hackers

Stupid rock band totally pwns Google

Paul Boutin · 10/10/08 12:40PM

Google's Hot Trends page has been gamed before, but today's #1 spot is the best ever — a dorky-white-guys rock band named Captain Caucasian and the Raging Idiots. No KKK references, just a bunch of guys with guitars and a singer whose baseball cap is two sizes too big. While we wait for Clay Shirky and Cory Doctorow to explain how this is a huge, huge victory for real people over the evil corporate monster that is the music industry, Google, or maybe it's Starbucks, I crawled through the band's traffic-slammed website to dig up their video for "Bust a Move."

12-year-old does iPhone security QA

Paul Boutin · 10/09/08 12:40PM

"My twelve year old son brought to my attention a security bug he discovered on his iPhone," blogs programmer Karl Kraft. "He has an even more paranoid security mind than I do, because he primarily uses his iPhone to send and receive sweet nothings between himself and his girlfriend, and he is certain that his mother and I are desperate to intercept these messages." The poor kid doesn't realize his parents would be perfectly happy with an XML summary of the content. They could set alerts on it: WARNING sexual subtext identified. Steve Jobs has four kids, so don't tell me this isn't in the works.

Adobe: Amazon.com goof allowed free movie downloads

Jackson West · 09/30/08 10:40AM

Amazon.com's Video On Demand service, which allows you to preview and purchase streaming videos online, uses Adobe's Flash Media Server to deliver the video. Late last week, Reuters reported that hackers had discovered an exploit that would allow users to turn the free preview into the full stream, allowing folks to watch movies for free using software like Replay Media Catcher from Applian. Adobe took issue with Reuters' contention that Flash isn't secure — instead suggesting it was Amazon's fault for not enabling various security options such as streaming encryption and player verification. Why did Adobe choose to blame a customer instead of quietly fixing the problem behind the scenes? Probably seemed easier.

"Despicable, slimy, scummy websites" take revenge on Bill O'Reilly

Nicholas Carlson · 09/24/08 12:00PM

After a 4chan message board user broke into Sarah Palin's Yahoo Mail account and posted screenshots of her emails online, conservative Fox News pundit Bill O'Reilly went on the air and yelled about it. "I'm not going to mention the Web site that posted this, but it's one of those despicable, slimy, scummy websites," said O'Reilly on his show. "Everybody knows where this stuff is, OK, and they know the people who run the website, so why can't they go there tonight to the guy's house who runs it, put him in cuffs and take him down and book him?" 4chan management responded by changing the banner atop its random image posting board so that it read: "DESPICABLE, SLIMY, SCUMMY." One of the site's members took a more aggressive course of action, and hacked into O'Reilly's subscription-only site, BillOReilly.com, and posted the names, billing addresses, email addresses and passwords of 205 paying subscribers to Wikileaks and 4chan. In a statement, Wikileaks expressed no sympathy for O'Reilly — calling his site's security "nonexistent" — but had plenty for O'Reilly's attackers: "The hack was a response to the pundit's recent scurrilous attacks over the Sarah Palin's e-mail story — including on Wikileaks and other members of the press."

Palin email hacker's biggest misstep? Not being an HP exec

theodp · 09/24/08 09:20AM

As far as we know, David Kernell, the University of Tennessee student suspected of hacking into VP-wannabe Sarah Palin's email account, isn't thought to have done anything near the scale of HP's pretexting efforts that yielded the private records of its directors, employees and journalists. Nor did he order physical surveillance of Palin. Or seek to obtain her father's or spouse's records. Or hatch plans to infiltrate the governor's office with stooges. Or go through her trash. Or eavesdrop on her instant messaging. Or bug her email. So why did the HP execs and investigators get off scot-free (or with a 96-hours-of-community-service slap-on-the-wrist), while Kernell is having FBI agents raid his apartment? Ahhh, yes, money walks. Kernell may not. (Photo by AP)

