At some Subways, the sandwiches aren’t the only thing that’s
Security in the networked world of today isn’t always the easiest to understand, we’ll admit. But business owners, who are in a position of trust when it comes to customers’ debit and credit card transactions, should really be up on basic internet security. When they’re not, they literally give away their customers’ information to hackers. Case in point: about 150 Subway franchises, which, along with at least 50 other small retailers, caused 80,000 customers to lose a total of $3 million after they set up debit card scanners without proper security and encryption.
Here’s what happened: Though Subway distributes lists of security requirements to franchisees, some neglected to follow them. According to a Justice Department statement, in addition to disregarding encryption requirements, they installed cheap remote desktop software, the kind that lets a computer be accessed from another location. All hackers had to do was guess or otherwise determine the password for access, which, as all too many people have found out, isn’t very hard when your password is “password” or “12345.” Once they had that, the hackers were like kids in a candy store, and it took quite some time for anyone to notice what was going on.
It’s enough to make you take a good, hard look at your lunch joint’s manager, and, if he looks like he doesn’t know a trojan from a man in a toga, walk right back out that door.
Read more at Ars Technica.
Image courtesy of Brixton / flickr
What’s the News: Cyber attacks undertaken by another nation can be considered an act of war, according to a new Pentagon policy to be released in the next month. If you mess with the US online, the Pentagon has decided, it may retaliate offline, in the form of bombs, missiles, and other very real attacks. One military official sums it up thusly to the Wall Street Journal, which broke the story: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.” How exactly this stance will be put into practice, though, isn’t clear.
A hacked page on PBS’s site announces the perpetrators.
What’s the News: On Sunday night, PBS found itself the victim of a cyber attack by the group LulzSec, which hacked PBS’s site in retaliation for a Frontline episode about WikiLeaks whose tone they found unfavorable. The first evidence? A post on the NewsHour blog alleging that rapper Tupac Shakur, who died in 1996, was still alive and well in New Zealand. PBS responded quickly, but as late as Monday night at about 5:50 pm, according to Boing Boing, LulzSec still had access to the site. Their motivation, the group says in an interview with Forbes, is a mixture of “lulz and justice.”
It wasn’t too surprising when scientists first hacked into a car using its own onboard diagnostic port—sure, it’s easy to get into a car’s electronic brain if you’re already inside the car. Now the science of car-hacking has received a digital upgrade: Researchers have gained access to modern, electronics-riddled cars from the outside. And in so doing, they’ve managed to take control of a car’s door locks, dashboard displays, and even its brakes.
The oddest part of these findings, which were presented this week to the National Academy of Sciences’ Committee on Electronic Vehicle Controls and Unintended Acceleration, is that they weren’t entirely intentional: It was all part of an investigation prompted by the Toyota acceleration problems, and was meant to probe the safety of electronic automotive systems. But testing those systems’ safety also uncovered some flaws.
How It Works
The researchers took a 2009 sedan (they declined to identify the make and embarrass the manufacturer) and methodically tried to hack into it using every trick they could think of. They discovered a couple good ones.
Stuxnet seems to become scarier every time you hear about it. The sophisticated piece of malware came to the world’s attention in September; shortly thereafter we heard that it was perfectly designed to attack nuclear centrifuges, and in fact had disrupted some nuclear research in Iran. Now comes more news about how it works, and who might be using it next.
The security group Symantec has been trying to analyze and understand the waves of Stuxnet attacks against Iran, and now its researchers have found the base of the attacks, according to Symantec’s Orla Cox.
The new research, which analysed 12,000 infections collected by various anti-virus firms, shows that the worm targeted five “industrial processing” organisations in Iran. “These were the seeds of all other infections,” said Ms Cox. The firm was able to identify the targets because Stuxnet collected information about each computer it infected, including its name, location and a time stamp of when it was compromised. [BBC News]
Though Symantec isn’t naming the five targets in Iran, another security expert studying Stuxnet’s code, Ralph Langner, told CNET the likely target of the whole attack was the Natanz nuclear enrichment plant.
Over the last two years (and perhaps as long as four), hackers probably based in China have been targeting several huge multinational energy companies and using long-established techniques to extract information. That’s according to the computer security firm McAfee, which helped some of the companies fight back against the ongoing wave of attacks it has dubbed “Night Dragon.”
“We have confirmed that five companies have been attacked,” said Dmitri Alperovitch, McAfee’s vice president for threat research. He said he suspected that at least a dozen companies might have been affected by the team of computer hackers seemingly based in Beijing and who appeared to work during standard business hours there. “These people seemed to be more like company worker bees rather than free-spirited computer hackers,” he said. “These attacks were bold, even brazen, and they left behind a trail of evidence.” [The New York Times]
In a blog post about the attacks, McAfee CTO George Kurtz notes that the hackers took advantage of techniques that have been around for more than a decade. In fact, he says, their simplicity helped them to evade security software.
