Category Archives: Internet -Player

Black Hat Google Hacking Goes After China – www.esecurityplanet.com

Search engines aren’t just for finding Web content, they can also be valuable tools for security research.

At Black Hat 2010, researchers from Stach and Liu released Google and Bing tools called GoogleDiggity and BingDiggity. Those tools enable researchers to leverage those search engines to find security vulnerabilities in websites and applications. For Black Hat 2011, the researchers are back, and this time they’re expanding their tools, providing new capabilities to find and identify security risk with the help of search engines.

“This year we’re adding a whole host of tools including a Windows desktop application as well as an iPhone app,” Stach and Liu security researcher Francis Brown said.

via Black Hat Google Hacking Goes After China – www.esecurityplanet.com.


Cyber Weapons: The New Arms Race – BusinessWeek

The Pentagon, the IMF, Google, and others have been hacked. It’s war out there, and a cyber-weapons industry is exploding to arm the combatants.

Cyber attacks used to be kept quiet. They often went undiscovered until long after the fact, and countries or companies that were hit usually declined to talk about attacks. That’s changed as a steady flow of brazen incursions has been exposed. Last year, for example, Google (GOOG) accused China of spying on the company’s workers and customers. It said at the time that at least 20 other companies were victims of the same attack, nicknamed Operation Aurora by the security firm McAfee (INTC). The hacked included Adobe Systems (ADBE), Juniper Networks (JNPR), and Morgan Stanley (MS). Joel F. Brenner, the head of U.S. counterintelligence until 2009, says the same operation that pulled off Aurora has claimed many more victims over several years. “It’d be fair to say that at least 2,000 companies have been hit,” Brenner says. “And that number is on the conservative side.”

via Cyber Weapons: The New Arms Race – BusinessWeek.


U.S. questioned China about Change.org attack ( – Internet – Security – Government )

The U.S. State Department questioned the Chinese government about a cyberattack that had temporarily shut down the website Change.org after the site hosted a petition urging Chinese authorities to release artist Ai Weiwei from custody.

U.S. deputy assistant secretary Daniel Baer raised concerns about the attack in April with China’s foreign ministry, according to an official letter sent from the State Department to U.S. Rep. Rosa DeLauro. Change.org obtained a copy of the letter and released it on Tuesday.

The nature of those talks is still unclear. The U.S. Embassy in Beijing said it had no current information on the matter and deferred to the State Department. China’s foreign ministry has yet to respond to a request for comment.

Change.org, an online petitioning platform, was the victim of a distributed denial of service (DDoS) attack originating from China on April 17. The attacks nearly brought down the site for days.

DDoS attacks can do this by using hundreds or thousands of hacked computers to drive enough traffic to a website. The data will become so overwhelming that the site will become inaccessible to normal users.

Change.org said the DDoS attacks from China are still ongoing and continue to bring down the site intermittently. The FBI is investigating the case, said Benjamin Joffe-Walt, an editor with Change.org.

Change.org said the DDoS attack was its first. The site’s founder Ben Rattray believed the incident was connected to an online petition calling for the release of Chinese artist Ai Weiwei, who is still under arrest. When the attack occurred in April, the petition had attracted about 100,000 people. Now the petition has more than 142,000 signatures.

Ai Weiwei’s arrest followed the detainment of other human rights activists in China after online postings were made starting this February calling for a Jasmine revolution against the Chinese government. Since then, authorities have increased their censorship of the Web, and have been quick to block searches for sensitive words relating to protest actions.

China has been named the country of origin for several other cyber attacks. This month, Google said it had disrupted a targeted phishing campaign meant to break into the Gmail accounts of government officials, political activists and military personnel. Google said the cybercampaign had originated from Jinan, China.

Previously, the search giant was the victim of another attack coming out of China back in 2009 that was aimed at accessing the Gmail accounts of Chinese human rights activists.

China, however, has denied it sponsors any cyber attacking, and claims that the country is also a victim of hacking attempts.

via U.S. questioned China about Change.org attack ( – Internet – Security – Government ).


The Alarming Growth of Global Cyber Menace – Hacking | Asian Tribune

When Gmail accounts of some of the US state officials were hacked two weeks ago, the Defence Department categorized any serious cyber attack as an act of war. Since Google had tracked down the source of the attack to a certain province in China, it was all too clear that the Pentagon was not beating about the bush while taking the cyber threat seriously. The Gmail attack came hot on the heels of another high-profile attack – Lockheed Martin Corporation, the high-tech defence firm. Having been annoyed by implicit accusation, China hit back at Google by warning that the company would face the music, if it accused the Chinese government of covert involvement.

