For an organization dedicated to not letting anything get by them, the Transportation Security Administration seriously dropped the ball this week when a full copy of its standard operating procedures for airport security leaked on the Web.

TSA officials said that the manual was posted online in a redacted form on a federal procurement Web site, but that the digital redactions were inadequate. They allowed computer users to recover blacked-out passages by copying and pasting them into a new document or an e-mail [Washington Post]. Among the information accidentally made public in the PDF: pictures of the passes that CIA officials and members of Congress use, as well as a list of the 12 countries whose passport holders are flagged for extra security checks. The document also revealed technical settings used by airport X-ray and explosive-detecting machines.

(more…)

SwiftHack, ClimateGate—whatever you want to call the response to hackers stealing and releasing a bevy of e-mails from the Hadley Climatic Research Unit (CRU) at the University of East Anglia in the U.K., the furor simmers still. Now, as the university begins its official inquiry into the incident, climatologist Phil Jones has stepped aside as the head of the CRU pending the result.

In addition, Penn State University said it would review the papers of Michael Mann, the RealClimate blogger and Penn State researcher whose name appears in many of the East Anglia e-mails. Mann responded to the criticisms of his words here.

(more…)

It started off innocently enough, with a Rickroll—when the first iPhone worm turned up in Australia two weeks ago, it changed its victim’s wallpaper to a portrait of “Never Gonna Give You Up” signer/Internet sensation Rick Astley. But now iPhone worms have turned malicious.

But by this week, some iPhones were victimized by the “Duh” worm, which steals personal banking info. Like the rickrolling original, the new malicious code targets only jailbroken iPhones—those on which that the owner has circumvented the Apple operating system to hack the phone. It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING. It redirects the bank’s customers to a lookalike site with a log-in screen [BBC News]. An iPhone could spread the worm to others that use the same wi-fi hotspot.

As for Apple’s response to the growing iPhone threats? Don’t hack your phone, genius. Apple spokesperson Natalie Harrison says, “As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably” [The Loop].

Only a small percentage of iPhone users hack the device, so relatively few people are susceptible to this latest attack. Yet some researchers say the worm confirms that attacks against mobile users are evolving, and that cybercriminals are targeting the personal and financial information kept on portable devices. The ability to communicate with a central command-and-control server–a characteristic more commonly associated with hijacked PCs–also makes such software more dangerous [Technology Review].

Related Content:
80beats: Sorry, Australian iPhone Users: You’ve Been Rickrolled
80beats: AT&T and Verizon Wireless Take Their Cat Fight to Court
Discoblog: Weird iPhone Apps, our compendium of the strangest things to do with your smartphone.

Image: flickr / William Hook

Many medical devices come equipped with wireless communication systems these days, allowing doctors to customize their operations or to see their patents’ information. But fitting pacemakers or implanted defibrillators with WiFi also opens the door to hackers‘ attacks. Hackers could potentially steal personal information, remotely drain batteries, or cause a dangerous malfunction, so researchers are working on ways to block them. The approach relies on using ultrasound waves to determine the exact distance between a medical device and the wireless reader attempting to communicate with it [Technology Review]. The plan is to only allow access to a medical device from wireless reading devices within 10 feet, and only then after a series of authentication steps. However, in the event of an emergency, the medical device would grant access to anyone within a few inches of the device. In other words, to anyone close enough to assist.

The research team also has to consider how much power their security measures will drain from the devices, which is a not-so-trivial point for a  battery-operated pacemaker. But Claude Castelluccia, who was involved with designing the security system, said that because the device won’t respond to requests that come from outside the predetermined distance, it would also be harder for an attacker to wear down the battery by forcing it to process one request after another [Technology Review]. To test their system, researchers recently implanted a medical device in the stomach of a cow, and they’re currently shopping their patented technology to potential developers.

Related Content:
Hackers Infiltrate Pentagon’s $300 Billion Fighter Jet Project
Cyber Attack Hits Government Web Sites; North Korea Is Blamed
“Soupnazi” Hacker Pleads Guilty to Stealing Millions of Credit Card Numbers

Image: flickr / library_mistress

The first worm to infect iPhones is squirming through phones in Australia, spreading the face of the 1980s pop singer Rick Astley throughout the land. On infected phones, the wallpaper changes to a glamor shot of Astley, with a line of type that declares “Ikee is never going to give you up.”

As savvy internet users know, the iPhone has just been Rickrolled. For several years, the bait-and-switch trick has caused internet users to click on a link that looks relevant or promising, only to be led to Astley’s 1987 video, “Never Gonna Give You Up.”

However, only iPhone users who have ‘jailbroken’ their phones will be affected by the worm. Jailbreaking an iPhone involves running a program that circumvents the official Apple operating system and allows users to run software on their phone that has not been approved by Apple [Telegraph]. The worm preys specifically on iPhone users who haven’t changed their default passwords on an application called secure shell (SSH), which allows file transfers between smart phones.

