NEWS - June 10, 2011

Spanish Police Arrest Three Members of Anonymous

Spanish police said Friday they arrested three members of the Anonymous hacking group who allegedly directed attacks on banks, government websites and companies including Sony.

Spain said it was the first police operation in the country dedicated to tracking down Anonymous, a decentralized group of activists who have mounted distributed denial-of-service attacks (DDOS) against businesses and organizations. The arrests were made in Barcelona, Alicante and Valencia.

Targets for Anonymous have included the Scientology website and companies that cut off relations with the whistleblower WikiLeaks website, such as Visa, MasterCard, PayPal, and PostFinance, a Swiss financial institution.

The loose-knit group attracted followers who downloaded a tool called the Low Orbit Ion Cannon (LOIC), a simple DDOS tool to aid in the attacks. Some of the more technically adept Anonymous members used botnets, or networks of hacked computers, to carry out DDOS attacks.

Continued :

Spanish police cuff three Anonymous hack suspects
Spanish police arrest Anonymous hacking suspects
- Collapse -
UK Health Service Warned of Poor Security by Hacker Group

The U.K. National Health Service (NHS) said Friday that no patient data was compromised after an intrusion of one of its websites by Lulz Security, a hacker group that has recently stung organizations including a U.S. public broadcasting network and Sony.

Lulz Security apparently obtained administrative passwords for a website for a local NHS organization, according to a spokeswoman. The NHS did not reveal the name of the organization.

The NHS said that the Department of Health has previously issued security guidance to local NHS organizations on how to protect their data, and that none of its information systems had been affected by this latest incident.

Lulz, which frequently writes of its exploits on Twitter, wrote on Thursday that it had warned the NHS of the compromise by e-mail, and posted an image of the message.

"We're a somewhat known band of pirate-ninjas that go by LulzSec," the group wrote on Twitter. "While you aren't considered an enemy -- your work is of course brilliant -- we did stumble upon several of your admin passwords, which are as follows. We mean you no harm and only want to help you fix your tech issues."

Continued :

Hackers warn NHS over security
LulzSec warns NHS about compromised passwords

- Collapse -
RSA appoints its first Chief Security Officer

Eddie Schwartz, previously the Chief Security Officer (CSO) at security analysis company NetWitness, has been appointed to the same position at RSA. Although at the time of writing no statement has emerged from RSA, Schwartz acknowledged the move in several Twitter messages on 8 June and also changed his profiles on Twitter and LinkedIn to reflect the new position.

Less than a month after the March data theft from RSA's servers, the EMC Corporation - RSA's parent company - purchased NetWitness and brought it in to operate as part of RSA, EMC's security subsidiary. It appears that Schwartz will be RSA's first CSO, although EMC has a person in a similar role. Schwartz had been with NetWitness since January 2007, and has 25 years' experience in IT and security technology management.

During the attack on RSA in March, sensitive data was stolen that included information concerning one of the company's most high profile products, the SecurID hardware-token-based, two-factor authentication system. It was not clear at the time of the attack how damaging the theft had been but then, last month, defence contractor Lockheed Martin was attacked. RSA later admitted that stolen SecurID information was used in the attack and has started to replace some, if not all, of the 40 million hardware tokens that it had distributed.

Continued :

Also: In wake of breach, RSA names chief security officer

- Collapse -
Phishers LAMP web hosts

Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers, the APWG report found, with between 76 and 82 per cent of respondents using one or more components of the LAMP architecture.

All 270 websites surveyed had been cracked. In the vast majority of cases, the sites were not the primary targets, but were compromised to act as launching pads for phishing attacks against third parties.

"While we acknowledge that LAMP - Linux, Apache, MySQL, PHP - is the most popular web operating environment, the APWG IPC is concerned that this profile is exploited with such apparent frequency," the report, authored by ICANN's Dave Piscitello, noted.

According to the latest numbers from Netcraft, Apache has about a 63 per cent market share.

The APWG survey also found that 37 per cent of sites had been pwned more than once in the last 12 months, and that 35 per cent were under the control of the attackers for two days or more.

