Friday, January 21, 2011

iPad Hackers Charged For Email Scheme

Back in the summer of last year, a hacker group called Goatse Security found a breach in AT&T's server security that allowed them to access the email addresses of iPad 3G users. They downloaded over one hundred thousand of those email addresses, then alerted AT&T, who promptly fixed the hole. This past week, two of the hackers belonging to that group were each charged with crimes related to that breach.


Andrew Auernheimer and Daniel Spitler have each been charged with "one count of conspiracy to access a computer without authorization and one count of fraud," according to the New York Times article on the subject. Last July, after the events transpired, the FBI received more than 150 pages of chat logs which detail how the men were able to download these email addresses. What it basically came down to was a program on the AT&T servers which, when given an iPad's ID number, would return the email address associated with that iPad. Mr. Auernheimer and Mr. Spitler then only had to write a small script to guess ID numbers and store the returned addresses.


Both of the men charged insist they did nothing illegal. Mr. Spitler, when asked why he felt that way, replied by saying "cause I didn't hack anything." Their defense rests on the fact that they were accessing data on a public server with no password or encryption, basically that this data was available to anyone on the Internet. There is no evidence thus far that shows anyone trying to sell the data they uncovered, and they informed AT&T of the security hole, allowing them to fix the problem. AT&T, on the other hand, is labeling the data mining as "malicious" and claims that its customers could have been "exposed ... to spam or fraud."
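From the server operator's side, the lookup described above leaves a recognizable trace: one client asking for many different ID numbers in a short time, most of them misses. The following is an added example, not code from AT&T or from the original post; the log format, the `/lookup?id=` path, the thresholds and all sample values are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) access-log format:
#   <ISO timestamp> <client address> GET /lookup?id=<digits> <HTTP status>
LINE_RE = re.compile(r"^(\S+) (\S+) GET /lookup\?id=(\d+) (\d{3})$")


def parse(line):
    """Return (timestamp, client, device_id, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dev_id, status = m.groups()
    return datetime.fromisoformat(ts), client, dev_id, int(status)


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct_ids=5):
    """Flag clients that request more than max_distinct_ids different IDs
    inside any sliding time window. A legitimate device only ever asks
    about its own ID, so a high distinct-ID count is the signal."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, client, dev_id, status = rec
            per_client[client].append((ts, dev_id, status))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        in_window = Counter()   # device_id -> occurrences inside the window
        start = 0
        peak = 0
        for ts, dev_id, _ in events:
            in_window[dev_id] += 1
            # Drop events that have aged out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct_ids:
            misses = sum(1 for _, _, status in events if status == 404)
            flagged[client] = {
                "peak_distinct_ids": peak,
                "requests": len(events),
                "miss_ratio": round(misses / len(events), 2),
            }
    return flagged


def sample_log():
    """Constructed sample: one client walking consecutive IDs, one normal device."""
    base = datetime(2011, 1, 1, 12, 0, 0)
    lines = []
    for i in range(12):
        status = 200 if i % 4 == 0 else 404
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 198.51.100.7 GET /lookup?id={8900000000 + i} {status}")
    for i in range(3):
        stamp = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{stamp} 203.0.113.20 GET /lookup?id=8900004242 200")
    return lines


if __name__ == "__main__":
    for client, stats in find_enumerators(sample_log()).items():
        print(client, stats)
```

Detection of this kind is a backstop. The lasting fix is for the lookup to return personal data only to an authenticated owner of the ID.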

If you feel the need to increase your company network and server security, call Razorpoint today, 212.744.6900!

Tuesday, January 18, 2011

Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power

According to a press report, a German security specialist plans to give attendees at a hackers convention next week code that they can run on high-performance cloud computer systems to help them break passwords on seemingly secure, low-cost wireless networks – Wi-Fi, for instance.


As much as anything else, however, it's a demonstration of how much computing power is becoming available to larger numbers of people as a service for a fraction of what it costs to buy and maintain a supercomputer.


According to a report in Reuters, Thomas Roth, a security consultant in Cologne, used high-performance capabilities in Amazon.com's (NASDAQ: AMZN) Elastic Compute Cloud (EC2) service to "brute force" breaking passwords on wireless networks.


Roth will be speaking at next week's Black Hat Security Conference in Washington, D.C. His talk is titled "Breaking encryption in the cloud: GPU accelerated supercomputing for everyone."


The main focus of Roth's recent demonstration, however, was to show how easy it is today, given the availability of such high-powered computing in the cloud, to break passwords that use an encryption algorithm he says was never meant to secure systems.


Roth reportedly said he was able to breach the relatively sophisticated encryption technology -- SHA-1 (Secure Hash Algorithm) -- by tapping a cluster of Nvidia graphics processors, available through Amazon's services, to provide the horsepower needed for the task of zipping through 400,000 possible passwords per second.


"SHA-1 was never made to store passwords. [It] is a hash algorithm ... made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast," Roth said on his blog in November.
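Roth's point about speed can be made concrete for anyone who stores passwords. The following is an added example, not code from Roth or from the original article: it contrasts a single unsalted SHA-1 with a salted, iterated PBKDF2 record and estimates worst-case guessing time at the 400,000-per-second rate quoted above. The iteration count, the record format and the assumption that an attacker's cost grows linearly with iterations are choices made for this example.

```python
import hashlib
import hmac
import os

# Guessing rate quoted in the article for the rented GPU cluster.
GUESSES_PER_SECOND = 400_000


def fast_hash(password: str) -> str:
    """Single unsalted SHA-1: the storage pattern Roth warns against.
    Identical passwords give identical hashes, and each guess costs one hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record. The iteration count is an assumed
    work factor for this example; tune it to your own hardware."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare
    in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_to_exhaust(alphabet_size, length, hashes_per_guess=1,
                       rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every candidate password of the given length.
    Simplifying assumption: `rate` counts primitive hash operations per second,
    so a guess that needs N iterations is N times slower."""
    return alphabet_size ** length * hashes_per_guess / rate


if __name__ == "__main__":
    record = slow_hash("correct horse")
    print("stored record:", record)
    print("verifies:", verify("correct horse", record))
    one_hash = seconds_to_exhaust(26, 6)
    iterated = seconds_to_exhaust(26, 6, hashes_per_guess=200_000)
    print(f"6 lowercase letters, one hash per guess: {one_hash / 60:.1f} minutes")
    print(f"same keyspace, 200,000 iterations: {iterated / 86400 / 365:.1f} years")
```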


Prices for the equivalent of a supercomputer provided as a service via the cloud are low as well. Roth told Reuters that it took 20 minutes to break into a network in his neighborhood, at a cost of 28 cents per minute -- and that, with improvements in the code, he could do the same in as few as six minutes now.


The problem is, as computing speeds climb ever higher and the price falls, the barrier to hackers falls as well.


"The speed of computers is increasing incredibly fast, and so brute forcing will get faster and faster, and the new cloud offerings make parallelization of such use tasks easy and affordable," Roth continued.


An Amazon spokesperson was not available at publication. However, in speaking with Reuters, a spokesperson made the point that the same feat could be achieved on competing cloud computing services as well.


By Stuart J. Johnston
January 12, 2011

Friday, January 14, 2011

1 in 4 AT&T iPhone users say they'll switch to Verizon

ChangeWave survey finds many AT&T customers dissatisfied with reception/coverage

A new ChangeWave Research survey of 4,050 consumers, completed just days before Verizon announced plans to offer Apple's iPhone, reveals that the carrier will be able to draw significant numbers of new subscribers from its rivals.


Of the sample, 10% said they plan on switching wireless providers in the next 90 days: 2-points higher than a previous ChangeWave survey in September and the highest churn level of the past 18 months.


It seems most of Verizon's success will be from switchers coming from rival carriers, instead of its existing customers: only 4% of Verizon's customers plan to switch in the next 90 days, compared with 10% of Sprint customers, and 15% of both T-Mobile and AT&T subscribers.


No matter your cell phone provider, Razorpoint Security hopes that you take all precautions necessary to protect yourself from hackers!  If you are wondering how to best protect yourself, contact our data security experts in New York City today.


ChangeWave found that AT&T's churn rate has more than doubled since June 2009, from 6% to 15% of AT&T customers saying they are "very likely" or "somewhat likely" to switch wireless carriers in the next 90 days.

These AT&T customers apparently have had it with the network's quality: 42% of these switchers cite poor reception/coverage as their top reason for leaving, followed by dropped calls, cited by 27%.


A total of 16% of existing AT&T subscribers say they'll switch to Verizon once it begins offering the iPhone; 23% say they don't know if they'll switch; 60% will stay with AT&T. Current Apple iPhone owners are the most likely group of all to switch: 26% saying they'll leave AT&T for Verizon.


In asking respondents how often they experienced dropped calls in the past 90 days, ChangeWave found major improvements for AT&T, though it still lags far behind Verizon Wireless at least in perception of network quality. The results showed 4.7% of the AT&T users in the survey had dropped calls, compared with 6.0% in the September 2010 survey.


This story appeared on Network World at
http://www.networkworld.com/news/2011/011311-iphone-verizon.html

Thursday, January 13, 2011

Facebook Wants to Issue Your Internet Driver's License

Cybersecurity and privacy-enhancing "identity ecosystem" by Facebook?

President Obama put the U.S. Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID and its identity infrastructure is already on millions of websites. If participation remains voluntary, could Facebook distribute your Internet driver's license?


Worldwide, e-commerce is estimated at $10 trillion annually. The National Strategy for Trusted Identities in Cyberspace (NSTIC) plan of developing a secure and privacy-enhancing "identity ecosystem" for the Internet is supposed to lower the risks of identity theft, which is rampant, and create greater confidence in online transactions, since less personal information would be collected and stored with each transaction. But there are privacy and civil liberties groups who oppose the idea of any government intelligence agency being in control of its citizens' online IDs. Many of those same groups oppose the government requiring a backdoor into all online programs as part of the Internet's infrastructure.


According to Technology Review, Facebook is becoming a "critical part of the Internet's identity infrastructure" and wants to supply your Internet driver's license. Facebook Login allows any website to use its identity infrastructure by adding a few lines of code, so users will see a "Connect with Facebook" button on the site. Facebook Connect is one of the most popular pieces of code adopted by websites, so that anyone with a Facebook account is but a click away from logging in, "liking" or sharing a site.


Besides being easy and free for websites to implement, Facebook Connect provides the site with the user's real name as required per Facebook's terms of service. Many sites don't want the hassle and headache of managing their own identity system, but do want users to login for commenting purposes and limiting spam.


On the negative side, Facebook has made horrible privacy mistakes in the past. Since it happened again and again, it seems Facebook showed little regard for its users' outrage over the privacy breaches. It's also a hot target for cyberthugs. Any site is only as strong as the weakest link -- which usually tends to be the user. On any given day on Facebook, there are always phishing scams, busy social engineers, and accounts taken over by hackers. The Firefox plug-in Firesheep makes sniffing out cookies and taking over accounts so easy that even the clueless can manage it over an unsecured Wi-Fi network.


Last fall, making itself a no less appealing target, a New Zealand bank opened the doors to Facebook's first online bank branch. When logged into Facebook, the bank's customers can access their banking information. As more businesses adopt Facebook Connect, it is becoming a universal login on the web, making Facebook a tempting target to cybercriminals.


If participation in Obama's NSTIC cybersecurity program is voluntary and not required, it offers people the ability to stay anonymous by simply not participating. However, if nearly all sites adopt it and then require it, that's not really very optional for people who want to remain anonymous online.


One thing Facebook might have over the Commerce Department issuing unique online IDs is that many people will not trust a government sponsored ID system.  As CDT's Jim Dempsey said, any Internet ID must be created by the private sector and must stay voluntary and competitive. "The government cannot create that identity infrastructure. If it tried to, it wouldn't be trusted," stated Dempsey.


However, Commerce Department Secretary Gary Locke was quick to reassure people that the cybersecurity ID wasn't a guise for more big brother government. "We are not talking about a national ID card," Locke said at the Stanford Institute for Economic Policy Research event. "We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."


White House Cybersecurity Coordinator Howard Schmidt assured people that anonymity and pseudonymity will remain possible online. "I don't have to get a credential, if I don't want to," Schmidt stated. He added there is no chance that "a centralized database will emerge."


The Commerce Department beat out other candidates such as the NSA and DHS to head up the new online identity project. As CNET pointed out, this "should please groups that have raised concerns over security agencies doing double duty in police and intelligence work."


Somehow it doesn't seem too hard to see the potential for abuse if either the government or Facebook becomes the Internet cop handing out IDs. Can we trust either one to guard users' privacy and security above their own interests and motives?

Wednesday, January 12, 2011

The 10 biggest hoaxes in Wikipedia's first 10 years

From Stephen Colbert and Rush Limbaugh to Adolf Hitler: a history of Wikipedia hoaxes



Wikipedia will celebrate its 10th birthday on Saturday, with founder Jimmy Wales having built the site from nothing to one of the most influential destinations on the Internet. Wikipedia's goal may be to compile the sum total of all human knowledge, but it's also, perhaps, the best tool in existence for perpetuating Internet hoaxes. Let's take a look at the 10 biggest hoaxes in Wikipedia's history. (Did we miss any? Let us know in the comments).






The Essjay controversy



This one's so big it has its own Wikipedia page. In February 2007 a Wikipedia administrator who went by the name Essjay "was found to have made false claims about his academic qualifications and professional experiences on his Wikipedia user page and to journalist Stacy Schiff during an interview for The New Yorker, and to have exploited his supposed qualifications as leverage in internal disputes over Wikipedia content." Essjay had been contributing to Wikipedia since 2005, claiming that he "teaches graduate theology, with doctorates in Theology and Canon Law." He also gained a job with Wikipedia sister company Wikia. "Jimmy Wales proposed a credential verification system on Wikipedia following the Essjay controversy, but the proposal was rejected," according to the Wikipedia article.





Edward Owens



Another hoax worthy of its own Wikipedia page, "Edward Owens" was a "fictional character, part of a historical hoax created by students at George Mason University on Dec. 3, 2008 as a project in a class dealing with historical hoaxes called "Lying About the Past." One tactic was creating a Wikipedia article about Owens, "who supposedly lived from 1852 to 1938 in Virginia ... fell on hard times during the Long Depression that began in 1873 and took up pirating in Chesapeake Bay to survive the economic downturn." After media outlets including USA Today were fooled, the class professor decided in December 2008 to reveal the hoax.








Stephen Colbert inflates the population of African elephants




Oh, Stephen Colbert. What would we do without you? Colbert's brilliant media satire show, the Colbert Report, took on Wikipedia in July 2006, urging viewers to edit the encyclopedia to indicate that the population of African elephants had tripled in the previous six months. Known for inventing the word "truthiness," Colbert also gave us "wikiality," the concept that "together we can create a reality that we all agree on — the reality we just agreed on."







Sinbad dead? No, that was just his career ... hey-ohh!



This bit of wiki-vandalism brought Wikipedia down (or up?) to the level of newspapers, which have been known for publishing quite a few premature obituaries. In this case, Wikipedia falsely reported the death of the 50-year-old Sinbad, who even received a telephone call from his daughter and calls, texts and e-mails from hundreds of others after the hoax spread. The Sinbad Wikipedia page was temporarily protected from editing to prevent further vandalism. But numerous others have been falsely listed as dead on Wikipedia, including Sen. Edward Kennedy (months before his actual death), Miley Cyrus, Sergey Brin and Paul Reiser.







Wikipedia biography controversy, or "the Seigenthaler incident"



In May 2005 a Wikipedia editor created a hoax article declaring that 78-year-old American journalist John Seigenthaler "had been a suspect in the assassinations of U.S. President John F. Kennedy and Attorney General Robert F. Kennedy," and it went uncorrected for more than four months. Seigenthaler ultimately wrote about the incident in a USA Today column. Afterward, Wales "stated that the encyclopedia had barred unregistered users from creating new content," the Wikipedia page on the controversy states. But unregistered users can still edit existing articles.







The founder of Orange Julius did not invent a shower stall for pigeons



Jeopardy champion and all-around smart guy Ken Jennings apparently discovered this one, blogging in May 2010 about how the Wikipedia article on Orange Julius namesake Julius Freed was "full of all kinds of crazy trivia, like the fact that he invented a shower stall for pigeons." What Jennings calls "the funniest development on this story" is that "Dairy Queen, which now owns Orange Julius, inadvertently used the hoax material as the basis for a 2007 ad campaign!" This was one of the more successful Wikipedia hoaxes, judging by the amount of time it remained on the site, having stayed up there for five years. "How many hundreds (thousands?) of other articles like this are sitting out in the Wiki-ether right now, wreaking havoc and just waiting to be debunked?" Jennings wonders.







College student fools the whole world's media



If you're a journalist, Wikipedia is a great initial source of information. But you should always use primary sources to verify that what Wikipedia says is true before actually running with it (unless you're writing a cheesy top 10 list story like this one). But one student's experiment in 2009 showed that media members are apparently allergic to fact-checking when it comes to lifting material from Wikipedia. A Dublin University student named Shane Fitzgerald inserted a fabricated quote into the Wikipedia article about recently deceased composer Maurice Jarre. The quote wasn't damaging to Jarre himself - it read "One could say my life itself has been one long soundtrack. Music was my life, music brought me to life, and music is how I will be remembered long after I leave this life. When I die there will be a final waltz playing in my head that only I can hear." But it was damaging to the credibility of newspapers such as The Guardian, which were fooled into using the quote in obituaries. No one even noticed the hoax until Fitzgerald himself reported it a month later, and said he was "shocked at the results" of his own experiment.







Rush Limbaugh turns out to be just as incompetent as the rest of the media



Last year, Limbaugh spent a while talking about Roger Vinson, a federal judge involved in a legal challenge to the new healthcare law. According to The New York Times, "The conservative radio host informed his listeners that the judge was an avid hunter and amateur taxidermist who once killed three brown bears and mounted their heads over his courtroom door to 'instill the fear of God into the accused.' ... But, in fact, Judge Vinson has never shot anything other than a water moccasin (last Saturday, at his weekend cabin), is not a taxidermist and, as president of the American Camellia Society, is far more familiar with Camellia reticulata than with Ursus arctos." It was all because Rush (or his staffers) read hoax material on a Wikipedia page and repeated it as fact. Limbaugh's staff claimed they found the information in a Pensacola News Journal article, but no such article existed.







Actually, maybe this is how we know Rush Limbaugh is a real journalist. He trusts Wikipedia.







Henryk Batuta hoax



Another hoax worthy of its own Wikipedia page, this one was "perpetrated on the Polish Wikipedia from November 2004 to February 2006," and concerned "an article about Henryk Batuta (born Izaak Apfelbaum), a fictional socialist revolutionary and Polish Communist. The fake biography said Batuta was born in Odessa in 1898, participated in the Russian Civil War", and that "a street in Warsaw was named 'Henryk Batuta Street.'" Several Polish newspapers and magazines wrote about the Wikipedia article, which was deleted. The article was apparently a protest designed to "draw attention to the fact that there are still places in Poland named after former communist officials who do not deserve the honour."






Tony Blair – Hitler worshipper?




We couldn't get through a whole Wikipedia hoax article without mentioning Hitler, now could we? It's Godwin's law. Anyway, the Wikipedia page on former British Prime Minister Tony Blair once said that he kept posters of Adolf Hitler on his bedroom wall during his teenage years. Actually, I couldn't find any proof that those words ever appeared on his Wikipedia page, but it seems to have been reported on enough sites that it must have happened. Plus, it was in a book or something.

Thursday, January 6, 2011

Fake White House holiday e-mail is cyber attack

It looked like an innocent e-mail Christmas card from the White House.


But the holiday greeting that surfaced just before Christmas was a ruse by cybercriminals to steal documents and other data from law enforcement, military and government workers — particularly those involved in computer crime investigations.


Analysts who have studied the malicious software said Tuesday that hackers were able to use the e-mail to collect sensitive law enforcement data. But so far there has been no evidence that any classified information was compromised.


The targeted e-mail attack comes as the federal government is desperately trying to beef up its cybersecurity after the release of thousands of State Department cables and military documents by the WikiLeaks website. Federal authorities want to improve technology systems and crack down on employees to prevent the theft or loss of classified and sensitive information.


The red holiday e-mail card, with its brightly decorated Christmas tree, prompted recipients to click on a link, which would then download the ZeuS malware — a well-known malicious code that is often used to steal passwords and other online credentials, primarily to poach Internet banking information. The malware was created several years ago and is widely available for criminals to acquire and adapt. It has been used to steal millions of dollars.


In this case, however, the code downloaded a second payload that is designed to steal documents from the recipient's computer, accessing Microsoft Word and Excel files.


Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, a computer security consulting company, said the attack was somewhat small and targeted to a limited number of groups with law enforcement, military and government affiliations.


It was small enough, he said, to suggest that it was sent out manually and not by a large network of infected computers. He said it was not large enough to be picked up by cybersecurity spam traps or sensors.


Alex Cox, principal research analyst for NetWitness, a cybersecurity firm in northern Virginia, said the e-mail was sent out just a day or so before Christmas, delivered by a control server in Belarus. He and Jackson said they believe this ZeuS version was created by the same people who launched a similar but much larger attack last February.


Cox, who discovered the ZeuS-infected malware last year when it infected at least 74,000 computers, said it's hard to determine how many people were affected or how many documents were stolen in this latest attack.


Jackson said the hackers stole at least several gigabytes of data.


Analysts learned of the e-mail attack last week and have spoken with federal authorities about it.


Homeland Security Department spokeswoman Amy Kudwa said officials are aware of the ZeuS e-mail and are monitoring it along with other similar malware attacks that have been tracked for some time.


Cox and Jackson would not disclose details on who was attacked or what documents may have been compromised but agreed that the hackers probably were after the documents, rather than any banking or financial passwords.


One theory, said Jackson, is that the hackers were looking for information about law enforcement cases and investigative techniques related to cybercrime so that they could sell it to other criminals.


The e-mail attack, however, underscores the continuing vulnerability of government workers and their computer systems to versions of the ZeuS malware. Hackers can easily tweak the code each time so that it does not trigger antivirus software.


"Criminals have found that if they change the files in small ways it can slip past antivirus software," said Jackson.


While ZeuS-related attacks are fairly common, this latest one stood out because of the use of the White House connection to lure recipients in and the targeted way it went after law enforcement, analysts said.


One U.S. official said that the code was rather poorly written. The hackers could only get easily accessible documents and not those filed deep within layers of folders on the hard drive, said the official, who spoke on condition of anonymity to discuss ongoing investigations.


Do not get caught in an e-mail cyber attack!  Contact Razorpoint Security today to ensure your systems are well protected!

Wednesday, January 5, 2011

Army kicks off construction of $1.2 billion NSA cybersecurity center

The US Army Corps of Engineers (USACE) is scheduled to begin work this week on a $1.2 billion data center at Camp Williams in Salt Lake City, Utah, that will house a National Security Agency cybersecurity intelligence center.

The 1.5-million-square-foot facility, known as the Utah Data Center, will house an NSA facility that will gather intelligence about cybersecurity threats to federal government networks. Construction on the center is scheduled to begin on Thursday.


The center will consist of 100,000 square feet of raised floor data center space and more than 900,000 square feet of technical support and administrative space, according to a USACE release. Support facilities include an electrical substation, a vehicle inspection facility and visitor control center, fuel storage, water storage and a chiller plant.


The NSA center is being built as part of the White House’s Comprehensive National Security Initiative (CNSI), which is designed to improve cybersecurity efforts to protect federal computer networks.


The CNSI has the following goals:

  • To establish a front line of defense against immediate cybersecurity threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the federal government and acting to reduce current vulnerabilities and prevent intrusions.

  • To defend against the full spectrum of cybersecurity threats by enhancing counterintelligence capabilities and increasing the security of the supply chain for key information technologies.

  • To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the federal government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.