Hackers take Yahoo: 453,000 login credentials nabbed

Dan Goodin at Ars: "The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. ... To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts."

Cable hacker jailed

A good old fashioned hardware hacker is off to jail for 3 years for selling rooted modems. The boxes gave cable users actual unlimited internet. P.S. His book, Hacking the Cable Modem: What Cable Companies Don't Want You to Know, is available at Amazon.

NSA Built Stuxnet, but Real Trick Is Building Crew of Hackers

After decades of waging a scorched earth war against hackers, the US government is now complaining about a shortage of hackers it needs to conduct cyberwarfare.

Stuxnet, the worm that targeted Iran's nuclear facilities, was created by US and Israel


Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.

Reporting for the New York Times, David Sanger confirms what internet security researchers suspected all along: Stuxnet, the worm that targeted computers in Iran's central nuclear enrichment facilities, was a US/Israeli project and part of an expanded effort at cyberweaponry by the Obama administration.

Read the rest

Cyber-weapon Flame, "most complex malware ever," identified by Kaspersky Lab

The Moscow-based security firm credited with solving various mysteries around Stuxnet and Duqu today announced the discovery of Flame, a data-stealing virus said to have lurked on thousands of computers in the Mideast for as long as 5 years. A Kaspersky Lab spokesperson described it in a Reuters interview as "the most complex piece of malicious software discovered to date."

Adds Bruce Sterling, "Given that this has been out in the wild for a couple of years now, what’s five times bigger than 'Flame' and even less understood?"

Writing today at Wired News, Kim Zetter reports that Flame is believed to be "part of a well-coordinated, ongoing, state-run cyberespionage operation."

Kaspersky has a FAQ about Flame, here.

(Image: Kaspersky Labs)

New Skype malware threat reported: Poison Ivy

Dancho Danchev reports an incident in which a friend pinged him at an odd hour on Skype "with a message pointing to what appeared to be a photo site with the message 'hahahahaha foto' and a link to hxxp://random_subdomain.photalbum.org." Yup, malware. The Poison Ivy trojan is spreading across Skype. [webroot via Joseph Menn]

Fooling facial recognition surveillance cameras with cunning and crocheting


[Video Link]

Canadian yarn-lover and privacy-lover Howie Woo has developed an ingenious system for thwarting surveillance cameras that use face recognition technology. His solution involves crochet and LOLs. Here are more photos (via the Boing Boing Flickr Pool). More about Howie's playful creations here.

Anonymous rocked by revelation that top LulzSec hacker was FBI snitch

Quinn Norton has an excellent piece over at Wired:Threat Level on the reactions within "Anonymous" to the news that LulzSec frontman "Sabu" (photo above) was collaborating with the FBI. Kim Zetter's take on the arrests and secret plea deals is here.

LulzSec frontman Sabu was FBI informant, fed Stratfor docs to Wikileaks from an FBI-owned computer

The Guardian has more on the big hacking news which Fox News broke yesterday (as noted in a post by Rob). "Sabu," the trash-talking, self-appointed leader of LulzSec, has been working for the FBI for the last six months. The FBI says he helped the US and various European governments identify and arrest five alleged LulzSec members charged with participating in defacement, DDOSing, and "doxing" against high-profile government and corporate targets. Sabu (above) is, in now identified as Hector Xavier Monsegur, a 28-year-old unemployed Puerto Rican guy living in New York, and a father of two. He was charged with 12 criminal counts of conspiracy to engage in "computer hacking and other crimes" last year, pled guilty in August, 2011, then "snitched" on his LulzSec friends.

Here's the FBI news release, which notably omits the names of any prosecutors (perhaps for fear of Anonymous attack).

Snip from Guardian story:

His online "hacker" activity continued until very recently, with a tweet sent by him in the last 24 hours saying: "The feds at this moment are scouring our lives without warrants. Without judges approval. This needs to change. Asap."

In a US court document, the FBI's informant – there described as CW – "acting under the direction of the FBI" helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK's Serious and Organised Crime Agency in February. Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.