Israeli hacker in jail ten years after U.S. military break-in

Jackson West · 09/24/08 01:00AM

Ehud "The Analyzer" Tenenbaum, who became world-famous when he and a number of fellow Israeli and California teens successfully exploited a vulnerability in Sun Solaris to gain access to computers at NASA, Andrews Air Force Base and the Department of Defense, is in jail. Earlier this month he was arrested in Montreal on suspicion of having helped defraud credit card companies of $1.8 million. Wired dug up a slickly produced, pretty entertaining video produced by the FBI a year after the intrusion. I happened to be in Tel Aviv when Tenenbaum turned himself in to Israeli authorities on the day he was set to report for compulsory military service — he was treated as something of a national hero, a symbol of Israel's technology prowess, with even then Prime Minister Bibi Netanyahu praising him as "damn good." Tenenbaum ended up with probation and community service instead of jail time. So it wasn't with much surprise when I read Tenenbaum's mother calling the arrest a frame-up by the FBI. The truth? The prepaid credit card scam described is a classic modus operandi in Canadian tweaker circles, at least as described in Zero Day Threat. And Tenenbaum certainly had the chops to pull it off, with the cast of fellow suspects who've been released probably participating as mules to make transactions. So once again, I'm betting Canadian dollars to donuts from Tim Horton's on meth.

FBI Nabs Man Who Guessed Sarah Palin's Password

Pareene · 09/22/08 02:03PM

So the vile HACKER who HACKED poor Sarah Palin and her precious emails? Some kid from Tennessee. His dad is a Democratic state representative, which means of course that he was paid by Barack Obama personally to HACK the shit out of that poor woman. The kid (the ALLEGED HACKER) is obviously a brilliant computer genius. Didn't you hear how he hacked all that hacking he hacked? He went to the "I forgot my password" screen and correctly guessed the answers to the "security questions." HACK HACK HACK. Now the FBI is going to throw him in jail for a zillion years, even though they should be arresting Yahoo, it seems like. The dumb kid brought it on himself by revealing the proxy server he used to hack hack hack, and his Anonymous buddies at 4Chan (NSFW) are either disavowing that he was truly anonymous or saying he's a SMOKESCREEN, or something. Internet, lol. [CNET]

How visiting 4chan busted the alleged Palin hacker

Nicholas Carlson · 09/22/08 12:40PM

Federal agents searched the apartment of a University of Tennessee student on Sunday they believe might be the hacker script kiddy who broke into Republican VP nominee Sarah Palin's Yahoo account and then posted its password to the subversive discussion board site 4chan.org. The feds pinpointed the accused's IP address after contacting the proxy service he used in an attempt to disguise his identity. Gabriel Ramuglia, who runs the proxy service, told Portfolio that only one of his users had activity which matched what the feds were looking for: someone who "visited Yahoo Mail, 4chan.org, and the Web addresses that were visible in the posted screenshots." The authorities won't say, but consensus has it the Tennessee college student under investigation is one David Kernell, a 20-year-old whose father, Mike Kernell, is a Democrat in the Tennessee state legislature. His email address is rubicon10@yahoo.com, which matches the name of a 4chan user — Rubico — who posted a detailed confession of the hack on the site last week. Also, whoever broke into Palin's account first changed the password to "popcorn," which could be a pun on Kernell's last name.

Hacker From That Times Story On Palin Emails: "i wish they'd done it properly"

Moe · 09/18/08 04:19PM

Perhaps yesterday's Sarah Palin email hack reminded you of that brilliant engrossing story the New York Times ran back in July about 4chan, the juvenile message board community of hackers, trolls and sundry internet misanthropes that pulled it off? The writer hung out with that molestation victim who wrote the nasty fake blog about that thirteen-year-old MySpace hoax suicide case and got his identity stolen by a hacker with a Rolls Royce named Weev. Well, we found the writer, Matt Schwartz*, on the internet to engage in a brief exchange on hackers, trolls, and why the Lulz Generation hates Sarah Palin. He even gets Weev to weigh in on how he might have done it better! A full interview after the jump.

SCHWARTZ: A few random thoughts:

1. The question of whether the email of public servants is public or private is an interesting question. Public servants now have reason to behave as if every email might be read aloud in court. This standard might not actually be in the public interest, in the long run. It might make it harder for public servants to do their job.

