The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.

Anyway, this whole scheme sounds like a case of people installed VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.

Plus the network infrastructure that was build to receive the logs via FTP upload, the criminals were pretty smart too – they even ‘backed up’ their stolen data to sendspace just in case their hosting got taken down.

Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.

Collected data from the loggers was posted by the malware to FTP “dump” sites on a number of Web servers in the US created with domains they registered through GoDaddy.com using stolen credit card data. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to sendspace.com, a file transfer site. Richard James of sendspace.com says that his company cooperated with the FBI in the investigation of the hack. ” Sendspace [is] a file hosting and transfer site used by millions every single day,” he said in an email to Ars Technica,”and as such can indeed be used for activities which are against our TOS and that we do not condone.”

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards “among other uses [to] place bets at local French ‘tobacco’ shops,” the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

According to a report by Schuman, Subway’s corporate IT and a credit card company discovered the data breach “almost simultaneously.” Subway Corporate Press Relations Manager Kevin Kane told Ars that “the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it.” He said the company wouldn’t discuss the measures taken, as “we don’t want to give away the blueprint” to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

It’ll be a pretty interesting case to watch either way, we’ll have to see what else gets discovered (and more importantly released to the public).

Subway corporate IT has taken some measures against this, but as it was franchisee stores that got owned – I don’t honestly see how much they can do. Unless they implement a complete new POS system (which is secure and preferably doesn’t run Windows and connect to the Internet).

POS in this case should well stand for Piece of Shit.

Source: Ars Technica

The thing that tickled me was, well there were two things actually..one that the challenge site was coded in ASP and the second was that you could avoid the whole cracking thing and find the solution page via Google by using the site: operand (O HAI).

Ok and another…the .css files aren’t absolute and don’t work outside of the home directory. I’m not surprised they are only paying £25,446 if this is the kind of talent they are hiring.

The GCHQ-set code-breaking puzzle was solved over the weekend.

The signals intelligence agency last week set a puzzle at canyoucrackit.co.uk in its attempt to unearth potential recruits beyond its traditional graduate programme. Late last week it emerged that the successful completion page for the puzzle was available by a simple Google search.

Many people have since cracked the code properly including Dr Gareth Owen, a computer scientist and senior lecturer at the University of Greenwich in England. Owen has posted a full video explanation of how to solve the three-part puzzle here.

Would-be code-breakers were presented with a 16×10 grid of paired hexadecimal numbers. The first stage involves recognising executable code as well as unpicking some steganography.

Stage two involves developing a virtual machine to execute code.

The challenge itself isn’t too bad, but it’s rather narrow in it’s scope – if you’re a x86 assembly kind of dude – you’ll be fine. If that aint your bag, you might struggle a bit with this – honestly it doesn’t fill me with hope for the future of the talent pool in GCHQ.

All negativity aside I personally applaud them for trying to do something different and trying to hire through different channels, it may well turn up some talent they wouldn’t normally be able to hire.

The final stage involves constructing a file with ‘gchqcyberwinAAAABBBBCCCC’ where A, B, C are the codes from earlier in the challenge. This code, when run, generates a web address which has the keyword (the web address is wrong if you put the wrong a,b,c in).

“The last stage contains a deliberate security hole, which GCHQ emailed me to say was deliberate to make solving the problem easier – but it turns out I took a short cut instead and bypassed this bit,” Owen explained.

Reaching the successful completion page was a “rather disappointing end to quite a lot of work,” as he puts it.

GCHQ is offering would/be applicants who crack the code a starting salary of just £25k, very low for a skilled job, as the Daily Telegraph notes.

Owen summed up the feelings of many when he told El Reg: “Why are we paying world-class cyber security experts what we pay passport-stampers at the border-control-agency?”

Anyway if you want to go directly to the job application, it’s here:

CYBER SECURITY SPECIALIST

Closing date for applications is 12 December 2011, so you’ve still got a little bit of time if you’re itching to earn £25K a year.

