Showing posts with label cybercrime.

Friday, July 23, 2010

Chinese Hack 101

Let me introduce four basic terms as they are commonly used on Chinese hacking forums:


肉雞/肉鸡 (literally "meat chicken") - a compromised machine: a host infected with a trojan or backdoor that the attacker controls, i.e. a bot or zombie.


網頁掛馬/网页挂马 (literally "hanging a horse on a web page") - injecting malicious code, typically a hidden iframe that loads an exploit page, into a legitimate web page so that visitors are silently infected with a trojan (a drive-by download).


免杀 (literally "kill-free", i.e. undetectable) - modifying a malware sample so that antivirus products no longer detect it, by packing, encrypting or altering the parts that match signatures. The term is about evading detection; anti-debugging is a separate anti-analysis technique that such services may also bundle.


攻击 - attack.


I captured a piece of an attack-service advertisement from a Chinese blog (URL: http://tieba.baidu.com/f?z=650017145&ct=335544320&lm=0&sc=0&rn=30&tn=bai...). Feel free to translate it via Google Translate:


免杀制作,网马挂马 入侵挂马 QQ空间挂马 视频传播木马

-> Crafting AV-evading (免杀) malware; web trojans and iframe injection (网马挂马); breaking into sites to plant iframes (入侵挂马); planting trojans in QQ Zone (Qzone) pages (QQ空间挂马); spreading trojans via video files (视频传播木马).
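As an added example, not code from the original post or from the forums it quotes, here is a small Python checker that flags the kind of iframe a 挂马 injection typically leaves behind: zero-sized, hidden by CSS, pushed off-screen, or loading from a host other than the page's own. The two pages it scans are constructed for this example and the hostnames in them are placeholders.

```python
"""Added example: flag <iframe> tags with the hallmarks of 网页挂马 (iframe injection).

Not from the original post. The injected frame is usually made invisible (zero size,
display:none, off-screen position) and loads an exploit page from a host the site does
not own, so those are the properties checked here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SIZE_IN_STYLE = re.compile(r"(width|height)\s*:\s*(\d+)", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}", re.I)


def hidden_by_css(style: str) -> bool:
    """True for display:none / visibility:hidden, far off-screen offsets, or 0-1px dimensions."""
    compact = style.lower().replace(" ", "")
    if "display:none" in compact or "visibility:hidden" in compact:
        return True
    if OFFSCREEN.search(compact):
        return True
    return any(int(n) <= 1 for _, n in SIZE_IN_STYLE.findall(compact))


class IframeAuditor(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().removesuffix("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        if hidden_by_css(a.get("style", "")):
            reasons.append("hidden by CSS")
        host = urlparse(a.get("src", "")).hostname
        if host and host.lower() != self.page_host:
            reasons.append(f"third-party src {host}")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": a.get("src", ""), "reasons": reasons})


def audit_iframes(html: str, page_host: str):
    """Return one finding per suspicious iframe: source line, src and the reasons it was flagged."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages; hostnames are placeholders, not real sites.
CLEAN_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="http://evil.example.net/x.htm" width="0" height="0" style="display:none"></iframe>
<iframe src="http://evil.example.net/y.htm" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_iframes(INJECTED_PAGE, "www.example.com"):
        print(f)
```

Run it over a saved copy of a page you suspect; a legitimate embed (visible, same host) produces no finding, while each injected frame is reported with the line it sits on, which is what you need when cleaning a compromised site.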



Thursday, April 15, 2010

Military asserts right to return cyber attacks

The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress.


Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.


For more info check http://bit.ly/cH8wsn and http://bit.ly/bzo2TX


Friday, March 5, 2010

US Investigators Pinpoint Author Of Google Attack Code

The big news over the past few months has been the Aurora attacks and how they appeared to originate from China; last month Microsoft took the unusual step of releasing an out-of-band patch for the Internet Explorer 0-day vulnerability used in the attacks (exploited in the wild against IE6).


Within the last few days the origin of the code was traced to two Chinese schools, both of which claimed they had no knowledge of the exploit.


It was always thought the exploit originated from China because parts of the code had only been found on Chinese-language sites; the latest news is that the actual origin of the code has been discovered by US investigators.


US investigators have pinpointed the author of a key piece of code used in the alleged cyber attacks on Google and at least 33 other companies last year, according to a new report.


Citing a researcher working for the US government, The Financial Times reports that a Chinese freelance security consultant in his 30s wrote the code that exploited a hole in Microsoft's Internet Explorer browser. The report also says that Chinese authorities had "special access" to this consultant's work and that he posted at least a portion of the code to a hacking forum.


The story follows another report from The New York Times that traced the attacks to a pair of Chinese schools, Shanghai Jiaotong University and Lanxiang Vocational School, claiming that the latter had ties to the Chinese military. A day later, representatives of both schools denied involvement to the Chinese state news agency, and the Lanxiang representative denied ties to the military.


It all sounds like a conspiracy from the TV show 24, with schools tied to the Chinese military and "special" access to underground forums.


It'll be interesting to watch which direction it heads after this and whether it's going to increase the tension between the US and Chinese governments. The whole cyberwar has been going on for quite a while now, with both sides trying to covertly steal information from each other.


So far the author of the code has not been named, and his real identity and purpose are also a little vague.


If I understand correctly what is being implied above, the author of the code posted a PoC (proof of concept) type exploit to a hacking forum.


Someone took this PoC, turned it into a working exploit and attacked 33 US-based companies. If the conspiracists are right, this "someone" would be the Chinese government, and they used the exploit to steal commercially valuable data from some big US players.


Wednesday, January 27, 2010

In Digital Combat U.S. Finds No Easy Deterrent

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.


After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.


These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.


So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.


“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”


But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.


There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.


Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.


“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”


Fighting Shadows


When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack — a battle unlike any they had engaged in.


Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defense Department’s advanced capabilities may not be brought to bear short of a presidential order.


“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”


William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.


Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.


“A fortress mentality will not work in cyber,” he said. “We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.”


The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.


“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”


But first you would have to figure out who was behind the attack.


Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a “Trojan horse” — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.


“You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.


“It’s the nature of these attacks that the forensics are difficult,” the official added. “The perpetrator can mask their involvement, or disguise it as another country’s.” Those are known as “false flag” attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.


Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks and “international engagement to influence the behavior of potential adversaries.”


Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” But he added, “there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.”


Others are less convinced. “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.


In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. “We didn’t even come close,” she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. “There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making.”


Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.


Government-Corporate Divide


In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.


So part of the problem is to calibrate a response to the severity of the attack.


The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a “framework document” that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.


The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.


But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.


Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.


That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.


An Obama administration official who has been dealing with the Chinese mused recently, “You could argue that Google came up with a potential deterrent for the Chinese before we did.”



Secret mobile phone codes cracked

A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users.
Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology.
GSM is the most popular standard for mobile networks around the world.
The work could allow anyone - including criminals - to eavesdrop on private phone conversations.
Mr Nohl told the Chaos Communication Congress in Berlin that the work showed that GSM security was "inadequate".
"We are trying to inform people about this widespread vulnerability," he told BBC News.
"We hope to create some additional pressure and demand from customers for better encryption."
The GSM Association (GSMA), which devised the algorithm and oversees development of the standard, said Mr Nohl's work would be "highly illegal" in the UK and many other countries.
"This isn't something that we take lightly at all," a spokeswoman said.
Mr Nohl told the BBC that he had consulted with lawyers before publication and believed the work was "legal".

GSM encryption was first introduced in 1987

Mr Nohl, working with a "few dozen" other people, claims to have published material that would crack the A5/1 algorithm, a 22-year-old code used by many carriers.

A5/1 is a stream cipher: a 64-bit session key and the current frame number seed three linear feedback shift registers whose combined output is XORed with each 114-bit burst of the call, so that the radio signal cannot be read without the key. (GSM also hops between radio channels, but that is a separate radio-layer mechanism, not the encryption itself.)

It is known to have a series of weaknesses with the first serious flaw exposed in 1994.
Mr Nohl, who describes himself as an "offensive security researcher", announced his intention to crack the code at the Hacking at Random (HAR) conference in The Netherlands in August this year.
"Any cryptographic function is a one way street," he told BBC News. "You should not be able to decrypt without the secret key".
To get around this, Mr Nohl, working with other members of the encryption community, used networks of computers to crunch through "every possible combination" of inputs and outputs for the encryption code, and compressed the results into a set of lookup tables (a time-memory trade-off) that map observed keystream back to the cipher's internal state. Mr Nohl said there were "trillions" of possibilities.
Using the codebook, a "beefy gaming computer and $3,000 worth of radio equipment" would allow anyone to decrypt signals from the billions of GSM users around the world, he said. "It's like a telephone book - if someone tells you a name you can look up their number," he said.
Signals could be decrypted in "real time" with $30,000 worth of equipment, Mr Nohl added.
'Not practical'
It has previously been possible to decrypt GSM signals to listen in on conversations, but the equipment cost "hundreds of thousands of dollars," experts said.
According to Ian Meakin, of mobile encryption firm Cellcrypt, only government agencies and "well funded" criminals had access to the necessary technology.
He described Mr Nohl's work as a "massive worry".
"It lowers the bar for people and organisations to crack GSM calls," he told BBC News.
"It inadvertently puts these tools and techniques in the hands of criminals."
However, the GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".
It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".
The association said that it had already outlined a proposal to upgrade A5/1 to a new standard known as A5/3 which was currently being "phased in".
"All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the spokeswoman said.
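To make the "telephone book" idea concrete, here is an added example, not code from the article or from Mr Nohl's project: a straightforward Python implementation of A5/1 (register lengths, taps and majority clocking as publicly described) together with a reduced-scale codebook. The real attack precomputes tables covering most of the 2^64 internal states via a time-memory trade-off; this toy simply indexes a few hundred sampled states by their first 64 keystream bits, then recovers the victim's state from keystream alone and regenerates the rest of the burst. The session key and frame number are constructed values, and the assumption that the table happens to cover the victim's state is flagged in the code.

```python
"""Added example: A5/1 keystream generation and a reduced-scale codebook lookup.

Not code from the article or from Nohl's project. Register lengths, taps and clocking
rule follow the public description of A5/1; the codebook here is a toy dictionary over a
few hundred sampled states, standing in for the multi-terabyte tables of the real attack.
"""
import random

# (mask, feedback taps, clocking-control bit, output bit) per LFSR; bit 0 is the newest bit.
R1 = ((1 << 19) - 1, 0x072000, 1 << 8, 1 << 18)
R2 = ((1 << 22) - 1, 0x300000, 1 << 10, 1 << 21)
R3 = ((1 << 23) - 1, 0x700080, 1 << 10, 1 << 22)
REGS = (R1, R2, R3)


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def step(reg: int, spec) -> int:
    """Shift the register left by one and feed the parity of the tapped bits into bit 0."""
    mask, taps, _, _ = spec
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    """Three register values; together they are the 64-bit internal state the attacker wants."""

    def __init__(self, state=(0, 0, 0)):
        self.r = list(state)

    def clock_all(self):  # regular clocking, used only while loading key and frame bits
        self.r = [step(v, s) for v, s in zip(self.r, REGS)]

    def clock_majority(self):  # irregular clocking used for output: only registers agreeing with the majority move
        ctl = [1 if v & s[2] else 0 for v, s in zip(self.r, REGS)]
        maj = (ctl[0] & ctl[1]) | (ctl[0] & ctl[2]) | (ctl[1] & ctl[2])
        self.r = [step(v, s) if c == maj else v for v, s, c in zip(self.r, REGS, ctl)]

    def output_bit(self) -> int:
        self.clock_majority()
        return parity(self.r[0] & R1[3]) ^ parity(self.r[1] & R2[3]) ^ parity(self.r[2] & R3[3])

    @classmethod
    def from_key(cls, key: bytes, frame: int) -> "A51":
        """Key setup: 64 key bits then 22 frame bits XORed in LSB-first, then 100 mixing clocks."""
        g = cls()
        for i in range(64):
            g.clock_all()
            bit = (key[i >> 3] >> (i & 7)) & 1
            g.r = [v ^ bit for v in g.r]
        for i in range(22):
            g.clock_all()
            bit = (frame >> i) & 1
            g.r = [v ^ bit for v in g.r]
        for _ in range(100):
            g.clock_majority()
        return g

    def state(self):
        return tuple(self.r)

    def keystream(self, nbits: int = 228) -> int:
        """Keystream as an integer, first bit most significant; 228 bits = 114 A->B + 114 B->A."""
        out = 0
        for _ in range(nbits):
            out = (out << 1) | self.output_bit()
        return out


PREFIX_BITS = 64  # how much observed keystream indexes a table entry


def build_codebook(states):
    """Map the first PREFIX_BITS of keystream back to the internal state that produced them."""
    return {A51(s).keystream(PREFIX_BITS): s for s in states}


def recover_state(codebook, observed: int, total_bits: int = 228):
    return codebook.get(observed >> (total_bits - PREFIX_BITS))


def demo():
    rng = random.Random(2009)
    sampled = [(rng.getrandbits(19), rng.getrandbits(22), rng.getrandbits(23)) for _ in range(256)]
    # Victim side: a session key the attacker never sees (constructed value), frame number 0x134.
    victim = A51.from_key(bytes.fromhex("1223456789abcdef"), 0x134)
    secret = victim.state()
    # Toy assumption: the table happens to cover the victim's state; real tables cover most of the space.
    book = build_codebook(sampled + [secret])
    # In practice the eavesdropper gets keystream by XORing predictable plaintext with the captured burst.
    observed = A51(secret).keystream()
    recovered = recover_state(book, observed)
    regenerated = A51(recovered).keystream() if recovered else None
    return {"secret_state": secret, "recovered": recovered, "keystream_match": regenerated == observed}


if __name__ == "__main__":
    print(demo())
```

The point the article's "telephone book" analogy makes is visible here: once a table maps keystream to state, recovering the state is a lookup rather than a search, and the state regenerates the whole burst's keystream. What separates this toy from a practical attack is only the size and construction of the table, which is exactly where the years of computation went.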

Saturday, January 2, 2010

Cybercrooks stalk small businesses that bank online

From a USA Today article comes a cybercrime trend I have been talking about and working on for more than a year.

A rising swarm of cyber-robberies targeting small firms, local governments, school districts, churches and non-profits has prompted an extraordinary warning. The FBI and the American Bankers Association are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking.
The reason: Cybergangs have inundated the Internet with "banking Trojans" — malicious programs that enable them to surreptitiously access and manipulate online accounts. A dedicated PC that's never used for e-mail or Web browsing is much less likely to encounter a banking Trojan.
And the bad guys are stepping up ways to get them onto PCs at small organizations. They then use the Trojans to manipulate two distinctive, decades-old banking technologies: Automated Clearing House (ACH) transfers and wire transfers.
ACH and wire transfers remain at the financial nerve center of most businesses. ACH transfers typically take two days to complete and are widely used to deposit salaries, pay suppliers and receive payments from customers. Wire transfers usually come into play to move larger sums in near-real time.
"Criminals go where the money is," says Avivah Litan, banking security analyst at Gartner, a technology consulting firm. "The reason they're going here is the controls are antiquated, and a smart program can often get the money out."

Internet-enabled ACH and wire transfer fraud have become so acute that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, has gone public about the scale of the attacks to bring attention to the problem. The FBI, the Federal Deposit Insurance Corp. and the
have all issued warnings in the past two months.
The FBI says it has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million — and successfully made off with $40 million.
The victims are mostly small to midsize organizations using online bank accounts supplied by local community banks and credit unions, FBI analysis shows. "The bad guys are still out there breaking into customers' computers," says Steven Chabinsky, deputy assistant director of the FBI's Cyber Division.
Banking and tech security experts say many more cases of ACH and wire transfer fraud are going unreported mainly because the attacks are new and there are no laws setting forth the rights of online business account holders, the way consumer-rights laws protect accounts held by individuals. The result: Many cases end in civil disputes in which small businesses often lose.
"Our nation's legislators are not doing their job in affording the same protections for business account holders that they do for consumer account holders," says Litan.
Risky business

Several developments make this new form of fraud irresistible for cybercriminals. In a race to win more online business customers, many banks offer high limits on ACH and wire transfers, even though their systems lack modern technologies for detecting fraud, says Terry Austin, CEO of security firm Guardian Analytics.
"Many banks rely heavily on their online channels but fail to implement the necessary protections," says Austin. "Cybercriminals are capitalizing on this opportunity."
Meanwhile, stealthy, malicious programs borne by corrupted Web links lurk everywhere on the Internet: in e-mails, social-network postings, online ads, even search query results. Click on a tainted link, and you could get infected by a cyber-robber's banking Trojan. Hundreds of new banking Trojan variants appear on the Internet every day. The number should top 200,000 in 2009, up from 194,000 in 2008, according to PandaLabs.
The likelihood of any ordinary person getting his or her PC infected by a banking Trojan is so great that Gartner's Litan tells acquaintances who run small businesses to switch from commercial online accounts to an individual consumer account.
That's because consumer-protection laws require banks to fully reimburse individual account holders who report fraudulent activity in a timely manner. However, banks have taken to invoking the Uniform Commercial Code — a standardized set of business rules that have been adopted by most states — when dealing with fraud affecting business account holders. Article 4A of the UCC has been interpreted to absolve a bank of liability in cases where an agreed-upon security procedure is in place and a theft occurs that can be traced to a compromised PC controlled by the business customer.
"It's time for small business to wake up and understand the true risk of online banking," says Litan. "If the bank thinks you were negligent, they do not have any obligation to pay you back."
The Western Beaver County School District in Pennsylvania, for one, is testing this stance. It is suing ESB Bank for executing 74 unauthorized cash transfers totaling $704,610 over four days during Christmas break a year ago. Court records show cash moved into 42 receiving accounts in several states and Puerto Rico. The bank retrieved $263,413 but did not recover $441,197.
ESB's attorney, Joseph DiMenno, says the bank is confident it will be "fully exonerated" but declined to discuss the lawsuit in detail. In a court filing, the bank denied any liability and said the district's "failure to secure and protect" its computers and network were to blame for any damages.
"They were able to reverse some of the transfers, but for others, the money apparently was already gone," says the district's attorney, Brian Simmons, of the Pittsburgh law firm Buchanan Ingersoll & Rooney. "We're not entirely sure who ended up with the funds. But the school district would like its money back."
So, too, would officials in Bullitt County, Ky. Over seven days in June, unauthorized transfers totaling $415,989 were moved out of the payroll account the county kept at First Federal Savings Bank of Elizabethtown. In a resolution authorizing a lawsuit against First Federal, county officials noted that "$105,813.06 of the people's money" had been recovered, while "$310,176.11 remains in the hands of the thieves throughout the country and abroad."
Gregory Schreacke, the bank's president, said in an interview that Bullitt County's "net loss" was actually $299,684. He said the bank stands by its decision not to make the county whole.
"No, we are not going to give it back," says Schreacke. "The county's network did not have an effective firewall, its virus protection software was woefully out of date and the county's treasurer and (chief) executive did not follow internal controls that would have prevented the unauthorized transfers."
The county's attorney, Larry Zielke, says First Federal should have stopped payroll transfers to other states and countries, something Bullitt County, population 75,000, never does. "Customers shouldn't have to protect the banks," says Zielke. "Banks should protect their customers."
Banking analyst Litan says it is unrealistic for the banking industry to promote Internet banking as safe based on the expectation that account holders will continually secure their PCs against cyberintrusions. "Banks should at least put a large disclaimer on their home Web pages advising customers that they bank online at their own risk," she says.
Indeed, any organization that cannot survive a sudden five- or six-figure loss should consider shunning Internet banking altogether, says Amrit Williams, chief technical officer of security firm BigFix. "Online is a very dangerous place for any small organization to be right now," he says. "The guidance for most of them should be, 'Don't bank online unless you absolutely have to.' It is too risky, and there are too few controls to support you if you fall prey to a malicious incident."
Getting the cash

The banking industry acknowledges that online banking is risky and is doing all it can to address those risks without impairing development of electronic banking, says Doug Johnson, senior risk management adviser at the American Bankers Association. He says small businesses should heed the ABA's advice to use a dedicated PC for online banking.
"The fraudulent transactions represent a very small portion of the millions of safe and successful ACH transactions conducted daily by businesses across the country," says Johnson.
The ABA's position is that each bank sets its own policy for how much liability to assign to business account holders when unauthorized transfers occur. In general, "Banks urge business customers to be aware of their responsibility to keep computers used for online banking free of malicious programs," Johnson says.
Meanwhile, cyber-robbers continue to orchestrate online heists of increasing sophistication. Getting the money out is not easy; it requires careful planning and meticulous coordination. According to interviews with law enforcement officials and security researchers, here's how a typical theft unfolds:
First, a researcher spends some time on locating the public Web pages of small businesses, local agencies and smaller organizations in the habit of posting names, and sometimes e-mail addresses, of a comptroller or a senior executive. Next, a graphic designer crafts an official-looking message purporting to come from the IRS or a shipping company addressed to the targeted employee. This is what's known as "spear phishing," a ruse to get the employee to click on a tainted Web link. Clicking on the link swiftly and silently installs a banking Trojan.
One spear-phishing template in wide circulation purports to come from the target's own tech department, says Amit Klein, CTO of security firm Trusteer. It instructs the recipient to click on a link to ensure continued access to the company's Outlook e-mail system. "It's well-crafted and very effective," says Klein.
Banking Trojans can be simplistic. One common variety readily for sale on the Internet installs keystroke loggers that record banking account log-ons typed by the PC user. The robber later uses the log-on to access the account. Others are intricate, crafted to defeat the single-use PIN codes, smart cards, security certificates and biometric scanners some banks require for ACH transfers and wire transfers.
One such Trojan discovered by Trusteer set up a special chat channel to alert the attacker whenever the victim began to type in a key-fob-issued PIN code, which remains valid for 60 seconds. Acting quickly, the robber would then log on and set up a transfer, undetected, while the employee carried on other banking transactions.
"The problem is growing, and the sophistication is increasing," Klein says.
Micropayments

Randy Vanderhoof counts himself lucky. The executive director of Smart Card Alliance, a Princeton Junction, N.J., non-profit advocacy group, moved quickly when he noticed suspicious wire transfers from the group's Bank of America online banking account in July.
The first two transfers were two micropayments, for 95 cents and 31 cents, that went to the same account at ING, an online-only bank. That was followed two days later by a transfer of $25,000 into the ING account, followed by three more transfers for $25,000 and one of $24,800 in the ensuing four days, one transfer a day.
Vanderhoof alerted Bank of America quickly enough for it to recover all of the transfers. He figures the micropayments were tests and that the subsequent big transfers indicate that the robber was being frustrated in attempts to convert the deposits into cash.
He figures ING probably had the account under surveillance. But he doesn't know because he says the banks did not satisfy his requests for a detailed explanation. ING declined to comment. Bank of America follows industry practice of not discussing customer cases, says spokeswoman Tara Burke. The bank takes security seriously and offers customers a wide array of security tools and services, she says.
Vanderhoof closed the breached account and opened a new one, begrudgingly agreeing to pay Bank of America $125 more a month in fees for a service that permits transfers only from pre-approved parties. The service recently has blocked unapproved transfers of 12 cents, 25 cents and 38 cents.
He concludes would-be cyber-robbers have obtained the log-on details to the new account and are testing whether the bank will make unauthorized transfers.
"Our account is still out there, still getting hit with these probe transfers," he says. "I guess the only thing the bad guys haven't figured out is that they're not on our approved list."
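Two checks fall out of Vanderhoof's account: the probe-then-drain pattern is detectable in outgoing transfer activity, and a pre-approved payee list stops both the probes and the drains. The following is an added example, not code from the article or from any bank: both checks run over transfers constructed from the amounts in the story. Payee identifiers and the payroll vendor are made up.

```python
"""Added example, not from the article: two checks a treasury team can run
over outgoing ACH/wire activity. The first flags the pattern described above,
sub-dollar 'probe' transfers to a payee followed within days by large
transfers to the same payee. The second is the control Vanderhoof bought:
transfers are allowed only to a pre-approved payee list. The transfers are
constructed from the amounts in the article; payee identifiers and the
payroll vendor are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    day: int           # day offset within the month (constructed)
    payee: str         # destination account identifier
    amount_cents: int  # amount in cents


PROBE_MAX_CENTS = 100         # "micropayment": under one dollar
LARGE_MIN_CENTS = 1_000_000   # $10,000 and up
LOOKBACK_DAYS = 7             # a probe older than this is not linked to a drain


def probe_then_drain(transfers):
    """Return the large transfers whose payee received a probe transfer in the
    preceding LOOKBACK_DAYS (inclusive of the same day)."""
    by_payee = defaultdict(list)
    for t in transfers:
        by_payee[t.payee].append(t)
    flagged = []
    for ts in by_payee.values():
        probe_days = [t.day for t in ts if t.amount_cents <= PROBE_MAX_CENTS]
        for t in sorted(ts, key=lambda x: x.day):
            if t.amount_cents >= LARGE_MIN_CENTS and any(
                    0 <= t.day - d <= LOOKBACK_DAYS for d in probe_days):
                flagged.append(t)
    return flagged


def enforce_approved_payees(transfers, approved):
    """Positive-pay style control: partition transfers into (allowed, blocked)
    by whether the payee is on the pre-approved list. Probes are blocked too,
    which is what makes them visible as 'unapproved transfers of 12 cents'."""
    allowed, blocked = [], []
    for t in transfers:
        (allowed if t.payee in approved else blocked).append(t)
    return allowed, blocked


# Constructed from the article: two probes, then $25,000 two days later,
# then three more $25,000 and one $24,800, one per day. Plus one legitimate
# payroll transfer to show the checks leave normal activity alone.
SAMPLE_JULY = [
    Transfer(1, "ing-acct-x", 95),
    Transfer(1, "ing-acct-x", 31),
    Transfer(2, "payroll-vendor", 1_500_000),
    Transfer(3, "ing-acct-x", 2_500_000),
    Transfer(4, "ing-acct-x", 2_500_000),
    Transfer(5, "ing-acct-x", 2_500_000),
    Transfer(6, "ing-acct-x", 2_500_000),
    Transfer(7, "ing-acct-x", 2_480_000),
]
APPROVED_PAYEES = {"payroll-vendor"}


if __name__ == "__main__":
    for t in probe_then_drain(SAMPLE_JULY):
        print(f"day {t.day}: ${t.amount_cents / 100:,.2f} to {t.payee} follows probe transfers")
    allowed, blocked = enforce_approved_payees(SAMPLE_JULY, APPROVED_PAYEES)
    print(f"{len(allowed)} allowed, {len(blocked)} blocked by approved-payee list")
```

The detection is only useful if it runs before settlement or feeds a same-day review; the allow-list is the control that actually prevents loss, which is why the probes against Vanderhoof's new account show up as blocked transfers rather than as losses.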

Friday, December 11, 2009

Bank Login-Stealing Botnet Found Hiding in Amazon Cloud

We've all heard security researchers flail about the vulnerabilities of cloud computing; well, here's some interesting news.

Black-hat hackers got into an unnamed website hosted on Amazon's servers and then proceeded to install an illegal command and control infrastructure. Named America's number one most wanted botnet, Zeus was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.

The Zeus Trojan is a keylogger designed to steal data such as login credentials, account numbers and credit card information. It creates fake HTML forms on banking login pages to allow hackers to steal user data. This particular botnet has been linked to around $100 million in bank fraud in 2009.
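The fake forms mentioned above are injected into the bank's genuine page inside the victim's browser, after TLS, so the bank's servers never see them. The following is an added example, not code from the article or from any Zeus sample: given a captured copy of the page as the browser rendered it (from a proxy log or a support ticket), it lists the input fields the real login form does not have. The HTML and field names are constructed.

```python
"""Added example, not from the article or from any Zeus sample: a way to
spot a form-grabbing inject after the fact. The Trojan adds extra inputs to
the bank's genuine login page inside the victim's browser, so the bank's
servers never see them; a captured copy of the rendered page (from a proxy
log or a support ticket) can be compared against the field names the real
form is known to have. All HTML and field names below are constructed."""
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collect (name, type) for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":  # HTMLParser already lower-cases tag names
            a = {k.lower(): (v or "") for k, v in attrs}
            self.inputs.append((a.get("name", ""), a.get("type", "text").lower() or "text"))


def collect_inputs(html: str):
    parser = InputCollector()
    parser.feed(html)
    parser.close()
    return parser.inputs


def unexpected_fields(observed_html: str, expected_names):
    """Inputs present in the observed page that the genuine form does not have.
    Unnamed inputs (e.g. a plain submit button) are ignored; hidden fields are
    not, because an inject can just as well use a hidden field for exfiltration."""
    expected = set(expected_names)
    return [(name, typ) for name, typ in collect_inputs(observed_html)
            if name and name not in expected]


# What the hypothetical bank's login form really contains.
GENUINE_FIELDS = ["user_id", "password", "csrf_token"]

CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <label>User ID <input name="user_id"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Sign in">
</form>"""

# Same page as the victim's browser rendered it, with two injected inputs
# asking for data the bank never requests at login.
INJECTED_PAGE = CLEAN_PAGE.replace(
    '<input type="submit"',
    '<label>ATM PIN <input type="password" name="atm_pin"></label>\n'
    '  <label>Social Security Number <input name="ssn"></label>\n'
    '  <input type="submit"')


if __name__ == "__main__":
    print("clean page:", unexpected_fields(CLEAN_PAGE, GENUINE_FIELDS))
    print("injected page:", unexpected_fields(INJECTED_PAGE, GENUINE_FIELDS))
```

The same comparison can be run on the server side against the field names that actually arrive in the POST body: a login request carrying `atm_pin` or `ssn` when the form never asked for them is a strong signal that the customer's machine is infected, regardless of whether the credentials are valid.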

Although we don't yet have details on exactly how the website in question was hacked, we have learned that the software has been removed from the Amazon cloud. This incident is the first example of malware being found on AWS' infrastructure.

As we were warned by black hats in April this year, cloud computing carries certain risks and opportunities for exploitation. Our own Sarah Perez wrote:

In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on EC2... While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were built by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.
As John Pescatore told the Financial Times, "The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."

Will hackers continue to employ web services to carry out their schemes in 2010? Twitter, Facebook, Google Apps, and now Amazon Web Services have all been used for evil this year. How can websites, corporations, and end users be smarter about online security to avoid personal and financial loss next year? Let us know what you think in the comments.

Thursday, October 8, 2009

Lawsuit: A Heartland Manager Resigned Because Of PCI Compliance Issues

As the lawsuits involving Heartland’s massive data breach move through the court system, an unusual claim was inserted into a court filing. The Sept. 23 filing in the U.S. District Court for the Southern District of Texas was trying to raise questions about Heartland’s post-breach conduct. It then shared the following anecdote without further explanation.
“On the day after the data breach, Heartland conducted a webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. Upon information and belief, Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had “good cause” to leave her position at Heartland based, in part, on Heartland’s conduct.” That might prove quite significant or it could be an irrelevant red herring. Either way, it’s not the kind of detail we see very often.

Tuesday, October 6, 2009

NATO’s Rasmussen on Cyber Risks

On 1 October, NATO Sec Gen Anders Fogh Rasmussen spoke on the emerging security risks of piracy, cyber and climate change. Most of his speech concerned the latter, but he had this to say about responding to cyber threats:
Cyber security – our second topic today – is another case in point.  Government and private companies launch cyber-attacks.  Governments and industry suffer the consequences, in terms of lost revenue, lost data and lost services.  And it will take cooperation between the public and private sectors to build real defences.
We also want to do better at cyber defence.  NATO’s Cyber Defence Centre is a good step in the right direction.  But the sustained, directed cyber attacks Estonia suffered a couple of years ago show that the problem is much bigger than that.  On both subjects, I’m very much looking forward to the discussions today.
But there is a fundamental difference between, on the one hand, piracy and cybersecurity, and climate change on the other.  In the first two cases, the threat is very clear.  We know what a pirate looks like – and no, I’m not thinking of someone with an eye patch and parrot on his shoulder.  I’m thinking of someone well armed and ruthless.  The kidnapping and ransom is taking place now.  The costs to industry and Governments are easily calculated.  And while implementing them might be difficult, we have a pretty good idea of what the right solutions might be.
The same is true of cyber defence.  Attacks on industry and government websites and information systems are already a daily occurrence.  Again, the costs are pretty easy to calculate.  And while we are certainly able to do better, we have a general idea of the steps we should take. The challenge is figuring out how to do it.
Although referring principally to climate change, his concluding comments were also applicable to cyber:
This cannot be done by the defence people alone.  It has to be a true team effort: civilian and military, public sector and private companies as well – all talking together, and working out mutually reinforcing efforts.  That might seem unrealistic, to those of us who have been in politics a few years.  No glacier is as imposing, no desert so impassable as the stovepipes within Governments.  Then again, sailors never thought the mythical North-West Passage would ever open. But it is opening.  Anything’s possible.
Rasmussen’s right – the door is opening (the North-West Passage metaphor, if it was meant as a metaphor, is a curious one; I thought it was a bad thing, what with the Arctic ice melting like billy-o ‘n all) but not very wide.

Friday, October 2, 2009

"Debt Slavery" Replaces Physical Slavery

This form of "debt slavery" or "debt peonage" was not just an accidental development of history. It was a deliberately-planned alternative to the slave arrangement in which owners were responsible for the feeding and care of a dependent population, and it is still with us today. Although European financiers were in favor of an American Civil War that would return the United States to its colonial status, they admitted privately that they were not necessarily interested in preserving slavery. They preferred "the European plan": capital could exploit labor by controlling the money supply, while letting the laborers feed themselves. In July 1862, this ploy was revealed in a notorious document called the Hazard Circular, which was circulated by British banking interests among their American banking counterparts. It said:

Slavery is likely to be abolished by the war power and chattel slavery destroyed. This, I and my European friends are glad of, for slavery is but the owning of labor and carries with it the care of the laborers, while the European plan, led by England, is that capital shall control labor by controlling wages. This can be done by controlling the money. The great debt that capitalists will see to it is made out of the war, must be used as a means to control the volume of money. To accomplish this, the bonds must be used as a banking basis. . . . It will not do to allow the greenback, as it is called, to circulate as money any length of time, as we cannot control that

http://www.webofdebt.com/articles/debt-serfdom.php

Wednesday, September 23, 2009

Cyber Attacks Target Foreign Media in China


A Reuters newswire story by Lucy Hornby, via MSNBC, reports that:

Foreign media in China have been targeted by e-mails laden with malicious computer software in attacks that appear to be tied to the run-up to the National Day military parade on October 1.

While spam and viral attacks are not uncommon, the latest wave is part of a pattern of increasingly sophisticated e-mails tailored to tempt foreign reporters, rights activists and other targets to open infected attachments.

On Oct 1, the Communist Party is celebrating 60 years of rule over mainland China with a military parade. Beijing has tightened security ahead of the anniversary, with armed paramilitary troops at subway exits during rehearsals and neighborhood residents recruited to watch over the streets.

"There is definitely a pattern of virus attacks in the run-up to important dates on the Chinese political calendar," said Nicholas Bequelin of Human Rights Watch in Hong Kong. He noted that non-government organizations are also favorite targets.

Credit card fraud might have played role in financing Mumbai terror attacks, expert suggests

Indian authorities have recovered $1,200 and several credit cards from a backpack carried by one of the terrorists who assailed ten targets in Mumbai, killing at least 172 people and injuring hundreds of others, according to press reports. The presence of the cards might signal that credit card fraud helped fund the terror attacks, Dennis Lormel, an anti-money laundering consultant who once led the Federal Bureau of Investigation’s anti-terrorist financing unit, told Complinet.

The credit cards in question reportedly were issued by Citibank, HSBC, ICICI Bank, Axis Bank, HDFC Bank and State Bank of Mauritius.

“I’m interested in the potential credit card fraud as a funding source and operational support mechanism,” Lormel said.

For Lormel, the possible link between credit card fraud and the Mumbai terrorist attacks is more than a fleeting interest. He has long feared that terrorists are becoming increasingly adept at generating funds through such illicit schemes; he recently wrote a white paper in which he dubbed credit card fraud a “growth industry” for terrorists.

“There is no empirical statistical data establishing the nexus between credit card exploitation and terrorism, but there are ample anecdotal case studies demonstrating how extensively terrorists rely on credit card information in furtherance of their heinous activities,” Lormel wrote in his paper.

Alternative funding sources

Lormel added that a previous Complinet article examining how the Mumbai attacks might have been funded “presents interesting and viable possible funding sources.”

“It’s highly likely hawalas were used. Wealthy individual donors and charities could be funding sources, as pointed out. It will be interesting to determine if drugs and other criminal activities contributed. Likewise, the nexus between Dawood Ibrahim and the attack should be one of the highest investigative priorities,” he said.

“The attack itself will play out to be inexpensive. The overall operation will be much costlier when you factor in the training and subsistence of the attackers and their logistical support element.”

Still, Lormel conceded that it may be some time before authorities can say with any degree of certainty how the murderous rampage was funded.

“It’s too early to understand the scope of the funding for the attacks,” he said.