Showing posts with label hackers.
Thursday, September 03, 2015
Friday, January 02, 2015
Tuesday, August 26, 2014
Russian Hackers Amass Over a Billion Internet Passwords
By NICOLE PERLROTH and DAVID GELLES, AUG. 5, 2014
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
Alex Holden of Hold Security said most of the targeted websites were still vulnerable. Credit Darren Hauck for The New York Times
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.
There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.
And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.
But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.
“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”
Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.
So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.
But selling more of the records on the black market would be lucrative.
While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.
Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time.
The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.
“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.
Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.
By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.
“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.
Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.
The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.
Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.
Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.
“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”
Nicole Perlroth reported from San Francisco and David Gelles from New York City.
Friday, June 13, 2014
Your Secrets Aren't Safe
Data thieves are after your most private info—when you use Wi-Fi and shop online, and even when you store files in the cloud
Friday, December 06, 2013
10 Ways to Protect Yourself Against Identity Theft
Protecting yourself against identity theft is always easier than having to clear your name and credit record after the fact. It can take a lot of your time and even some of your own money to clear your name if you are a victim. So, here are 10 things you can do to help protect yourself from becoming one of the 9.9 million victims of identity theft.
#1. Guard your social security number, PINs, passwords and account numbers. Are you walking around with your social security card in your wallet, on your checks and maybe even on your driver’s license? Do you have all your passwords and account numbers written out and shoved in your wallet or purse? If you do, you could make it really easy for a thief to open accounts in your name. Only give out your social security number when absolutely necessary, generally for tax purposes or when applying for credit. For job applications, driver’s license and school identification, your social security number is not usually required. When asked for your Social Security Number for things like driver’s licenses or student IDs, first ask if it is possible to not have it printed on these items. If that isn’t possible then find out how your information will be used and what measures will be taken to protect it.
#2. Monitor bank statements and credit card statements. Make sure you’re looking at your bank and credit card statements regularly, checking for any suspicious activity, such as withdrawals or purchases you didn’t make. If you don’t receive paper statements, make sure you are using online banking to check your statements often. The more frequently you are checking your accounts, the quicker you would catch the theft and contain the possible damage.
#3. Shred documents. You should shred anything that has personal information on it, like past account statements and any of those pre-approved credit card offers that don’t interest you. You might also consider calling 1-888-5-OptOut or visiting www.optoutprescreen.com to be removed from any future mailing lists for those types of offers. Just know that there might be some good offers out there that you might miss out on.
#4. Make sure websites are secure. Whether you’re shopping, banking or paying bills, you need to make sure that the information you share online is secure and won’t be shared with anyone else. Anytime you are about to share personal information, such as your Social Security number, credit card information or bank account number, make sure the site is secure by looking for two things: a yellow lock in the lower right-hand corner of your browser and the “s” on the end of http: in the URL line of your browser. If you don’t see these, find someplace else to shop.
#5. Be cautious when sharing computers. If you share a computer with a roommate, or use a computer at a library or computer lab, make sure you clear all cookies when you are finished using the computer and always make sure you log out and delete your log in from the computer’s memory.
#6. Guard your laptop, cell phone, PDA and other technology against theft. Laptops, cell phones and PDAs are hot targets for thieves, so make sure you keep close watch on these items and use strong passwords with a combination of upper and lower case letters, numbers and symbols to protect your data.
#7. Keep copies of cards and documents. It’s a good idea to keep a copy of all your identification and credit cards, as well as other important documents, in case they are stolen. This is especially helpful if one or more of your credit cards goes missing because you’ll have the 1-800 numbers and account numbers so you’ll easily be able to call the credit card company and cancel your card.
#8. Treat mail with care. Always deposit any outgoing mail containing personally identifying information in a post office collection box or at the post office, rather than in an unsecured mailbox. And make sure you get your mail every day. You might consider contacting your bank, credit card provider and other companies that send you bills to switch to paperless billing. If you're planning to be away from home and have no one that can pick up your mail for you, contact the U.S. Postal Service to request a vacation hold. The USPS will hold your mail at your local post office until you can pick it up or can begin receiving it again.
#9. Avoid phishing scams. Never give out your personal information on the phone, through the mail or via the Internet unless you are sure you know who you're dealing with. Identity thieves may pose as representatives of banks, Internet service providers (ISPs), or government agencies to get you to reveal your Social Security number, account numbers and other identifying information.
