British Crackers Demand Millions in Inforansom
RuntimeError writes "The Times of UK report that a group of British Cr/Hackers have broken into the computer systems of at least 12 multinational companies, stolen confidential files, and are holding the companies to ransom." One of the companies is Visa, as in credit cards. I believe this has far more hysteria potential than the recent CDuniverse inforansom scandal. Expect the usual pundits to be all over this story within the next few days.
A specialty item now, but widespread biometric scanners could change this. Worse would be relying solely on the thumb scanner. Just copy a print off the Mercedes door handle, use it to make a thumb glove and make all sorts of charges. Fingerprints can be found everywhere. You won't find my PIN or CC numbers on stairway rails or doorknobs in public places.
The fundamental problem here (albeit with the story's inaccuracies and (said) security flaws at Visa) is the general public.
A vast quantity of the population of our planet have embraced the computer in its many forms and what it provides. How many of them know any more than what it would take to fill up a postage stamp about this technology? ---- 0.1% (educated guess). Yet they all use this powerful technology and know nothing about it! Would you point a gun at your head without knowing how and when it fires?
Companies and people need to educate themselves, else this will happen again and again, and scare stories will work, again and again!
Cr/Hackers are just people who know this and exploit it. Until people who use computers 'wise up' to what happens to information, how it is held and who has access to it, the door is wide open to anyone with a good understanding of these facts.
Never underestimate the stupidity of the general public.
The best part about the Times' online edition is the cookie it feeds you.
I don't have anything against cookies. But
"The server ads.newsint.co.uk wishes to set a cookie that will be sent to any server in the domain .co.uk"
.co.uk serves more or less the same purpose in Britain as .com does in the US. There's a *huge* number of servers that could see that cookie. What's the point, other than bragging rights for the Times as to how many people see their site?
The Times does not have any "official" status as a record. You seem to be suffering from a Y2K issue and have rolled over to 1900.
> I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.
No one likes to announce their weaknesses.
You should take a business course, it's very helpful to understand why things happen the way they happen nowadays.
Free Slash !(tm)
This is good in that hopefully companies will get serious about protecting their information systems.
I agree! See the links under 'Re:Critical "source codes"?' for details of previous scare-stories from The Times, and see Stand for details on the legislation.
Why do people keep asking why Visa didn't tell earlier? Think about it, would you tell earlier? I know that I would want a complete assessment of the situation and to control the situation as much as possible, and not tell until I'm ready to say I've won, or until information starts leaking out anyway.
Would you tell everyone you have security holes before they're fixed?
JohnFlux
A realistic view of life
So instead of the target being killed, a family member or friend could be executed. Give up, or they pop another a day. Or they could go the simple route and torture the subject. Do not cling to illusions that you hold some sort of power that can't be broken.
Hear hear, well said. For a while I was wondering if anyone sees that there are two parties involved in issues such as these. Cranking up security for cards and the like is no excuse for poor security on the part of those who hold this information. As was probably said, the technology and procedures exist that can make this sort of crime a bit rarer.
Could be though this was just one of those unqualified rants, rated insightful for some arcane reason
;)
If its the first comment in a thread, and its not posted by an AC...its informative, insightful or funny.
Maybe they should add that to the moderator guidelines?
Credit Card fraud is a weakness of the Credit Card Authorization Protocol. It makes the *stupid* assumption that if anyone can replay a cleartext numeric sequence and/or some well-known personal account data (address, etc.), then that someone is the person named on the account.
Can we have a statement from Phil Zimmermann saying NAI/PGP will sell those stupid stodgy bank fat-cats a (relatively) fraud-proof system? I bet they or RSA or any other crypto company would do it for less than 1/10 what all the credit card companies claim they lose to fraud.
Really: here's the real reason. Why be concerned about fraud (not PR *concern* mind you) when you can get the cops to run amok yelling "TERRORIST! E-TERRORISM! FUND US FUND US TO STOP THIS *WAVE* OF CYBERCRIME!" at the ig-ner'nt popular press. They make it look like it's not your fault for being a stupid bank executive. No red marks on your executive career!
---
Anonymous Coward says:
$anonymity == $impunity
First off, they all need computer staff, and their own "computer security officer". There should of course be password security - but more important - people should be educated about email attachments, trojan horses, and so forth.
While not a solution, here's some help in weeding out these problems on the server side:
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
This will take care of some security issues with email, and since it's Procmail it's fairly easy to tune it to your site's preferences.
NOTE: I definitely agree with you that the users need to take more responsibility and must be taught what the issues are and why they are important. Email Security through Procmail is yet another useful tool, nothing more.
When did you last visit Britain, 20 years ago? It is a tabloid with a larger form factor. The only thing Murdoch hasn't done with it is put nudes on page 3. It is pap. The Sunday Times is worse. As for the guy that wrote this article, every article I pull up by him on their site is based on unattributed sources. It makes sense that this site chooses the Times as a favoured source of Slashdot's standard brand of unsubstantiated rumours.
How likely is the average, or even above average, credit card thief to do something like this? How much CC fraud would there be if every time a number was stolen, the victim's fingerprint also had to be lifted and a latex cast of it made?
As an addendum to my last comment: regardless of whether this story is bullshit or not, I believe the reason why similar situations have the potential to occur is because big corporations are forgetting about the #1 rule of audit: due diligence!!! Corporations are not taking even the most basic precautions to protect your privacy! Too many companies are not taking a minute to assess their flow of sensitive data and ensure that integrity is preserved!!! Security must become an integral part of the audit process!!!
When the management that allowed this fiasco to happen fails to state that they now have a security policy in place, when they say they have firewalls on firewalls and have the hide to think this is a cure-all and all is OK, they are idiots. If you say you have three or four firewalls on, then the idiot light comes on and I am more worried than ever. All firewalls have holes in them. Come out and say 'our methodology was all wrong, and we employed chimps. The old manager was fired, and we have employed at least 3 full-time dedicated techos whose sole job is security.' A statement like this is far more impressive.
Notice: More concerned with a gag order and bad press. If a cracker/hacker wants to be famous, go to a small claims court with an INJUNCTION to have a statement inserted into the company's annual report detailing slipshod computer security, with specific mention made at the AGM and difficult questions asked by shareholders. Ask for $30 compensation for your troubles, after buying a few shares in that company. Now you have a chance at good money for your silence. The police and the govt are your friends, because everything is above board, and the local magistrate can't see the harm in a harmless injunction. The only dishonesty comes from the company wanting to smother the truth. In Europe, an inclusion - failed to meet EU privacy guidelines - which may disqualify directorship if it happens again.
I always thought a password or some additional info sent using some type of heavy encryption would help ease online credit fraud. If someone steals your ATM card and doesn't have your PIN they can't do much. Why not do the same for credit cards? It would get cracked eventually, but at least it's an additional layer of protection.
Visa doesn't gain anything by informing the public. The type of corporate openness that you seem to be advocating doesn't exist. According to popular anecdotes, this type of corporate blackmail happens more frequently than we know.
I don't know about you, but I do find these stories alarming. We entrust these huge corporations with all of our information. We don't, however, ask them how they protect our information. Would we keep our money at a bank that kept its money under a huge mattress? We're all guilty of falling victim to the quest to get everything online in record time. We've sacrificed control of a significant aspect of our lives in doing so.
A lot of people think Clifford Stoll is a crackpot for speaking out against the internetizing of all aspects of our lives. I'm starting to think he's on to something.
By the way, you're right; The Times has printed several reports like this before. It seems to be one of their staples.
"Hey, Jonathan, we've got a couple of column inches to fill up in the Sunday edition. Got anything for us?"
"How about an unsubstantiated scare story about computer crime?"
"What, another one? Come on, Jon, we need more than that..."
"Yes, but this one has actual 'facts' from an entirely unrelated case over six months ago that lends it credibility to the uneducated eye!"
"Oh... all right, then."
It wouldn't surprise me in the least if this were some part of a larger plan to get the backing of the less-computer savvy parts of British society for the proposed bill.
Hmmm, sounds just like the method they used to get the "criminal justice bill" through.
Personally I reckon whatever credibility the Times had went out of the window (no pun intended ;-) when they allowed Microsoft to buy up their entire print run for a day and give it away free to advertise the launch of Win95...
Long long before that. The last drops of credibility vanished when Rupert The Bad (Murdoch) bought the paper. Although the year-long hiatus in production due to a printers' strike didn't exactly build up the credibility points either. Nowadays The Times mostly seems to run rehashed News of the World material or adverts for Sky TV.
Your loving cousin
AC
Unless VISA is depending upon security through obscurity, and they're depending upon people not knowing how to talk to their network. An erroneous assumption with so many merchants and member banks. So VISA should fix such problems anyway...which again makes the source code of little value.
Better watch your choice of words. The NAACP might come after you.
HR = Human resources.
John Grant, the main subject of the story, lives down the road from me. No, seriously.
I do not know that the credit card companies should allow e-commerce people to send goods to an address that is not linked to the underlying card. In the old-world version of the high street, transactions above a certain level used to require telephone authorisation. It would be reasonably trivial for the credit card people to implement a similar check in a technology environment. You send me a card-address pair, and I will tell you either yes or no. Whilst it would still be possible for "crackers" to obtain this information, there would be a restricted number of areas in which it can be used. When a pile of CDs arrives at my address, I can send them back and not pay. The casino and porno sites generate money by the provision of a service that is not delivered by conventional means. For these areas we could also adopt a "cooling-off" effect where I order today but then need to confirm via some other trusted medium such as the post. The web site can fire off a letter with my membership details, part of which provides me with an access code. This would then integrate the somewhat trusted postal service and provide the link to my postal address. Whilst there may be an assortment of "privacy" issues with this, there is an overriding mandate to protect the customer base. One assumes that for a restricted element of the more gullible types out there this kind of checking could be "turned off" by request. The default should however be that security is turned on.
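The card-address pair check and the posted confirmation code proposed above, worked through as an added example; this is not code from the original comment and not any card network's actual protocol. It assumes a single issuer-side table of cards and addresses (a constructed Luhn-valid test number and a made-up address), a simulated postal mailbox, and that the Luhn check is only the syntactic digit check, which a number generator satisfies as easily as a real card does.

```python
"""Toy issuer-side authorisation: answer yes/no to a (card, delivery address)
pair, then require a one-time code posted to the address on file before a
mail-order purchase completes. Constructed example; not any real card scheme."""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed issuer records: a Luhn-valid test number and a made-up address.
CARDS_ON_FILE: Dict[str, str] = {
    "4111111111111111": "10 Example Road, Exampletown, EX1 2AB",
}
# Simulated post: normalised address -> list of (order_id, code) letters sent.
MAILBOX: Dict[str, List[Tuple[str, str]]] = {}
# Codes awaiting confirmation, keyed by order id; each is good once.
PENDING: Dict[str, str] = {}


def luhn_ok(number: str) -> bool:
    """Luhn digit check. Catches typos only; any generator can satisfy it."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise(address: str) -> str:
    """Fold case and punctuation so '10 Example Rd.' and '10 example rd' agree."""
    return "".join(ch for ch in address.lower() if ch.isalnum())


def address_matches(card: str, claimed: str) -> bool:
    """Issuer answers only yes/no; the address on file never leaves the issuer,
    so a stolen number on its own does not reveal where goods may be sent."""
    on_file = CARDS_ON_FILE.get(card)
    if on_file is None or not luhn_ok(card):
        return False
    return hmac.compare_digest(normalise(on_file).encode(), normalise(claimed).encode())


def start_order(card: str, claimed: str) -> Optional[str]:
    """Merchant step: refuse unless the pair matches, otherwise create the order
    and send the confirmation code by (simulated) post, not in the web response."""
    if not address_matches(card, claimed):
        return None
    order_id = secrets.token_hex(8)
    code = secrets.token_hex(4)
    PENDING[order_id] = code
    MAILBOX.setdefault(normalise(claimed), []).append((order_id, code))
    return order_id


def confirm_order(order_id: str, code: str) -> bool:
    """Buyer types in the posted code; wrong, reused or unknown codes fail."""
    expected = PENDING.get(order_id)
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    del PENDING[order_id]
    return True


if __name__ == "__main__":
    card, addr = "4111111111111111", "10 example road, exampletown, ex1 2ab"
    assert start_order(card, "99 Other Street") is None
    oid = start_order(card, addr)
    letter = MAILBOX[normalise(addr)][-1]
    print("posted code accepted:", confirm_order(oid, letter[1]))
    print("replayed code accepted:", confirm_order(oid, letter[1]))
```

The yes/no answer is the whole point: a merchant (or a cracker holding a stolen file of card numbers) learns nothing about the cardholder's address from a "no", and a "yes" only confirms an address the caller already had. The posted code then ties delivery of the service to physical control of that address, and the code is consumed on first use so a captured letter cannot be replayed.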
Since when is this news ?
This sort of thing happens all the time.
Free Slash !
Do a search of www.ntk.net's back issues for more 'colour' on Mr U-T. He always writes bulls**t like this. ;) Yeah right.
J U-T even ran a story a while back on 'software drugs' available over the Web. I seem to remember one of the sources claimed to be close to the FBI.
Most of it is pushed by the likes of Mi2G and GCHQ's PR flacks. Read J U-T's old stories. They all read like this and in the UK at least he's a bit infamous in media circles (or at least the trade press - of which I am a member) for using somewhat interesting sources for his stories. Which nine times out of ten are rubbished by techies at the relevant banks.
Check Computing and Computer Weekly's coverage. Nothing. This is a story for people who don't use computers and think the Web is evil.
I was talking with someone in the card industry not too long ago and he said the industry would like to implement some sort of biometric ID. He said they have been testing a thumb print system for some time and it works great. The only problem is that people are scared to death of it. I think it is funny that people don't care that the card companies know their shopping and travel habits intimately, mine the hell out of that data and sell it all over the place, but scream that big brother is coming if they want a thumb print that is of little value other than for ID purposes.
Don't be a knob. Your examples completely sidestep his point. Yes, they're guilty, Mr. Satire, but the point is that in addition to being punished (if they are caught), it should be brought to light how poor systems security is at these sites. For example, in #2, it would be analogous to the bank having no security guards on hand and no alarm system. Sure, the robbers would still be guilty of bank robbery, but don't you think the public should know that bank had *lousy* security precautions?
Most people would assume a bank robbery involved such features as security and alarms and precautions, and would be surprised to know the bank didn't (or in this case, the companies)...
Your post is a prime example of how caustic satire can make people think you have an excellent point, when in reality you haven't refuted the original argument at all.
>Rogue mathematicians who want data to help try to guess the number generators might go for it. OK, so perhaps that's a bit silly...
:-(
Not at all. In one of the 2600 issues you'll find a (valid) credit card number generator for a Texas Instruments handheld calculator. It's already been done...
You people are so dense. This is such a poor analogy that I wonder why I am even bothering to reply. Most of the time web-page vandals do this:
cp index.html index.html.bak
... So breaking into your house, robbing you and spraypainting your walls is a POOR ANALOGY, unless you can undo all that with a few keystrokes like the sysadmins of defaced sites can. "Web Vandalism" is not anywhere *NEAR* the same level as actual vandalism.
Like I said, I don't know why I'm wasting my time responding to this.
Great!! More power to the crackers!! The credit card companies have been slipping it to the consumer for decades and I think it is a perfectly wonderful use of the power of the computer to choke the bastards till their tongues flap out of their heads like so many dead carp. 18% THIS, mo'fo......
I'm surprised they didn't say "source codez". Oh well, maybe "source code" will go the way of "hacker" in negative meaning. Like "ripping" CD seems to imply a violent illegal act (i.e. copyright infringement through copying).
"Expect the usual pundits to be all over this story within the next few days."
:->
Meaning JonKatz?
Customer: "How could that happen?"
Bank Teller: "The bank's policy is to keep all cash in large cloth bags, tied at the top and sitting on the lawn out front. Since it *is* on our land, and it would be illegal to steal it, we saw no problem."
Customer: "That's crazy!"
Bank Teller: "But the theft is wholly the fault of the thief. How can you imply that we are at all responsible?"
Customer: "By golly, I never saw it that way... and on second thought, I'd like to deposit some more money into my account instead!"
c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
AHEM......"Cracker" groups.
I'm not a troll. I'm just pointing out what terms need to be reinforced as correct, and which are incorrect.
Unfortunately, as long as companies keep storing customers'/clients' valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it. Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.

DEFENDANT: Your honor, I only killed that man to demonstrate how extremely poor most people are at self defense! Consider it an act of charity to society at large.
JUDGE: I never saw it that way! I will enroll in a Tai Jitsu Kata class immediately! Case dismissed!!!!
---
ATTORNEY: And so you see, ladies and gentlemen of the jury, my client did not rob the bank as an act of theft per se, but rather as a valiant display of public zeal! How many of you slept easy last night entrusting your money to the poorly secured bank vaults of the neo-syndicalist dogs at First National Savings?!!?!
JURY FOREMAN: This man is a hero! I am going to stuff my money into my mattress forthwith! Down with the WTO! Case dismissed!!!!
---
JUDGE: For your crimes against society, I hereby sentence you to hang by the neck until dead!
DEFENDANT: But your honor, by poisoning the water supply of the local KiddieCare Nurture Center, I indicated strikingly the need for higher quality water filtration. And by ransoming the life of 2 year old Phiddeas Quilch (whom I knew already to be dead) I displayed the ironic certainty that a society designed around monetary transactions is inherently debased with greed and treachery!
JUDGE: You are a wonderful person!!! Thank you!!! Case dismissed!!!
-konstant
Yes! We are all individuals! I'm not!
I think these "terrorists" have traded in their machine guns for compilers.
-Oy Vey
Never ask for more than it would take to have you killed by a professional.
Hope these kids really know what they're doing...
Or not. :)
Displaying lack of technical knowledge
An example of shoddy reporting...
Trundling out the same ol' tired junk
This doesn't mean there isn't at least some truth to the reports of attack, but, it does suggest you should take what they say with more than a pinch of salt; in fact, I'd recommend sprinkling on a heavy layer of skepticism and critical thought.
I have not heard a single thing about this on any other news sources. Not saying it's not true, but /. should do more in-depth reporting than just cutting and pasting headlines.
Since you seem to know what environment and software is in use and how to improve things, off with you, time to apply for a job.
Could be though this was just one of those unqualified rants, rated insightful for some arcane reason.
I have read most of the articles on this list and I must say that there is one constant:
Either people support cr/hackers in their attack or they defend corporations. I'd like to compare the views.
But first of all consider the medium used to bring you the information: the media. I think it is fair to say that the media nowadays (at least those who are funded/run by corporations) behave in a corporate way and take sides with the corporations (because they cannot go against the grain; that would be suicide). So we have to assume that whatever is said in the media about this subject IS slanted towards the general corporate view of the internet: "It is dangerous, we must gain complete control in order to make it secure for the ordinary citizen". This is made, as usual, with the most altruistic concerns (sarcasm).
So on with the comparison...
Pro-cr/hacker: It is important for the people who are subjected to corporate decisions to be able to defend themselves. Although breaking and entering IS against the law, much can be said about how corporations circumvent different laws to impose unwanted conditions upon the ordinary citizen. Furthermore, consider the economic cage in which every citizen has been framed; there is ample cause for alienation and that alone is sufficient to excuse the hacking/cracking of the VISA database.
Pro corporation/economy: The law has been broken. We need to apply the law. If we don't then these corporations that create jobs will be hurt and this in return will cause loss of revenue, loss of dividends and loss of jobs. These acts of vandalism are unacceptable and should not be tolerated at all. The government must stand strong and help find the individuals that did this crime. Who cares how long it took for VISA to tell the world about the crack? It's a private company, it can do whatever it wishes.
We can see that what is really at stake with this story is this world division we are seeing more and more. It has two sides that are self-excluding (in most cases): either you're for the economy, or you're against it. Either you're for the people or you're a traitor. This is not very constructive.
It is my personal opinion that we need to understand interdependencies. Corporations need to work with ordinary people without alienating them. People need jobs and a source of revenue to survive.
It is also my personal opinion that big corporations have been pushing too hard lately, forcing states and countries to let down social services, let down the population without significantly alleviating the tax burden. They have thus created a breed of angry citizens that are unsatisfied with the current state of things. I should not be surprised, if the trend continues, to see more and more cr/hacking, more violence and more theft.
How much are we willing to pay to keep driving with our eyes closed and only one hand on the steering wheel?
Personally I don't think that these people should be let off or anything, but I don't think they should be killed. Damn, if you start killing crackers, where does it stop? I sure as hell don't think that I should be shot just because I smoke marijuana. I'm sure that when these people are caught the prosecuting authorities will throw the book at these people, and make an example out of them. But kill them?
I don't really think this could be called terrorism either. Go look up the definition and I think that you'll agree with me it's not. Usually terrorism involves hurting/killing/maiming innocent bystanders in order to get a political view across to some organization that the people might be involved in. This is just a case of theft.
Ever seen "Demolition Man"? Personally I'd rather someone just stole my credit card.
Nick
-- "It's a sad day for American capitalism when a man can't fly a midget on a kite over Central Park" - Jim Moran
Not sure about this - as the legislation basically allows them to imprison you on an accusation, could they not simply accuse you of having two keys?
Well, I don't know what computer OS they hacked into. I would assume all of the important information at Visa (credit card #'s, customer info) is sitting on some ancient main frame computer that fills a room.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.
Imagine a geek tabloid, that would rule. Instead of stories about aliens, we'd have stories about upcoming Star Wars plots. Instead of articles on celebrities, there would be articles on Linus, RMS, and ESR. :)
Did the crackers use Linux to break into these companies?
And the second question is, if these companies had been running Linux, would the crackers have been able to get in? (edgy ducks and runs while the M$ and Linux zealots fight it out)
Ungoed-Thomas has had a few mentions in NTK, too. Try a search on his (or her) name.
Hit the Next Page link at the bottom. It's a story about a guy crashing his car into anti-terrorist gates at Downing Street and the police kicking in the window and dragging him out. Of course cops here in the states would probably have shot the guy...
Anyway, it's more interesting than this tripe about contract cracker data thieves.
Search first, ask questions later.
Secondly, it would appear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think??
Crackers. They don't take American Express. Visa - Your information is everywhere you don't want it to be!
Sure... uh... just send us your name, credit card #, and expiration date and we'll take care of the rest... really.
OK, to be serious for a second, if someone charges stuff to your VISA card without your approval you will only be responsible for the first $50 of charges. (Disclaimer, this is true in the U.S., not sure about other countries.)
Now, given that VISA itself is the one who screwed the pooch here, I'm willing to bet that you wouldn't have to pay a dime. Assuming, that is, that the misuse of your card could be traced back to this breakin. I've heard that often times the issuer of the card will not even charge you the $50 in cases of fraud. They'll just eat it.
Reality-wise, you don't really need to worry. Since the breakin happened last July, any compromise to your account probably would have been exploited by now.
#include the obligatory "credit cards are really, really a stupid way to exchange funds" rant.
search the archives of Need To Know for more details (see also Sunday Times)
Also interesting that none of the mainstream media have picked up this enormous scoop ...
OTOH !!! there are attributed quotes in there -- so if they're wrong, they'll get the arse sued off 'em. And then it really will be the end for the editor, can't remember his name now ...
--
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
A brute force attack is the upper bound. More sophisticated attacks may be possible. A simple substitution cipher has approximately 88 bits of key.
Mea navis aericumbens anguillis abundat (My hovercraft is full of eels)
Well, I think the last thing to happen is the govt has gone forward with requesting all "R rated" and over content to be removed off all Australian sites, but there is still legal access to R rated content and over on overseas sites. Until they figure out how to firewall and filter the whole country, I guess. Slowly but surely wins the race?
meridian at tha.net
No! Security by filtering out dangerous ports does not work. Rather, one should filter unknown ports by default and specifically let "safe" ports through the firewall. Look at Hotmail/other webmail providers' problems with embedded JavaScript in email that is supposed to be escaped out or removed.
I disagree. By "default deny" - you deny your own workers the freedom they should enjoy. Your workers will not like the fact that they cannot sit at their office 'after hours' and IRC (and DCC) all they want. If you by default deny UDP, then they cannot use ICQ all they want. And so forth.
Of course, one doesn't want the workers to use IRC in the day -- but by denying them access to it - you make them "pissed". The employees won't like to be 'limited'. They feel untrusted then.
I know that if I was at a workplace where the policy was "default deny" - then I would either try to crack the system, or I would find myself a new job - since they obviously didn't trust me.
The filtering of default netbus/bo/other ports is because the standard scanners only scan for standard open ports. Nobody would take the time to scan a large corporation on every port on every host. That would send the alarm clocks of the firewalls chiming all day and night. A single probe for one machine on one port wouldn't trigger very much.
No, block all ports known trojans reside on, and continue blocking new ports when new trojans use new ports. But don't do a "default deny" - since that would block too much.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
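To make the disagreement above concrete (block known trojan ports and allow the rest, versus deny by default and allow the services you run), here is an added example that is not part of either comment: two policies evaluated over the same constructed list of inbound connection attempts. The NetBus (tcp/12345) and Back Orifice (udp/31337) port numbers are their commonly cited defaults; the "needed services" set, the unlisted port 23456 and the sample flows are assumptions made up for the example.

```python
"""Default-allow with a trojan-port blocklist versus default-deny with a
service allowlist, evaluated over constructed inbound connection attempts."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the protected host
    note: str    # what this constructed sample represents


# Blocklist policy: block the commonly cited default ports of known trojans
# (NetBus tcp/12345, Back Orifice udp/31337) and let everything else in.
TROJAN_PORTS: Set[Tuple[str, int]] = {("tcp", 12345), ("udp", 31337)}

# Allowlist policy: only the services this (assumed) site actually offers.
NEEDED_SERVICES: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443)}

Policy = Callable[[Packet], bool]


def blocklist_allows(p: Packet) -> bool:
    """Default allow: a packet gets through unless its port is on the list."""
    return (p.proto, p.dport) not in TROJAN_PORTS


def allowlist_allows(p: Packet) -> bool:
    """Default deny: a packet gets through only to a service we run."""
    return (p.proto, p.dport) in NEEDED_SERVICES


# Constructed sample traffic; the trojan on port 23456 is the case the
# blocklist cannot see, because the attacker only has to pick an unlisted port.
SAMPLE: List[Packet] = [
    Packet("tcp", 80, "web server"),
    Packet("tcp", 12345, "NetBus on its default port"),
    Packet("udp", 31337, "Back Orifice on its default port"),
    Packet("tcp", 23456, "trojan moved to an unlisted port"),
    Packet("udp", 4000, "ICQ"),
    Packet("tcp", 6667, "IRC"),
]


def evaluate(policy: Policy, packets: List[Packet]) -> Dict[str, bool]:
    """Verdict per sample packet under one policy."""
    return {p.note: policy(p) for p in packets}


def unwanted_admitted(policy: Policy, packets: List[Packet]) -> List[str]:
    """Packets a policy lets through that are not a service the site offers,
    i.e. the exposure the policy leaves open."""
    return [p.note for p in packets
            if policy(p) and (p.proto, p.dport) not in NEEDED_SERVICES]


if __name__ == "__main__":
    for name, policy in (("blocklist", blocklist_allows), ("allowlist", allowlist_allows)):
        print(name, evaluate(policy, SAMPLE))
        print("  unwanted but admitted:", unwanted_admitted(policy, SAMPLE))
```

Under the blocklist the two trojans on their default ports are stopped, but the same trojan on port 23456 walks in, along with ICQ and IRC. Under the allowlist nothing reaches the host except the four services, which is exactly the cost the second poster objects to: IRC and ICQ are denied too. The way to honour that objection is to add those as deliberate entries in NEEDED_SERVICES, not to fall back to default allow, because the blocklist has to be extended every time a trojan author picks a new port and the allowlist does not.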
In order to hire competent staff in this area, you have to already have staff in place that knows how to hire competent people. Can HR do this?
:-)
:)
What is HR ?
But, as long as they have a server admin, they have someone that knows a BIT about security, not necessarily MUCH. But I would say that most server admins are competent to find the people who can secure the systems.
When time to market is the most crucial factor, "Security? we can just add that on later".
I know, the system I admin (kvinesdalsnett) was cracked 24.des'98. It was the worst Christmas of my life. Stupid me had overlooked the buffer overflow in qpopper 2.2. Boy, did I learn that I needed to read bugtraq every day (Oh yes, I did..
We didn't rush things to the market though. It was just (then) incompetent little me who forgot to check all daemons.
Would you now buy from CD Universe with a credit card?
Of course I want to. They're bound to have tighter security than fort knox about now. Their sysadmin is probably having nightmares about people breaking into their system, and using most of his spare time digging into more books about securing their sites, and so forth. I'll bet their site is one of the safer sites on the net about now.
>a) How reliable is this news source
Not very. The Times is well known for printing rubbish regarding computers. It seems they have no tech editor, and often print press releases as stories (falling for every lie), and stories full of dubious facts.
In fact they once printed an urban myth as a true story.
Best not to believe any tech stories in The Times.
F
Ok, so, I have a Visa card.
What should I do? Anything?
Referring to the previous story as the "CDuniverse inforansom scandal" fits in quite well. I really hope Slashdot can resist the temptation to become the geek tabloid.
Because you're a clueless wannabe script kiddie?
Because you don't realize that you can't trust any compromised system, because you have no way of knowing if trojans and backdoors have been installed. These systems must be repaired from backups, and the effort involved can take hours and cost thousands of dollars on large production systems.
But consider the pansies in the planters in front of the building. They don't put them in the vault overnight. A few things, banks and such, need to be rather secure. For most things, it seems better to depend on a rational and trustworthy populace.
I have seen a half-dozen questionable or blatantly wrong stories from the Sunday Times in the past month. It's quite clear that they're a tabloid, not a newspaper. Slashdot should stop picking up stories from them...it's like if we were getting tech news from the Weekly World News!
"Three Headed Baby Hacks Government Computer System! CIA Stunned!"
That was really not my point, and you really had to try very hard to take it out of context to get that slant on it. Great job, smartypants.
I'm not saying that those people aren't guilty of a pretty heinous crime, they ARE.
What I'm saying is this (analogically): If you leave the front door of your house open, people will most certainly eventually come into your house, and due to some people's lack of morals (or whatever you wish to call it), things will get stolen. If you have a house full of Picassos and Rembrandts, instead of a couple of ripped posters on the walls, be prepared to have bare walls.
This doesn't exonerate the thieves by any means, it simply exposes what is the darker underbelly of human nature. It is the online company's DUTY to make sure that their client's confidential information stays that way.
I was not commenting on the thieves' guilt or innocence, in fact, you'd have to be pretty fucking confused to think that they are not guilty of malicious network intrusion, not to mention extortion. So do us all a favor, konstant, and get off your ethical high horse. No one said they were innocent.
duh.
dr_strang
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
-----------
"You can't shake the Devil's hand and say you're only kidding."
Here in the UK, The Times is considered one of the most respectable broadsheet newspapers, if slightly pro-Conservative. Their sources are usually good.
That doesn't mean they have a clue about technology of course.
i think more and more of these types of stories will continue, that is, until the media get their respective heads out of their asses.
how many years has it taken us to separate hackers from crackers? and even then, there are so many shades within each of these rather obscure identities.
i mean, would we call a bank robber a 'renegade teller'?
sure, computer (network) security is a serious issue, for business and society, but to demonize all criminal activity within what is really an obscure genre (cracking) is just useless.
instead of creating an empowered and informed citizenry, it seems all the media are generally interested in is nurturing fear, at the expense of broader internet comprehension.
when will the media grow up, i wonder?
Maybe now, people who don't know what they are doing will stay off of computers. Maybe those of us in tech support will stop having to deal with the shallow of the gene pool (and maybe we lose jobs). Maybe people will see this as a reason to get educated about computers before using them. Maybe monkeys will fly out of my ass. This isn't going to change anything for one reason. People are lazy. As long as they can sit on their asses and pump cash into things that they want they will do it. Maybe if we hijack their computers......
~Jester
"I have great faith in fools: Self confidence my friends call it." ~Edgar Allan Poe
I can confirm that Mr Ungodly-Tomas is indeed a complete fool.
He mailed me pretending to be a young student wanting to "get into" animal rights and hacking *weeks* after his pseudonym and mailhost details were blown away by NTK, one of the most widely-read mailing lists in the UK.
G
"And the meaning of words; when they cease to function; when will it start worrying you?"
Excellent point, and I'd certainly say there's a good chance of it. You'd be surprised what kind of equipment has modems just dangling off it without any thought to security.
Back in the day, when dialing was the only way in, people gave it more consideration. But now they think of the internet as the big security threat, and dialins are left open.
I wonder what sort of big iron Visa uses. Probably some Vax that hasn't been touched in 12 years. Heh.
try here, he'll probably have a go:
http://www.mtcp.co.uk/
if you look at his past record of messing with these people, it seems just the sort of thing he'd enjoy
It's a/the major UK paper, considered the official text record of events for some purposes but of course that doesn't mean this story went to a tech guy.
I'm sure The Times employs at least a couple of journalists who can tell the difference between Java and JavaScript, say, but are they working on a Sunday? I don't think so.
What you've got here is probably a local (ie UK) police release or statement from VISA rehashed for the live edition. The printed version will presumably have a competent tech. journalist (anyone know if this was in The Sunday Times?)
I don't believe anyone feels that the people taking the information are not guilty. What's at issue here is the security the companies are using to prevent theft. If you leave your car alone, running out in a parking lot with the doors unlocked, someone will steal it. No one says the person doing it is not guilty, but it was also your fault for not providing good security.
I agree. That wasn't what I was getting at. The real question is, how much of security is necessary to stop "real" criminals, and how much of it is necessary to stop egotistical crusaders bent on proving a point about computer security?
I don't take Kung Fu lessons because I can walk down my street without being attacked. But if you start attacking people to make the point that they are defenseless, then suddenly those lessons are necessary after all....
Seems kind of stupid after a point, doesn't it?
-konstant
Yes! We are all individuals! I'm not!
But if the blinking data was all well-encrypted to start with, the hackers wouldn't have jack to threaten anyone with. So the government pushes more holes in encryption coverage to "protect" us from what we could only be protected from with really strong encryption? This is really twisted.
Would it cost Visa less than ten million to hire investigators followed by a hit team? {jk}
But really, the higher one goes, the greater the chances that it'll be cost-effective not to pay, or that the discrepancy will attract some accountant's (or worse, reporter's) attention.
'sides, how does one pick up 10 million US$ untraceably, let alone perhaps 100 million?
Only the dead have seen the end of war.
Does anybody know about how cognizant of tech foo that paper is? Niggling details like the implication that "source codes" are something primarily used for breaking into computer security make me a bit twitchy about trusting the article.
Only the dead have seen the end of war.
It need not be a competitor.
Having access to easy credit could be useful to many, many folks. A decently organized crime ring might be able to find a way to skim small amounts of money off of each of many numbers, or perhaps somehow use 'em for money laundering.
Disreputable businesses might be willing to charge innocent people for services not rendered, figuring that most would be too embarrassed to fight in court, and those that do might still be unwilling to cash the refund check.
Rogue mathematicians who want data to help try to guess the number generators might go for it. OK, so perhaps that's a bit silly...
Point is, a lot of the perps probably don't have much of use for a huge number of CC#'s, if they even got any. Most, if they order stuff, will simply get busted as they wouldn't have a clue about getting the packages untraceably. And so forth. However, there are folks who COULD use the numbers, and might not have the skills req'd to get them.
Only the dead have seen the end of war.
After having worked in retail for 7 years, and then for one of the first Internet Content Providers (Delphi if you must know), I can tell you you are one of the few that checks their statements. I've seen people call up my previous employer and want to cancel the service that they signed up for 2 years prior and forgot about. Oh, and please refund everything you charged to the card. Legally we were only required to give back 3 months, and then only if the account was not logged into at all.
Most people don't check their statements. It's true. If something is being billed regularly and is not more than 30 dollars a month, they will never notice it. It is sad but true. I watch my accounts like a hawk personally. I still dish out my CC to most secure servers when I want to buy something online. My browser is as secure as the mainstream browsers come. I try and protect myself, but I know the only real way to be protected is to be vigilant, like yourself.
Frank
Attempting to blackmail a company like Visa for ten million seems a little lame. If the crackers had anything major you would think they would shoot for a bit more than that from a company who does in the trillions of dollars of business a year.
Also, the fact that this breach happened last July would point to the probability that Visa isn't particularly worried.
I'd say this is just another case of the media trying to make a frenzy out of a minor security infraction.
Just my 2 pence.
... Excuse me whilst I groan out loud. This is the type of thing that made my parents say NO to getting internet access. People are going to blow this way out of proportion, thinking that out there is some cracker waiting to get their stuff. Ever since I heard the question posed in my "PC Operating Systems and Utilities" class, I have worried... "Can someone hack into my computer and steal my data?" to which my instructor answered, "Frankly my dear, Mr J Random Hacker out there could care less for your computer and your data, he wants big business."
The world According to DIJ.
Dijital
Diji
"I came, I saw, I WTF'd!"
Tongues like so many dead carp? I'm assuming you've seen a tongue. But have you seen a dead carp?
When I'm singing a ballad and a pair of underwear lands on my head, I hate that. It really kills the mood.
-Tom Jones
Get wit da program
You cannot kill people by destroying computers.
There's no reason a dialysis machine or heart monitor needs to be connected to the internet.
You refuse to make the distinction between knowledge, the ability to use that knowledge, and information.
Information: pure stored data
Knowledge: data organized into concepts or school subjects
The ability to use information: This is why the security by obscurity model fails. You'd have to knife people's eyes out, cut their tongues, chop off their limbs, blow their eardrums, or you could just subject them to a weekly frontal lobotomy.
To give you an example. As ridiculous as it sounds, a plumber who really knows his work can become a cracker in no time. It's not the information that counts; it's not about the concept of ports, it's about the concept of pipes.
Same for a heart surgeon. You just have to know your shit.
Think about it. I don't need to know the source code for an application in order to break it. I only need the source code to fix it.
The message on the other side of this sig is false.
Think about it. Big corps. have big security needs and lotsa money. Unlike the cops, it would be no big deal if the suspects "checked out" during tort... err, I mean interrogation. Once they're out of the way, it could be said the whole thing was a hoax, thus saving the corps.' security reputation with no-one to dispute it. Info will be safer by about two crackers' worth and the world will keep on spinnin'. (Of course there's no such thing as the mafia, and if there were, why would they have anything to do with big business?)
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
These comments are right on the mark!
_________________________
It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.
:)
-Washington Post
Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...)
-Hobbex
At least they didn't try to claim it was part of their "Open Source" Initiative!
As for the vocab, I propose putting the acronym FUD (fear, uncertainty and doubt) in the dictionary.
"In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
I don't want to start another trendy annoying buzzword, but that is what this is: crime. I mean, let's just say they broke into the system, or even took this information; I don't have much of a problem with that. But when people start to actually do these types of things, they're crossing a line, and it's not just playing around anymore. Even though journalists try to make everyone who uses a computer out to be a criminal, this feeds this true-life-ish evil-hacker sensationalism.
I really hope this online credit card, or any type of information ransom, doesn't start to become a trend.
They should have been more secure with their confidential files. I know, some holes can't be avoided, but if it's that important, why wouldn't they just keep it on C.D. or something, instead of on the hard drive. Oh well, it's their problem now...
"As many of you know, I was very instrumental in the founding of the Internet" --Al Gore to Katie Couric 3/99
This sounds very interesting, but did it really happen? It's very possible for something to get blown out of proportion...
Still. It is amusing to see corporations get a bit of their just deserts. Has the era of cyber-terrorists begun? Or is it cyber-revolutionaries? (your choice)
Can I laugh at the corporations again?
Chompster
Unexpected Kernel Trap at 101010
Don't Panic!
This isn't a redundant post; I just set my threshold to 6.
Errr...billions of their dollars. Why should I care if my CC company loses money?? The contract states you are not liable for any loss due to fraud unless you are directly responsible through negligence.
I'd rather they did keep it to themselves to avoid this kind of anti-net hysteria.
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
aliebrah got all stupid before posting by assuming that because the Times article mentioned the Internet and the web that visa.com's web server must be implicated somehow. How do we know this guy wasn't war-dialing for modem pool numbers (no Internet involved, just the POTS PSTN)?
I'm from Chicago where they used to say "If your mother tells you something CHECK IT OUT!" Shame on you for magnifying the noise!
--- Nothing clever here: move along now...
"It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.
What? Call me Mr. Mentally Unstable, but I thought "source code" meant the code to a program...did these bums delete VISA's OS or something? No, of course not, because VISA is still in business. So I'm betting they broke into the system, found security flaws in the source code, and are now threatening to exploit them.
Or maybe I'm just crazy.
===
-Ravagin
Karma: T-rexcellent.
Of course this has nothing to do with cookies or anything even close, but how much would you bet that the anti-cookie advocates are going to try and use this somehow? The media's willingness to purposely scare the public is obvious as was shown by y2k. Hopefully they avoid the temptation this time and say what it really means for the safety of online transactions, not much.
Obviously standards are going to be implemented, the needs of information demand it.
But if any government currently had to legislate on a messaging standard, the winner would be AOL Instant Messenger, not because it's better (I have no opinion on this actually; I use three different ones because my relationships demand it) but because it has significant financial backing, and would be put up over ICQ, which IIRC was bought by AOL, but doesn't have the ready space for ads.
What happens when the standards and the laws aren't secure enough, and they've been implemented? You're stuck with them.
But this is an example of how security holes should be seen and demonstrated by people who won't use them for their own advantage.
If, a couple months prior to these attacks, someone had broken into the system, and emailed a nice letter to the sysadmin while logged in as root, this whole incident could have been avoided.
Yeah, I guess I do know why they do stuff like that. It doesn't help them in any obvious way, and might "shake consumer confidence." Then again, there's still a (small) part of me that gets outraged when companies cover things up. :-)
I'm getting better, though.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
There is no such thing as being too restrictive by denying by default. I know exactly what daemons should be running on the machines behind the firewall and as such, I know exactly which ports which processes should have access to. Any outside user should not be randomly trying to access ports, regardless of their number. Even script kiddies can figure out how to change the default port: end of story. Any other security approach requires far more proactivity to acheive a lesser level of protection.
Well yes. A skilled cryptanalyst can break a monoalphabetic substitution cipher in about 30 letters, much less if he/she can do crib dragging. Nonetheless, there are no publicly known practical attacks on modern, widely used cryptographic algorithms that use reasonable amounts of text. Even the best non-brute force DES attack needs 2^4? work and about the same number of *chosen* texts. Shannon entropy theory dictates that any block cipher can be broken if the amount of information available to the analyst is larger than the unicity distance of the plaintext; that doesn't mean the only practically secure system is the OTP.
>As far as data encryption is concerned, allow me to throw in my two cents. Keep in mind that
>encryption algorithms are all breakable. Sure some can take a while to break, but they are ALL
>breakable. Anyone remember the name of that Israeli optical box that broke a 512 bit crypto
>key in something like 48 hours?
They may be breakable, but not within the life of the universe. The time required to brute force a 128-bit key exceeds reasonable comprehension on any normal time scale. Factoring a 1024-bit RSA key or extracting discrete logs modulo a large prime of similar size is a bit "easier", but would require a couple thousand terabytes of memory and about as much computer time as required to brute force an 80-bit symmetric key.
They do need to be configured correctly, and block out common "trojan-ports" (12345 (netbus), 31337 (bo), and so forth). This to ensure that no sloppy employee gets his computer backdoored -- and the rest of the net gets access to it.
No! Security by filtering out dangerous ports does not work. Rather, one should filter unknown ports by default and specifically let "safe" ports through the firewall. Look at Hotmail/other webmail providers' problems with embedded javascript in email that are supposed to be escaped out or removed.
They may be breakable, but not within the life of the universe.
ahhhhh, but you must be thinking of this under current technology. What happens in a year or two when quantum computers are on the market??? technology will always be playing catch up with crypto, but it's very naive to believe an algorithm will be made that cannot be broken in a reasonable amount of time. the Weizmann box proves this, as does the inherent imperfection of human made algorithms.
-FluX
"That vulnerability is completely theoretical." -- Microsoft
L0pht, Making the theoretical practical since 1992.
"It is seldom that liberty of any kind is lost all at once." -David Hume
Basically this kind of inet crap is why i try to leave my CC number off places like ebay wherever possible.
Unfortunately, people are failing to realize that the internet is an inherently unsafe place for information. Any data that can be retrieved via copper wire is a free for all (read: cracking). Example: quite a few colleges actually keep web pages of their students' social security numbers. Is this info you want made publicly available?
As far as data encryption is concerned, allow me to throw in my two cents. Keep in mind that encryption algorithms are all breakable. Sure some can take a while to break, but they are ALL breakable. Anyone remember the name of that Israeli optical box that broke a 512 bit crypto key in something like 48 hours?
-FluX: --I am the people my parents warned me about.
"It is seldom that liberty of any kind is lost all at once." -David Hume
locks only keep the honest people out.
I'm not saying we shouldn't try to make it harder for people to access information like this. We just shouldn't be surprised when they do it. Hopefully, each time it happens, we'll tighten things down more, and it will take longer for them to get in. But eventually, it'll happen again.
-- Hi! I'm a
Why did they wait until now to issue a ransom?
The Original Celebrated Curiously Strong GHOST (mentha lemures)
So that's two big media splashes about those Evil Crackers. What do you bet that for every time we hear of this, there are many more instances where the hackers were paid off?
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Just because I named the web server does not mean that I am stating that therefore the web server MUST be the culprit. It could be, but may not. You assume too much by thinking that by posting the web server type, I think that its the only way that they could have been hacked.
You can check this out at:
http://www.netcraft.com/whats/?host=www.visa.com
Don't blame it on Microsoft, its not always their fault. Sure doesn't look like it in this case.
When will people learn that encrypting their data (hell, even with a *weak* encryption algorithm) will stump 100% of the script kiddie population!????
Hopefully all UK net users have already seen the following, but it's worth pointing out just the same:
Gasp in awe as you watch Jack Straw, Home Secretary of the UK (ie, important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.
This law is really so incredibly fscked, and demonstrates a complete lack of understanding, on par with the 'net filtering legislation that's just come into effect in Australia (Oz /.'ers: what's happening down there?).
...j
(an Australian living in the UK)
All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?
--
but it is very difficult to make a system extremely secure,
That is true, but many businesses don't even seem to try. The CDuniverse case is a perfect example, the card numbers were apparently stored as plaintext on the web server (NT running Microsoft-IIS/4.0).
To be fair, various encryption export laws don't help matters any. If strong encryption could be freely exported, it would be used in a lot more software. That would go a long way (but not all the way) to preventing these problems.
Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.
Most people already shell out for a wallet to hold cash, DL, and credit cards. They don't have to cost all that much more, since they'd be no smarter than a 4 function calculator, which can be had for $1.99.
I am also aware that the Mondex system is for hard currency. What I propose is added functionality based on the same hardware. Since smart cards are smarter now than they were when Mondex was first proposed, I don't see any reason they can't serve both purposes.
For people who won't buy a wallet, they can use the keypad at the POS terminal and take their chances. They're still more secure than the current system.
A US group was randomly generating card numbers, and then tried to charge around $20 to the card via standard means. They didn't have any expiry data, but apparently the one checker they used did NOT require this information. The result: the company got about $20 charged (one time only) to a number of accounts, and collected that cash for themselves. They are still in operation, as far as I can tell, and are rather 'small time' for both credit card companies (who tend to only chase after $100 or more PER CARD scams) and the US govt (who tends to need $100k or more to put down the smack). Yes, they're illegal, but considered small time by the 'authorities'. At least, if you are smart enough to watch your CC statement, you'll notice the odd $20 charge and can dispute it.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
By "do not ask me to explain", I really meant that it was not anything to do with me and that I can see the stupidity of the situation. It arose from the sort of thing that I was writing about. The firewall was set up when the perceived threats of Java (and there are ways of using Java to get data out) were known and ActiveX was not yet common. Since its installation the only work that has been done is to install the software updates. No changes have been made to the configuration.
I think this type of security problem is common. Especially when consultants are used to install firewalls etc. Once the consultant has gone home and the budget is spent then the problem is forgotten. In our situation it is even more stupid as I work at a university and we have some great people working here but the computer services department is run by winders kiddies that do not understand the Sparcs (or anything much harder than installing Office) and therefore leave them to the consultants. Budget cuts mean that they can only offer 18,000 UKP for a sysadmin and therefore they can't get one.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I hope that these companies will take responsibility for the flaws in their security and not, as most do, claim that it is all the fault of the evil cr/hackers. Visa should be so secure that no one could get in. Sensitive data should not be accessible from the outside.
What often happens is that a supposedly secure system is put in and the operators are so happy that they do not look at security again until, a few years down the road, someone breaches that security.
Security is a developing science. What was secure last year is transparent this year. I work behind 2 firewalls, yet because they are too restrictive we pierce holes through them so that we can use things like UDP. They were not designed to stop ActiveX but they do stop all Java (do not ask me to explain).
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
If you want credit card numbers, go to the dumpster of any restaurant and start digging. Want good gold/platinum card numbers? Go to the good restaurants.
These stories are so damned stupid. People get all up in arms about giving their credit card numbers to online merchants yet they give them to complete strangers at restaurants, bars, and retail stores everyday. I trust amazon.com more than I trust most of the restaurant workers around here to my credit card number.
This article is a typical tabloid boom. It starts with a "It has issued ransom demands of up to £10m and is also suspected of hiring out its services" and later talks about "Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m."
In general this thing looks much like a bad plot for another Hollywood blockbuster. There is only some lack of green color and antennas over the heads of the baddies...
--
--
"Insert witty quote here."
I'd say it's pretty transparently a reaction to Y2K.
The "computers are going to destroy us" articles sell a fair amount of newspapers. That space was well-filled with Y2K articles over the last few months, but since that whole issue obviously went nowhere, the space needs to be filled with something else. IOW, we're back to the hacker/cracker stories, except we can expect to see the focus on "professional hacker groups" rather than kids in their bedrooms.
It wouldn't surprise me in the least if this were some part of a larger plan to get the backing of the less-computer savvy parts of British society for the proposed bill.
Unless they can swing popular opinion behind it, there is little chance that it will be passed. Why? Those who don't understand it or care about it will do nothing, while those of us that do understand it, and oppose it, will do everything we can to ensure that it never comes into force.
On the other hand, if there are enough high-profile, "your money is in danger, even your most personal details!" kind of stories, Jo Public is going to sit up and take notice, and call for the bill's introduction without ever knowing that there is anything bad about it. The majority will buy the party line that it is necessary for their protection, just like the cameras on our streets and public transport are. (Not that I'm totally opposed to them, but there are an awful lot of them these days...)
From the article:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Well, duh. I bet they've been using 'phones and even meeting face to face, too. Maybe I'm reading far too much into this, and letting my paranoia run away with me, but why was this comment even necessary? They've (allegedly) cracked the computer systems of 12 multinational companies, of course they were using sophisticated techniques!! (To say otherwise would be to imply that it was easy.) Being computer savvy, and net connected, of course they've been communicating via email and "internet chat".
If this isn't part of some conspiracy to get popular support for one of the most potentially dangerous bills that has ever come to my attention, then someone somewhere is probably unable to believe their luck that such a fine supporting story has been handed to them on a plate.
Cheers,
Tim
It's official. Most of you are morons.
_These_ crackers are thieves, but not all crackers are. If some group hacks Hotmail and replaces the main page with a message saying "Your security sucks. Hacked by F00fc8C7" then I say more power to them. When someone defaces a web page, it, like you said, forces the company to get their act together. It is a PR loss to the company, but having a secure site is much more important than that. Everyone wins.
It's time for companies to start securing their systems. First off, *really* important information should not be on computers hooked up to the internet. But a lot of computers need to be on the net - so here we go.
First off, they all need a computer staff, and their own "computer security officer". There should of course be password security - but more important - people should be educated about email attachments, trojan horses, and so forth.
Servers should be under constant surveillance. The admins should always know every single program, which version it is, and so forth. They should keep their eyes open, reading bugtraq and other sources every single day.
A firewall is also a very good idea, for these kinds of companies. They do need to be configured correctly, and block out common "trojan-ports" (12345 (netbus), 31337 (bo), and so forth). This is to ensure that no sloppy employee gets his computer backdoored -- and the rest of the net gets access to it. If anybody gains access on ANY of the hosts behind the firewall, the entire network is "compromised" (to a certain degree).
They should also have a fully switched network, or preferably, implement encrypted protocols for data transfers internally, so that even if ONE host got cracked, packet sniffing would do no good.
Oh well, the list goes on and on and on. The important thing is -- every big company should tighten up their security REALLY good. They should have their own staff looking after it.
Smalltime companies should do their very best too -- but they don't have that many computers to protect - and therefore don't need that big a staff.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
This is good in that hopefully companies will get serious about protecting their information systems.
No it's not. Companies should be serious about protecting their information systems because it's the right thing to do, not because some criminals (albeit clever ones) have made it necessary.
Analogy time! Would you be thankful for criminals who break into your house and steal valuable things? Even if they stole nothing, but merely left a note saying that they'd be back to steal your property later, if you don't pay them a big ransom? Hell no. You'd be angry, and rightly so. You might add better security, and that might be a Good Thing(tm) but it's still not good that some thugs threatened you or your property.
I've always thought that simple access to the card itself being protected is pretty unreasonable (i.e. if you have the number & expiration date, you have the keys to the store).
Isn't it time now in this day of ease of access to information to add something smarter to credit cards for security?
This so called "reporter" is a menace and a proven liar. If you would like to read more about his so called journalistic coups, take a look at the very very good British newsletter Need To Know.
They have been covering his misreporting and his bumbling attempts to infiltrate direct action groups in the UK by "fakemailing" them for some time now.
Please, do not even consider believing a word that this buffoon says. How he still holds a post at the Times is quite beyond me.
http://www.ntk.net/index.cgi?back=archive99/now
A little planning goes a long way...
But they've (supposedly) got thousands of credit card numbers! They could squeeze far more money out of those credit cards than £10 million, and if they did it carefully, it would be very difficult to catch them at it. Silly crackers...learn how to play the game before you start.
--
Seems to conjure up the right sort of negative connotations.
As a recent victim of credit card fraud (from a "legit" company), I gotta say that this scares me a little. However, it is the price I pay for convenience. The time that I spent working out my last credit card fraud problem is nothing compared to the time I save by not having to stop for cash, not having to write a check, etc. The convenience of being able to whip out my card is nice. In addition, it's nice to be able to order things online/over the phone without having to mail them a check of some sort.
However, I must ask - why now? We've seen two stories like this in the last week, and they both seem to have been planned for a while. Is there some sort of reason this is suddenly more prevalent?
Unfortunately, as long as companies keep storing customers'/clients' valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.
Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
One of the few things that large corporations listen to is public embarrassment. When people privately tell Microsoft of a security flaw they've discovered, MS just sits on its hands until it gets leaked publicly.
Vandalism is petty crime, and far more people are hurt by incompetent companies that don't find they have reason enough to care about the security levels they inflict upon their patrons. A pointy reckoning to them all!
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
Wow! That is just plain evil. This means someone should start a campaign to get Linux boxes in the UK to use StegFS. StegFS (Steganographic File System) is an encrypted ext2 file system which allows for plausible deniability, i.e. you can give them the password to a lower encryption level and they will have no way to prove higher encryption levels exist, thus there is nothing they can do to make you give up your encrypted data (it also wipes unused blocks so none of this taking the disk to find shit you deleted).
Now, the requiring you not to tell anyone is a separate issue. I dunno what to do about this. I suppose you could just tell people anyway.. maybe someone could run a web page which publishes lists of incidents where they have used this power? Is anyone trying to fight this?
Jeff
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
It never fails to fry my brain when I hear the indignation expressed by the technically clueless in response to tabloid-esque puffery like this. These are the same people who, after their meal at Olive Garden, think nothing of handing their card to an unknown person who disappears with it for five minutes. The same people who think nothing of pulling out their cards and receiving cash at an ATM in a dark, empty parking lot at night. The same people who never even perceive the strangers jammed into the supermarket checkout lane behind them as they whip out their card and pay for groceries.
These people seem to think that the idea that some 'evil haxor' may come along seeking your card number successfully is somehow more repugnant than knowing that management at Best Buy has reports listing the zillion or so numbers their checkout computers recorded over the holidays just sitting around on desks all day.
Anybody know how many lost Mars probes ZDNet helped recover today...?
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Sacred cows make the best burgers.
Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?
Defacing a web-page is a little different. It's closer to putting a post-it note on the inside of your door saying "eY3 0wN u!" or something. Scary but not necessarily all that much work to clean up.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
Some of his recent accomplishments include:
1) allowing Colonel Pinochet, the Chilean dictator and alleged perpetrator of crimes against humanity, to escape justice on the grounds that he is too frail to face the hardships of a court trial. This decision is further to a private medical report on Pinochet's condition, which by its nature seems pretty difficult to challenge.
What exactly about his mind/body is unable to sit through a trial? What are the odds of his staging a "miraculous" recovery upon arrival back to Chile, where he has immunity from prosecution?
2) then there's the case of his letting Mike Tyson, former heavyweight champion boxer, rapist of a teenager and ear gourmet into Britain. The UK law says that aliens convicted of a crime that would carry a prison sentence of 12 months in Britain are denied entry, unless on extreme compassionate grounds. Compassion towards Tyson not towards the British businesses who had invested in the fight!
3) there's the example of the alleged Nazi war criminal Konrad Kalejs who is accused of killing >30,000 civilians in Latvia during World War II. He was found living in a residential countryside home. Instead of prosecuting him, Straw allowed his deportation from the UK as he had *gasp* overstayed his 6 month visa.
It makes me *so* proud to be a part of such an ethical government. *sob* I'm choking up here.
Well, actually, VISA _DID_ inform those people whose accounts were affected. Or, at least, they informed their banks, and I happen to bank at a "good" bank (a credit union, actually), that in turn informed me. They cancelled my existing VISA card, and sent me a new one. They did say that the card number had been compromised at VISA, and that VISA had alerted them. At the time, I thought it odd that I had not heard of numbers being compromised at VISA, so I thought it must have been a small scale leak.
SO, if you were not informed of the compromise either (1) your card was not affected or (2) your bank chose not to tell you. Door number 2 is a black eye for your bank, not VISA.
Does VISA really have an obligation to tell the whole world that some of their numbers were compromised? IMHO, No. They do have an obligation to tell those people who were affected, and I think they did a good job there, at least in my case. Perhaps they chose not to tell the whole world because their investigation (along with whoever else) was on-going. Perhaps (more likely) they chose not to tell the whole world for fear of a mass canceling of VISA cards prior to Christmas. As long as the affected people were notified, which seems to have happened, I really don't think they screwed up here.
Merde, il pleut encore!
I suppose if Taco and Hemos had posted this under a humour heading we would understand we should all laugh at it. But they are just re-posting drivel in the hopes of getting their failing andover stock to go up in price :-)
The article is by one of the most ridiculed "journalists" in Britain, which puts him out in front of a large pile of pathetic scandal-mongers. JU-T has been pointed out to the /. community several times before as a creator of the worst lies about computing we have seen. His job is to create shocking headlines to try and sell a few more papers in an overcrowded market. His dishonoured name makes a regular appearance on www.ntk.net, I would suggest you go on over there and do a search on double-plus-ungoed.
Some of the "stories" which only he has uncovered lately include one whereby his "highly placed source at the FBI" confirms that drug lords all over the world are hiring thousands of programmers to write software drugs, and then they can download them to cyber-junkies and make trillions of $$$ untraceably over the evil internet. Another story regurgitated the claim by a far right wing US research group that 70% of all material on the internet was hard-core pr0n.
The reason you don't see any other newspaper cover these stories or run more truthful versions is that these articles are completely works of fiction, and even the other scandalsheets in Britain won't stoop low enough to answer the Times garbage.
This story first broke last summer, when some kids tried to extort money from VISA. They were stupid, they even made the phone call from their home phone. Scotland Yard closed that case out without blinking. Now the Times pulls it up along with a few hints of other cases, but offers no facts or details, to prove to their readership the internet is a big evil thing which needs strong government regulation.
I can see there are a few other /.ers laying this one open as well. It's amusing how most /.ers are blaming VISA security, when the real story is in tearing apart this piece of "journalism" as the fiction it is.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
From their point of view there's no reason to tell it, you avoid the panic and anyway, you're going to pay for whatever happens so the public doesn't lose anything by not knowing.
They stole corporate secrets and things like that, they didn't steal credit card numbers, so this is more of an internal matter and all it does is make them seem incompetent, which I'm really not sure if it's true or not.
Companies have the right to have a little privacy too, maybe not much, but enough that they don't need to tell the public if it doesn't affect it (and Visa would need to lose a lot more than 10 millions of pounds before the customers see a difference).
ummm ok I realize you've asked not to be asked to explain this novel approach to security, but I would like to point out (for the benefit of other readers) how un-informed this decision is. Java has a wonderful security model and stays in its own sandbox.
ActiveX, on the other hand, is like a drunken super-model on crack. Sure, it's sexy, but you never know what it's going to do next.
I would favor blocking the latter, and letting through the former.
_________________________
Hacker gang blackmails firms with stolen files
£10m ransom demands sent out
Along with the story we're discussing here, we have this little gem:
Pollution set to rip giant hole in ozone layer
More than half the ozone is likely to disappear by March, climatologists warn
Rip a hole? March is 2.5 months away!
Along with that little story, we have more "all the news that's fit to spit":
Call girl fights Vat man's bill for £500,000
Flesh-coloured stockings not claimable - but lacy ones might be
Is this hard news? I think not.
And this little tidbit about Mr. big lips:
Do not arise Sir Mick Jagger
Downing Street blocks planned honour because of errant ways
looks like a gossip rag to me, but then again, I'll let you be the judge.
_________________________
"We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."
Also . . "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.
First of all, the initial Hack was way back in July? Shouldn't there be better disclosure on these matters? Keeping their customers uninformed is by far the worst offence here. Months and months passed before this was finally disclosed, and in that time billions of dollars were at risk.
Secondly, it would appear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think ??
_________________________
1 port scanner: $25.
1 cable modem: $200.
Knowing you're bringing down the world's largest financial transaction institution?: Priceless.
_________________________
Like I said, "bring on the defenders...."
OK, so what if they copied the file?! How about if I change my analogy to use water soluble paint instead?
What, on the other hand, if the crackers decided to rootkit the system, then cp index.html to index.html.bak, so it _appeared_ to be a harmless prank?
If a site has been compromised, the usual (and proper) course of action is to rebuild from trusted tapes. None of this affects the original point, though, which is this:
Vandalism, regardless of the financial consequences, is still vandalism. Similarly, theft is still theft. Both cause harm, both destroy trust, and both break down open and free dialog.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
While not all crackers are thieves, most are criminals in some form. The hotmail crackers you mention are vandals. If they want to be known as something other than criminals, then they could privately email Hotmail with the details of their security flaw. Even this would be in a grey area.
Honestly, my apartment security sucks compared to, say, Intel's fab plants. Does that mean that I should thank thieves and vandals for breaking in, stealing my stereo, and destroying my records? Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?
There's no reason we should accept that security less than NSA levels is an acceptable invitation to invasion, either physically or cybernetically. Criminal Trespass is indefensible no matter where it takes place.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
We need to ask ourselves the usual questions:
a) How reliable is this news source?
b) What is the potential for harm to Visa customers?
c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
d) What can Visa do about it in terms of guaranteeing that IF card numbers have been stolen, that customers will not be liable for any charges made illegally (or is this already provided for)?
Before we start to create mass hysteria and hype over this, we need to assess the actual potential for damage so that we do not let this get blown out of proportion.
I mean taking a realistic view, Visa is going to be damn well careful to keep their data secure, this hack is most certainly not due to negligence on their part. They're probably working their asses off right now to fix it. IF card numbers have been stolen, Visa has to pay for illegal purchases - and you can be sure that they're making every effort to avoid this.
... is the author. Jon Ungoed-Thomas has managed to embarrass himself several times in the past, once by e-mailing Earth First! pretending to be an anti-corporation activist called "Jo", trying to provoke them into letting him in on something illegal. He sent the e-mail from the address jonathan.ungoed-thomas@sunday-times.co.uk!
More details at NTK - search for "Ungoed".
Gerv
I think the next thing we need a word for, after "benchcrafting", is "hacksationalism" (or maybe "cracksationalism" before people flame me) to cover all these media stories trying to spread panic about cracks amounting to nothing.
I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to end of civilisation as we knew it (or maybe not...)
So what about this one, well:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Wow, malicious hackers that can use email and IRC! They have got to be a dangerous threat!
It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.
Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...) But then we do know how expensive it is when a hacker gets your source code, look at poor Sun who had to recode Solaris from scratch after Mitnick looked at its source (what? Didn't they? They must have since they claimed the entire cost of it in damages.)
Also, in both this and the CDUniverse case, the hackers are (apparently) trying extortion as a way of making money off their cracks. Extortion is a really, really, really, bad way of committing crimes without getting caught. Unless you happen to have serious underworld money laundering connections, you are going to get caught when you try to get your hands on the money - for sure. If these guys think they can walk away with a suitcase of "100 thousand quid in unmarked twenties" they have watched too many movies.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
The Times was, a very long time ago, the paper of the elite in the UK. Then Murdoch bought it and took it downmarket in the search for sales after its traditional userbase migrated to the Telegraph / FT / Independent / Guardian.
Hence they're a bit clueless now. This story has been going for a few days in the UK, but no details are apparent, no arrests have been made, no evidence shown. I'm sure somebody has made some threats, but then there's always somebody out there who'll make threats.
Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
Well if past records are anything to go on, any second now someone will post here about how we should be thanking the crackers for forcing the companies to get their acts together. This will come despite the fact that the crackers are thieves, blackmailers, and dealers (of illegally obtained information).
I wonder how culpable Visa really is in this. I suspect that they had good solid security in place, and that the criminals broke in through some actual code bugs. (i.e. some new buffer overflow, rather than something like poor/no password selection)
I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban