Scams
Can you trust Chinese computer equipment?
Can you trust Chinese computer equipment?: Via ITworld.
China may not only be breaking into Google's network, but giving people deliberately bugged technology gear. Can we trust any technology that comes from China?
As you surely know, Google has accused China of hacking into its systems and is considering pulling out of China altogether. The U.S. government is taking this seriously, and Google has partnered with the NSA (National Security Agency) to get to the bottom of this. What you may not know is that the United Kingdom's MI5 -- Americans can think of this as a combination of the FBI and CIA -- has reported that the Chinese government has been giving UK executives electronics with built-in security holes.
According to the Sunday Times, "A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of 'gifts' and 'lavish hospitality.' The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers." [ Read more ... ]
Hackers Steal Millions in Carbon Credits
Hackers Steal Millions in Carbon Credits: Via Threat Level.
Credit card numbers are so passe. Today’s hackers know the real powerhouse data to steal is emission certificates.
That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.
The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. [ Read more ... ]
Pentagon Report Calls for Office of ‘Strategic Deception’
Pentagon Report Calls for Office of ‘Strategic Deception’: Via Danger Room.
The Defense Department needs to get better at lying and fooling people about its intentions. That’s the conclusion from an influential Pentagon panel, the Defense Science Board (DSB), which recommends that the military and intelligence communities join in a new agency devoted to “strategic surprise/deception.”
Tricking battlefield opponents has been a part of war since guys started beating each other with bones and sticks. But these days, such moves are harder to pull off, the DSB notes in a January report (.pdf) first unearthed by InsideDefense.com. “In an era of ubiquitous information access, anonymous leaks and public demands for transparency, deception operations are extraordinarily difficult. Nevertheless, successful strategic deception has in the past provided the United States with significant advantages that translated into operational and tactical success. Successful deception also minimizes U.S. vulnerabilities, while simultaneously setting conditions to surprise adversaries.”
The U.S. can’t wait until it’s at war with a particular country or group before engaging in this strategic trickery, however. “Deception cannot succeed in wartime without developing theory and doctrine in peacetime,” according to the DSB. [ Read more ... ]
Bank sues victim of $800,000 cybertheft
Bank sues victim of $800,000 cybertheft: Via Computerworld Security News.
In twist, Texas bank sues business customer, claiming cybertheft not its fault
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.
PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." [ Read more ... ]
FBI Illegally Gathered Phone Records And Misused National Security Letters
FBI Illegally Gathered Phone Records And Misused National Security Letters: Via American Civil Liberties Union.
Congress Must Curb NSL Abuse Through Patriot Act Revisions
FOR IMMEDIATE RELEASE
CONTACT: (202) 675-2312 or media@dcaclu.org
(212) 519-7829 or 549-2666 or media@aclu.org
WASHINGTON – According to a report in the Washington Post today, the FBI routinely claimed false terrorism emergencies to illegally collect the phone records of Americans for four years of the Bush administration by abusing an already expansive Patriot Act power. Using “exigent letters,” or emergency letters, to gain private records for investigations when no emergency existed, the FBI seemingly violated the Electronic Communications Privacy Act. The FBI also routinely issued National Security Letters (NSLs) after the fact in an attempt to legitimize the use of exigent letters. [ Read more ... ]
FBI Broke Law Spying on Americans’ Phone Records, Post Reports
FBI Broke Law Spying on Americans’ Phone Records, Post Reports: Via Threat Level.
An internal audit found the FBI broke the law thousands of times when requesting Americans’ phone records using fake emergency letters that were never followed up on with true subpoenas — even though top officials knew the practice was illegal, according to The Washington Post.
The inspector general’s follow-up report on the so-called “exigent” letters — an investigation that started in 2007 — is due in a few months. E-mails obtained by the Post showed that responsible agency officials informed superiors in 2005, but the practice continued for two more years.
