Saturday, December 31, 2011

"Merry LulzXmas" Says Lulzsec

XMAS eve was not a happy day for U.S. security firm Stratfor when a hacktivist group Lulzsec stole credit card, email and other confidential data in activism against the prosecution of Bradley Manning’s in US Courts. Lulzsec and Anonymous are hacktivist groups who target firms rightly or wrongly using hacking tools to portray a political message. As opposed to hackers who hack for profit.These two groups have been protesting the prosecution of Bradley Manning who is alleged to have leaked confidential US cables on WikiLeaks. The trial is ongoing in the US.

Lulzsec published the XMAS message below when it released the full list of hacked account details in a 50 mb file. I have deleted the source of this file as I would not encourage my users to download it.

 I am sharing this message on my blog as it aptly illustrates the hacktivism thought process.


1.     _____                          
2.      /     \   __________________ ___.__.
3.     /  \ /  \_/ __ \_  __ \_  __ <   |  |                                                      MERRY
4.    /    Y    \  ___/|  | \/|  | \/\___  |
5.    \____|__  /\___  |__|   |__|   / ____|
6.            \/     \/              \/    
7.                                                                                                        LULZXMAS
8.    .____          .__         ____  ___                      
9.    |    |    __ __|  | _______\   \/  / _____ _____    ______
10.  |    |   |  |  |  | \___   /\     / /     \\__  \  /  ___/
11.  |    |___|  |  |  |__/    / /     \|  Y Y  \/ __ \_\___ \
12.  |_______ |____/|____/_____ /___/\  |__|_|  (____  /____  >
13.          \/                \/     \_/     \/     \/     \/
14.   
15.   
16.                                                                        #AntiSec™    (wtf? we hate copyright...)
17.   
18.   
19.  > Can I haz candy?
20.  > :3
21.                                               
22.  Greetings Global Pirates! Having fun riding the waves of the Global Financial Meltdown?  We sure are.
23.   
24.  Did Bradley Manning get his fancy LulzXmas dinner yet?
25.   
26.  hm... guess not.
27.   
28.  Still trying to lock him up for life?
29.  Still think we're just joking around?
30.  That's OK. The time for talk is over.
31.   
32.  So now let's talk... about XXXX:
33.  It's time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor.
34.  But that's not all: we're also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who's ever registered on Stratfor's site.
35.   
36.  > ...
37.  > WTF?!?!
38.  > Did you say 860,000 accounts????
39.  > Did you notice 50,000 of these email addresses are .mil and .gov?
40.  > XXXX men...we're pretty much screwed up now...tinfoil hat please here..
41.  > yeah, for the lulz \:D/
42.  > sounds illegal...
43.  * /me phones police
44.  > holy shit, like frontal crash at 180mph!!!
45.  > :P
46.  > lol xD
47.   
48.  We almost have sympathy for those poor DHS employees and australian billionaires who had their bank accounts looted by the lulz (orly? i just fapped).
49.  But what did you expect? All our lives we have been robbed blindly and brutalized by corrupted politicians, establishmentarians and government agencies sex shops, and now it's time to take it back.
50.   
51.  We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havok upon the systems and personal email accounts of these rich and powerful oppressors. Kill, kitties, kill and burn them down... peacefully. XD XD
52.   
53.  Is that it? 0h hell n0.
54.   
55.  On New Years Eve, there will be "noise demonstrations" in front of jails and prisons all over the world to show solidarity with those incarcerated.
56.  On this date, we will be launching our contributions to project mayhem
57.  by attacking multiple law enforcement targets from coast to coast.
58.  That's right: once again we bout to ride on the po po. Problem, officer? umad?
59.                                                                       
60.  Candiez, pr0n and cookies for LulzXmas:

61.     What follows is an Online dump of stratfor data – names, password, the works . I have removed the links to the five sites used,

Friday, December 30, 2011

Happy New Year 2012

Dear Readers,

Wish you and your families a Very Happy New Year

I would like to thank you all for your support and kind encouragement to my opinions on security. I never expected to have such a large readership when there are so many choices on the Internet, and my site was just one of those 80 million or so. This has greatly encouraged and motivated me to work actively towards the cybercrime awareness and Cybersafety.