Continued :

- Collapse -
Watch out for Counterfeit Concert Tickets or Hotel Vouchers

BitDefender's Malware City Blog:

Double or, better yet, triple check the authenticity of the ticketing sites that throw at you dazzling offers

Around occasions such as concerts, sports events and holiday booking time, cyber crooks hope that folks would fall for tricks and scams no matter how old they are. Unfortunately, they have been proved right in too many instances.

It all begins with people searching for tickets or vacation bargains on the Internet. They unwarily stumble upon a fake ticketing website or a copy of a legitimate site; see the offer, find the event or the holiday venue they are interested in and decide to make the purchase without further investigating the legitimacy of the sites. Unfortunately once they pay, they will never see either the tickets or their money again. They are left instead with a bunch of bogus promises: to receive the ticket in a week's time or to meet someone at the venue precisely the day of the event. But, this is just a false assurance that will only give the crooks more time to flee the scene.

When planning the perfect vacation, the scenario is as follows: offers of dreamy sceneries start pouring into the people's inbox. The spam messages are sprinkled with a few pictures of deserted isles, appealing prices for some popular vacation destinations and thus the malicious set is complete. Based on the reports I received from the BitDefender anti-spam labs, the top ranking baits used this year by crooks in their spam messages are "Plan a vacation in sunny Virginia Beach", "69 euro x settimana in Turchia, Spagna, Sardegna, Sicilia!" [Screenshot: Spam advertising vacation offers]

Continued :

- Collapse -
Third-Party Twitter Apps Can Access Your Private Messages

"Third-Party Twitter Apps Can Access Your Private Messages Without Authorization"

Any third-party Twitter app developer can currently ask you to authorize software using OAuth under the pretense that they will not be able to access any of your private - both sent and received - messages, while in fact they easily can. TechCrunch was contacted by developer Simon Colijn, who hopes to make as many people aware of this privacy issue - or disaster, if you will - as possible.

Colijn created this test application to prove that the anomaly with the authorization process actually exists. You can use a dummy account if you're not comfortable clicking anything on that page, but I just ran a test with my personal Twitter account.

Sure enough, I was shown an authorization screen that explicitly told me that the app would not be able to access my private messages - after which it swiftly did in mere seconds.

To be clear, the developer had selected the option 'Read-only', which means he wasn't supposed to be able to fetch (and thus download and store) my direct Twitter messages at all.

This obviously gives the term 'private messages' a whole new meaning.

- Collapse -
Ten Immutable Laws Of Security (Version 2.0)

As referenced in "June Advance Notification Service and 10 Immutable Laws Revisited" at MSRC:

Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from an issue in one of our products; when this happens, we develop a corrective update as quickly as possible. In other cases, the reported problems simply result from a mistake someone made in using the product, or our investigation finds a problem with the product that, while troublesome for users, does not expose them to a security vulnerability. But many fall in between. They are genuine security problems, but the problems don't result from product flaws. Over the years, we've developed a list of issues like these that we call the 10 Immutable Laws of Security.

Don't hold your breath waiting for an update that will protect you from the issues we'll discuss below. It isn't possible for Microsoft -- or any software vendor -- to "fix" them, because they result from the way computers work. But don't abandon all hope yet. Sound judgment is the key to protecting yourself against these pitfalls, and if you keep them in mind, you can significantly improve the security of your computers, whether they sit on your desk, travel in your pocket, or exist in a virtual cloud. (Throughout this list we'll use "computer" to mean all of those objects, by the way.)

The 10 Immutable Laws

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore

It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over a certain level of control of your computer to it -- often anything up to the limits of what you yourself can do on the computer (and sometimes beyond). It could monitor your keystrokes and send them to criminals eager for the information. It could open every document on the computer, and change the word "will" to "won't" in all of them. It could send rude emails to all your friends. It could install a virus. It could create a "back door" that lets someone remotely control your computer. It could relay a bad guy's attack on someone else's computers. Or it could just reformat your hard drive.

Continued :

- Collapse -
Codemasters warns customers after hackers steal data

Codemasters, the UK-based video game development company, has fallen foul of hackers, who have broken into their network and stolen customer information.