While it looks as if the nation’s top law enforcement agency routinely violated the nation’s wiretapping laws for years, it seems no one will actually be prosecuted since the violations are being judged as merely “technical.” [ Read more ... ]
Fishy Android apps may have been malware, says researcher
Fishy Android apps may have been malware, says researcher: Via Computerworld Security News.
Dubious apps appear, then disappear, from Google's Android Market
Suspicious applications that may have stolen users' online banking credentials have appeared on the Android Market, the Google-run app store for its mobile operating system.
Although the potentially-malicious applications first appeared on Google's online mart in December, news of them went public only today as several outlets and security companies noticed warnings posted by banks and credit unions. Google has since removed the applications from the online market.
One of those financial institutions, BayPort Credit Union of Newport News, Va., posted its alert Dec. 22 about a rogue Android app that promised its members easy access to their online banking. "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users financial information," said BayPort's warning.
First Tech Credit Union of Portland, Ore. -- it also has branches in Salem and Eugene, Ore., as well as in the Seattle, Wash. area -- issued a similar warning the same day. [ Read more ... ]
FBI investigating online New York school district theft
FBI investigating online New York school district theft: Via Computerworld Cybercrime/Hacking News.
A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation.
For three days starting Dec. 18, cybercriminals started transferring money overseas from the accounts of the Duanesburg Central School District, which has two schools with about 950 students about 20 miles west of Albany, New York. [ Read more ... ]
The Decade’s 10 Most Dastardly Cybercrimes
The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.
It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium. [ Read more ... ]
Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack
Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.
The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.
While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”
Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]
Cyberthief Seeks Hit Man to Kill Informant
Cyberthief Seeks Hit Man to Kill Informant: Via Threat Level.
A convicted credit card thief and bank fraudster has pleaded guilty to solicitation of murder. He attempted to put out a contract on a federal informant.
Pavel Igorevich Valkovich, 28, admitted last week that he discussed hiring a hit man to kill the unidentified informant in a drive-by shooting. He submitted his guilty plea the first day of his trial on the murder-for-hire charge.
According to authorities, last January, Valkovich discussed paying a hitman $10,000 (.pdf) to kill the informant. In the conversation with someone he met in prison, he indicated that he wanted a silencer used in the murder. [ Read more ... ]
TJX Hacker to Plead Guilty to Heartland Breach
TJX Hacker to Plead Guilty to Heartland Breach: Via Threat Level.
Admitted TJX intruder Albert Gonzalez has entered into a plea agreement on charges that he hacked into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two other unnamed national retailers.
The revelation comes in a filing made by Gonzalez’s attorney in U.S. District Court in New Jersey, where the Heartland charges were filed in August.
A federal judge on Tuesday officially transferred the New Jersey case to Massachusetts, where Gonzalez is seeking to merge it with two other cases in which he’s already pleaded guilty.
Gonzalez, a former Secret Service informant known by the online nicks “segvec” and “Cumbajohnny,” was charged in New Jersey in August, along with two unnamed Russian hackers. They were accused of stealing more than 130 million debit and credit cards from card-processing company Heartland and the other target companies. [ Read more ... ]
"Godfather of Spam" goes to prison for four years
"Godfather of Spam" goes to prison for four years: Via Law & Disorder Section - Ars Technica.
Alan Ralsky, the so-called "Godfather of spam," was yesterday sentenced by a federal judge in Detroit to spend the next 51 months of his life in prison for wire fraud, mail fraud, and violations of the CAN-SPAM Act.
Not content simply to move boxes of pills or to sign people up for new mortgages, Ralsky's operation instead pulled in millions of dollars through "pump and dump" schemes of thinly traded stocks in companies you've never heard of. [ Read more ... ]
Judge Calls Bull on ‘Psycho-Acoustic’ Beatles Covers
Judge Calls Bull on ‘Psycho-Acoustic’ Beatles Covers: Via Threat Level.
