Hacker forums function as a kind of combination training academy, social network and central bazaar for attackers looking for new tools, methods and techniques. They're also often patrolled by law enforcement agents and security researchers, but it's rare that any of the information that those people gather ever makes it into the hands of the public. One security company is now laying out some of the details of a year-long observation of a large hacker forum.
As it turns out, hackers in many ways are just like most people, with the small distinction that they steal things for a living. Researchers at Imperva began looking at one specific forum in June 2010, and focused in large part on what kinds of discussions the members were having. They found that many of the would-be attackers are not only interested in finding new tools and techniques, but also sometimes enjoy discussing religion, books and philosophy.
But when it comes to specific attacks, much of the discussion focuses on the techniques that have been among the more popular methods in recent years, especially DDoS and SQL injection. They found that 22 percent of the discussions on attack techniques by members of this unnamed forum were about DDoS attacks, while another 19 percent were about SQL injection. Both of those methods have been in widespread use for a long time now, and they also can be executed by people without a lot of technical skills.
DDoS attacks in particular often are the first forays by new attackers as they get into the scene, and there are a lot of simple point-and-shoot tools available for these people to experiment with. Even with these tools readily available, a lot of the discussions on hacking methods also center on learning how to get started, the researchers found. The Imperva study is by no means a comprehensive survey of hacker forums, but just a snapshot of one specific forum at a point in time.
"Hackers devote most of their time, 25%, towards discussing beginning hacking. The strongest category with nearly 25% of discussions was on hacking tutorials. This means there’s a strong, steady interest in content to learn hacking, ensuring a steady supply of new talent. Other hacks, such as botnets and zombies, were prominent but website hacking more than tripled the next highest topic," the study found.
In addition to discussions about specific techniques and tools, the forum that the researchers studied also includes quite a bit of educational content for members looking to learn. There are sections on learning skills such as social engineering, SQL injection and how to cover your tracks once you've compromised a machine.
As nice as all of the education and sharing on the forum is, the main reason for being for many of these sites is to help attackers who are looking to buy or sell pilfered goods find one another. The Imperva researchers found that in the forum they observed, credit card numbers, many of which include dates of birth and other information, were selling for short money. For U.S. numbers, the prices ranged from $2 for Visa up to $6 for Discover. The prices were slightly higher for numbers from countries in the European Union, going as high as $8 for American Express and Discover.
18/10/11
Inside a Hacker Forum
22/09/11
Massachusetts Attorney General, Victim of an iTunes Scam, Says She'll Demand Answers
Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple's popular online music store.
In a lunchtime address to business and technology leaders in Massachusetts, Coakley said she was a victim of identity theft in recent months, and that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino, California based Apple, which has steadfastly refused to comment, or report the breaches to Massachusetts regulators.
Coakley was speaking before an audience of technology and business leaders at an inaugural lunch for Massachusetts' Advanced Cyber Security Center (ACSC). Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General's account.
Informed of the well documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn't aware of the larger pattern, but that it could be a reportable offense under the State's data privacy law. She promised her office would be contacting Apple for more information that very afternoon - a statement that received hearty applause from the audience.
Despite the tough tone, Coakley's speech was tailored more to a business audience wary of burdensome enforcement of State data privacy laws, including the State's data breach notification law and 201 CMR 17, the Massachusetts Data Protection Law. That law took effect in March, 2010 but the first fine under the law was issued in March of 2011 to Briar Group, a Boston-area restaurant chain that showed gross negligence in securing its networks and handling customers' credit card numbers.
Coakley said that companies that attempt, in good faith, to adhere to the State's privacy laws have little to fear in the way of fines or prosecution. However, organizations that flout the law or ignore the need for data security should count themselves warned.
Describing her office as the first line of defense for consumers, Coakley said her office was pursuing a "common sense" approach to enforcement and notification. Large breaches, such as the hack of Massachusetts retailer TJX, warrant an all out effort to notify the public. In the case of smaller breaches, Coakley said her office wanted to work with victim organizations to make sure that holes in their defenses and IT security practice are addressed.
The Attorney General said her office has received around 480 data breach notifications so far in 2011, and 1,166 since the law took effect in March, 2010 - suggesting that the incidence of data breaches is holding steady, despite a tough economy. The vast majority of those breaches are small in nature. Eighty-two percent of disclosed breaches affected fewer than 100 people, and just 4% affected between 1,000 and 10,000 people. Similarly, hacking incidents only made up a quarter of the reported breaches, with another quarter due to inadvertent human error, Coakley said.
The State's breach notification law, dubbed 201 CMR 17, sets clear guidelines for the types of incidents that constitute reportable breaches. Any incident resulting in "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data" that creates a "substantial risk of identity theft or fraud against a resident of the commonwealth" must be disclosed, as must the exposure of combinations of personal information, such as a name and credit card number. That would seem to describe the use of Coakley's credit card information on iTunes. However, it is unclear whether Apple actually holds the data used to process the transaction on iTunes, or whether the purchases are merely "pass through" transactions about which Apple has no knowledge or visibility, according to a source within the Attorney General's Office.
nb : threatpost
20/09/11
Google Wallet - why you shouldn't throw away your wallet just yet
Google has announced, to some fanfare, what it hopes will be a revolution in the way we pay for things: Google Wallet. Google Wallet is a smartphone app (currently only available for the Nexus S 4G Android phone) that aims to replace your credit cards.
It works like this. You go to a store (let's imagine it's a coffee shop), the barista hands you your steaming skinny caramel macchiato and a toasted onion bagel with low fat cream cheese and bacon, and rather than give them your credit card or reach into your pocket for some coins, you...
* take out your smartphone
* unlock it
* run the Google Wallet app
* enter the PIN for your Google Wallet app
* swipe your smartphone against the coffee shop's pay point.
How convenient!
The Google Wallet app uses NFC (near-field communications) technology in your smartphone to wirelessly debit the credit card you have linked with the application.
Here's a video that Google has produced describing Google Wallet.
The PIN
It looks like Google recognises that some people will be fearful, and is keen for potential users to know that the Google Wallet app is protected by a four digit PIN.
Unless the PIN is entered, the NFC antenna is switched off - meaning that you can't make any purchases. Similarly, when the phone's screen is switched off, the NFC antenna is disabled. The Google Wallet app insists that you re-enter your PIN every five minutes by default - something that I suspect many users will find irritating, and will change to a longer time period for more convenience and less security.
Another concern I have, though, is whether users will choose sensible PINs to protect their Google Wallet.
When you're waiting to slurp your steaming skinny caramel macchiato and munch on your toasted onion bagel with low fat cream cheese and bacon, will you be entering a PIN code that is convenient or one that is more secure?
Research published earlier this year revealed the top 10 passcodes that iPhone owners use to protect their devices, and we have to assume that Google Wallet users will be just as laissez-faire when choosing a PIN.

We already know that 67% of consumers don't have any form of password on their mobile phones.
It's hard to imagine that all users are going to choose a PIN code for their Google Wallet which is hard to crack, let alone one that differs from the PIN they should be using to protect the rest of their smartphone.
So, if you lose your smartphone and have not chosen a sensible PIN code for the device, and a different one for your Google Wallet, then there may be opportunities for criminals to take advantage.
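As an added illustration (not Google's code and not from the original post), the following Python models the gating described above: the NFC side is armed only by a correct PIN, disarmed when the screen goes off or once the re-entry window (five minutes by default) has passed, and a policy check rejects a wallet PIN that is all one digit, a straight run, or identical to the device PIN. The weak-PIN heuristics are assumptions of this example, not the iPhone top-10 list mentioned above.

```python
"""Model of the Google Wallet PIN / NFC gating policy as described in the post.

Added illustration, not Google's implementation. The weak-PIN rules below are
assumptions made for the example, not the published iPhone top-10 passcode list.
"""
import re
from typing import List, Optional

DEFAULT_REAUTH_SECONDS = 5 * 60  # post: PIN must be re-entered every five minutes by default


def pin_weaknesses(pin: str, device_pin: Optional[str] = None, min_len: int = 4) -> List[str]:
    """Return the reasons a candidate wallet PIN is weak; an empty list means acceptable."""
    problems: List[str] = []
    if not re.fullmatch(r"\d{%d,}" % min_len, pin):  # longer PINs are allowed, shorter are not
        problems.append("must be at least %d digits" % min_len)
        return problems
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps <= {1} or steps <= {-1}:  # 1234, 4321 and the like
        problems.append("sequential digits")
    if device_pin is not None and pin == device_pin:
        problems.append("same as the device unlock PIN")
    return problems


class WalletNfc:
    """NFC is armed only after a correct PIN, and disarmed on screen-off or after the re-auth window."""

    def __init__(self, pin: str, reauth_seconds: int = DEFAULT_REAUTH_SECONDS):
        self.pin = pin
        self.reauth_seconds = reauth_seconds
        self.armed_at: Optional[float] = None  # time of last good PIN entry; None when disarmed

    def enter_pin(self, attempt: str, now: float) -> bool:
        """Arm the antenna on a correct PIN; return whether this attempt succeeded."""
        ok = attempt == self.pin
        if ok:
            self.armed_at = now
        return ok

    def screen_off(self) -> None:
        """Screen off disables the antenna regardless of the remaining window."""
        self.armed_at = None

    def can_pay(self, now: float) -> bool:
        """True only while armed and within reauth_seconds of the last PIN entry."""
        if self.armed_at is None:
            return False
        if now - self.armed_at > self.reauth_seconds:
            self.armed_at = None  # window expired: the PIN has to be entered again
            return False
        return True
```

Shortening `reauth_seconds` narrows the window in which a lost, unlocked phone can still pay; lengthening it, as the post expects many users will, does the opposite.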
Don't throw away your wallet just yet
I don't want to rain on the parade entirely, however. It's not Google's fault that people might choose dumb obvious PINs or use the same PIN code for their digital wallet as for the device itself (although Google might do some work to reduce the likelihood of those happening, or give an option for longer pass codes).
We may be a long way off throwing away our physical wallets entirely - as folks still like to carry around their receipts, driving license, business cards and some old fashioned bank notes - but we will see mobile devices being used more and more for commerce. It's going to take some years for merchants to invest in the hardware to provide support for Google Wallet, and some may prefer to wait and see how the market plays out and if a rival option becomes more popular.
Always have a backup
I have one piece of advice though, which will probably hold true for many years to come. Think about this. What happens when your smartphone runs out of juice?
You won't be able to open your Google Wallet app to pay for the late night train ride home if the battery is flat. Then you'll be rueing not having a real credit card in your pocket or a couple of notes hidden in the sole of your shoes.
nb : nakedsecurity.sophos
14/09/11
Hackers steal credit card details at Wisconsin and Tennessee Wilderness resorts
Bad news if you have been on vacation at one of the Wilderness resorts in Tennessee and Wisconsin in the last couple of years - hackers may now have your credit card details. VacationLand Vendors Inc, a firm which provides arcade and vending machines to businesses, has revealed that a hacker broke into its credit card processing systems and stole up to 40,000 credit card details.
The credit cards were used in arcades at the Wilderness Hotel & Golf Resort in Wisconsin, and the Wilderness at the Smokies Waterpark Resort in Tennessee.
Precise details of how the data breach occurred have not been made public, but the company has published a warning on its website, and advised customers to keep their eyes peeled for unusual transactions on their credit cards.

Vacationland Vendors says that it "deeply regrets" the security breach and shut down its systems at the affected arcades as soon as it discovered the problem on March 25, 2011 - but that patrons may be impacted as far back as December 12, 2008.
The FTC has produced a website all about how consumers can protect themselves against identity theft.
nb : nakedsecurity.sophos