 Until Next Year

Cheers
 Lucius

Ideology drives both Hacktivism and Online Piracy

2011 could very well have gone down as the year of Hacktivism. Hacktivism is the use of computers as a means of protest to promote political ends on the Internet, akin to regular activism and civil disobedience using hacking tools. Organizations like Anonymous and Lulzsec targeted attacks against high profile companies and governments linked to the ongoing campaign against WikiLeaks, made Hacktivism a buzzword. There were other similar campaigns against political targets in Russia and other countries. Most of these campaigns are ideological, not for profit movements.

Online piracy is also growing at rapid pace. According to reports piracy in books, movies, games, films and software results in a 200 billion US$ loss annually. Most piracy is undertaken by net users who buy and share on file sharing sites.  Most of those who share and others who download believe that there is nothing incorrect in doing so, taking in justification in what they believe is the high price charged by companies. In short, the act of sharing is also ideological, though there is an element of individual monetary gain for net pirates.

Wednesday, December 28, 2011

Subtle, poorly drafted Government Regulation aims to police a free Internet

From October 2011 we have seen attempts by various governments to impose some form of regulation on online content. These regulations focus on copyright violation and obscene content. While there may not be too much ambiguity on the definition of copyright, we know that many countries turn a blind eye to piracy. In case of obscene content the definition varies by country based on local laws and people’s sentiment.
Changing government sentiment may see a restructuring of the Internet and the imposition of technical controls to subdivide the Internet and regulate its use. This will have an impact on online businesses, law enforcement, investments in web firms and the business models of Internet firms. Access to the Internet is virtually ruled by Search Engines and any move to bar a website from search results can have a dramatic result on the firm’s business. Most of the confusion also arises from the drafting of such bills which generally aim to be so broad that they confer sweeping powers to the government. In case of SOPA any US consumer who uses a website overseas immediately gives the US jurisdiction the power to potentially take action against it.
I have highlighted two examples which depict the changing times:
Obscene Content
This week a court in India has summoned over 20 websites to face trial for criminal conspiracy for selling and publicly exhibiting antisocial and antireligious content contained obscene picture and derogatory articles pertaining to Prophet Mohammad, Jesus Christ and various Hindu Gods and Goddesses. The court felt that these contents were disrespectful to the religious sentiments and faith and seem to be intended to outrage the feelings of religious people whether Hindu, Muslim or Christian. In the last few months there has been an attempt by the Indian Government to regulate online content which is defamatory and antisocial which led to a widespread public outcry. The UK government too tried to introduce similar regulation which was also met by a similar public outcry.

Read More: TOI 24 Dec 11 Court summons Facebook, others for ‘obscene content’

Copyright
According to Wikipedia “In a bill brought out in the US called SOPA or Stop Online Piracy Act, the US Government wants to in act a law on October 26, 2011 that expands the ability of U.S. law enforcement and copyright holders to fight online trafficking in copyrighted intellectual property and counterfeit goods.
 The bill would allow the U.S. Department of Justice, as well as copyright holders, to seek court orders against websites accused of enabling or facilitating copyright infringement. Depending on who requests the court orders, the actions could include barring online advertising networks and payment facilitators such as PayPal from doing business with the allegedly infringing website, barring search engines from linking to such sites, and requiring Internet service providers to block access to such sites. The bill would make unauthorized streaming of copyrighted content a felony. The bill also gives immunity to Internet services that voluntarily take action against websites dedicated to infringement, while making liable for damages any copyright holder who knowingly misrepresents that a website is dedicated to infringement”
Related Reads:

Censoring the India Web ! Why shoot Kapil Sibal?