Source: The Register

Keep your dick in your pants son, especially if you want to expose the governments of the World with your rather comprehensive collection of cables.

Julian Assange has ditched his Swedish legal counsel and lined up a new defence team in readiness for a likely return to the country to face allegations of sexual molestation and rape against two women.

His new lawyers include Per Samuelson, who in 2009 represented Carl Lundström – one of the co-founders of notorious BitTorrent tracker website The Pirate Bay.

At the start of November, WikiLeaks founder Assange was ordered by a High Court judge in London to return to Sweden.

He was arrested by Scotland Yard police 11 months ago and was granted bail earlier this year, after his lawyers secured funds of around £200,000 from a number of celebrity friends.

Swedish prosecutors have repeatedly requested that Assange make himself available for questioning. They issued a warrant for the WikiLeaker’s arrest, however they are yet to file charges in the case.

The latest twist in the case is that he’s dropped his own Swedish defence lawyer and hired the chaps famous for defending TPB (The Pirate Bay).

Assange is actually supposed to be extradited to Sweden already but he’s fighting the extradition order tooth and nail, honestly I think he’s gonna be out of the UK soon and in hot water.

Assange is still fighting that extradition order. Lawyers acting for him in the UK filed appeal papers with the Supreme Court earlier this week.

But that really is his final chance to appeal against being banished from Blighty to Sweden.

Assange reportedly confirmed in a petition lodged with the Stockholm District Court yesterday that he wanted to work with attorneys Per E Samuelson and Thomas Olsson, according to the Local.

He ditched his previous lawyer, Björn Hurtig, who had represented the WikiLeaker-in-chief in Sweden since September last year.

Olsson told TT news agency that he has had only limited contact with Assange so far. “He’ll have to explain his motivation behind changing defenders,” the lawyer said, who is now reviewing Assange’s case.

Hurtig said there was no conflict between him and Assange over the legal team switch.

“You’ll have to ask him why he’s decided to change. But it’s not unusual that someone change lawyers and he’s chosen two superb new representatives. I wish him the best of luck,” he said.

It’ll be interesting to see what happens next, I’d imagine he changed lawyers because the previous chap couldn’t halt the extradition and he’s pinning his hopes on these two new chaps being able to keep him on British soil.

To be honest I haven’t really followed the whole affair very closely, but I found this piece of news interesting enough to comment on.

Source: The Register

It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on..

Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.

Within hours of talking about the exploit with Forbes’ security reporter Andy Greenberg, who published the details, Miller received an email from Apple: “This letter serves as notice of termination of the iOS Developer Program License Agreement … between you and Apple. Effective immediately.”

Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, “violated the developer agreement that forbid[s] him to ‘hide, misrepresent or obscure’ any part of his app,” Greenberg wrote.

He quoted Miller, who works for security consultancy Acuvant, “I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience.

It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you.

Miller, a former National Security Agency staffer, is a well-known “white hat” hacker (he made Network World’s recent list of “Security All Stars”), with expertise in Apple’s Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller “has found and reported dozens of bugs to Apple in the last few years,” Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg’s public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.

The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple’s restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg’s account.

Miller began to suspect a flaw when Apple released iOS 4.3 in March. He realized that to boost the speed of the mobile Safari browser, Apple for the first time had allowed javascript code from a website to run at a deeper level in memory. This entailed creating a security exception, allowing the browser to run unapproved code. According to Greenberg’s story, Apple created other security restrictions to block untrusted websites from exploiting this exception, so that only the browser could make use of it.

Miller wasn’t the only one to notice that Apple had done something different with Safari in iOS 4.3, but many didn’t understand what was actually happening. Various news sites and bloggers claimed that Web apps running outside of Safari, and its new Nitro javascript engine, were slower. Some suggested that Apple was deliberately slowing them down to make Web apps less attractive than native ones.

The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well that’s what we know in the public realm anyway, no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.

Source: Network World

Now whilst we wouldn’t quite expect that kind of oppressive behaviour from a country like Germany, they do seem to have a law enforcement monitoring trojan which is pretty nasty.

The trojan was initially examined by the infamous hacking group from Germany itself – Chaos Computer Club (CCC) and was apparently first discovered by Kaspersky Lab.

A Trojan used by German law enforcement authorities to intercept Internet phone calls is capable of monitoring traffic from 15 programs, including browsers and instant messaging applications.

The discovery was made by malware analysts from antivirus vendor Kaspersky Lab, who took apart the so-called lawful surveillance software, dubbed 0zapftis, Bundestrojaner or R2D2 by the security community. The Trojan was initially analyzed by famous German hacker collective the Chaos Computer Club (CCC), which determined that Skype is one of its targets.

The Trojan’s installer deploys five components, each with a different purpose, and Kaspersky has analyzed all of them, said Tillmann Werner, a security researcher with Kaspersky in Germany.

“Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,” he said. “Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.”

The trojan seems quite complex and technically quite adept – it had the capability to deploy various components in both 32-bit and 64-bit Windows operating systems.

It can infect 15 different applications, most of which are quite commonly found and prevalent on the majority of Windows based machines. Instant messaging (IM) software such as MSN Messenger, Yahoo! Messenger, Skype are covered and the major browsers (IE, Firefox and Opera).

It’s surprising to see Chrome is not in the list, it could be an editorial exclusion or it could just be the fact that Chrome is in fact pretty secure and they weren’t able to hijack it successfully.

The list of targeted applications includes major browsers, including Internet Explorer, Firefox and Opera, as well programs with VoIP and data encryption functionality, including ICQ, MSN Messenger, Yahoo Messenger, Skype, Low-Rate VoIP, CounterPath X-Lite and Paltalk.

On 32-bit Windows systems the Trojan uses a kernel-mode rootkit that monitors targeted processes and injects rogue libraries into them. However, on 64-bit platforms, the system driver is much more basic and only serves as an interface to modify registry entries or the file system.

Furthermore, it is signed with a certificate that isn’t trusted under Windows by default. This means that deploying the Trojan requires user confirmation, which might not necessarily be a problem for authorities, because they reportedly install it during border searches or similar interventions.

Kaspersky said its products detected the Trojan installer heuristically even before a sample was analyzed and signatures were added for it. However, those tools may not help if outsiders can manually add an exception in the program. Computer users can prevent outsiders from doing this by using a password to protect their antivirus configurations, and most products offer this option.

It seems though the trojan isn’t intended to be spread over the Internet or via networks, or in fact any self-propagating method. Which is good…

The law enforcement agency would plant the trojan during a raid/border search or so on. It certainly does seem effective, but then again Kaspersky detected it as malware before they even added a signature for it – which makes me suspect it could well be using components from other pre-existing malware.

We did report on what probably became this project back in 2008 when it first started – German Police Creating Law Enforcement Trojan.

Source: Network World

The latest news is they’ve been hit with a colossal lawsuit of almost $5 Billion! The lawsuit is regarding a recent breach involving a healthcare system for military personnel and their families.

It’s a pretty heavy suit, claiming $1000 for each of the 4.9 million people affected by the compromise.

The U.S. Department of Defense has been hit with a $4.9 billion lawsuit over a recently disclosed data breach involving TRICARE, a healthcare system for active and retired military personnel and their families.

The lawsuit, filed in federal court in Washington D.C. this week by four people whose data was allegedly compromised, seeks $1000 in damages for each of the 4.9 million individuals affected by the breach.

The suit charges TRICARE, the Department and Defense Secretary Leon Panetta with failing to adequately protect private data and of “intentional, willful and reckless disregard” for patient privacy rights.