A federal judge dealt what may be a death blow to a Santa Cruz, California, company marketing Beatles music and other tunes as 25-cent downloads, despite the company’s claim that the tracks were computer-generated cover versions produced by a process called “psycho-acoustic simulation.”
EMI and other labels sued BlueBeat a month ago, and a federal judge late Wednesday blocked sales from the site after declaring BlueBeat’s technical claims suspect. BlueBeat’s defense rested, in part, on copyright law allowing musicians to produce cover versions of songs for a licensing fee. [ Read more ... ]
Feds Charge 3 With Comcast.net Hijacking
Feds Charge 3 With Comcast.net Hijacking: Via Threat Level.
Three alleged members of the hacker gang Kryogeniks were hit with a federal conspiracy charge Thursday for a 2008 stunt that replaced Comcast’s homepage with a shout-out to other hackers.
Prosecutors identified Christopher Allen Lewis, 19, and James Robert Black Jr., 20, as the hackers “EBK” and “Defiant,” known for hijacking Comcast’s domain name in May of last year — a prank that took down the cable giant’s homepage and webmail service for more than five hours, and allegedly cost the company over $128,000.
Visitors to Comcast.net had been redirected to a simple page reading “KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven.” [ Read more ... ]
Beyond Security Theater
Beyond Security Theater: Via Schneier on Security.
[I was asked to write this essay for the New Internationalist (n. 427, November 2009, pp. 10–13). It's nothing I haven't said before, but I'm pleased with how this essay came together.]
Terrorism is rare, far rarer than many people think. It's rare because very few people want to commit acts of terrorism, and executing a terrorist plot is much harder than television makes it appear. The best defenses against terrorism are largely invisible: investigation, intelligence, and emergency response. But even these are less effective at keeping us safe than our social and political policies, both at home and abroad. However, our elected leaders don't think this way: they are far more likely to implement security theater against movie-plot threats. [ Read more ... ]
4 Hackers Indicted in $9.5 Million Bank Card Attack
4 Hackers Indicted in $9.5 Million Bank Card Attack: Via Threat Level.
Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay. They allegedly used an army of flunkies to steal $9.5 million in cash from ATM machines around the world in a span of hours.
Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3” were indicted by a federal grand jury in what’s being described as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”
The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack. [ Read more ... ]
Trick or Tweet? Malware Abundant in Twitter URLs
Trick or Tweet? Malware Abundant in Twitter URLs: Via Threat Level.
As many as one in every 500 web addresses posted on Twitter leads to sites hosting malware, according to researchers at Kaspersky Labs who have deployed a tool that examines URLs circulating in tweets.
The spread of malware is aided by the popular use of shortened URLs on Twitter, which generally hide the real website address from users before they click on a link, preventing them from self-filtering links that appear to be dodgy.
Kaspersky, an anti-virus and computer security firm based in Moscow, created a tool called Krab Krawler, which extracts URLs from millions of Tweets a day. The tool expands shortened URLs to examine words in the web address for those matching known malware sites. For unknown sites, Kaspersky visits the webpage to determine if it’s hosting malicious code that could infect visitors. [ Read more ... ]
EFF fights 'censorship' with Takedown Hall of Shame
EFF fights 'censorship' with Takedown Hall of Shame | NetworkWorld.com Community: Via NetworkWorld.com Community.
The Electronic Frontier Foundation today has aimed a demonstrably potent weapon -- the spotlight of public shame -- at those corporations and individuals who abuse copyright claims to stifle free speech.
From an EFF press release:
"Free speech in the 21st century often depends on incorporating video clips and other content from various sources," explained EFF Senior Staff Attorney and Kahle Promise Fellow Corynne McSherry. "It's what The Daily Show with Jon Stewart does every night. This is 'fair use' of copyrighted or trademarked material and protected under U.S. law. But that hasn't stopped thin-skinned corporations and others from abusing the legal system to get these new works removed from the Internet. We wanted to document this censorship for all to see." [ Read more ... ]
Cybercrooks Trick Gawker Into Serving Malware-Laced Ad
Cybercrooks Trick Gawker Into Serving Malware-Laced Ad: Via Threat Level.