#10. Be cautious when using the ATM. If you’re using a walk-up ATM, a gas pump, a grocery store card swipe machine or any other public debit or credit machine, make sure to keep an eye on the people around you to ensure they’re not “shoulder surfing,” or watching you as you enter in your PIN. Also make sure you take any receipts with you when you are finished with your transaction. Be on the lookout for any unusual equipment on the ATM to ensure a skimming device has not been attached. Another good tip is to cover the keyboard while entering your PIN so that it cannot be recorded by a hidden camera or seen by someone close by.
Monday, October 08, 2012
The Dangers of Using Wi-Fi on Smart Phones
by Phillip Richards
The next time you use your smart phone’s Wi-Fi to access the internet be careful that you are not also exposing yourself to hackers who can actually access information on your phone and login passwords as well. There is a growing threat with the broad use of internet hotspots for hackers to steal information that they gather with fake Wi-Fi gateways. And once these crooks get you to use their Wi-Fi connection they can decrypt the information on your phone and then sell it to 3rd parties or use it themselves to steal your identity.
It has been estimated that there are over 100 million smart phone users in the United States alone. And this number continues to grow as smart phones overtake the use of feature phones and the ordinary cell phones that once dominated the market. One of the most useful features of these phones is the ability to access the internet via Wi-Fi. But since this wireless connection to the internet requires no identification, all mobile browsers see is a name of a Wi-Fi hotspot. And even with the best identity theft protection with services like Lifelock and Trusted ID, you are still at risk of identity theft if you access public Wi-Fi hotspots with your smart phone.
To make the problem even worse, many smart phones will connect to an available hotspot automatically without the cell phone user doing anything about it. So even if your smart phone is just powered on and just sitting there, a crook with the right software and hardware can hack into your personal life when your phone connects to the Wi-Fi connection he has set up.
Companies are working on making Wi-Fi more secure, but it is increasingly difficult with more public places making free internet access available. All a hacker has to do is visit a high-traffic public coffee shop or park and set up his own fake Wi-Fi gateway. Then, while a user is surfing the internet and entering usernames and passwords, this information is automatically being picked up with the hacker’s software.
Identity thieves are using the information picked up from fake Wi-Fi hotspots to access email accounts, bank accounts, and Facebook accounts, and all of this information can be used to steal an identity while the hacker remains completely anonymous.
So what can smart phone users do to prevent this? First of all, instead of using a public Wi-Fi hotspot you should just use your phone’s service provider to access personal accounts. So if you want to check your email, log in to Facebook, or check your bank account, just use your phone’s 3G or 4G service. You can still use public Wi-Fi hotspots, but only use them for generic internet surfing. Any internet usage that will not give away any personal data should be fine. However, if you know the internet connection is secure, you should be OK to use it on your smart phone.
If your cell phone has the ability to automatically connect to hotspots whenever they become available you should turn this feature off. Or you can just turn the Wi-Fi off until you know you are going to use it. Having it on just drains your battery anyway, so you really have no reason to leave it on.
Saturday, September 03, 2011
Heat From Your Fingertips helps hackers
The secret codes typed in by banking customers can be recorded using the residual heat left behind on the keypad, says a group of researchers from the University of California at San Diego.
Hackers Use Infrared
Saturday, August 27, 2011
Researchers say they've hacked car door locks
A group of computer security researchers in Israel and Belgium say they've discovered the electronic equivalent of a Slim Jim -- a way to pop the electronic door locks on most cars without ever touching them.
Drivers don't have to worry about their cars being hacked just yet – a baseball bat is still a more effective auto theft tool – but the announcement shows yet again that newfangled security devices can be more vulnerable than you think.
Most modern cars are now equipped with convenient remote keyless entry systems. Now it seems that tool could be a convenient way for criminals to break into hundreds of cars in an afternoon.
By listening in on the wireless "conversation" between a car and its key, the researchers found they could crack the code that keeps the communication secret. Then they were able to emulate the electronic key and trick the car into unlocking itself.
Nearly all cars with remote keyless entry use an encryption system called KeeLoq. It was developed during the 1980s and purchased by Microchip Technology Inc. in the 1990s. Like all encryption systems, KeeLoq scrambles messages so they can't be read by anyone who intercepts them. Only someone -- or something -- with the appropriate deciphering key can unscramble the message.
Eli Biham, a computer science professor at the Technion-Israel Institute of Technology, says there are 18 billion possible keys for a KeeLoq transmission, making it practically impossible for even the fastest computer to work out the key through brute force.
"But," he said, "we found a shortcut."
By intercepting several transmissions from the electronic key and analyzing them, Biham and his colleagues say they were able to eliminate many of those 18 billion possibilities and work out a master key in about one day. All that's required is remote access to one key for about an hour -- say, while a person is sitting in his office with the key still in a shirt pocket.