TRICARE did not respond immediately to a request for comment. In the complaint, the four plaintiffs faulted TRICARE for failing to properly encrypt the private data in its possession and for taking too long to notify victims of the breach.

The four plaintiffs are Virginia Gaffney, a Hampton, Va.-based individual who described herself in court papers as the spouse of a decorated war veteran; her two children; and Adrienne Taylor, a Glendale, Az. Based Air Force veteran.

It’s an interesting culture the US has, people are always suing each other, bringing up lawsuits with ridiculous amounts and trying to get a free ride out of something that didn’t really affect them adversely.

Seriously, do you really think this data breach affected the plaintiff in any negative manner – I don’t see how it could of to be honest. Either way it’s an interesting case and it could potentially cost the already struggling US government a boatload of money.

TRICARE in September disclosed that sensitive data including Social Security Numbers, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after unencrypted backup tapes containing the data went missing.

The information on the tapes was from an electronic healthcare application used to capture patient data. The backup tapes were stolen from the car of an employee at Science Applications International Corp. (SAIC), a TRICARE contractor. The breach affects all those who received care at the military’s San Antonio area military treatment facilities between 1992 and Sept. 7. 2011.

Lawsuits such as this one have become increasingly common in the immediate aftermath of a major data breach.

Earlier this month, for instance, Stanford Hospital and Clinics was hit with a $20 million proposed class action lawsuit for a data breach involving a third-party contractor. And major breaches such as the ones at Heartland Payment Systems, TJX and Hannaford Bros. have all prompted their share of consumer lawsuits charging the companies with negligence, breach of contract and other charges.

In many cases, courts however have tended to dismiss lawsuits in data breach cases. Several courts have held that consumers cannot claim compensatory or punitive damages in data breach cases unless they can demonstrate that they have suffered actual monetary damage as the result of a breach.

The notion that someone might become the victim of ID theft in future because of a data breach cannot be used as a basis for claims, courts have held.

It’s a pretty huge breach seen as though the tapes stolen contained backups with 19 years of data on them, that’s a LOT of data. But then again, like I said above – they are unlikely to get anywhere with this as I don’t think they would have lost any money from this breach.

Once again it was due to a third party contractor being careless – as has been the case many times. And well in this case, if they do get hit with the lawsuit and need to pay out – they should pass it onto the contractor.

Source: Network World

As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.

It’s just plain wrong, and well the UK has already started tabling something like this back in September.

VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.

Yes VeriSign do manage all the .com and .net domains, but they aren’t technically ruled under the US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.

What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.

To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.

Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?

Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know – that basically allow US law enforcement agencies to take down domains as they please.

What I’m guessing, if this is implemented, it may well become a major target for Social Engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.

Source: The Register

It only lasted a few minutes but as the account has 120,000 followers – it caused quite a stir. It’s not known how the hackers who call themselves ‘Script Kiddies’ got access to the account, but my guess would be social engineering.

Hackers calling themselves the Script Kiddies took control of the NBC News Twitter account on Friday afternoon and used it to send out a series of hoax Twitter messages claiming there was a repeat terrorist attack on New York’s Ground Zero.

The Script Kiddies had control of the account, which has more than 120,000 followers, for about 10 minutes before it was suspended. During that time they sent three messages stating that hijackers had crashed two airplanes on the site of the Sept. 11, 2001, terrorist attacks. “This is not a joke, Ground Zero has just been attacked. We’re attempting to get reporters on the scene. #groundzeroattacked.” said one of the messages.

Then, a minute later, perhaps sensing that the jig was up, they wrote. “NBCNEWS hacked by The Script Kiddies. Follow them at @s_kiddies!”

That s_kiddies Twitter account was immediately suspended, but according to a cached version of the page, the group describes themselves as “Anonymous Supporters :: Hackers :: Exploiting simplistic methods with hilarious results :: Occasionally doing it for teh lulz :: We are The Script Kiddies.”