2. It appears Palin used passwords that were too weak, and didn't change them often enough. Passwords should not be real words. They should include at least three digits and at least one non-alphanumeric character. Example: foo&&b@x7978. That's what a strong password should look like.

3. Weev's take: i wish they'd done it properly screenshots? should have archived the mailspool and waited a few days for the logs to go away i figure someone is going to get seriously v& for this maybe not the person who actually did it but someone

MOE: Uh, v&?

SCHWARTZ: What? oh. I dunno. That's what he said. I'm guessing it means "fucked by the national intelligence establishment." If you run that please be clear that he is NOT taking credit.

MOE: Pareene wrote that the /b/ hacker didn't really seem to know what he was looking for and should have probably figured that out before sharing the password with the world. Do you think this sort of demonstrates the limitations of 4chan, like, ideologically? This was maybe their chance to get mainstream attention for doing something with a potential public interest.

SCHWARTZ: All this demonstrates is that 4chan knows how to break into people's email accounts. 4chan has no coherent ideology ... it's more like a series of memes/trends. It might have some sort of ideology but for the fact that it doesn't have a memory. It erases itself multiple times a day. Moot can't afford to archive stuff. Server space is too expensive. So it's really hard for people to follow 4chan for a long period of time. There's no institutional memory. People drop in and drop out. It's like a mosh pit. But I do think it's significant that you can have 4chan and other anonymous people breaking national news.

MOE: I guess Sarah Palin is the ultimate meme generation politician.

SCHWARTZ: What do you mean?

MOE: Her absurdity lends itself naturally to Lulz. Her averageness. Her momness. To the kid who doesn't remember Ollie North or Reagan or hear in her rhetoric the echoes of the destructive Reagan-era "culture wars", she is just a clueless lady with a funny accent and a bunch of fucked up kids. And like, of course her password is something stupid, you know?

SCHWARTZ: I guess you're right. She doesn't make me that angry, either. Nor am I especially interested in why she makes others angry. I was already angry. I've been angry for a long time.

MOE: Right, and if she doesn't make us that angry, she is definitely not making 4chan angry.

SCHWARTZ: It's interesting that all these pols use Yahoo! Or that Palin does. She writes pretty long emails. Very different from say, [former Philadelphia mayor and federal probe subject] John Street. The Alaskan government seems to have a rather vital textual culture. It has yet to succumb to the shorthand of the handheld thumbwriting favored by John Street, Eliot Spitzer, etc. What her email tells me is: "I am a mom. I write real, substantial, long, single-paragraph email with sincere expressions of my feelings."

MOE: Yeah, and those are just the earnest, near universally relatable sort of positive qualities 4chan CAN'T STAND.

Inside the mind of Sarah Palin's 4chan tormentors

Jackson West · 09/18/08 02:00PM

While loofah-licious Fox News blowhard Bill O'Reilly is busy tearing what little hair he has left out over "slimy, scummy" blogs, everyone has been focused on the content (or lack thereof) in the screenshots purported to be from a Yahoo email account used by Alaskan Governor Sarah Palin. But what about the clues to the methods and motivation behind the swarm of Internet users from 4chan's /b/ forum left in the screenshots? In this image, someone claiming membership in the lovable griefer army known as Anonymous emails Palin's friend Ivy Frye to let her know that the email account has been hacked. And it came complete with every browser tab and application running on the desktop. Let me take you on a journey deep inside the mind of an unknown operative who's changing the rules of politics — if not for the better, then certainly for the funnier.

Rogue IT guy costs city a million bucks

Paul Boutin · 09/10/08 12:20PM

Remember Terry Childs, the disgruntled San Francisco IT guy who locked other admins out of the city's network, but finally surrendered the passwords only to superuser-of-love Gavin Newsom? The city's Department of Technology has set aside $1 million to pay for upgrades to the network, which require a mix of pricey consultants and overtime pay for city workers. I hate to put it this way, but by showing the pooh-bahs how easily their critical information systems could be taken over, yet not making use of his takeover to harm anything other than his bosses' egos, Childs may have done us all a white-hat favor.