Cry over Censorship is Simply an Attempt to Evade Regulation by large online businesses

 Eight Political Issues around Security and Privacy in Cyberspace

Tuesday, December 27, 2011

Ridding oneself of Digital Trash to prevent Identity Theft

I think humans have a tendency to hoard. It is not unusual to undertake an annual house cleaning exercise to get rid of the items we once thought to be extremely important? Another characteristic is the tendency to dispose and not destroy. I am quite certain many of us simply throw out our posts without shredding irrespective if they are bank or credit card statements. Companies do so too, as I read in a blog post of a that a recent UK study reveals that up to 40 per cent of London’s commercial bins contain confidential business documents, such as email print outs, letters and reports, many of which contained sensitive personal information.
I have never seen an article on the consequences of hoarding digital trash. Digital Trash represents those thousands of documents that we store on all forms of storage in our possession over the years. I am sure that all of us have several years of email archives, and documents in our folders which we believed important but simply lie there waiting for the time when the hard disk is replaced, or we lose our flash drive or someone steals our storage. The consequences of this loss on personal data or even personal confidential data can be catastrophic. I know a few people who have had sleepless nights!
I must confess that I too suffer from this digital hoarding addiction. Though my exposure may be limited as there were a few rules, which I have followed judiciously such as:
1.    I do not store sensitive information on my mobile phones. All my emails once downloaded on my desktop are deleted automatically from my mobile devices
2.    I do not store much information online or on free email
3.    I do not carry portable drives, though I use one at home. No pen drives, and if I do, I ensure all data is removed
4.    I also shred important  paper document before disposal at home and in office
I will henceforth add a fifth rule, to eliminate digital trash and undertake a routine digital housekeeping exercise which I would strongly recommend to you all.
Related Reads:  3G,Cell Phones, Social Networking and the not so Innocent Obsession

Friday, December 23, 2011

A Security Analysis of Google Transperancy Report


Google publishes every six months a transparency report on the number of requests it receives and action taken from government agencies and courts around the world to remove content from our services and hand over user data. Removal requests ask for removal of content from Google search results or from another Google product, including YouTube.

The report excludes data on content removed by default by Google which violate its content policies such as pornography and copyright requests which are primarily received from private parties. This report is a significant first step and should be adopted by other social media sites.

Content Removal
Content removal requests are primarily in eight categories ranging from defamation to hate speech. Content requests are sometimes due to violation of local laws. The two categories that stand out are content deletion for Defamation and Privacy/Security.

The most shouted category Government Criticism seems to account for a low volume of requests. It seems that this category may be touted more vigorously by media when Governments try to regulate Internet content. We have seen this recently in India.




User Data Requests
User data requests ask for information about Google user accounts, primarily for detection or prosecution of criminal activities. Volumes seems low for the amount of content stored online but is increasing at a steady pace. I for one, would have expected this category to have much more requests, but the low volume is perhaps a reflection of the difficulty in tracing cybercrime due to the unavailability of trained law enforcement officers, cross juridiction issues and limitations of cyberforensics.



Related Reads : Censoring the India Web ! Why shoot Kapil Sibal?