Then, after working out the encryption scheme, Biham's group says it can unlock all cars using that master key within a few minutes.
"In modern ciphers, you don't expect this to happen," Biham says, noting that carmakers are still relying on 20-year-old cryptography to keep cars safe. "I don't understand how companies sell cryptography from the 1980s."
'Badly broken'
The research paper, called "How to Steal Cars," was presented at the Crypto 2007 conference at the University of California, Santa Barbara, last week. Exact details for exploiting the discovery won't be published for several months, Biham says, but Microchip Technology was informed weeks ago.
"KeeLoq is badly broken," the paper says, adding, tongue-in-cheek, "Soon, cryptographers will all drive expensive cars."
Microchip wouldn't comment on the team's discovery.
"Microchip Technology Inc. doesn't address matters of security in the public domain," was all that spokesman Eric Lawson would say.
But other cryptography experts said the research was significant.
"This is a very practical application of cryptanalysis," said Jon Callas, chief technology officer with the encryption firm PGP Corp., who attended the presentation. "There is a larger lesson here, which is some of these devices aren't as secure as they are being sold to us."
Slim Jim a bigger threat
Still, Callas isn't worried about his car locks being hacked just yet. There are several barriers to using the technology. While a key hacker would be able to pop the lock on the door and perhaps disarm an alarm, he or she probably couldn't get the car started without using old-fashioned car theft tools, he said. And even with the most sophisticated computers, hacking the locks still takes over an hour, while a baseball bat can do just as good a job in a second or two.
"There is not a whole lot of threat to the end consumer," he said. "A guy with a Slim Jim is a bigger threat."
The method could prove lucrative under the right circumstances, however. A thief armed with a master key could park a car with listening devices in the middle of a shopping mall lot and eavesdrop on every car as a driver parks, walks away, and pushes their key to lock the doors. Within seconds, the transmission could be intercepted, analyzed, paired with information about a known master key and used to pop the locks. A criminal could theoretically open hundreds of cars each day that way, stealing a treasure trove of iPods and GPS gadgets without leaving a trace.
"That would be worth someone's time," Callas said. Victims "would have a hard time convincing (their) insurance companies that this had happened."
A simple fix
Modest adjustments to encryption tools would foil such a plot, Callas said. Biham's method requires tricking the car's system into answering a long series of questions. But the use of "throttling" -- inserting a delay after every three requests, as some Web sites now do – can slow or eliminate such brute force attacks. So Callas has no plans to disable his electronic locks, which could be done by disconnecting the car's battery while parked.
"I'm more concerned about losing my radio presets than having my car stolen like this," he joked.
Intense research into KeeLoq by several groups began last year after proprietary information about KeeLoq's cryptography was leaked onto a Russian Web site. Biham said the information aided his group's research, but argued that properly implemented cryptography should withstand publication of such details.
Both he and Callas were critical of Microchip for not publishing its cryptographic scheme in public earlier, which would have allowed researchers to probe it for holes.
"Those of us who are in the field believe that algorithms should be published from the start because an analysis can strengthen them," Callas said. "We only use public algorithms because in the long term they are more secure."
While the immediate threat to car owners is low, Biham says the research shows the technology used to protect remote keyless entry systems is outdated.
"There are other tools criminals can use today (to steal cars) that are easier," Biham says. "But we show that it's possible to (hack the locks) and these systems to be replaced."
Tuesday, July 26, 2011
16 Suspected 'Anonymous' Hackers Arrested in Nationwide Sweep
Sixteen suspected members of "Anonymous" were arrested this morning in states across the country, from California to New York, in a federal raid on the notorious hacking group.
The arrests Tuesday, first reported by FoxNews.com, are part of an ongoing investigation into Anonymous, which has claimed responsibility for numerous cyberattacks against a variety of websites, including Visa and Mastercard.
July 19, 2011: FBI agents execute a search warrant at the Long Island, NY, home of a suspected member of notorious hacking group Anonymous.
The Department of Justice, in announcing the arrests and more than 35 search warrants in the case, said the case stemmed from an alleged cyberattack on the website PayPal over its action against controversial group WikiLeaks, one of the inspirations for the hacker group Anonymous.
Fourteen of the arrests were identified in the same indictment out of California, while two separate criminal complaints filed out of courts in Newark, N.J., and Tampa, Fla., name the two other alleged hackers. All are believed to have been involved in carrying out nationwide coordinated distributed denial of service (DDoS) attacks on multiple high-profile, billion-dollar companies.
"In retribution for PayPal’s termination of WikiLeaks’ donation account, a group calling itself Anonymous coordinated and executed distributed denial of service (DDoS) attacks against PayPal’s computer servers using an open source computer program the group makes available for free download on the Internet," the Justice Department said in a news release.