Sarah Palin — beauty queen, sportscaster, hacker

Alaska Miller · 09/02/08 02:40PM

Did you know Sarah Palin was a hacker, too? We already suspected there was nothing the Republican vice-presidential candidate couldn't do. While serving as Alaska's governor, she just had a baby. Even as she runs for office, she's preparing to be a grandma and planning her eldest daughter's not-so-coincidental wedding. Google has revealed the superwoman from the north's background as Miss Wasilla, her career as a sports journalist, and other highlights of her resume. But rifling through computer files for evidence? Not a problem for Palin. The Anchorage Daily News laid out how the VPILF used her technical savvy to discover evidence that suggested a state politician was in bed with the oil industry:

How do you clean a virus in space?

Tim the IT Guy · 08/28/08 02:40PM

The laptops up on the International Space Station have been infected with a virus — the W32.Gammima.AG worm, to be precise — which raises an interesting challenge: How do you wipe a computer clean when you're 217 miles away from Earth and moving at 17,000+ miles per hour? According to the BBC, the ISS isn't net-connected. All data is subject to scan before transmission upstairs. So the laptops were probably infected via flash drive before they left. The worm itself doesn't threaten the station — all it wants is your gaming passwords — and the laptops aren't connected to mission-critical computers. But the lack of an Internet connection makes fixing things tricky. The solution to the problem is the same one you would use for your grandma who refuses to get off of her 56K connection. Pack a free version of AVG and their update files onto a flash drive and talk them through the installation and cleaning process. Don't forget the part where they owe you a beer or dinner for helping them out. You have plenty of time to plan — the next supply run is due to leave on or about November 10 from Launch Pad 39A at Kennedy Space Center. (Virus-protein image by Allen Portner and Gopal Murti)

Facebook security a laughing matter for cofounder

Owen Thomas · 08/28/08 10:40AM

Officially, Facebook is treating the onslaught of viruses piggybacking on the social network's popularity as a very, very serious matter. We're talking Sheryl Sandberg serious. Facebook's press statement reads: "We are investigating every report, removing false content, blocking bogus links and addressing the concerns of our users. These efforts have limited the affected users to a small percentage of those on Facebook." The unofficial response from cofounder Dustin Moskovitz, posted on CEO Mark Zuckerberg's Facebook profile, is much more fun:

Virus mimics Facebook's hated Beacon ads

Nicholas Carlson · 08/26/08 12:20PM

Facebook CEO Mark Zuckerberg should be relieved to learn that someone is at last "leveraging the social graph," as he might put it, for financial gain. Problem is, it's not Facebook. It's hackers pulling a phishing scam. A tipster tells us his friends at Facebook are busy fighting a virus that tricks a user into opening "a YouTube phishing site," delivered in the form of a Facebook message from one of the user's Facebook friends.

Red Hat server break-in hushed up

Paul Boutin · 08/22/08 04:20PM

"Last week Red Hat detected an intrusion on certain of its computer systems," says a security advisory from the leading Linux vendor. "The intruder was able to sign a small number of OpenSSH packages," in what seemed like an attempt to place something into the company's downloadable enterprise software packages. Red Hat's spokespeople say they don't believe any hacked packages were distributed, but still. Most security scare stories are about potential problems. This was a real, successful break-in at the open source movement's most high-profile brand. So here's the big question: Why did it take Red Hat a week to acknowledge the problem? Because I can imagine the reaction if Microsoft did that. (Photo by Eric Skiff)

FEMA phone system hacked to make free calls

Alaska Miller · 08/22/08 09:00AM

Although not as hardcore as the British hacker that did his work over 56k, another hacker should be commended for his ability to hijack FEMA phone systems and make $12,000 worth of free phone calls this weekend. The Department of Homeland Security was apparently upgrading FEMA's voicemail system with outdated Private Branch Exchange (PBX) technology but failed to configure the security settings properly. The phreak was able to exploit a vulnerability and use Homeland Security's own phones to ring up countries like Afghanistan, Saudi Arabia, and Yemen. Which all proves that Michael Chertoff was right to fear the power hackers have over inept government bureaucracies. [AP] (Photo by gthills)