The Mandiant security firm has released a report attributing a number of hacking events to Advanced Persistent Threat (APT) activity perpetrated by China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department. They have also released an appendix containing multiple artifacts that can be used to detect intrusions on networks.
A new report, the National Intelligence Estimate, released by the US Office of the Director of National Intelligence "represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of [China-based] hacking over the past five years, including energy, finance, information technology, aerospace and automotive." One face of Chinese state-sponsored hackers profiled by Bloomberg Business Week is Zhang Changhe, an instructor at the People's Liberation Army Information Engineering University in Zhengzhou. [more inside]
“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.
A card game to teach computer security. [d0x3d!] is the creation of some Naval Postgraduate School computer scientists, designed to help players learn digital security concepts. Playtested with middle school students.
The New York Times has detailed a successful 4-month hacking campaign by China, infiltrating its computer systems and acquiring passwords for reporters/employees. The campaign was likely in retaliation for the NYT investigation of the wealth amassed by relatives of Chinese Prime Minister Wen Jiabao. Following the NYT announcement, the Wall Street Journal announced that it too was hacked last year. The Washington Post may also have been infiltrated. Slate asks if this could have a chilling effect on journalists writing about China. [more inside]
If special hardware can crack all your passwords, if people have a hard time remembering them anyway, if people don't implement them in the first place, it is no wonder Google (with Yubico) is "declar[ing] war on the password." [more inside]
An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.” [more inside]
10 Raspberry Pi creations that show how amazing the tiny PC can be: "The Raspberry Pi, the $35 credit card-sized computer, has lived an interesting life despite being less than a year old. It has been used to teach programming and host servers, but above all it has provided a near-perfect platform for some of the most fun and interesting hobbyist projects in the computing world. Arcade cabinets, computing clusters housed in LEGOs, musical instruments, robots, and wearable computers are just some of the uses Pi owners have found. It turns out you can do a lot with an ARM processor, GPU, a few ports and GPIO pins, and an operating system (typically Linux-based) loaded onto an SD card. Here are 10 of the coolest Raspberry Pi creations we've been able to find."
Hacker sets up SiriProxy and a Raspberry Pi-controlled relay to make his iPhone's Siri voice control open his garage door
"For the seventh time in less than 70 years, a report has been commissioned by the Government which has dealt with concerns about the press. It was sparked by public revulsion about a single action – the hacking of the mobile phone of a murdered teenager. From that beginning, the scope of the Inquiry was expanded to cover the culture, practices and ethics of the press in its relations with the public, with the police, with politicians and, as to the police and politicians, the conduct of each." The report, in four volumes of around 500 pages each, is available for download.
"During his civil lawsuit against the People's Republic of China, Brian Milburn says he never once saw one of the country's lawyers. He read no court documents from China's attorneys because they filed none. The voluminous case record at the U.S. District courthouse in Santa Ana contains a single communication from China: a curt letter to the U.S. State Department, urging that the suit be dismissed. That doesn't mean Milburn's adversary had no contact with him." [China Mafia-Style Hack Attack Drives California Firm to Brink]
Mat Honan of Wired has a covetable Twitter username (@mat). Recently hackers tore his digital world apart in an attempt to commandeer it. Now he reflects: The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
British computer hacker Gary McKinnon will not be extradited to the US, Home Secretary Theresa May has announced. [bbc]. She stated that "a decision to extradite would be incompatible with Mr McKinnon's human rights." on grounds of his mental illness(es) and propensity for suicidal thoughts. On a broader level she has also indicated that a forum bar will be available in future extraditions to the USA, meaning a court will be able to consider whether it would be more appropriate for a trial to be held in the UK. [more inside]
The AntiSec hacking group claims to have released a set of more than 1 million Apple Unique Device Identifiers (UDIDs) allegedly obtained from breaching an FBI agent's laptop via a Java vulnerability. The group claims to have over 12 million IDs, as well as personal information such as user names, device names, notification tokens, cell phone numbers and addresses. There's a tool to help you check if your device is in the list. [more inside]
Phone Trips - an audio archive of the Phone Phreaking community. Phone phreaking was the practice of hacking into phone systems and networks in order to explore these networks and their connections [1 2]. Many people first heard about the phenomenon in a 1971 Esquire article, Secrets of the Little Blue Box, which included input from Captain Crunch. Crunch discovered that you could access telephone networks by blowing a 2600 Hz tone, from a whistle given away free in cereal boxes, into telephone handsets. "Have you ever heard eight tandems stacked up?" asked Crunch in the interview. Well, now we can, thanks to a large audio archive of phone phreaking. [more inside]
"When Art, Apple and the Secret Service Collide: ‘People Staring at Computers’ ": A year ago (previously on MetaFilter), Kyle McDonald created an art project that landed him in some trouble with Apple and the attention of the US Secret Service. He writes about it for WIRED. [more inside]
Brown Moses Blog curates and analyzes news regarding the Syrian uprising, the wider Arab Spring, and the UK phone hacking scandal. It is written by Something Awful forums moderator Brown Moses. Recent entries include discussion of the increasingly well armed Free Syrian Army, senior members of the Catholic Church criticizing pro-Assad clergy, and a look at the evidence of more sophisticated IEDs being used in Syria. [more inside]
Merge your body with the powers of a Kinect controller to become Ultra Seven!
