Tuesday, 19 April 2011

Cybersecutity Expert Creat Program That Steals Text Messages !

Two cybersecurity researchers have just taught smartphones a lesson by developing a program that can eavesdrop and steal text messages from any phone on a GSM network – all in about 20 seconds.


The Guardian reported that Karsten Nohl and Sylvain Munaut spent a year honing their technology, which starts by sending a text message to a target phone; called a “ghost” message, the text doesn’t show up on the recipient’s phone, but enables the hackers to obtain the handset’s unique identification number.

Once that identification number is stolen, Nohl and Munaut were able to record phone conversations and texts from the hijacked phone. Their proof-of-concept hack can be deployed on any phone running on a GSM (Global System for Mobile Communications) network.

That’s a pretty big focus group – about 80 percent of the world’s phones run on a GSM network.

“Any GSM call is fair game,” Nohl told the BBC. He and his partner in cybercrime demonstrated their data-grabbing technology at last week’s Chaos Computer Club Congress (a gathering of the hacker organization) in Berlin.

Despite its mischievous nature, there is no devious design behind their hacking technology.

Nohl said he and Munaut do not plan to make the eavesdropping kit available for others to use. He said they developed it in the hopes it would serve as a wake-up call to the mobile security industry.

“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” Nohl said of the GSM network. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”

Stolen data may be sold on cyber black market !

Hackers behind what computer security experts believe could be the biggest data theft in US history may be planning to sell the information to cyber criminals for targeted scams.

And while the tens of millions of names and email addresses swiped from online marketing firm Epsilon do not appear to have been used yet for cyber crime, the experts said it may just be a matter of time.

Major US banks, hotels, retail outlets and other companies have been warning customers to be wary of fraudulent emails after Epsilon acknowledged last week that hackers had gained access to the Texas-based company's email system.

Epsilon, which provides email services for some 2,500 companies around the world, has said that customer data for about two per cent of its total clients was exposed in what it called an "unauthorized entry."

Epsilon, which sends out over 40 billion emails a year, did not identify the firms whose customers' names and email addresses were taken but dozens of US companies have come forward over the past few days.

"It's basically a who's who from the retail and banking space," said Nicholas Percoco, head of Trustwave's SpiderLabs. "Some of the top brands in the world."

They include Hilton and Marriott hotels, telecom giant Verizon, drugstore chain Walgreens, the Home Shopping Network and retailers Best Buy, Kroger, New York & Co. and Target.

Among the banking and financial firms that have notified customers of the breach are Citigroup, JPMorgan Chase, Capital One, US Bank, Barclays Bank of Delaware and Ameriprise Financial.

Security experts said the data theft at Epsilon could be the largest ever in terms of sheer volume, comparable to the exploits of Albert Gonzalez, one of the most prolific US commercial hackers ever.

Gonzalez is serving 20 years in prison for stealing tens of millions of debit and credit card numbers from firms supporting major US retailers and financial institutions.

Percoco said the Epsilon data theft may involve as many as 100 million unique email addresses and "could end up being the largest breach ever of raw personal data, consumer data."

Marian Merritt, Internet Safety Advocate at Symantec, the maker of Norton anti-virus software, said data breaches occur frequently but "all indications are this could be the biggest one in history."

It is unlikely to prove as damaging, however, as the Gonzalez scams.

"The good news is it's just the names and the email addresses and the affiliation of the company that you did business with," said Joris Evers, a security expert at McAfee.

"It's not your credit card number or your social security card number or your home address... information that could be more personal and used in more nefarious ways immediately," Evers said. "There's a lot of work to do before you can convert this into cash."

The Epsilon data does not appear to have been used yet for any cyber crime.

"We have been looking around since this news broke for spam and scams and scammy websites that potentially take advantage of this breach and we haven't seen anything just yet," Evers said.

That may be because the hackers who carried out the Epsilon attack intend to sell the information to other cyber criminals, the experts said.

"They may be people who are buying and selling stolen data bases of user names and email addresses," said Symantec's Merritt.

