The office of NASA's Inspector General released a report this week titled "Inadequate Security Practices Expose Key NASA Network to Cyberattack," which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.

The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight progam to reduce future risks.

From a related story in the Huntsville Times:

Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.

NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville's Marshall Space Flight Center, to make sure computers are secure.

And more about the past intrusions, directly from the NASA Inspector General's report: Read the rest

The Guardian reports that three UK teenagers who created and ran "one of the world's largest English-language internet crime forums," described in court as "Crimebook", have been sentenced to up to 5 years in jail. Authorities estimated that losses from credit card data traded over Gh0stMarket.net totaled more than $26 million dollars. Threatening to blow up the head of the police unit in charge of internet crimes after an earlier arrest was probably an unwise move:

The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts. Nicholas Webber, the site's owner and founder, was arrested in October 2009 with the site's administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.

After seizing Webber's laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.

Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers' addresses.

Security reporter Brian Krebs has a fascinating piece up on Pavel Vrublevsky, founder of Russia's biggest online payment processor, ChronoPay. Krebs reports that this man also co-owns Rx-Promotion, an online pharmacy that sells tens of millions of US dollars worth of controlled pills to Americans each year: Valium, Percocet, Tramadol, Oxycodone, and other substances with high street resale value. Just before Krebs arrived in Russia to meet with Vrublevsky, "several truckloads of masked officers from Russian drug enforcement bureaus" raided a private party thrown for the top moneymakers of Rx-Promotion (that's their promotional banner, above). Snip:

I hadn't told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.

"Duuuuuuuudddde!," he answers. "It's 7 a.m. where you are, who died?"

I reply that I am in fact in his time zone and that we should meet. After another long "Duuuuuuuuddde!" Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he'll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she's coming, he says.

Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel's revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door.

This. Note the dot-mil and dot-govs, and good heavens, the affordable pricing. Fascinating story behind the screengrab over at Krebs on Security. Read the rest

Two suspects are charged with federal crimes for hacking AT&Ts website in 2010 to obtain personal data of more than 100,000 iPad users. From Kim Zetter's Wired News piece:

Daniel Spitler, 26, of San Francisco, Calif., was charged in New Jersey on Tuesday with one count of identity fraud and one count of conspiracy to access a computer without authorization. Andrew Auernheimer, 25, of Fayetteville, Ark., was charged in Arkansas for the same crimes.

The chat transcripts really do say it all:

Spitler: I hit fucking oil

Auernheimer: loooool nice

Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?

Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party

Two Charged in AT&T Hack of IPad Customer Data (Wired News)

Read the rest

Information designer Jess Bachman's latest creation explores the "financial motivations and transaction that take place in the underground malware and trojan markets." The flow chart "follows the point of infection to monetary gain of the botmasters, scammers and fraudsters who operate these nefarious lines of code." View the full image. Read the rest

I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries--not bad enough to blow the whistle.

Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.

After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers--'cause hey, that's how I roll--I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which are probably on millions of PCs and often escape the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy. Read the rest

As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have my read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.

On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.

Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.

To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Read the rest

I am delighted to welcome author and journalist Joseph Menn (web / Twitter / Facebook) to Boing Boing as guestblogger. His most recent book, Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, was published this January in the US and comes out today in an updated paperback form.

From his bio:

Menn has spoken at major security conferences including RSA, Black Hat DC and DefCon on his findings, which include hard evidence that the governments of Russia and China are protecting and directing the behavior of some of the world's worst cyber-criminals. He also has given invited talks at meetings convened by the US Secret Service and Federal Deposit Insurance Corp.

"Fatal System Error accurately reveals the secretive global cyber cartels and their hidden multibillion-dollar business, proving cybercrime does pay and pays well," said Richard A. Clarke, special advisor to President George W. Bush for cyber security. The New Yorker magazine said it was "riveted" by the tale, comparing it to the novels of Stieg Larsson, while Business Week called it "a fascinating high-tech whodunit." Fatal System Error has been placed on the official reading list of the US Strategic Command and is being translated into Chinese, Japanese and Korean.

Menn has reported on technology for more than a decade at the Financial Times and the Los Angeles Times, mostly from his current base in San Francisco. His coverage areas for the FT include technology security and privacy, digital media, and Apple and the PC industry.