The disturbing cyber nuisance did not end there. The servers of Sony, the entertainment giant, were subjected to two successive hacking within a matter of days. On the first occasion – the more serious one – the accounts of millions of had been hacked into and then details were stolen; the servers of Nintendo suffered the same fate. On June 3, the servers of Codemasters, the largest UK game publisher, were hacked. The hackers did not spare even the National Health Service of the UK; there has been a breach of security in some servers, according to media reports.

The spate of attacks has pushed millions of online users, not necessarily the folks who play games, into a state of perpetual anxiety. Since the hackers have been able to stay a few rungs above the security experts along the learning curve, it’s high time the threat was treated as something against the whole online community, not just selected strata of it.

The companies, which have been affected, are counting the cost in terms of loss of both revenue and reputation. Although, they assure the customers of better security mechanisms in future – and when the horse had left the barn, of course – restoring customer confidence is going to be an uphill struggle for the companies in question.

According to the details that came out so far, the hacking had been performed by duping the customers into web pages which looked identical to what they normally had been familiar with; once signed in, they had been taken for a ride, to say the least.

So, the companies affected implied that the customers should not have done that; well, how do ordinary folks distinguish between a real one and a fake one, when they look almost similar? The explanations have not gone far enough to address the serious side of the issue; all they can say is warning the public to be on their guard at all times – and they already are.

These high profile hackings are not the works of adventurous individuals, carried out in their bedrooms as a way of fighting boredom. Nor are they the works of teenagers, who could spare hours on computers in typing in endless combinations of characters into login names and passwords, in the hope that one of them would make them lucky by pure chance – one day. The nature of sophistication clearly shows the involvement of highly organized individuals – perhaps, with a substantial technical background – who are prepared to break hell loose, if they can get away with it.

The two groups, which are at the forefront of hacking, are Anonymous and LulzSec. The former claims to be a ‘leaderless structure’ while the latter introduces itself as the ‘world’s leaders in high-quality entertainment at your expense.’ Who can disagree with them?

Anonymous has been in the habit of hacking into government websites in order to teach them a ‘lesson’; it was at its peak of activities, known as ‘hacktivity’, when Wikileaks were coming out in dribs and drabs. LulzSec, meanwhile, claims that since fun is restricted to Fridays, they are going to extend it beyond that – and to the weekend. Whether what is fun for LulzSec, is certainly fun for everyone, remains to be seen in the days ahead!

In addition, there are clumsy hackers too. I keep getting an email from one such stupid hacker, who is in the habit of urging me to collect a parcel from a well-known courier service while clicking on a link provided. However, he could not completely conceal the tentacles of idiocy: the ‘To’ field of the email consists of a chain of email addresses, not just mine. So, I decided to keep getting the emails for academic purposes, without diverting them into a spam folder.

If a user can be duped by such an email, then of course, big companies cannot be blamed for mistakes of that kind. In short, users have to be a bit responsible too while logging into similar-looking web sites and opening unsolicited emails.

As the menace of hacking reached fever pitch, some countries in South East Asia have started cracking down on potential hackers – finally. The arrests have been made in Malaysia, Indonesia and Taiwan. However, this is just the tip of the colossal iceberg.

The geography of the places where hackers were found, the time taken before the action being carried out and the abundance of other regional criminal activities, do not paint a serene picture for the online community in particular, and the law-abiding global citizens in general.

If the governments in question keep treating the threat as trivial or non-existent, the trend can easily give a cumulative nasty shock for all of us at an unexpected time – something from which we may not recover without paying a heavy collective price.

via The Alarming Growth of Global Cyber Menace – Hacking | Asian Tribune.


China Cyber Attack Fallacies

Google recently announced a spear phishing campaign that had been going on for over a year and which appears to originate from Jinan, China that targeted the personal Gmail accounts of hundreds of various persons of interest, presumably to the Chinese government.

The proof to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported on the story for the Wall Street Journal, failed to disclose was that other countries’ IP addresses were used as well, including South Korea and the United States. Copies of the spoofed emails, along with the originating IPs, were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, two were from Hong Kong, two were from Beijing, one was from Seoul, and one was from New York:

2) 115.160.146.16: Hong Kong (Wharf TT Ltd)
4) 218.56.239.206: Beijing (China Unicom)

In 2010, TeleGeography rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, serving 20 percent of all broadband customers on earth. And neither company restricts its customer base to residents of the People’s Republic of China. Anyone can buy server time on any of these mainstream Chinese ISPs: China Telecom; China Mobile; China Unicom; and HiChina Zhicheng Technology Ltd.