The iPhone worm doesn’t appear to be a malicious or criminal act. Instead, it seems to be half warning, half prank. Ikee’s author, who identifies himself or herself as “ikex” in the worm’s source code, also wrote in the code that “People are stupid, and this is to prove it so,” adding that users should read their phones’ manuals.”It’s not that hard, guys,” ikex writes. “But hey who cares its only your bank details at stake” [ Forbes].

The worm’s creator was later identified as 21-year-old Ashley Towns, a programmer who lives near Sydney; no word yet on whether Towns will face any repercussions for his trick.

Related Content:

80beats: How Did “Soupnazi” Allegedly Steal 130 Million Credit Card Numbers?
80beats: Attack That Took Down Twitter May’ve Been Aimed at Just One Blogger
80beats: Mystery of the Conficker Worm Continues: Does It Want to Scam or Spam?
80beats: Computer Virus Travels Into Orbit, Lands on the Space Station

Image: flickr / William Hook

The self-proclaimed spam king of the Internet, Sam “Spamford” Wallace, was ordered to pay Facebook $711 million in civil damages for slinging spam on the social networking site. Wallace allegedly accessed Facebook accounts without obtaining permission, and used them to make bogus wall posts and spam the account holders’ friends. Those actions run afoul of the CAN-SPAM Act of 2003, which sets guidelines for commercial e-mails, which are enforced by the Federal Trade Commission (FTC) [PC World]. The judge also referred Wallace to the U.S. Attorney’s Office with a request that he be prosecuted for criminal contempt, which means he could actually face jail time if convicted.

If you’ve ever received an unsolicited email (and who hasn’t), chances are good that it came from Wallace’s company, Cyber Promotions, which was once the largest source of spam. So not surprisingly, this isn’t the first time Spamford has run afoul of the law. In May, 2008, MySpace won a $230 million judgment against Wallace for sending junk messages. Wallace was also fined $4 million by the Federal Trade Commission in 2006 for his excessive pop-up ads [CNN]. Officials at Facebook said they don’t expect to see much of the $711 million, seeing as how Wallace is bankrupt and may soon have to send out his spam as hand written letters from behind bars.

Related Content:
80beats: Happy 40th Birthday, Internet! (Um, Again.)
80beats: Twitter Security Breach Reveals Confidential Company Documents
80beats: Attack That Took Down Twitter May’ve Been Aimed at Just One Blogger

Image: flickr / benstein

The 28-year-old hacker Albert Gonzalez who stole credit and debit card numbers from millions of people pleaded guilty on Friday to 19 counts of conspiracy, fraud, and aggravated identity theft. Gonzalez, also known by his handles “Soupnazi” and “Segvec,” reached a deal with the federal government on charges brought against him in Massachusetts and New York, where he and his co-conspirators stole more than 40 million card numbers from retailers like T.J. Maxx and Barnes & Noble. Gonzalez and his co-conspirators sold the numbers to others for fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs [PC World], according to the Department of Justice.

Gonzalez faces a prison sentence of 15 to 25 years in Massachusetts and a maximum sentence of 20 years in New York, but based on the terms of his plea agreements the sentences will be served concurrently. Gonzalez also agreed to pay restitution for the loss suffered by his victims, and to forfeit more than $2.7 million, plus real estate, a 2006 BMW, a Tiffany diamond ring and Rolex watches, the DOJ said. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard [PC World]. He’ll be sentenced in December for the Massachusetts and New York cases, but that’s far from the end of his legal troubles.

(more…)

A 28-year-old hacker has been charged in what federal prosecutors are calling the largest case of identity theft ever seen. The man, Albert Gonzalez, worked with two unnamed Russian conspirators to run wild through the computer networks of a handful of prominent corporations, including 7-Eleven, the supermarket chain Hannaford Brothers, and the payment processor Heartland Payment Center. The size of the heist—130 million credit and debit card numbers, according to prosecutors—have many people wondering: How exactly is such a massive theft carried out?

The Justice Department’s indictment (pdf) describes how Gonzales (a.k.a. “segvec” and “soupnazi,” among other aliases) and his co-conspirators pulled it off. They began the job by scanning lists of Fortune 500 companies for likely targets, and then visited retail outlets to scope out the payment systems used at checkout counters and to look for vulnerabilities. Then they would write specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card numbers, and sort through them using a “sniffer,” which is basically a data analysis system that decodes big chunks of information [The Atlantic].

(more…)

The cyber-attack that temporarily disabled Twitter and compromised Facebook and LiveJournal was politically motivated and was directed at a pro-Georgian blogger called Cyxymu, says a representative from Facebook.

The attack, which paralyzed Twitter for two hours and “degraded” service on Facebook, was one known as a distributed denial of service attack. This technique uses a network of tens of thousands of compromised computers, known as a “botnet”, to flood a website’s servers with page view requests, leaving legitimate traffic unable to get through. This huge amount of connection requests can quickly overwhelm a server and, in some cases, cause an entire website to crash [Telegraph]. It seems Twitter, a relatively new service with a U.S.-based infrastructure, couldn’t handle the surge in traffic, while Facebook and Google, which have many key services located internationally, were better-prepared for it.

