FBI Arrests 24 Cyber Criminals in an International Cyber Crime Takedown

The FBI has released details of an international operation directed at carding crime. The operation, described as the largest of its kind to date, led to the arrest of 24 individuals in 13 countries, 11 of them in the US.

Carding crimes involve stealing personal information such as credit card details, social security numbers and bank account details, and either using that data directly or selling it on for profit.

The arrests were the result of a two-year undercover operation led by the FBI. Of the 13 people arrested outside the US, six are from the United Kingdom, two from Bosnia, and one each from Bulgaria, Norway, Germany, Italy and Japan.

Manhattan U.S. Attorney Preet Bharara described the charges in a press release:

“The allegations unsealed today chronicle a breath-taking spectrum of cyber schemes and scams. As described in the charging documents, individuals sold credit cards by the thousands and took the private information of untold numbers of people. As alleged, the defendants casually offered every stripe of malware and virus to fellow fraudsters, even including software enabling cyber voyeurs to hijack an unsuspecting consumer’s personal computer camera. To expose and prosecute individuals like the alleged cyber criminals charged today will continue to require exactly the kind of coordinated response and international cooperation that made today’s arrests possible.”

Janice K. Fedarcyk, FBI Assistant Director in Charge, also commented on the operation:

“From New York to Norway and Japan to Australia, Operation Card Shop targeted sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. Spanning four continents, the two-year undercover FBI investigation is the latest example of our commitment to rooting out rampant criminal behavior on the Internet.”

The FBI also conducted more than 30 searches and interviews as part of the operation. The case is being handled by the Complex Frauds Unit.

25 Passwords and ATM PINs You Should Never Use

With password breaches happening left and right, no one is really safe. The one measure entirely within your control is never to reuse a password across sites, so that a breach at one site does not unlock your accounts everywhere else. Password managers such as LastPass and KeePass make this relatively hassle free. Yet a surprisingly large number of users still insist on one password for every website. Even worse, a massive number of users still seem to be using passwords like “password”.

Based on data compiled by Mark Burnett from a sample of over 6 million passwords, ESET has published a list of the 25 most commonly used passwords. Here is the list:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567


If your password is in the list, please punch yourself in the face and go ahead and change your password right now. You are a walking talking security disaster waiting to happen.

ESET has also published a list of the most common debit and credit card PINs. Here is the list, and once again, if your PIN is in it, change it.

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998
  11. 6969
  12. 1379
  13. 1997
  14. 2468
  15. 9999
  16. 7777
  17. 1996
  18. 2011
  19. 3333
  20. 1999
  21. 8888
  22. 1995
  23. 2525
  24. 1590
  25. 1235

Flame: World’s Most Advanced Malware Discovered

Security researchers at Kaspersky Lab have discovered a new piece of malware that was used to spy on targets in the Middle East. The attack has been highly targeted, infecting about 5000 computers across Iran, Israel, Sudan, Saudi Arabia and other unnamed countries. The malware, called Flame, runs on Windows and, once installed, can record audio conversations, take screenshots, sniff network traffic and log keystrokes, among other things.

Functionally, Flame is comparable to Stuxnet or Duqu but differs from them in several respects, above all in complexity. For those unaware, Stuxnet was used to target uranium enrichment facilities in Iran, while Duqu was used to steal sensitive information. Whereas Stuxnet and Duqu were single pieces of malware, Flame is a collection of modules comprising a Trojan, a backdoor and a worm. Where Duqu’s payload was about 300KB and Stuxnet’s about 500KB, Flame is a whopping 20MB. “The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine,” explained Alexander Gostev of Kaspersky Lab in a blog post.

 

Flame can also load additional modules after infection to extend its functionality, which makes it even more dangerous. Given its sheer complexity and its narrow targeting of Middle Eastern countries, the most plausible assumption is that it is the work of a nation state. According to Hungary’s Laboratory of Cryptography and System Security (CrySyS):

The results of our technical analysis support the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities. It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found.

At the time of its discovery, Flame was not detected by any of the 43 anti-virus products it was checked against.

Iran’s Computer Emergency Response Team is investigating the malware and has published a list of its capabilities:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of the infected system for specific file extensions and contents
  • Creating a series of screen captures when specific processes or windows are active
  • Using the infected system’s microphone to record ambient sound
  • Transferring the collected data to control servers
  • Using more than 10 domains as C&C servers
  • Establishing secure connections to the C&C servers over SSH and HTTPS
  • Evading dozens of known anti-virus, anti-malware and other security products
  • Capable of infecting Windows XP, Vista and 7
  • Infecting large local networks

You can read a detailed Q&A about the Flame malware, published by Kaspersky here.

Reckz0r Hacks Sony, Dox Available on Pastebin as Usual

Reckz0r is a known hacktivist who has been involved in many hacks and security breaches. What sets him apart is that he prefers to work alone and regularly exposes (wannabe) security experts who cannot secure their own websites. He has also consistently supported Anonymous and is active on Twitter.

This time, Reckz0r has brought us loot from Sony and, with a sense of drama, just in time for the court hearings of the LulzSec four. He has posted the data on Pastebin, and the Pastebin page also discloses an SQL injection vulnerability. Not everyone is excited about this hack, however. Discordian has criticised it, saying most of the data was already in the public domain. He wrote on Twitter:

These websites and emails in that pastebin are ALL publicly available, can you tell me where the vulnerabilities are listed?

The complete release is available on Pastebin.

In other news, Sony has recorded a loss for the fourth year in a row, this time ¥457 billion, of which ¥255 billion was in the last quarter alone. For comparison, Sony’s loss in the previous fiscal year was ¥260 billion. A large part of this year’s loss is attributed to the floods in Thailand and the earthquake and tsunami in Japan.

Pirate Bay Criticizes Anonymous for Virgin Media DDoS

UK ISP Virgin Media has started blocking access to The Pirate Bay, following a court order. The order covers five major UK ISPs, of which Virgin Media is the second largest in Britain. British Telecom (BT) is still in talks over the matter, despite having been asked to implement a block last year. The block on The Pirate Bay came after the British Phonographic Industry (BPI), which represents a number of record labels, aggressively pursued the case.

Furious over the block, The Pirate Bay has published enough tips for circumventing it to render it largely ineffective. On the bright side, the site recorded a traffic boost of 12 million visitors after the court order. However, when Anonymous came out in support of The Pirate Bay and decided to DDoS Virgin Media, The Pirate Bay was not pleased at all. The DDoS was carried out between 5 and 6 PM and took the Virgin Media website down for over an hour.

The Pirate Bay has made it clear that it does not support DDoS as a means of protest:

We believe in the open and free Internet, where anyone can express his or her views. Even if we strongly disagree with them and even if they hate us. So don’t fight them using their ugly methods. DDOS and blocks are both forms of censorship. If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists.

With this block, Virgin Media has become the first UK-based ISP to cut off The Pirate Bay. Legally, Virgin Media is not at fault; it is simply following a court order. Rather than accepting the order so readily, though, Virgin should have questioned the decision and followed BT’s example. ISPs should not be deciding what content reaches their users and what gets filtered; that runs against net neutrality and free speech. If they are being forced to censor content, as in this case, it is their duty to question such decisions, as BT did.

Norton 2013 Begins Public Beta, Introduces Windows 8 Support

Windows 8 is still several months away from being released; however, major software firms are already hard at work to ensure that their applications support the latest and greatest from Microsoft’s stables right out of the gate.

Earlier this month, Symantec kicked off the public beta testing phase of Norton 2013 series of products (Norton 360 2013, Norton Internet Security 2013, and Norton AntiVirus 2013). The biggest draw of Norton 2013 seems to be complete Windows 8 compatibility. In fact, Symantec has even tweaked Norton’s interface to make it better suited to Windows 8’s design aesthetics.


The official changelog for Norton 2013 is yet to be published. The only new feature that is readily apparent is bandwidth monitoring, which can hold back non-critical updates on expensive (metered) networks. Download Crew has spotted quite a few other minor tweaks: Norton Insight is now integrated with the firewall, and the Insight file reputation database is updated more quickly; SONAR (Symantec Online Network for Advanced Response), Norton’s behavioural heuristics engine, now works even in Safe Mode; and Norton now automatically downloads and installs the Norton Power Eraser tool if an infection is detected.

Head over to the official public beta forum to download Norton 2013. Keep in mind, though, that running a pre-release build of a security product on a machine you depend on is not recommended.

Gmail Starts Sending Suspicious Sign in Prevented Emails

I have been using Gmail for a few years now and have come to love its spam filtering and security, among other things. Gmail was probably one of the first free email providers to let users see where their account was last accessed from, and to add an extra layer of security with 2-step verification.

Some of Gmail’s most useful features are its ability to detect suspicious emails sent from your contacts, its alerts whenever suspicious activity takes place in your account, and its warning whenever a filter has been set up to forward your mail to another account.

However, many users never open the web interface and instead read their mail over IMAP, and notifying those accounts is harder. To address that, Gmail has started sending emails telling users that it has detected and prevented a suspicious sign-in from an unknown location.

Gmail Suspicious Sign in Prevented Email

The email which arrived in my inbox earlier today can be seen in the image above. The message reads:

Keith,

Someone recently tried to use an application to sign in to your Google Account, [redacted]. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

May 8, 2012 8:37am GMT
IP Address: 204.15.240.72
Location: Sunnyvale, California, United States

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at http://support.google.com/accounts?p=reset_pw

If this was you, and you want to give this application access to your account, complete the troubleshooting steps listed at http://support.google.com/mail?p=client_login

Sincerely,
The Google Accounts Team

This email approach from Gmail seems to be new and gives users who never visit the web interface a way to learn that someone is trying to get into their account. The message does not say whether the attempt used the correct password, so treat it as if it did: change your password as soon as you receive one, and turn on 2-step verification if you have not already.

If you need help generating strong passwords, you can check out 4 unique apps to generate strong passwords.


Update: For all those asking, I had already confirmed that this is a legitimate email, and a Gmail community manager has also confirmed it is legitimate in a Stack Exchange thread:

I am the Gmail Community Manager, and I can confirm that we do send email notifications in certain cases such as described here.

Always carefully check the URL and never enter your Google password on a page that is not hosted at google.com. For example, it is OK to enter your password at https://accounts.google.com or https://mail.google.com, but not gooogle.com, g00gle.com, etc.

Update 2: It turns out that Google is now actively blocking login attempts from services such as Plaxo. A thread on Dropbox’s forums reports similar emails being sent out to users.
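The community manager’s advice above, only ever type the password on a google.com page, is simple to state and easy to get wrong in code: a substring match catches gooogle.com but not accounts.google.com.verify-login.example, and a naive split misses the user@host trick. Here is an added example, not from Google or from the original post, that applies the rule with a proper URL parser and sorts the links in a message accordingly. The trusted-suffix list and the sample notice are constructed for the example.

```python
"""Sort sign-in links by whether a Google password may be entered there.

Added example, not Google's code and not from the original post. The rule is the
one the Gmail community manager states: HTTPS, and a host that is google.com or a
subdomain of it. TRUSTED_SUFFIXES and SAMPLE_NOTICE are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("google.com",)          # assumption: the only zone trusted with the password
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def is_trusted_password_page(url):
    """True only for https:// URLs whose host is google.com or ends in .google.com."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                        # plain HTTP can be rewritten in transit
    host = parts.hostname                   # lower-cased; userinfo ('user@') and port dropped
    if not host:
        return False
    host = host.rstrip(".")                 # 'google.com.' names the same zone as 'google.com'
    # Exact match or a dot-delimited subdomain: 'evilgoogle.com' must not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_links(text):
    """Split every URL in a message into links that may receive the password and links that must not."""
    result = {"ok_for_password": [], "never_enter_password": []}
    for url in URL_RE.findall(text):
        key = "ok_for_password" if is_trusted_password_page(url) else "never_enter_password"
        result[key].append(url)
    return result


# Constructed sample: a notice shaped like the one quoted above, with two look-alike
# links spliced in so the classifier has something to reject.
SAMPLE_NOTICE = """\
Someone recently tried to use an application to sign in to your Google Account.
Reset: https://accounts.google.com/signin/recovery
Help:  http://support.google.com/mail?p=client_login
Hurry: https://accounts.google.com@g00gle.com/login
Also:  https://accounts.google.com.verify-login.example/
"""
```

The http:// support link from the real notice lands in the "never enter password" bucket on purpose: it is fine to read a help page over plain HTTP, but a password page reached that way is not trustworthy even when the host is right.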

WhatsApp Security Woes; Hardcoded AES Key Used For Message Storage

It seems security is still an issue for WhatsApp. Previously, a vulnerability allowed anyone to remotely change the status message on another account simply by supplying the phone number tied to it.

The newest issue concerns the message store database that WhatsApp uses to log incoming and outgoing messages. The SQLite database sits in a directory that is only reachable on a jailbroken or rooted device, and it is encrypted with AES-192, but the key is hard-coded and static: every installation uses the same one.

So the entire contents of the database can be decrypted with the known key. The database, stored at /com.whatsapp/databases/msgstore.db on Android and ~/Documents/ChatStorage.sqlite on iOS, can be turned back into plaintext by handing openssl the key (note the ECB mode, which needs no IV):

openssl enc -d -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K 346a23652a46392b4d73257c67317e352e3372482177652c   # -K takes the raw key as hex; a space after -K is required

To make decryption even easier, an online portal was set up to do the deed: you still need a jailbroken or rooted device to get hold of the encrypted database, but then you can simply upload the file to http://www2.unsec.net/whatsapp/ and it will be decrypted. Bear in mind that uploading it hands your entire chat history to whoever runs that site; the openssl command above does the same job locally.

Last time, it took WhatsApp just under a week to patch the hole. Fixing this one will require a client update that introduces a new key, ideally one derived from device-specific data or from a secret the user supplies, and then re-encrypts the database under it. Rotating to another hard-coded key would only buy time until someone extracts that one too.
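To make that fix concrete, here is an added example (my own, not WhatsApp’s code) of how a client could obtain the database key without shipping it in the binary: derive it with PBKDF2 from a per-device secret and a random salt, and keep the salt and iteration count in a small header in front of the ciphertext so a reinstalled client can re-derive the same key. The header format, magic value, iteration count and function names are assumptions; the hard-coded key constant is the one from the openssl command above, kept only to show that it is 24 bytes (AES-192) and identical for everyone. The block derives the key; the AES step itself is unchanged and not shown.

```python
"""Per-device key derivation as an alternative to a static, hard-coded database key.

Added example, not WhatsApp's code. HARDCODED_KEY is the key quoted on this page;
the envelope format, magic value, iteration count and function names are my own.
"""
import hashlib
import secrets
import struct

# The key from the openssl command above: 24 bytes, so AES-192, and identical in every
# installed copy of the app, which is why one openssl one-liner opens any user's database.
HARDCODED_KEY = bytes.fromhex("346a23652a46392b4d73257c67317e352e3372482177652c")
KEY_LEN = len(HARDCODED_KEY)        # keep the cipher; change how the key is obtained

MAGIC = b"MSGSTOR1"                  # assumed header magic for the encrypted file
DEFAULT_ROUNDS = 100_000             # assumption: PBKDF2 work factor; raise as hardware allows


def derive_db_key(user_secret, device_salt, rounds=DEFAULT_ROUNDS):
    """Derive the database key from something an attacker does not get with the binary.

    user_secret: a passphrase, or a per-install random token held in the OS keystore.
    device_salt: random, stored next to the ciphertext; it need not be secret.
    """
    if len(device_salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.pbkdf2_hmac("sha256", user_secret, device_salt, rounds, dklen=KEY_LEN)


def pack_header(device_salt, rounds):
    """Header written in front of the ciphertext: magic | salt length | rounds | salt."""
    return MAGIC + struct.pack(">BI", len(device_salt), rounds) + device_salt


def parse_header(blob):
    """Return (salt, rounds, offset_of_ciphertext); raise on a malformed header."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted message store")
    salt_len, rounds = struct.unpack_from(">BI", blob, len(MAGIC))
    start = len(MAGIC) + struct.calcsize(">BI")
    salt = blob[start:start + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated header")
    return salt, rounds, start + salt_len


def new_store_header(rounds=DEFAULT_ROUNDS):
    """Create the random salt for a new device and the header that records it."""
    salt = secrets.token_bytes(16)
    return salt, pack_header(salt, rounds)
```

With this scheme an attacker who pulls msgstore.db off a rooted phone still needs the user secret, and a key recovered from one device is useless against another because the salts differ; the openssl one-liner above only works because neither of those is true today.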

UPDATE: As pointed out by a reader, the original research and analysis conducted on the database can be found in a PDF and there is also a WhatsApp Xtract application posted on XDA-Developers. Thanks Martina!

Sophos Security Threat Report 2012 Identifies Decline in Fake Antivirus Threats, but Increase in Infected Websites

Popular security firm Sophos has published its annual security report, which analyzes the major security trends of the year gone by. The latest report dives into the various security threats that we witnessed in 2011.

Sophos dubs 2011 the year hacking evolved from a way to steal money into a form of protest. The year saw Anonymous and its offshoot LulzSec capture the public imagination and dominate headlines. It also saw an increase in data theft, drive-by infections and Mac malware.

The full report, which spans 31 pages, is available for download or online viewing from Sophos’ website. Here are some of the key takeaways.

  • Since 2005, security breaches have compromised more than 500 million U.S. records alone.
  • In 2010, the costs of a data breach reached $214 per compromised record, and averaged $7.2 million per data breach event.
  • More than three years after its initial release, the Conficker worm was still the most commonly encountered piece of malicious software, representing 14.8% of all infection attempts seen by Sophos customers in the last six months.
  • There has been a sharp decline in the threat posed by fake antivirus products, but they were still responsible for 5.5% of infections in the last six months of 2011.
  • As a result of the Rustock botnet takedown (Rustock had been responsible for the largest volume of spam), global spam volumes dropped by about 30% in March 2011. Unfortunately, SophosLabs also saw an increase in spam carrying malware attachments.


  • According to SophosLabs, more than 30,000 websites are infected every day, and 80% of them are legitimate sites. Eighty-five percent of all malware, including viruses, worms, spyware, adware and Trojans, arrives via the web, and drive-by downloads have become the top web threat. In 2011 one drive-by kit, Blackhole, rose to number one: about 10% of detections are exploit sites, and about two-thirds of those are Blackhole sites.


  • 2011 saw Mac malware emerge as a genuine threat. Fake antivirus schemes such as MacDefender, Mac Security, MacProtector and MacGuard all surfaced during the year.


  • Windows may be the most attacked OS, but the primary vectors for compromising Windows machines have been exploits for PDF readers and Flash.

Redditor Uncovers the Mystery Behind the DuQu Trojan

Although most of the DuQu trojan was confirmed to have been written in C++, Kaspersky could not reach a conclusion about one particular section of the code. That section handles communication with the command and control servers and sits inside the payload.dll file. It appeared to have been written in an object-oriented language, but Kaspersky Lab engineer Igor Soumenkov said:

The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.

This mysterious section of code receives instructions and returns stolen data. Kaspersky Lab turned to the programming community for help deciphering it, and Reddit, being the community it is, offered some timely help.

Interestingly, the man who demystified DuQu is none other than Igor Skochinsky, who reverse-engineered the Kindle in early 2008. You can always visit his blog to refresh your memory. He goes by the handle igor_sk on Reddit, and his exact comment on DuQu was:

I can say with some certainty that the code in the snippets comes from the MSVC compiler, since its register allocator tends to use esi first. “pop ecx” instead of “add esp, 4” is another MSVC trait. Have a look at this presentation for a more formalized approach to compiler detection.

When confronted with the fact that Kaspersky had ruled out the MSVC compiler, he boldly claimed that the Kaspersky researchers were wrong. Redditors never fail to amaze me. This piece of information will be useful when dealing with the DuQu trojan and cutting off its communications with its command servers.
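To show the kind of byte-level check behind Skochinsky’s “pop ecx” remark, here is an added example (my own code, not Kaspersky’s or Skochinsky’s). After a cdecl call that passed one 4-byte argument the caller has to drop those bytes from the stack; MSVC prefers the one-byte pop ecx (0x59) while most other compilers emit the three-byte add esp, 4 (83 C4 04). The example counts which idiom follows each call rel32 (E8 + 4-byte displacement) in a blob and turns the ratio into a hint. The x86 encodings are standard; the thresholds and the two sample blobs are constructed by me and are not taken from DuQu.

```python
"""Count the MSVC stack-cleanup idiom in raw x86 code.

Added example, not Kaspersky's or Skochinsky's code. The byte encodings are standard
x86; the thresholds, function names and the constructed sample blobs are my own.
"""
import re

POP_ECX = b"\x59"                  # pop ecx            (1 byte, MSVC's choice)
ADD_ESP_4 = b"\x83\xc4\x04"        # add esp, 4         (3 bytes, GCC/others)

# call rel32 (E8 + 4 displacement bytes) immediately followed by one of the two idioms.
CLEANUP_RE = re.compile(
    rb"\xe8[\x00-\xff]{4}"
    rb"(?:(?P<pop>\x59)|(?P<add>\x83\xc4\x04))"
)


def stack_cleanup_stats(code):
    """Count call sites cleaned with `pop ecx` versus `add esp, 4`."""
    stats = {"pop_ecx": 0, "add_esp_4": 0}
    for m in CLEANUP_RE.finditer(code):
        stats["pop_ecx" if m.group("pop") else "add_esp_4"] += 1
    return stats


def guess_compiler(code, min_sites=5):
    """Crude verdict from the idiom ratio.

    A hint, not proof: the same bytes can occur inside data or hand-written assembly,
    and a proper check would also look at register allocation (esi first) and prologues.
    """
    s = stack_cleanup_stats(code)
    total = s["pop_ecx"] + s["add_esp_4"]
    if total < min_sites:
        return "unknown (too few call sites)"
    share = s["pop_ecx"] / total
    if share >= 0.8:
        return "MSVC-like"
    if share <= 0.2:
        return "not MSVC-like"
    return "mixed"


def _call(displacement):
    """Encode `call rel32` with a signed 32-bit displacement (helper for the samples)."""
    return b"\xe8" + displacement.to_bytes(4, "little", signed=True)


# Constructed samples (not DuQu bytes): eight one-argument calls, each followed by the
# cleanup idiom of one compiler family and a NOP (0x90) of padding.
MSVC_LIKE = b"".join(_call(0x40) + POP_ECX + b"\x90" for _ in range(8))
GCC_LIKE = b"".join(_call(-0x40) + ADD_ESP_4 + b"\x90" for _ in range(8))
```

On a real sample you would run this over the .text section only (for example the bytes of payload.dll’s code section), because matching E8 inside data or resources produces noise; that is also why the verdict insists on a minimum number of call sites.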