Tag: hacking

Half of users click on everything a phisher sends

Security experts were shocked to discover that half of internet users are so stupid that they click on everything anyone sends to them.

The study by German researchers found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages. What is worse is that they had previously indicated that they were aware of phishing risks.

The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.

The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.

The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.

FAU Computer Science Department Chair Dr Zinaida Benenson was stunned by the results as more than 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links. But 45 percent had clicked on the links.

For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognise the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link.

“I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.


Russian politician’s son convicted for hacking US restaurants

The son of a Russian politician was convicted for trying to hack US businesses to steal and sell credit card numbers.

The scam apparently cost financial institutions more than $169 million, so he must have been pretty good at it.

Roman Seleznev, also known as “Track2,” was found guilty by a federal jury in Seattle on 38 of 40 counts including wire fraud and intentional damage to a protected computer following an eight-day trial, prosecutors said.

Seleznev hails from Vladivostok and was dragged from his home in the Maldives by US spooks in what he called a kidnapping.

Seleznev, the son of Valery Seleznev, a member of the Russian Parliament, is scheduled to be sentenced on December 2. His minimum sentence will be four years in prison.

Browne said Seleznev, 32, plans to appeal and challenge what he called Seleznev’s illegal arrest in the Maldives and a ruling that allowed prosecutors to introduce evidence from a corrupted laptop seized at the time of his arrest.

“I don’t know of any case that has allowed such outrageous behaviour,” Browne said.

Prosecutors said that from October 2009 to October 2013, Seleznev hacked into retail point-of-sale systems and installed malware to steal credit card numbers from businesses, including restaurants and pizza parlours in Washington state. He will not get much sympathy there – many of them were forced to close after the hacks.

Seleznev sold the credit card information on various “carding” websites. Buyers in turn used the card numbers for fraudulent purchases, they said, causing 3,700 financial institutions to lose more than $169 million.

Valery Seleznev insisted his son did not know a thing about computers, although how he explained why all the stolen card details were found on his laptop is anyone’s guess. Instead of worrying about the crime he waded into the US government for ignoring international extradition arrangements. It seems that everyone is focusing on the method of arrest rather than the poor pizza shop owners who had to close because of his antics.


Texas wants to charge systems admins with hacking

Systems administrators in Texas could suddenly find themselves locked up if case law accepts a recent decision by 12 Texas jurors.

Sys admin Michael Thomas, 37, was found guilty under the Computer Fraud and Abuse Act, a verdict with a maximum sentence of 10 years in prison and up to $250,000 in restitution. What the court heard, though, was that Thomas had deleted files before leaving his job at the auto dealership software firm ClickMotive in 2011.

According to Wired, the prosecution presented evidence that Thomas intentionally harmed ClickMotive by combing through executives’ email, tampering with the network’s error-alert system, and changing authentication settings that disabled the company’s VPN for remote employees. He also deleted 615 backup files and some pages of an internal wiki.

However, as Thomas’s lawyer Tor Ekeland has pointed out, that was Thomas’s job. He added that Thomas wasn’t charged with the usual CFAA violation of “unauthorized access” or “exceeding authorized access,” but rather “unauthorised damages.” Ekeland said that the law is “dangerous for anyone working in the IT industry. If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.”

ClickMotive, which was later acquired by the larger auto dealership software firm DealerTrack, claims that those changes caused $140,000 in damages as they struggled to determine the extent of Thomas’s tampering.

The prosecutor claimed that Thomas wanted to harm ClickMotive as revenge after two of his fellow IT staffers were laid off. However, as his defence pointed out, he seems to have at least stopped far short of maximizing the amount of damage he could do.

Thomas went into the company’s offices the weekend before he quit—just days after those layoffs—to help defend the company against a denial-of-service attack on its website and to repair a cascading power outage problem.

Those 615 backup files he deleted were all replicated elsewhere on the network. “There was not a single communication produced at trial, a single written document that showed he wasn’t authorized to do what he did,” claimed Ekeland.

“All it took was your boss to say ‘that wasn’t authorized,’ you violated an unwritten policy, and bang, you’re hit with a felony.”

The Electronic Frontier Foundation attorney Nate Cardozo points to the prosecution as a dangerous use of the law, and one that should have been settled with a civil lawsuit.

Thomas’s defence team says they plan to ask the judge in the trial to overrule the jury under a Rule 29 motion, and if that fails, to seek an appeal.


Apple does not want to know how the FBI hacked its iPhone

Fruity cargo cult Apple is not going to try and force the FBI to tell it how it hacked the iPhone of the San Bernardino terrorist and what security hole it used.