Payment per year ranges from 5,000 yuan to 25,000 yuan ($770 to $3,860), and can be made via bank online transfer, domestic and international wire, Alipay (China’s Paypal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and set up an email account that will resolve to China. And if you use it to phish the Gmail accounts of your targets, you’ve hit the gold standard of mis-direction because there’s almost no alternative analysis done anymore when it comes to attacks that geolocate to an IP address in China.

Google may have chosen to focus on the two IP addresses that resolved to Jinan, the capital of Shandong Province, because it’s home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 to January 2010 and because it has a PLA regional command centre. The problem with this is that Jinan is a high-tech industrial zone with more than 6 million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California’s Central Valley. It wasn’t good evidence back in January, 2010 and it’s no better now.

There are at least a dozen foreign governments that I can think of who have a vested interest in reading the personal email accounts of US China policy makers, military leaders, government officials, etc. and all of them are standing up Cyber Commands and enjoy the benefit of their own nationalistic hacker crews from time to time.

None of this rules China out as the responsible party, of course. I’m simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to try to answer why the spear phishing attack was done. Once you have a clear grasp as to why, you can move on to creating a list of those who would benefit, and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community because our individual perceptions are highly biased in favour of something called mirror-imaging; i.e., we imagine that everyone sees things as we do.

Another obstacle to alternative analysis is fear: the fear of being wrong; of looking silly; of taking an unpopular stand and suffering the consequences; and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it’s imperative that corporate leaders like Google, government leaders like the US Secretary of State, and influential media exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible, international repercussions.

via China Cyber Attack Fallacies.


Lockheed Martin hacked, cyber crime steps up to major leagues – International Business Times

 

Lockheed Martin just recently admitted that it was hacked on May 21, 2011.  It managed to stop the “tenacious” attack before any critical data was stolen.

Back in October 2008, Lockheed Martin launched its cyber-defense operations.  It bragged that it wanted a piece of the red-hot cyber security industry.

 

It’s shocking, therefore, that hackers are now bold enough to target a company that specializes in defending against them.

The cyber security industry is worth $40 billion in 2010, according to Federated Networks, a player in that industry. After several incidents in the last two years, however, it’ll probably get even bigger.

In late 2009, Google and other high profile tech companies like Adobe Systems were hacked from China. The purpose of the attack was reportedly to steal intellectual information and access certain Gmail accounts.

In late 2010, a loosely organized internet vigilante group called Anonymous organized an attack on Visa and MasterCard for their anti-Wikileaks stance. The attacks brought down the two companies’ websites.

In April 2011, Sony’s PlayStation Network was hacked, forced to shut down for weeks, and user credit card numbers were likely stolen. Sony was hacked by either internet vigilantes affiliated with Anonymous or thieves looking to steal credit card numbers.

These instances of hacking teach us two things: hacking can do serious damage to society and it’s surprisingly easy to perpetrate.

Hacking Google, for example, means gaining access to the most private information of individuals.  Hacking tech companies in general means gaining key intellectual information, which is their lifeblood.

Hacking defense contractors like Lockheed Martin is a matter of national military security.

The hacking of MasterCard and Visa demonstrates the utter unpreparedness of major corporations.  It shows that a group of rule-breaking enthusiasts can trump Fortune 500 companies.  In the physical/real world, something like that would be unimaginable.

Corporations, governments, universities, and consumers in general aren’t prepared for cyber attacks.

Many experts had predicted the rising importance of cyber security ever since it became clear that cyberspace would be an integral part of modern society.

Hackers, however, haven’t really done too much damage until the last two years because criminals and other rule-breakers (e.g. unscrupulous government agencies) didn’t seriously incorporate cyber attacks into their repertoire.

Now, they have and are finally giving hacking the organizational backing it needs to do some serious damage. In other words, hacking has changed from being a crime perpetrated by loosely organized operators for petty gains to an operation backed by major crime syndicates and other powerful organizations for more nefarious and impactful purposes.

Society at large, therefore, needs to beef up its cyber security.  It needs to resemble the robustness of security in the physical world.

The US, for example, has a network of police force at every single municipality and state to deal with local criminal threats.  On the national level, it has the FBI and a standing army.

As cyber crimes have moved to the major leagues, cyber security needs to do the same.

 

Lockheed Martin hacked, cyber crime steps up to major leagues – International Business Times.