The hack was brought to an abrupt end fairly shortly and the perpetrators own Twitter account was also suspended – @s_kiddies.

No major damage was done, but it does interest me as to how this was achieved – it has happened numerous times to celebrities on Twitter. I would have thought a fairly serious news organization would have better controls and processes in place though.

This hack doesn’t have anything to do with the Anonymous group though, it seems to be for the lulz more than anything else.

This type of account compromise is a regular occurrence on Twitter, although it is typically celebrities, and not trusted news organizations, that fall victim. Often the accounts are taken over following a phishing attack. Script Kiddies did not respond to an email asking them how they managed to take over the NBC News account.

Script kiddies is a hacking term, referring to technically unsophisticated hackers who rely on automated scripts rather than hacking wiles to conduct their online attacks.

Friday wasn’t exactly a gold star day for accuracy on Twitter. Earlier in the day, an account associated with CBS News show “What’s Trending” erroneously posted a Twitter message citing rumors that Apple founder Steve Jobs had died. That message was quickly deleted and “What’s Trending” apologized.

I guess this may well be the new Web2.0 version of defacement for a new generation of Script Kiddies – breaking into high profile Twitter/Facebook accounts and spamming them with humorous or offensive updates.

I don’t think there will be any more to this story than what has already been published, I’m sure we’ll see many more similar cases in the future though.

Source: Network World

This is bad news and apparently has been in the wild for a while, some people are linking to deaths in Iran as the cert could be used to hijack Gmail accounts using a MITM attack.

If you want to check out the cert directly, you can do so here:

Gmail.com SSL MITM ATTACK BY Iranian Government – 27/8/2011

The story seems to originate here where a user in Iran noticed a MITM was being perpetrated on him – probably by his own ISP or government.

Is This MITM Attack to Gmail’s SSL ?

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider, a security researcher said today. Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service operated by the Mountain View, Calif. company.

“This is a wildcard for any of the Google domains,” said Roel Schouwenberg, senior malware researcher with Kaspersky Lab, in an email interview Monday.

“[Attackers] could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials,” said Andrew Storms, director of security operations at nCircle Security.

Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked. Details of the certificate were posted on Pastebin.com last Saturday. Pastebin.com is a public site where developers — including hackers — often post source code samples.

According to Schouwenberg, the SSL (secure socket layer) certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA. DigiNotar was acquired earlier this year by Chicago-based Vasco, which bills itself on its site as “a world leader in strong authentication.”

Vasco did not reply to a request for comment.

The cert is valid, which is scary. One thing which is currently unknown is how the cert got out there, if it was a hack or a leak or someone from the outside got access to the DigiNotar CA.

If you want more technical details on how to verify the cert, you can check this out:

Internet death sentence for DigiNotar’s Root CA!

Security researcher and Tor developer Jacob Applebaum confirmed that the certificate was valid in an email answer to Computerworld questions, as did noted SSL researcher Moxie Marlinspike on Twitter. “Yep, just verified the signature, that pastebin *.google.com certificate is real,” said Marlinspike .

Because the certificate is valid, a browser would not display a warning message if its user went to a website signed with the certificate.

It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.

Schouwenberg urged the company to provide more information as soon as possible.

“Given their ties to the government and financial sectors it’s extremely important we find out the scope of the breach as quickly as possible,” Schouwenberg said. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.

Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.

Today, Kaspersky’s Schouwenberg said “nation-state involvement is the most plausible explanation” for the acquisition of the DigiNotar-issued certificate.

Google have also mentioned in on their security blog here:

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

An update on attempted man-in-the-middle attacks

There was also quick action taken by both Mozilla and Microsoft.

It’s been pretty quiet really to say this is really a major issue, I hope more details come out about how this occurred. If you are using Firefox there are instructions on how to delete/distrust the DigiNotar CA here.