Attorneys for Apple, speaking on background during a media briefing call on Friday, said that they believed the method used to unlock the iPhone 5c would be short lived.

FBI director James Comey admitted that the hack used to unlock the encrypted phone works on a “narrow slice” of devices.

Of course Apple’s attorneys were guessing. They don’t know what the flaw was, but argued that normal product development would see a fix for the flaw implemented down the line. A little bit of an odd argument. Apple is basically saying that it will fix a flaw it did not notice sometime in the future when it does not matter.

Apple is usually slow in fixing flaws in its software, and it is hard to see it fixing this one, if it finds it, for any reason other than rubbing the FBI’s face in it. Apple was extremely embarrassed when it told the world that its iOS system was so secure it would require it to write a backdoored version of the OS to allow the FBI access. Then an Israeli firm used one of the many security loopholes it has at its disposal to let the FBI in.

Microsoft faces jail over user alerts

Software giant Microsoft said that it will notify people if it thinks that accounts have been targeted or compromised by spooks working for nation states.

That could mean its executives could find themselves in clink in the UK, because a bill passing through parliament here specifically criminalises people that work for tech companies doing that, as we reported here yesterday.

Microsoft’s Scott Charney, a corporate vice president, said in a blog entry that it already tells people if their accounts have been compromised.

“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” Charney wrote.

Microsoft said it won’t provide detailed information about the attackers or their methods.

Twitter warns people about state hacking

Social media chatterer Twitter has warned some people that use its software that state sponsored hackers might have tried to pry open their accounts in a search for data.

Twitter hasn’t issued this kind of warning before, but Facebook and Google have both alerted people that they may be under state based attack.

Twitter didn’t say which state is behind the hacking but it’s believed that all the major powers indulge in this type of activity.

Only a small group of people were warned of the attacks by Twitter and it’s not entirely clear whether the state, or states, obtained anything of very much interest.

A Canadian organisation called Coldhawk told Reuters it had been warned by Twitter but it doesn’t appear to be particularly worried by the alert.

1.2 billion web credentials hacked

The Federal Bureau of Investigation (FBI) has filed documents that show 1.2 billion web credentials were stolen by a Russian gang.

According to Reuters, the FBI investigation was based on an announcement from security company Hold Security that it believed the Russian gang, called CyberVor, stole 1.2 billion credentials and as many as half a billion email addresses.

The FBI found posts in Russian hacking forums that a “mr.grey” either operated or had access to stolen data.

This “mister grey” had offered to make available account details for Facebook and Twitter users.

Hold Security revealed earlier this year that 420,000 websites were hacked, but this investigation is different.

US prosecutors have charged three men for alleged cyber crime offences for hacking into a number of websites, including JP Morgan Chase.

Third person arrested in TalkTalk case

The police have arrested a third individual after the recent hack of TalkTalk.

According to Reuters, police have detained a 20 year old man from Staffordshire and his address is being searched.

Last week police arrested a 15 year old boy in Northern Ireland and later in the week arrested a 16 year old boy on Thursday.

Both these boys have been released on police bail but the 20 year old is being held in custody for questioning.

TalkTalk said last week that not as many of its customers’ accounts had been accessed as it at first feared.

TalkTalk hack still huge

TalkTalk said today that the number of accounts hacked was “significantly less” than it first believed and issued figures to underline its claim.

Nevertheless, TalkTalk said that just under 1.2 million customer email addresses, names and phone numbers were accessed.

It also said that under 15,000 customers’ dates of birth were accessed, along with just under 21,000 unique bank account numbers and sort codes, and under 28,000 obscured credit and debit card details.

It said that the credit and debit card details can’t be used for financial transactions.

It said the Metropolitan Police investigation continues – today another youth, in London, is being questioned in connection with the attack.

Dido Harding, TalkTalk’s CEO said her company had decided to be as open, honest and transparent as it could be.

Boy bailed in TalkTalk case

The 15 year old boy arrested as part of the investigation into the TalkTalk hack has been released on police bail.

He was arrested on Monday and questioned by police overnight, and released on police bail first thing this morning.

Police in Ballymena, Northern Ireland, arrested the boy on suspicion of breaking the Computer Misuse Act.

Meanwhile, TalkTalk has moved to restrict people with contracts from simply leaving the service and taking their business elsewhere.

It will only release customers from their contracts if there is evidence that money has been stolen, and that is only a “gesture of goodwill”, the company said.

TalkTalk said over last weekend that the attack wasn’t as far reaching as it first thought.

The company has four million UK customers.