The department identified the suspects in the California indictment as Christopher Wayne Cooper, 23, aka “Anthrophobic;” Joshua John Covelli, 26, aka “Absolem” and “Toxic;” Keith Wilson Downey, 26; Mercedes Renee Haefer, 20, aka “No” and “MMMM;” Donald Husband, 29, aka “Ananon;” Vincent Charles Kershaw, 27, aka “Trivette,” “Triv” and “Reaper;” Ethan Miles, 33; James C. Murphy, 36; Drew Alan Phillips, 26, aka “Drew010;” Jeffrey Puglisi, 28, aka “Jeffer,” “Jefferp” and “Ji;” Daniel Sullivan, 22; Tracy Ann Valenzuela, 42; and Christopher Quang Vo, 22. One individual’s name has been withheld by the court.
They are charged with various counts of conspiracy and intentional damage to a protected computer, which carries a maximum sentence of 10 years in prison and a fine of up to $250,000. Each count of conspiracy carries a maximum penalty of five years in prison and a $250,000 fine.
Also Tuesday, Scott Matthew Arciszewski, 21, was arrested in Florida on charges of intentional damage to a protected computer for allegedly accessing the Tampa Bay InfraGard website without authorization and uploading three files.
And Lance Moore, 21, of Las Cruces, N.M., was arrested on the New Jersey indictment, which accuses him of stealing confidential business information stored on AT&T’s servers and posting it on a file-sharing site. He is charged with one count of accessing a protected computer without authorization.
U.S. law enforcement officials also told FoxNews.com that the arrest of a 16-year-old hacker in London, who goes by the online user name Tflow, was related to the raids in the U.S.
Some of the arrests were out of the San Francisco field office, sources said. Earlier in the day, the FBI executed search warrants at the New York homes -- two in Long Island, N.Y., and one in Brooklyn, N.Y. -- of three suspected members of Anonymous, FoxNews.com reported.
More than 10 FBI agents arrived at the Baldwin, N.Y., home of Giordani Jordan with a search warrant for computers and computer-related accessories, removing at least one laptop from the premises.
The Anonymous group is a loose collection of cybersavvy activists inspired by WikiLeaks and its flamboyant head Julian Assange to fight for "Internet freedom" -- along the way defacing websites, shutting down servers, and scrawling messages across screens web-wide.
The Anonymous vigilante group recently turned its efforts to the Arizona police department, posting personal information of law officers and hacking and defacing websites in response, the group claims, to the state's controversial SB1070 immigration law.
While Anonymous is largely a politically motivated organization, splinter group LulzSec -- which dominated headlines in the spring for a similar streak of cyberattacks -- was largely in it for the thrills.
The metropolitan police in London arrested the first alleged member of the LulzSec group on June 20, a 19-year-old teen named Ryan Cleary. Subsequent sweeps through Italy and Switzerland in early July led to the arrests of 15 more people -- all between the ages of 15 and 28 years old.
The two groups are responsible for a broad spate of digital break-ins targeting governments and large corporations, including Japanese technology giant Sony, the U.S. Senate, telecommunications giant AT&T, Fox.com, and other government and private entities.
Read more: http://www.foxnews.com/scitech/2011/07/19/exclusive-fbi-search-warrants-nationwide-hunt-anonymous/#ixzz1TDsHoPxm
Thursday, April 28, 2011
Sony Was Hacked
Hi Again,
Just in case you haven't heard, Sony's online gaming network was hacked and has been shut down for a week now. Finally, all the details are beginning to come out.
Hackers broke into the Sony PlayStation Network on April 19 and personal information – such as names, addresses and even credit card numbers – from 77 million PlayStation subscribers worldwide may be compromised.
Thursday, January 28, 2010
Fighting Cybercrime
Welcome back,
It's now 2010 and things are really cranking up due to the recession and the rapid advancements in technology. I came across this story which will give you a great overall picture of things the way they are.
Fighting Cybercrime-One digital thug at a time
Wednesday, October 01, 2008
Credit Card Theft
Yesterday's announcement of an unprecedented identity theft bust exposed just how difficult it is to protect commerce in the digital age.
The Justice Department charged 11 people with stealing more than 40 million credit card and debit card numbers.
This link leads to a series of reports on how difficult it's becoming to protect your personal info. As the holiday season approaches, it pays to be vigilant.
Notebook
Friday, December 07, 2007
Wednesday, April 11, 2007
Microsoft Refunds XBox LIVE User for Fraudulent Activity
A number of people whose children use X-Box Live have had their bank accounts violated.
Read More Here