Source: Network World

Now here a strange case, a man climbs into a young girls bedroom in the middle of the night, threatens her with a baseball bat and then chains a bomb to her neck. His random instructions include e-mailing to a Gmail account and he leaves a ‘soft copy’ version of the ransom note on a pen-drive with the girl.

You can find the court docs here – Collar Bomber Complaint

The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn’t realize is that he also left his name, hidden deep in the device’s memory.

Court documents unsealed Tuesday describe the harrowing Aug. 3 incident, which began when a man broke into Madeline Pulver’s bedroom wearing a striped balaclava and wielding a black aluminum baseball bat. He told her to sit down and chained a black box around her neck.

He also draped a purple lanyard over the terrified girl with a note saying that the black box was a bomb. The note included ransom instructions for Pulver’s family, telling them to e-mail a Google address — dirkstraun1840@gmail.com — for further instructions. Also on the lanyard was a 4GB USB stick that contained a digital version of the note, saved as a pdf file.

The next 10 hours were a gruelling ordeal for the girl before a Sydney police bomb squad was able to determined that the threat was a hoax. But a closer look at the USB drive turned up a couple of files that the criminal thought he’d deleted. One of them, a version of the ransom note written in Microsoft Word, contained metadata about the document’s author, including his name: “Paul P.”

On Monday, U.S. authorities arrested Paul “Doug” Peters, 50, in La Grange, Kentucky, seeking to extradite him to Australia to face kidnapping and breaking-and-entering charges. It’s not clear why Peters attempted such a bizarre crime, but U.S. prosecutors say he once worked for a company linked to Pulver’s family. The girl’s father, Bill Pulver, is the CEO of voice recognition software company Appen Butler Hill.

There are plenty of metadata extraction tools such as Metagoofil and The Revisionist. And well even without those, after recovering the file you can just open it in Word and view the metadata.

I’m guessing this Paul Peters chap wasn’t so familiar with wear levelling and metadata. He should have known better, and well he was doing this for a ransom..so really he should have just bought a new pen-drive for the job.

But as we know well, these people don’t think like we do – that’s why they end up in the news.

Police collected footage from surveillance cameras in a library where a computer was used to access the Gmail account. The footage, along with the USB drive and circumstantial evidence, such as purchases made around the time of the incident, link Peters to the crime, prosecutors say.

Even if the collar bomber had known his name was on the USB drive, it would have been very hard to remove it, according to Frank McClain, an independent computer forensics expert.

As computer geeks and investigators know, when users delete a file from a computer the file isn’t deleted immediately from the hard drive. Instead, the computer takes note that the area of the disk where the file is stored is now available to be written over. So investigators can often recover at least snippets of data from files that are supposed to have been deleted.

With flash drives things are more complex, thanks to mechanisms built into the drives to prolong their lifespan. Because flash memory cells stop working after they’ve been overwritten too many times, flash devices use tricks called “wear leveling” to even out how the memory cells are used. A side effect of wear levelling is that it is “almost impossible” to completely erase data from a flash device, McClain said.

That can come in handy for people trying to recover photos or other files they’ve accidentally deleted, and there are many tools, some of them free, to help recover their data.

The collar bomber’s first mistake was thinking he could delete something completely from his USB stick. But he also erred by not altering the metadata in his Word document. When Word saves a document, it automatically saves data, such as the user’s login name, as part of the file. Office 2007 users can see this metadata by hitting the Office button, then “Prepare” and “Properties.”

Well there you go, an interesting mid-week story – not entirely sure what is going to happen to this guy. Doesn’t seem like a really strong case for extradition – he just seems like a complete nutcase.

He had a decent enough idea for extortion I suppose, just a really poor execution. Perhaps he’s been watching to o many Hollywood movies where these things seem really easy and nothing even goes wrong.

BTW if any of you readers out there see any cool new tools/techniques or news tidbits that I may have missed, I always welcome a heads-up so just hit me up on the Contact Page here.

Source: Network World