In an email sent to customers, Codemasters explained that the intrusion was detected on Friday June 3rd, and users are urged to change their online passwords and keep an eye open for scams which might exploit the stolen information. [Screenshot]

Names, addresses, usernames, dates of birth, telephone numbers, gamer tags, and encrypted passwords are just some of the pieces of information stolen by the hackers. Fortunately, the firm assures customers that credit card information was not included in the hackers' haul, but the data which was exposed would be of value to phishers and other online criminals.

It's clearly a serious problem, even if some online gamers are trying to see the funny side:

Continued :

Also: Codemasters pulls website after hackers pwn customer database

- Collapse -
Malware writers rely on users not updating

When infecting PCs, online criminals are increasingly benefiting from uninstalled updates for browsers and their components. Research carried out by G Data SecurityLabs indicates that unclosed security holes in browser plug-ins are very much in fashion with cybercriminals.

This distribution concept means that current security holes are far from being the only ones exploited by the perpetrators, as evidenced in the current malware analysis for the month of May 2011.

In the previous month alone, four of the Top 10 computer malware programs had been targeting Java security holes for which Oracle had been offering an update since March 2010. There's also been an increase in malware that installs adware or tries to lure users to install bogus antivirus programs.

The malware industry has been focusing on Java security holes since the end of last year. This kind of computer malware is already dominating the malware landscape and has recently ousted PDF security holes from the Top 10.

Continued :

- Collapse -
Celebrities Play the Les Paul Google Doodle

[Security related news? Not really. Have fun playing with it, nonetheless!]

The most recent Google Doodle, an interactive, playable guitar that commemorated what would have been the 96th birthday of musician Les Paul, has gotten so much attention that its stay on the Google homepage was extended through today. Some of that popularity has rubbed off on celebrities who have taken a stab at playing the doodle.

MSNBC commentator Rachel Maddow was one of the first to try her hand at playing the doodle, first banging out a clumsy version of "Hey, Jude" before reversing the telescope on the idea of the doodle: instead of figuring out how to play specific songs with a keyboard and mouse, she decided to see how musical regular typing sounded.

Predictably, she completed her experiment by comparing the "melodiousness" of the first names of politicians in the news. First typing out "Barack" and concluding the doodle-ized tune of president's name sounded like a jingle for an oil company, Maddow then compared various leading Republicans, from Mitt ("not bad") to Timothy ("Gh") to Sarah ("not a pleasant sound"). Shocker: "Barack" was most pleasant to Maddow's ears.

Continued :,2817,2386741,00.asp

Related: How To Play Guitar On The Les Paul Google Doodle (LESSONS)

Official Google Blog: A doodle for an instrumental inventor

- Collapse -
FBI Investigating Cyber Theft of $139,000 from Pittsford, NY

Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.

Continued :

- Collapse -
Malware gang's $14.8 million bank account frozen

The US Attorney's office has today frozen a Swiss bank account belonging to Sam Shaileshkumar.

Mr. Shaileshkumar, together with Bj

- Collapse -
Announcing newest StopBadware report: The State of Badware

Today, StopBadware is proud to announce the public release of our first State of Badware report. The State of Badware offers insight into recent badware trends and responses and examines the factors that contribute to badware's persistence.

Badware is a significant challenge for all members of the Internet ecosystem, from individual computer users to big businesses and world governments. Cybercrime has evolved into a complex, profitable economy, and badware is the tool of choice for cybercriminals who perpetuate this economy. Despite the considerable resources poured into attempts to eliminate it, badware is, by all accounts, still on the rise. We believe that to truly understand the badware threat, it's necessary to look at the interconnected systems that are tasked with defending against badware: The State of Badware explores four major areas of vulnerability -- technical, behavioral, economic, and legal -- in the Internet ecosystem's overall structure that contribute to badware's perseverance.

It's clear that today's approaches to security aren't enough to repel or eradicate increasingly dynamic and hard-to-measure badware; we must create new and more centralized methods of measuring and responding to this threat. The State of Badware highlights key opportunities for improvement: it is intended as a resource to help individuals, business leaders, and policymakers understand how both badware and the industry's response to it are evolving -- and what steps we can take to defend against it.

You can read the full press release here. We at StopBadware are excited about this report--both its release and its potential as a tool for those who want to take action. As always, we welcome thoughtful discussion. You can download the full State of Badware at
