big payday.

Many email servers were also susceptible to the DNS vulnerability. Kaminsky said this would allow an attacker to put themselves between the sender and the receiver, allowing them to peruse their email. Hackers can use this to retrieve user passwords sent by email, a common practice among a broad variety of sites, even banking sites.

Following the announcement, Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc. and others quickly issued patches, though some internet providers have held off on fixing the problem, putting internet users at risk.

That’s all for this time.  Please travel here for the last edition of the Security Post.