A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

The indictments mark the most significant strike by law enforcement officials against the amateur hacker groups that have sprung out of Anonymous. These groups, which include LulzSec, have cost businesses millions of pounds and exposed the credit card details and passwords of nearly 1 million people.

Read the rest

Report: LulzSec members arrested

Fox News' Jana Winter reports that LulzSec's Sabu was caught and turned by the authorities last June and has been working with them since. Other members of the group were arrested today as a result, she writes; details will be unsealed today in district court. The name given, Hector Xavier Monsegur, would confirm earlier outings and doxings from the same period. Last June saw the group publicly suspend operations, if you'll recall, and suffer its earliest arrests.

Spain, South America arrest 25 in Anonymous crackdown, with Interpol assist

With help from the international police organization Interpol, Spain and three South American countries today arrested 25 people who are suspected of being Anonymous activist/hacktivist/hackers. They are accused of defacing government and corporate websites. Reuters:

Spanish police also accused one of four suspects picked up in the cities of Madrid and Malaga of releasing personal data about police officers and bodyguards protecting Spain's royal family and the prime minister.

Other arrests were in Argentina, Chile and Colombia, and 250 items of computer equipment and mobile phones were seized across 15 cities, Interpol said. Colombia's Ministry of Defence and presidential websites as well as Chile's Endesa electricity company were among the targets of the hackers, it said.

And not coincidentally, the Interpol website has been intermittently offline today.

Shit programmers say

"Shit Programmers Say" -- a worthy addition to the series and a trenchant comment on the inherent interiority of programming.

Shit Programmers Say (via Waxy!)

Newt threatens Russia, China with cyberwar

“I think that we have to treat state-based covert activities as the equivalent of acts of war. And I think that we have to respond to that and create a level of pain which teaches people not to do it.” US presidential candidate Newt Gingrich, responding to a question about countries that target U.S. corporate and government information systems.

Stratfor hacked; clients and credit card numbers exposed

Intelligence and security research group Stratfor was hacked Saturday, and a a list of clients, personal information and credit card numbers purloined from its servers.

Having exposed the group's customers, the hackers apparently used the card numbers to make donations to the Red Cross and other charities.

The New York Times' Nicole Perlroth writes that the attack was also likely intended to embarrass Stratfor. She ends with a curious quote from Jerry Irvine, a member of the Department of Homeland Security's cybersecurity task force:

“The scary thing is that no matter what you do, every system has some level of vulnerability,” says Jerry Irvine, a member of the National Cyber Security Task Force. “The more you do from an advanced technical standpoint, the more common things go unnoticed. Getting into a system is really not that difficult.”

Sure, if it's a web server, exposed to the public by design.

But Stratfor didn't just expose a website to the public. It also, apparently, put all this other stuff online, in the clear, for the taking.

It's true that websites are like storefronts, and that it's more or less impossible to stop determined people from blocking or defacing them now and again.

Here, however, it looks like Stratfor left private files in the window display, waiting to be grabbed by the first guy to put a brick through the glass.

Now, I'm not a member of the national IT security planning task force. But I'm pretty sure that putting unencrypted lists of credit card numbers and client details on public-exposed servers isn't quite explained by "no matter what you do, every system has some level of vulnerability."

UPDATE: One Anon claims that the hack was not the work of Anonymous. However, the usual caveats apply: no structure, no official channels, no formal leaders or spokespersons.

How Lord Sugar taught me to hack stuff

This piece was originally published on a now-defunct website for general audiences. It now lives on here in vaguely inappropriate perpetuity

My first computer was a Sinclair ZX Spectrum, most likely bought at Dixons in Worthing, England, circa 1986. But that's not the one I'd like to talk about, because it was defective and went right back to the store.

Dad, convinced by Clive Sinclair's legendary quality control that you get what you pay for, opted for the expensive Amstrad CPC over a replacement or a Commodore 64. Together, these three machines were the ruling triumvirate of 8-bit home computing in Thatcher's Britain. The Amstrad wasn't much different to the Commodore -- brighter graphics, tinnier sound -- but came with a built-in tape deck, a crisp color monitor, and a decent warranty.

Read the rest