In the early 80’s, personal computers were a new innovation. Films like WarGames made it seem as if a kid with a keyboard could hack into anything: a school or corporate mainframe, NORAD, the US nuclear arsenal or your neighborhood bank. Hoping to capitalize on this, in 1983 CBS premiered a show which could have been considered WarGames’ intellectual successor. It featured a group of resourceful kids who solved crimes by hacking and cracking, led by Matthew Laborteaux, child star of Little House on the Prairie, and advised by a Gavilan SC-toting, mustachioed reporter played by Max Gail, formerly of the show Barney Miller. Whiz Kids lasted only a single season: 18 episodes, but all of them live on in cyberspace, on YouTube. Complete episode links contained within. [more inside]
On the basis of the facts and evidence before the committee, we conclude that if at all relevant times Rupert Murdoch did not take steps to become fully informed about phone hacking, he turned a blind eye and exhibited wilful blindness to what was going on in his companies and publications. This culture, we consider, permeated from the top throughout the organisation and speaks volumes about the lack of effective corporate governance at News Corporation and News International. We conclude, therefore, that Rupert Murdoch is not a fit person to exercise the stewardship of a major international company. [more inside]
Machine Politics. George Hotz, Sony, and the Anonymous hacker wars.
In 1984, Congress passed a law called the Computer Fraud and Abuse Act, in the wake of some high profile incidents of hacking. Designed to prosecute hackers, the law is written vaguely enough that it has, in recent years, been used (with varying degrees of success) to prosecute people violating terms of an employer's computer usage policies, or in the infamous case of Lori Drew, a Terms of Service agreement. But today, the 9th circuit court of appeals ruled that employees can not be prosecuted under the CFAA for violating an employer's computer use policies, dealing a blow to the Obama administration’s Justice Department, which is trying to use the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.
Murdoch's Scandal - Lowell Bergman (the journalist portrayed by Al Pacino in The Insider) has investigated News Corporation for PBS Frontline [transcript]. He depicts Rupert Murdoch's British operation as a criminal enterprise, routinely hacking the voicemail and computers of innocent people, and using bribery and coercion to infiltrate police and government over decades. Enemies are ruthlessly "monstered" by the tabloids. Bergman also spoke to NPR's Fresh Air [transcript]. But the hits keep coming: in recent days News Corp has been accused of hacking rival pay TV services and promoting pirated receiver cards in both the UK and Australia. With the looming possibility of prosecution under America's Foreign Corrupt Practices Act, how long will shareholders consider Rupert Murdoch irreplaceable? [Previous 1 2 3 4]
The British newspaper The Guardian has obtained a cache of 3,000 emails purported to have been exchanged between Syrian President Bashar al-Assad, his wife, and a close circle of advisers and friends. The personal emails allegedly show Assad dismissing his government's proposed reforms, mocking the efforts of Arab League monitors to spot military tanks besieging cities, as well as Assad's wife placing extravagant shopping orders, sometimes through intermediaries. [more inside]
The Kaspersky analysts over at Securelist uncovered some interesting things deep in the bowels of the code of a trojan. The hooks of the trojan are written using standard, well known languages and interfaces (C++, DLLs and such), but the payload, upon analysis, seems to be written using some heretofore unknown programming language. Can you figure out what language the Duqu trojan is written in? (via Lambda the Ultimate Programming Blog)
"Ron Paul has regularly met with many A3P members, even engaging in conference calls with their board of directors."
Hacker group Anonymous has discovered that Ron Paul is working directly with the neo-Nazi group American Third Position Party, whose members occupy key posts in Paul's campaign and whose directors have had conference calls with the Congressman and Presidential candidate. The full information release can be viewed at pirasec.org, though the interface is fairly clunky.