It has not been confirmed who perpetrated the attack, but the blogger says he believes it could have been an attempt by the Russian government to squelch his criticism of over Russia’s conduct in the war over the disputed South Ossetia region, which began a year ago today. “Maybe it was carried out by ordinary hackers but I’m certain the order came from the Russian government” [Guardian], the blogger said. Such a widespread attack, some believe, would only be possible if the coordinator of the attack had access to significant resources.

(more…)

A French hacker broke into the email accounts of Twitter executives and employees, and now the cyber snoop is leaking business and personal info about company leaders to TechCrunch, an American blog, and Korben, a French blog. The hacker reportedly guessed passwords and gained access to several Gmail accounts, as well as accounts with Google Docs, PayPal, and other services.

TechCrunch received a compressed zip file of 310 confidential documents, including a complete Twitter employee list and salary information; food preferences of Twitter employees; confidential contracts with companies such as Nokia, Samsung, Dell, AOL, Microsoft, and others; a contact list of notable Web and entertainment personalities; meeting reports; [and] applicant resumes [PC World]. Now it’s up to the site to decide what information to publish. Thus far, TechCrunch has decided not to release anything that is personally embarrassing. Still, under the philosophy “News is what somebody somewhere wants to suppress; all the rest is advertising,” the site will release documents it considers relevant to the company. These include notes from executive meetings, the original pitch for a Twitter TV show, and certain company financial information.

(more…)

A bold and sophisticated cyber attack that began last weekend took down government Web sites in both the United States and South Korea, and South Korean officials have blamed their neighbors to the north for the onslaught. South Korea’s National Intelligence Service, the nation’s main spy agency, told a group of South Korean lawmakers Wednesday it believes that North Korea or North Korean sympathizers in the South “were behind” the attacks [AP].

The attack, which began on July 4, brought down the Web sites of U.S. agencies like the Treasury Department, the Secret Service, and the Federal Trade Commission, with some of the problems lasting for days. In South Korea, an attack that began Tuesday crashed sites belonging to the presidential Blue House and the Defense Ministry, among others. In both countries, the cyber strike also targeted a few large commercial Web sites. “This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level,” the National Intelligence Service said in a statement [The New York Times].

(more…)

Were you born after 1988 in a small state? If so, researchers would have a particularly good chance of figuring out your Social Security number. In a new study, researchers used publicly available data, including an individual’s place and date of birth, to guess the Social Security number that would have been assigned to that person. And the study’s authors say that cyber-crooks could use similar techniques for identity theft. “We live in a precarious time, where knowledge of a Social Security number, along with other information about one’s name and date of birth, is sometimes sufficient to impersonate another individual,” said Alessandro Acquisti, the study’s lead author [Bloomberg].

Acquisti’s team shared their results with the federal government, but the Social Security office is downplaying the findings; spokesman Mark Lassiter said there is still no “foolproof” method for predicting Social Security numbers. “The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail. However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year” [AP].

(more…)

Cyber spies have hacked into computers containing information about the U.S. Defense Department’s most expensive weapons program ever: the $300 billion Joint Strike Fighter, a fighter jet also known as F35 Lightning II. The intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft. The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together [The Wall Street Journal].

U.S. officials reportedly traced the hackers back to China, but experts note that it’s extremely difficult to determine the real origin of an online attack, as paths can be disguised and identities masked. Meanwhile, the Chinese Embassy said in a statement that China “opposes and forbids all forms of cyber crimes.” It called the Pentagon’s report “a product of the Cold War mentality” and said the allegations of cyber espionage are “intentionally fabricated to fan up China threat sensations” [The Wall Street Journal].

(more…)

The computer worm known as Conficker that has infected millions of PCs around the world stirred yesterday and raised new fears that the hackers behind the worm are gearing up to cause mischief, but experts say their intentions are still mysterious. The worm went active on April 1, but it didn’t seek to disrupt networks and didn’t harness infected computers to send out waves of spam. The lack of a clear business model for Conficker … had confounded researchers and analysts. In fact, it was one of the reasons why there was so much attention paid to the worm’s new communications scheme activation date: Everyone wondered what it would do on April 1 to monetize the effort spent collecting a massive botnet [Computerworld].

Over the past two days infected machines have begun to download additional software, but so far the results still haven’t been as dire as many experts originally predicted. According to varying reports, some computers are just preparing to run a small-scale scam on their users, while others have adopted an existing email worm that can steal passwords and send spam. The latter function may be more troublesome, some experts say. The consensus within the computer security industry is that although there are now some indications that Conficker’s authors are intent on building a giant spam system, there is no hard evidence. “This is just Step 5 in a thousand-step chess match,” [The New York Times], said security expert Vincent Weafer.

(more…)

Spies have hacked into the U.S. electrical grid and left behind software programs that could allow outside agents to seize control of the grid and disrupt the flow of electricity across the nation, according to a report in The Wall Street Journal.

The spies came from China, Russia and other countries, [national security] officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians” [The Wall Street Journal]. While officials say they traced the intrusions back to China, Russia, and other countries, experts say it’s nearly impossible to prove that the hacks were government-sponsored. The Chinese and Russian governments have denied any wrongdoing.

(more…)