During the last two years — and up to four years — the hackers had access to the computer networks, focusing on financial documents related to oil and gas field exploration and bidding contracts, said Alperovitch. They also copied proprietary industrial processes. “That information is tremendously sensitive and would be worth a huge amount of money to competitors,” said Alperovitch. [Reuters]
When last we covered the hacking group Anonymous, its members were trying to bring down the websites of companies like PayPal and Mastercard that had withdrawn support from WikiLeaks under government pressure. Now hackers have a new political target: Groups like Anonymous are launching attacks to bring down government websites in Egypt and Yemen as a show of solidarity with the protesters there.
The website of President Ali Abdullah Saleh has become inaccessible as Yemenis stage anti-government protests. It follows attacks on the websites of Egypt’s ruling party and ministry of information this week. Last month Anonymous shut down some Tunisian websites, including the government’s official site. [BBC News]
Anonymous managed to bring down the Ministry of Information site in Egypt, as well as that of President Hosni Mubarak’s National Democratic Party. As was the case during the war over WikiLeaks, Anonymous hackers’ primary weapon has been distributed denial of service attacks.
Google extends its tendrils into new arenas so quickly that it’s difficult to keep up. This week the giant tech company is creating digital art museums, challenging the hackers of the world, letting you play doctor on your tablet, and messing around with fractals.
Google Art Project
Going to an art museum: Sure, it’s a great way to improve your cultural cachet, but it also makes your feet hurt. Fortunately for couch potato art lovers (or those of us who can’t fly all over the world on a whim), Google is bringing some of the world’s greatest museums to you through Art Project, which takes Street View technology into the Metropolitan Museum of Art, the Van Gogh Museum, and others.
The level of detail offered up by up to 14 billion pixels is pretty jaw-dropping. Take “The Ambassadors” by Hans Holbein the Younger at the National Gallery in London. It would be easy to ignore the sheet of music that sits on a table in the painting. But with the Google Art Project’s magnification, users can see that the sheet music actually has real music painted onto it. The user can zoom-in and see the individual notes and words with pin-sharp clarity. [Wall Street Journal]
For now just one painting from each of the participating museums is captured in such detail. More could come, and the project’s founder is also seeking a way to capture three-dimensional art, like sculpture.
A Chrome Challenge
For the first time, Google is taking its Chrome browser to Pwn2Own, a competition in which hackers try to break into the major Internet browsers, including Firefox and Internet Explorer. And the company is making things a little more interesting, kicking an additional $20,000 of prize money into the pool.
Today WikiLeaks founder Julian Assange, wanted in connection with sex-related charges in Sweden, turned himself in to the police in London. And while Assange’s personal troubles escalate, so does the online war over WikiLeaks.
Last week came the cyber attack against WikiLeaks.org, which hacker “Jester” claimed to have organized.
On his blog, Jester describes himself as a “hacktivist for good” and someone who is “obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” [Los Angeles Times]
That disrupted the site’s operation and left WikiLeaks scrambling. But this week the tide of hacking has turned: Hackers operating under the names Operation Payback or Anonymous are targeting sites that have withdrawn support from WikiLeaks during the current controversy.
Noa Bar Yossef, senior security strategist for Imperva, commented via e-mail to say, “Operation Payback’s goal is not hacking for profit. In the classical external hacker case we see hackers grab information from wherever they can and monetize on it. In this case though, the hackers’ goal is to cripple a service, disrupt services, protest their cause and cause humiliation. In fact, what we see here is a very focused attack – knocking the servers offline due to so-called ‘hacker injustice’.” [PC World]
It was late September when the world got wind of Stuxnet, the complex piece of malware that appeared to specifically target Iranian nuclear sites. Now, analysis of Stuxnet suggests it was almost perfectly designed to corrupt nuclear centrifuges, according to David Albright of the Institute for Science and International Security.
On Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart. In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed. [The New York Times]
Computer experts don’t know Stuxnet’s origin for sure, though the Times’ story drops a few cryptic hints of Israeli involvement. And further study of the attack shows that although Stuxnet appears calibrated to disrupt centrifuges, it could be easily adapted to seize the reins of other systems.
The widespread interconnection of corporate networks and use of SCADA systems [supervisory control and data acquisition] means that industrial infrastructure is increasingly vulnerable to software attack. Such control systems are used in virtually every industry—food production, vehicle assembly, chemical manufacturing—and are commonly exposed to insecure networks. This leaves them vulnerable to tampering, such as with Stuxnet, as well as intellectual property theft. [Ars Technica]