U.S. Government Seizes LibertyReserve.com
U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as "a financial hub of the cyber-crime world" and processed more than $6 billion in criminal proceeds over the past seven years.
The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company's founder Arthur Budovsky, a 39-year-old Ukrainian native who moved to Costa Rica to start the business.
According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as "a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking."
Continued: http://krebsonsecurity.com/2013/05/u-s-government-seizes-libertyreserve-com/
Liberty Reserve Founder Indicted on $6 Billion Money-Laundering Charges
Liberty Reserve laundered $6 billion through illegal transactions
Anonymous Hacktivist Jeremy Hammond Pleads Guilty
Anonymous Hacktivist Jeremy Hammond Pleads Guilty to Stratfor Attack
At a time when the word "hacktivist" is routinely used to describe random brigands and petty vandals, Jeremy Hammond stands out as the real deal. In 2004 he urged DefCon attendees to target Republican National Convention delegates for "electronic civil disobedience." In 2006 he was sentenced to two years federal for hacking the website of a right-wing group. In between he reportedly picked up a handful of minor arrests for real-world civil disobedience, including at least one drum-banging protest.
Today, the 28-year-old Chicagoan pleaded guilty to conspiring in the keystone attack of the short-lived Lulzsec/AntiSec era, a damaging December 2011 intrusion into the servers of the private intelligence firm Strategic Forecasting, Inc. The Stratfor hack compromised 60,000 credit card numbers, some of which were promptly loaded up with $700,000 in fraudulent charges. Also stolen were 5 million email messages, which have been trickling out of WikiLeaks ever since.
As with his previous adventures, Hammond's motives in the Stratfor attack were purely non-profit.
Continued: http://www.wired.com/threatlevel/2013/05/hammond-plea/
Anonymous hacker Jeremy Hammond pleads guilty
Anonymous member pleads guilty to Stratfor hack
Accused Hacker Pleads Guilty to US Charges
Certificate pinning - first for websites, now for software?
You may have heard of certificate pinning.
Very simply put, it's a funky name for a sort of "allowlist" of digital certificates. It is intended to supplement (or even to supplant) the chain of trust on which normal digital certificates, such as those used for HTTPS, rely.
We've explained the chain of trust before in varying levels of detail, but the concept is straightforward for securing traffic such as web browsing:
1. You send out a site certificate that is a public key people can use to encrypt traffic to your site, combined with a digital signature that identifies it as yours.
But the name in a certificate is just a text string typed in when it was created, so anyone can make a certificate that says it's yours. How do people know it is yours? Here's how:
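The excerpt above describes a pin allowlist as a supplement to the chain of trust. The following added example (not from the Sophos article or any project it mentions) shows the mechanics a pinning client performs: it walks a DER-encoded X.509 certificate to its SubjectPublicKeyInfo, hashes that structure into a pin in the RFC 7469 format (base64 of SHA-256), and compares the pin against a fixed set. Only the Python standard library is used, and the certificates are constructed in the block as structurally valid DER with dummy key and signature bytes, so no signature is verified; the field layout, OIDs and pin format are standard, everything else is sample data.

```python
"""Added example: SPKI certificate pinning check over a DER-encoded X.509 cert.

Standard library only.  The certificates below are constructed stand-ins with
dummy key and signature bytes; nothing here verifies a signature.  The pin
format, base64(SHA-256(DER SubjectPublicKeyInfo)), follows RFC 7469.
"""
import base64
import hashlib


def der(tag, body):
    """Encode one DER TLV with definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def read_tlv(data, pos=0):
    """Decode the TLV at data[pos]; return (tag, value, end_of_tlv)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def sequence_elements(seq_value):
    """Split a SEQUENCE body into its child TLVs as (tag, raw_tlv_bytes)."""
    elements, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = read_tlv(seq_value, pos)
        elements.append((tag, seq_value[pos:end]))
        pos = end
    return elements


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo from Certificate.tbsCertificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = read_tlv(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = sequence_elements(tbs_body)
    if fields and fields[0][0] == 0xA0:    # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der):
    """Pin value as in RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_pin(cert_der):
    return spki_pin(extract_spki(cert_der))


def is_pinned(cert_der, allowed_pins):
    """True if the certificate's public key is in the pin allowlist."""
    return cert_pin(cert_der) in allowed_pins


# --- constructed sample data (not real certificates) ----------------------
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
NULL = der(0x05, b"")


def fake_spki(key_bytes):
    """SubjectPublicKeyInfo { algorithm, subjectPublicKey BIT STRING } with dummy key."""
    return der(0x30, der(0x30, RSA_OID + NULL) + der(0x03, b"\x00" + key_bytes))


def fake_cert(serial, spki_der):
    """Structurally valid Certificate with empty names and a dummy signature."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                       # version v3
              + der(0x02, bytes([serial]))                        # serialNumber
              + der(0x30, SHA256_RSA_OID + NULL)                  # signature algorithm
              + der(0x30, b"")                                    # issuer (empty Name)
              + der(0x30, der(0x17, b"130528000000Z") + der(0x17, b"140528000000Z"))
              + der(0x30, b"")                                    # subject (empty Name)
              + spki_der)
    return der(0x30, tbs + der(0x30, SHA256_RSA_OID + NULL) + der(0x03, b"\x00" + bytes(16)))


SITE_KEY = fake_spki(bytes(range(1, 65)))       # the key the client pins
OTHER_KEY = fake_spki(bytes(range(65, 129)))    # a different key behind a valid-looking cert
CERT_2013 = fake_cert(1, SITE_KEY)
CERT_RENEWED = fake_cert(2, SITE_KEY)           # same key, new serial: the pin survives renewal
CERT_OTHER_KEY = fake_cert(3, OTHER_KEY)        # chain may validate, but the pin check rejects it
PIN_SET = {cert_pin(CERT_2013)}

if __name__ == "__main__":
    print("pin:", cert_pin(CERT_2013))
    print("renewed cert accepted:", is_pinned(CERT_RENEWED, PIN_SET))
    print("other-key cert accepted:", is_pinned(CERT_OTHER_KEY, PIN_SET))
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets a pin survive routine re-issuance with the same key, while a certificate for a different key, however well-formed its chain, fails the check; in practice the pin set also carries a backup pin for the next key so a rotation does not lock clients out.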
PayPal to Fix XSS Flaw, But No Reward For Researcher
PayPal is in the process of fixing the cross-site scripting flaw on its Web site that was disclosed last week. The teenage researcher who found and disclosed the bug said Wednesday that PayPal security officials told him that someone else had reported the same vulnerability to them earlier and they're trying to patch it now.
Robert Kugler, a 17-year-old German student, posted a message on the Full Disclosure mailing list on May 24 disclosing the XSS vulnerability on several of PayPal's Web sites. He included a screen shot of the bug being exploited and said that he had reported the flaw to PayPal, a subsidiary of eBay, which runs a bug reward program for security researchers. Kugler said that he got a response from PayPal's security team informing him that he was below the minimum age of 18 to qualify for the reward program, so he posted the information on Full Disclosure instead.
The bug report drew quite a bit of media attention, as did PayPal's assertion that Kugler didn't qualify for its reward program. There isn't any stated age requirement in the guidelines for PayPal's reward program, but in its email to Kugler, the company's security team said that he was too young for the program. In a later email, which Kugler posted to the mailing list Wednesday, the security team reiterated that Kugler was too young, but also said that another researcher had reported the same XSS vulnerability to them before he did, which would have disqualified him for the reward in any case.
Continued: http://threatpost.com/paypal-to-fix-xss-flaw-but-no-reward-for-researcher/
PayPal refuses to pay bug-finding teen
German student Robert Kugler, 17, says he found a bug on PayPal's site.
Being a good netizen, he responsibly disclosed the bug by contributing it to PayPal's Bug Bounty Program.
PayPal's response was twofold: First, somebody else already found the cross-site scripting (XSS) flaw, the company said.
Secondly, 'thanks, but no thanks, kiddo - you would have been too young to participate anyway'.
PayPal, did you irk a budding security researcher?
It certainly seems so, as Kugler's next step was to do what is universally accepted in the security industry as irresponsible - he publicly disclosed the bug.
Kugler's remark, from his May 24 full disclosure posting:
"I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers ..."
PayPal emailed this statement in defense of its actions to TechWeek Europe:
Continued: http://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/
Related: PayPal vulnerable to cross-site scripting again
Can mobile malware be activated via sensors?
Can mobile malware be activated via sensors available on current mobile devices, and receive commands through out-of-band communication methods? If you ask a group of researchers from the University of Alabama at Birmingham and the Polytechnic Institute of NYU, the answer is yes.
To prove their theory, they created and tested proof-of-concept Android apps that received command-and-control trigger messages from a distance of 55 feet indoors and 45 feet outdoors, sent using only low-end PC speakers with minimal amplification and low volume.
In theory, such a signal can be incorporated into TV or radio programs, background music services, Internet TV programs and even musical greeting cards, and the signal is received even if the device is in the user's pocket.
Continued: http://www.net-security.org/malware_news.php?id=2507
Face recognition API for Google Glass to be released this week
An API that will enable developers to program facial recognition into Google Glass apps is due to be released this week by Lambda Labs, a San Francisco startup.
Company co-founder Stephen Balaban said that the API will be available to any interested developer, according to TechCrunch's Sarah Perez.
TechCrunch says that Lambda Labs' facial recognition API went into beta last year and is now in use by 1,000 developers, including several major international firms.
The API is now seeing 5 million calls per month and is growing at 15 percent month-over-month, Perez writes, with Lambda Labs now on the brink of releasing a version of the API that will recognize faces and objects in Google Glass apps.
Seriously? USA to legalize rootkits, spyware, ransomware and trojans to combat piracy?
From the Emsisoft Blog:
By now most users will already be familiar with ransomware, either because they have been affected by it themselves at some point or because they have seen it on a friend's PC. Ransomware usually refers to a special category of malware that essentially tries to hold a user's computer and files hostage and demands payment of a ransom in exchange for returning control of the computer back to the user. The general method of operation so far has been to simply confront the user with fictitious legal accusations. However there is a slight chance that in the not so distant future these accusations may no longer be fabricated.
Just a few days ago the "Commission on the Theft of American Intellectual Property" released its 84-page report (pdf). Amidst a large amount of rather naive ideas there is one idea that strikes us as particularly insane: the report proposes the use of malware to determine whether or not you are pirating intellectual property and, if you are, to lock your computer and hold all your files hostage until you call the police and confess to your crime:
Moore, Oklahoma tornado charitable organization scams
Moore, Oklahoma tornado charitable organization scams, malware, and phishing
Adrien de Beaupré @ the SANS ISC Diary:
I find it sad that in times when people are facing disaster, when many have died, others are missing, and the survivors have lost everything, there are scumbags who will try to take advantage. Be very wary of any charity that is raising funds for victims of any disaster, particularly one that has not been around for very long. There are many legit charities; I would recommend sticking to ones you are already familiar with. The American Red Cross, for example, has been around for a long time, does amazing work, and is always in need of funding. They are just one example of a well-established charity that does good work and is already involved in helping out in Moore, Oklahoma.
Routine monitoring of newly registered domain names shows a number of brand new ones that have words like Oklahoma, Moore, tornado, recovery, help, assistance, and similar. I am certain that a number are registered by well-meaning people; however, I am equally sure that many are fake or scams. It does not take long for any recent newsworthy topic to become the subject line of phishing, malware, and scammers.
Another handler remarked that the new trend seems to be crowd funding; hopefully the money raised will make its way to the charity where it belongs.