Remember when the global economic crisis was supposed to drive legions of desperate, unemployed computer programmers into cybercrime? It turns out the real threat comes from unemployed advertising agents.
Scammers posing as the well-known ad agency Spark-SMG tricked Gawker Media into running a fake Suzuki ad last week that served malicious code, according to a report in Silicon Alley Insider. A similar scam hit the New York Times in September. Unlike the newspaper, Gawker has released the e-mails it exchanged with the scammers, and the messages show just how confidently the perps navigated the ad-buy process. [ Read more ... ]
Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices
Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices: Via Threat Level.
Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer’s default password.
Linksys routers had the highest percent of vulnerable devices found in the United States — 45 percent of 2,729 routers that were publicly accessible still had a default password in place. Polycom VoIP units came in second, with default passwords lingering on about 29 percent of 585 devices accessible over the internet.
“You can reflash the firmware or install any software you wish on vulnerable devices,” said Salvatore Stolfo, a Columbia University computer science professor who is overseeing the research project aimed at uncovering vulnerable appliances on the internet. “These devices will be owned and used by bot herders and other miscreants.” [ Read more ... ]
Facebook, Twitter users beware: Crooks are a mouse click away
Facebook, Twitter users beware: Crooks are a mouse click away: Via CNN.
If you're on Facebook, Twitter or any other social networking site, you could be the next victim.
That's because more cyberthieves are targeting increasingly popular social networking sites that provide a gold mine of personal information, according to the FBI. Since 2006, nearly 3,200 account hijacking cases have been reported to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance.
It starts with a friend updating his or her status or sending you a message with an innocent link or video. Maybe your friend is in distress abroad and needs some help.
All you have to do is click. [ Read more ... ]
Sneaky Microsoft plug-in puts Firefox users at risk
Sneaky Microsoft plug-in puts Firefox users at risk: Via computerworld.
Patches critical bug, exploitable because of add-on silently slipped into Firefox last February
An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves the browser open to attack, Microsoft's security engineers acknowledged earlier this week.
One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site. [ Read more ... ]
Twitter Adds a Report Spam Option
Twitter Adds a Report Spam Option: Via Mashable.
Twitter spammers have been put on notice. Starting today, each profile on Twitter now includes a “report [username] for spam” link. When clicked, the feature alerts you that it will immediately block the user and report them to Twitter for review.
To date, Twitter has been using the @spam account to allow users to quickly report spam messages via direct message. The “report spam” link should make this process a bit easier and more readily apparent for users of the Web interface.
Spam has been an ongoing problem with Twitter as it’s grown in popularity. We’ve discussed how spammers frequently target trending topics, as well as mass follow users in an effort to get them to click on links. Hopefully, this will be another step in alleviating the problem.
Texas Statute Paves Way for Highway Robbery
Texas Statute Paves Way for Highway Robbery: Via Blog of Rights: Official Blog of the American Civil Liberties Union.
Last Friday, the ACLU and the ACLU of Texas submitted a brief to the Texas Attorney General’s office arguing that a District Attorney in East Texas should be barred from using money unfairly taken from motorists under Texas’s asset forfeiture law to defend herself from a lawsuit brought by motorists who claim that their property was taken illegally.
The District Attorney, Lynda K. Russell, is accused of participating in a scheme in which police officers routinely pulled over motorists in the vicinity of Tenaha, Texas without cause, asked if they were carrying cash and, if they were, ordered them to sign over the cash to the town or face felony charges of money laundering or other serious crimes. The seizures were purportedly made under Texas’s asset forfeiture law, which enables authorities to seize the profits of crime without a conviction. However, authorities had no evidence that plaintiffs were engaged in any criminal activity. None of the plaintiffs was arrested or ever charged with a crime. [ Read more ... ]