 Eight Political Issues around Security and Privacy in Cyberspace

Thursday, December 22, 2011

IBM 5 in 5 Predicts the Demise of Passwords

Every year IBM releases IBM 5 in 5 which is a forecast of the five Innovations that will change the Tech Landscape in the next five years. The successes of IBM’s predictions seem to have mixed but beside PR, IBM derives value by forcing the entire company to think along these predictions.
One of 2012 predictions is on the future of passwords.
The name "multifactor biometrics" sounds as intriguing as the thrillers that use it as a plot device. In real life, the use of your retinal scan or your voice as a passport to verification will replace multiple passwords for access to information and secret hideouts, should you decide to accept the option. Your unique biological identity becomes your only password as multifactor biometrics aggregate these characteristics in real time to prevent identity theft.
There seems to be a fair possibility of this prediction coming true in the 3-5 years timeframe. Building biometrics into smartphones and tablets may spur adoption. I believe companies and government may be early adopters. Biometric’s as a substitute to passwords still have a few challenges to overcome such a cost, reliability and unknown unknowns that may result in biometric compromise in the future.
The full value of biometrics will however be derived if normal Internet users can use them for commerce transactions on the Internet, which I believe will be largely driven my marketplace economics. Adoptions by large credit card firms such as VISA and Mastercard may tilt the balance.
So in a nutshell, its wait and watch! No relief in sight just yet.
My expectations are that in the short term the number of passwords will reduce via
  1. Cloud based Identity Brokers who will help individuals authenticate to a single source and then authenticate them to Internet Sites
  2. Use of Open ID by major social networking sites
  3. Enhanced strength of passwords through a second factor authentication means using a photo or a code
  4. Increased use of virtual keyboards to key in passwords to defeat key loggers

Wednesday, December 21, 2011

Youngest Team attempts to Raid an ATM in Mumbai

My most read blogpost ironically happens to be "12 Ways to Steal Money from an ATM? Just kidding!". Yesterday two slum children aged 12 and 15 smashed open an unguarded ATM with a iron rod trying to make off with the cash. They were caught before they reached the cash box by a police patrol.

There were a few thoughts that struck me when I read this news report. Firstly, this may be the youngest team ever to attempt such a robbery, secondly their creativity and ingenuity in figuring out that there was lots of money in the ATM, that a portion of it was plastic and could be broken off by a rod, thirdly that they even figured out that they needed to hide their faces from the CCTV and lastly the planning that went into the attempted heist.

Truly Amazing !

Read the full article: Times of India 21 Dec 12  2 boys smash ATM with rod, nearly steal 21 lakh

Related Reads
 "12 Ways to Steal Money from an ATM? Just kidding!"

Lady Gaga social media Hack is a warning to celebrities to ensure their PR firms invest in information security

Phew. The hacking is over! And just in time, I'm on my way to Japan! So excited to spend Xmastime with my TokyoMonsters! I also want to thank Little Monsters for making tomorrow the 20th Marry The Night Download Day. You are so sweet + generous, I love u. Xx Ready for redwine and 12 hrs of napping. Is it weird I like flying because I can sleep and my t-t-telephone has no service? #stopcallin wee!
Was one of the latest posts on Lady Gaga’s facebook page after her Twitter and Facebook account had been hacked and several posts/tweets went out promising her fans iPad’s.
On FaceBook
"Lady Gaga's new iPad comes out in 3 days!
"So for the next 72 hours we will be hosting a massive giveaway to all the Mother Monster fans. Sign up and receive your special Lady Gaga edition iPad in time for the Holidays! For contest rules and registration visit the link below."
And Twitter
"Monsters, I'm giving away FREE ipad2's to each one of you in the spirit of the holidays :)"
Fans normally follow celebrities and fake links on celebrity events, news and rumours are popularly used to lure fans to click on spam or malicious links sending such messages viral.
Compromise of a legitimate site with millions of users is the holy grail of celebrity hacks as there is instant access to a wide population of trusting fans. In this case 100000 fans clicked on the links. The usual recommendation of think before you click holds no good when the attack comes from a site of high credibility. No wonder it caused Lady Gaga Stress. I am happy that her team has been able to quell the hack and remove the links.
I advised in my post “Celebrities at High Risk from Hackers” those big celebrities who use social media like Twitter and Facebook to interact with fans and hire media firms to manage these accounts, should ensure that their teams with access to the celebrity’s account and personal data protect its confidentiality through the use of security best practices.
I believe that the current Lady Gaga hack is an apt example of the risks celebrities’ face.