The holiday season isn't always relaxing for those in the computing security field. 2011's Chaos Communication Congress brought many gifts in the form of vulnerability disclosures, including: malicious documents that infect HP printers, remote control vulnerabilities in prison lock systems, and denial-of-service attacks against Web servers written in just about every scripting language.
Edwardian Era Grey Hatting. How a magician and part time inventor used griefing to expose security flaws in Marconi's radio transmission system, in 1903. [more inside]
Webcam is a short film which explores the concept (and apparent reality) of "webcam hacking." Straight link Vimeo. Warning: Vimeo comments contain spoilers.
"We’re allowing a whole new level of intelligence in the networks...We can take a copy of everything coming through our switch and dump it off to the FBI."
The Surveillance Catalog: Where Governments Get Their Spying Tools. The Wall Street Journal has obtained a "trove" of documents from the secretive retail market in surveillance technology sold to world governments, and has created a searchable database for your enjoyment. "Among the most controversial technologies on display at the conference were essentially computer-hacking tools to enable government agents to break into people's computers and cellphones, log their keystrokes and access their data..." E.g., FinFisher installs malware by sending fake software updates for Blackberry and other devices; VUPEN's Exploits for Law Enforcement Agencies "aim to deliver exclusive exploit codes for undisclosed vulnerabilities" in software from Microsoft, Apple and others. [more inside]
One month ago, Électricité de France S.A. (EDF), one of Europe's biggest power producers, went on trial for allegedly hiring a security firm to hack into Greenpeace's computers. Today, the sentence has come down and the security firm, EDF, and its executives (and in a separate sentence of the broader hacking trial, disgraced bicyclist Floyd Landis), will be seeing fines and jail time. Greenpeace responds.
On October 18, Wired embedded a reporter with both Anonymous and the #Occupy movement, calling both "a new kind of hybrid entity, one that breaks the boundaries between “real life” and the internet, creatures of the network embodied as citizens in the real world." The first entries in Quinn Norton's ongoing special report: Anonymous 101: Behind the Lulz were posted today. Coverage from Wired's other special report, Occupy: Dispatches from the Occupation are already online. NPR: Members Of Anonymous Share Values, Aesthetics [more inside]
The Socialbot Network - A UBC study suggests that many Facebook users will friend total strangers. Researchers said they collected 250 gigabytes of information from Facebook users by using socialbots — fake Facebook profiles created and controlled by computer code (sic). The researchers said they got the approval of UBC’s behavioural research ethics board. The data they collected was encrypted and anonymized and deleted after they completed their data analysis. [more inside]
Hacking with gestures in a 3D space is now possible, with Kinectasploit (a mashup of Metasploit and Kinect with OpenNi, in a Blender-made environment). (via Slashdot)
250 lucky attendees to a right-wing concert in Germany were given free souvenir t-shirts with the slogan "Hardcore rebels” and a skull and nationalist flags. [more inside]
Enter the Cyber-dragon. "Hackers have attacked America’s defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber-war—Operation Aurora! Operation Shady rat!—and learns why Washington has been slow to fight back. Related: Michael Joseph Gross goes inside Operation Shady Rat."
"Gambiarra refers to an unlikely mend, an unthinkable coupling, a solution so raw and transparent that it illustrates the problem at hand instead of eliminating it."
In Brazil, "gambiarra" is the art of improvising makeshift repairs - spontaneously solving the problem at hand with whatever is in hand. Wikipedia Brazil has a bit more on the topic and how it extends to architecture and programming. Gambilogia is an arts group exploring this DIY aesthetic. Interestingly, there's lots of discussion around gambiarra. Personally, I find the original quick fixes more compelling (examples at bottom of the article).
In-depth pieces in Vanity Fair and Wired detail the structure and impact of the Stuxnet worm, and what it means for the future of cybersecurity. (Previously)
not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities
"Hackers of the world are uniting and taking direct action against our common oppressors - the government, corporations, police, and militaries of the world" says LulzSec (previously) in their latest release, Chinga La Migra. "We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 (previously) and the racial profiling anti-immigrant police state that is Arizona."
#antisec is a new track from nerdcore rapper ytcracker (previously)
People who use Sony don't make very good passwords. "None of this is overly surprising, although it remains alarming. We know passwords are too short, too simple, too predictable and too much like the other ones the individual has created in other locations. The bit which did take me back a bit was the extent to which passwords conformed to very predictable patterns, namely only using alphanumeric character, being 10 characters or less and having a much better than average chance of being the same as other passwords the user has created on totally independent systems." [more inside]
'The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.'