"There are marketplaces on the Internet, underground markets, where people sell bulk bunches of email addresses and names," Evers added. "You can buy a million email addresses for 20 dollars or something like that.

"But that's just email addresses, mailing lists that you can then start spamming."

The information stolen from Epsilon is more valuable because it links names and email addresses with particular companies that an individual already has a trusted relationship with.

"They've got your name, not your user name, but your actual name, your email address and brands that you regularly do business with and trust in an email relationship," Merritt said.

"You've already identified yourself as willing to receive communications from those brands," she said. "So the cybercriminals have pretty good information to use against you."

Evers said such information can be a "treasure trove" for cyber attackers because now they can start personally targeting individuals, a tactic known as "spear phishing."

For example, "you might have bought something from LL Bean recently," he said. "You receive an email that says 'We want to confirm your order, please click here.'

"And you end up on a website that infects your computer with something. Or you're asked to type in your credit card number again to make sure the order goes through," he said. "And now, boom, I have your credit card information." Whatever form the attacks take, experts are certain they're coming.

"They didn't go get these email addresses and names just to get them," Percoco said. "They're going to use them."

Source : http://www.asiaone.com

China's Cyber Hackers Target Western Firms !

China's Cyber Hackers Target Western Firms !














Sky News has learnt of the growing threat Western governments and corporations are under from hackers based in China.

Cyber crime costs the UK tens of billions of pounds every year.
The attacks cannot be traced but I have gained access to some of the country's growing number of hackers to discover just how big a risk they pose:
The man I meet is 21, he has no technical training and has moved to Beijing from a small town in southern China.
But within minutes of our meeting, he's shown me how he can hack into my email account.
A few more clicks of his mouse, and he's stolen my credit card details as I make an online purchase.
He says he's a "cyber security expert" - not a hacker - but we can't use his name and he refuses to show his face.
I ask him whether he could successfully hack into more carefully guarded computer systems: those of government officials and top companies in the West.
"Even the strongest security systems have holes," he tells me. "Everyone knows that those people haven't realised that there are hackers who can attack them. They probably think they have the best security possible."
Last year, cyber attacks cost Britain £27bn. The global hub for targeted attacks is China. An estimated 1.6 billion attacks are launched from the country each month.
The Chinese government says it is cracking down on hackers. Last year authorities reportedly made several hundred arrests and closed one online hacking school that was said to have 180,000 members.
But other websites that offer the same service are still operating.
Sky News recently gained access to a conference organised by a well-known hacking group in a four-star hotel in Beijing.
The event was sponsored by a security firm with alleged connections to the Chinese military. Speakers covered topics such as Defeat Windows 7 and Virtual Viruses Infection.
The conference also highlighted the murky connections between hackers and the Chinese government.
One man who identified himself as a policeman said: "We're here to see if they have anything we can use. If there is, then we'll get in touch with them, and take the next step."
Chinese hackers are accused of breaching the computer systems of the Pentagon in the US and the French and German governments, as well as several Whitehall departments.
In 2009, investigators discovered that Ghostnet, the largest ever network of cyber attacks, could be traced back to China.
The operation's command and control had gained real time control over 1,200 computers belonging to foreign embassies, international organisations, and media groups in more than 100 countries.
However, according to experts, the biggest threat posed by attacks traced to China is the loss of industrial secrets.
Last year several attacks targeted some of the world's biggest oil and gas companies - an area of enormous strategic importance to China's economy.
It was also recently revealed that investment bank Morgan Stanley was hit by a six-month attack emanating from China.
Experts say Britain's high-tech industries are particularly vulnerable.
"Britain spends £25bn a year in these areas," says British cyber security expert Will Gilpin.
"It has a lot of specialist knowledge, abilities and plans available in its computers which are tremendously appealing to a country like China that wants to short circuit and leapfrog the Western countries in developing their economy."
But the young "cyber security expert" says there may be an even bigger threat. If the West ever came into conflict with China, he says the country's hackers would be able to inflict untold damage.
"They may be able to shut down the electrical grid," he says. "Lots of things don't function without electricity. You could stop a whole area or the entire country from working."