Monday, December 19, 2011

Spies set honey traps on social networks to obtain strategic information

Online temptation the art of using search engines to honey trap businessmen, politicians, bureaucrats and military officials “was an article I wrote seven months ago on the use of Social Networks to honey trap for corporate and military espionage. The Indian government today requested senior paramilitary and armed force personnel to stop flaunting their career information on such sites or stay away altogether. Many of these personnel posed in official uniform to impress people including girls. They became easy target for “across the border honey’s” who enticed them further with video chats and other types of conversation designed to extract strategic information or blackmail. This channel was also used to introduce malware onto sensitive government computers which is a high security threat. The government has decided to monitor social network pages of officials in sensitive positions, particularly those in border positions.
Honey traps have been effectively used by petty thieves. Do read a previous post on “Entrapment for Theft”

Reported Examples

Times of India 20 Dec 12 Indian Army Colonel honey-trapped by ISI, probe ordered
Excerpt: A Colonel was cultivated by a woman when he was posted in Bangladesh for a military course in one of the institutes of the neighbouring country. The relationship developed into a love affair sometime in the middle of this year.The Colonel was approached by ISI operatives based in Bangladesh, asking him to work for them. Sources said the Colonel also received letters threatening to put up on the Internet photographs of him in compromising position with the woman, as well as to send them to Delhi, if he failed to work for the ISI

Sunday, December 18, 2011

Six Actions Governments must take to build a Secure Cyberspace

The rate of growth of cyberspace fuelled by individuals and businesses has been rapid.  The advent of smartphones has ensured a network of over 5 billion internet devices. Cloud computing and smart phone apps are major drivers of online commerce. Internet has entered utilities, businesses, homes, and even cars. Governments use cyberspace to provide egovernance to their citizens.
As interconnectivity and online transactions grew so did three major cyber risks – corporate espionage, cyber warfare and cyber crime. The rate of growth of these three risk vectors have left most governments underprepared and underinvested in building strong national and international cyber ecosystems. The rapid growth rate of a free Internet coupled with the not so technology savvy bureaucrats left governments without any relevant policy on building a strong ecosystem for the development and protection of national cyberspace. Bridging the gap requires a multibillion US dollar investment in building cyber institutions, cyber policy and domestic cyber development capability in products, services and training.
The six focus areas and related laundry list below should ideally  be enacted/executed in partnership with Industry and academia.
1.    Create an ecosystem for development of domestic cyber protection capabilities
a.    Capability to build secure products for the national cyber ecosystems
b.    Incentives for tech entrepreneurs to invest in security product development
c.    Labs and standards for evaluating and certifying products as security compliant
d.    Policies or regulation to ensure critical national infrastructure players invest in security defenses
e.    Set-up standard bodies for development and promulgation of security standards
f.     Enhance existing bodies like CERT for better incident response and vulnerabilility reporting
g.    Develop better online monitoring mechanism to detect hostile activities on the Internet

2.    Create an ecosystem for safe business transactions
a.    Capability to build tools for fraud detection and control
b.    Bodies that will establish trust in online identities such as identity service providers who can provide authentication services
c.    Capability to build tools for prescreening Internet content
d.    Capability to report online cybercrime
e.    Capability to trust online transactions
f.     Capability to trust and rate online business entities
g.    Capability to monitor the activities of online businesses in real time to certify businesses as safe to transact with
h.    Promulgate ethical standards for use of the Internet by business  in partnership with industry bodies

3.    Create an ecosystem for lawful use of the Internet
a.    Develop cyber police and cyber courts
b.    Training of police and judiciary
c.    Effective laws and regulation
d.    Cyber Bills and Acts

4.    Create an infrastructure to train new cyber security professionals
a.    Security courses in schools and college
b.    Funded research

5.    Develop effective international policies to deal with cross border issues
a.    Sign transactional treaties for fighting cybercrime internationally
b.    Establish international policy on privacy and law for use of cyberspace
c.    Establish norms for Internet service provider hosting content from or related to, India or Indians

6.    Promotion of cyber security awareness
a.    Encourage mcommerce players to promote citizen cyber security awareness
b.    Encourage the media to highlight cyber security issues and create awareness
c.    Institutionalize cybersecurity awareness training for children in schools
d.    National cybersecurity day