Slashdot Mirror


British Crackers Demand Millions in Inforansom

RuntimeError writes "The Times of UK report that a group of British Cr/Hackers have broken into the computer systems of at least 12 multinational companies, stolen confidential files, and are holding the companies to ransom." One of the companies is Visa, as in credit cards. I believe this has far more hysteria potential than the recent CDuniverse inforansom scandal. Expect the usual pundits to be all over this story within the next few days.

20 of 190 comments

  1. Re:Security by obscurity doesn't work! by sjames · · Score: 3

    But this is relatively expensive and makes spending money harder, so isn't going to happen all that soon....

    It shouldn't be all that expensive when reduced fraud losses are considered. What is needed is a smart card and an electronic wallet more or less like the Mondex wallet. The card would contain an encrypted signature key. The card owner enters password and total amount into the card through the wallet. Card then goes into slot in the POS terminal. The terminal gives the card a transaction record in plain text. The card compares the amount, and if it matches, signs the record and hands it back.

    When that signed record is submitted to the credit card company, there can be little doubt that the customer authorized the transaction. Since the secret key is itself passphrase encrypted, it is useless to anyone but the owner. Entering the passphrase on the wallet eliminates fraud at the POS terminal. A simple serial connection to the wallet (like that on a Palm) enables it to be used for internet transactions. Phone orders can be handled by the cardholder entering the merchant's info into the wallet and calling out the signature value OR by acoustic modem. Recurring charges could be set up by a customer using the card to sign an authorization which names the company, maximum charge/month and duration of the agreement. Early cancellation can be managed by the cardholder sending a card-signed termination to the credit card company.

    Really, all of that is only slightly harder than calling out the credit card number (or handing it over to a clerk), and is many times more fraud proof. It would also avoid the annoyance of having to get a new card every few years.

    A side benefit of all of that is that semi-anonymous charges could be made. The cc company would still know all, but the retailer would not need to know anything about you at all.

    The system could be given even more value by making the same card/wallet capable of electronic cash and secure ATM transactions.

    The interim period could be handled by placing a standard magstrip and number on the new card so it can be used the old way. Hopefully, that period wouldn't last TOO long.
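
The card, wallet and terminal exchange sjames describes above, as an added Python sketch that is not part of the original comment. It swaps HMAC-SHA256 under a key shared with the issuer for the signature (the standard library has no public-key signing), and the class names, record fields and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

def _kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch the owner's passphrase into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Card:
    """Hypothetical card: holds the signing key only in passphrase-wrapped form."""

    def __init__(self, card_key: bytes, passphrase: str):
        self.salt = os.urandom(16)
        self.wrapped = _xor(card_key, _kek(passphrase, self.salt))
        # Check value lets the card reject a wrong passphrase. A real card
        # would also need a hardware retry counter against guessing.
        self.check = _mac(card_key, b"key-check")
        self._armed = None

    def arm(self, passphrase: str, amount_cents: int) -> None:
        """Wallet step: owner enters passphrase and the total they expect to pay."""
        key = _xor(self.wrapped, _kek(passphrase, self.salt))
        if not hmac.compare_digest(_mac(key, b"key-check"), self.check):
            raise PermissionError("wrong passphrase")
        self._armed = (key, amount_cents)

    def sign(self, record: bytes) -> bytes:
        """POS step: sign the terminal's plain-text record only if the amount matches."""
        if self._armed is None:
            raise PermissionError("card not armed by its owner")
        key, amount = self._armed
        self._armed = None  # one approval per passphrase entry
        if json.loads(record).get("amount_cents") != amount:
            raise ValueError("terminal amount differs from amount entered in wallet")
        return _mac(key, record)

def issuer_verify(card_key: bytes, record: bytes, tag: bytes) -> bool:
    """Card company step: accept the charge only if the tag covers this exact record."""
    return hmac.compare_digest(_mac(card_key, record), tag)

def demo() -> dict:
    key = os.urandom(32)  # constructed sample key, known to card and issuer
    card = Card(key, "correct horse")
    record = json.dumps({"merchant": "EXAMPLE-SHOP", "txn": "0001",
                         "amount_cents": 1999}).encode()
    card.arm("correct horse", 1999)
    tag = card.sign(record)
    padded = record.replace(b"1999", b"9999")  # terminal inflates the amount later
    card.arm("correct horse", 1999)
    try:
        card.sign(padded)
        refused = False
    except ValueError:
        refused = True
    return {"honest": issuer_verify(key, record, tag),
            "altered_after_signing": issuer_verify(key, padded, tag),
            "card_refused_mismatch": refused}

if __name__ == "__main__":
    print(demo())
```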

  2. Re:Inforansom... by jilles · · Score: 3

    As long as there is no standard we'll just have to use our credit card. We have a standard for networking (TCP/IP), we have a few standards for mail (pop3, smtp, imap, etc.).

    While I agree that not every standard is as good as it could be, having a standard means that you've got something to work with. If a standard for exchanging money is not good enough the credit card companies have to pay for it. If they're losing a lot of money they'll have to fix the standard or accept their loss. It isn't their customers' problem.

    For that reason I'm not so afraid for bad standards. I can't stress this point enough: standardization is what made the industrial revolution happen. We'll need standardization on the internet too. Hell, the internet is all about standards. Bad standards are outcompeted (gopher) by other standards or fixed (IP).

    Right now there isn't any standard for something very obvious: exchanging money. The only thing you can do is exchange credit card numbers. It's not a technical problem, it's a standardization problem.

    Your post sounds very anarchistic. You're afraid of losing your freedom and you assume a central authority. I can't take away the first but the lack of the second thing is the whole problem. In a way the software community is way beyond the banking world in that they've recognized that it is more profitable to agree with your competitors than to compete with an incompatible 'standard' (recent example: internet messaging).

    --

    Jilles
  3. Re:Inforansom... by jilles · · Score: 3

    I don't agree with you on this. Sure absolute security is difficult but it should at least be possible to get more or less the same level of security we had before the internet (which was adequate most of the time).

    For that to happen we need two things:
    1 - a global standard on how to exchange money. Such a standard would need to include encryption + a protocol to establish a secure connection + a protocol to exchange the money over the connection + a secure way to allow both sides to identify each other

    2 - Adequate laws to warrant the rights of both parties involved in a transaction similar to what applies to conventional ways of exchanging money and a more relaxed encryption policy of for instance the US government.

    The technology to do all this has been around for a couple of years and things like this news item will make it more likely that banks and credit card companies will actually make this happen.

    --

    Jilles
  4. Re:Slashdot Reliability - hacked again by anticypher · · Score: 3

    I suppose if Taco and Hemos had posted this under a humour heading we would understand we should all laugh at it. But they are just re-posting drivel in the hopes of getting their failing andover stock to go up in price :-)

    The article is by one of the most ridiculed "journalists" in Britain, which puts him out in front of a large pile of pathetic scandal-mongers. JU-T has been pointed out to the /. community several times before as a creator of the worst lies about computing we have seen. His job is to create shocking headlines to try and sell a few more papers in an overcrowded market. His dishonoured name makes a regular appearance on www.ntk.net, I would suggest you go on over there and do a search on double-plus-ungoed.

    Some of the "stories" which only he has uncovered lately include one whereby his "highly placed source at the FBI" confirms that drug lords all over the world are hiring thousands of programmers to write software drugs, and then they can download them to cyber-junkies and make trillions of $$$ untraceably over the evil internet. Another story regurgitated the claim by a far right wing US research group that 70% of all material on the internet was hard-core pr0n.

    The reason you don't see any other newspaper cover these stories or run more truthful versions is that these articles are completely works of fiction, and even the other scandalsheets in Britain won't stoop low enough to answer the Times garbage.

    This story first broke last summer, when some kids tried to extort money from VISA. They were stupid, they even made the phone call from their home phone. Scotland Yard closed that case out without blinking. Now the Times pulls it up along with a few hints of other cases, but offers no facts or details, to prove to their readership the internet is a big evil thing which needs strong government regulation.

    I can see there are a few other /.ers laying this one open as well. It's amusing how most /.ers are blaming VISA security, when the real story is in tearing apart this piece of "journalism" as the fiction it is.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  5. Re:From the Article . . by fpepin · · Score: 3

    From their point of view there's no reason to tell it, you avoid the panic and anyway, you're going to pay for whatever happens so the public doesn't lose anything by not knowing.

    They stole corporate secrets and things like that, they didn't steal credit card numbers, so this is more of an internal matter and all it does is make them seem incompetent, which I'm really not sure if it's true or not.

    Companies have the right to have a little privacy too, maybe not much, but enough that they don't need to tell the public if it doesn't affect it (and Visa would need to lose a lot more than 10 million pounds before the customers see a difference).

  6. Re:Security by Money__ · · Score: 3
    They were not designed to stop activeX but they do stop all Java (do not ask me to explain).
    Ummm, OK, I realize you've asked not to be asked to explain this novel approach to security, but I would like to point out (for the benefit of other readers) how uninformed this decision is. Java has a wonderful security model and stays in its own sandbox.

    ActiveX, on the other hand, is like a drunken super-model on crack. Sure, it's sexy, but you never know what it's going to do next.

    I would favor blocking the latter, and letting through the former.
    _________________________

  7. Consider the source by Money__ · · Score: 3
    After many posters voiced concern over the reliability of "The Times UK", I took it upon myself to investigate some of their other headlines. First of all, we have the one being discussed here today:

    Hacker gang blackmails firms with stolen files
    £10m ransom demands sent out

    Along with the story we're discussing here, we have this little gem:
    Pollution set to rip giant hole in ozone layer
    More than half the ozone is likely to disappear by March, climatologists warn

    Rip a hole? March is 2.5 months away!

    Along with that little story, we have more "all the news that's fit to spit":
    Call girl fights Vat man's bill for £500,000
    Flesh-coloured stockings not claimable - but lacy ones might be

    Is this hard news? I think not.

    And this little tidbit about Mr. big lips:
    Do not arise Sir Mick Jagger
    Downing Street blocks planned honour because of errant ways

    Looks like a gossip rag to me, but then again, I'll let you be the judge.
    _________________________

  8. From the Article . . by Money__ · · Score: 3
    . . Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m.

    "We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."

    Also . . "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.

    First of all, the initial Hack was way back in July? Shouldn't there be better disclosure on these matters? Keeping their customers uninformed is by far the worst offence here. Months and months passed before this was finally disclosed, and in that time billions of dollars were at risk.

    Secondly, it would appear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think ??
    _________________________

  9. Visa: Everywhere you don't want it to be by Money__ · · Score: 3

    1 port scanner: $25.
    1 cable modem: $200.
    Knowing you're bringing down the world's largest financial transaction institution?: Priceless.
    _________________________

  10. Re:Private email doesn't work by swordgeek · · Score: 3

    "One of the few things that large corporations listen to is public embarrassment. When people privately tell Microsoft of a security flaw they've discovered, MS just sits on its hands until it gets leaked publicly."

    True 'nuff. OK, how about a week grace period after the private mail, and then public disclosure on Bugtraq or the like? There are perfectly acceptable ways of letting the victim and the community know about security breaches, other than defacement. Let's be honest; How many crackers are going to say to themselves (regardless of what they say to the media), "I feel morally required to deface this page to illustrate serious security bugs that took me three weeks of work to discover." Now how many are going to say, "C00l! I br0k3 it! I AM 31LEET D00DZ!!!" (As an aside, I suspect that they really talk like that, even internally :-)

    In other words, the end (better security) doesn't justify the means (cracking and vandalism), especially when other equally effective means exist.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  11. Re:Bring on the defenders of crime! by swordgeek · · Score: 3

    Like I said, "bring on the defenders...."

    OK, so what if they copied the file?! How about if I change my analogy to use water soluble paint instead?

    What, on the other hand, if the crackers decided to rootkit the system, then cp index.html to index.html.bak, so it _appeared_ to be a harmless prank?

    If a site has been compromised, the usual (and proper) course of action is to rebuild from trusted tapes. None of this affects the original point, though, which is this:

    Vandalism, regardless of the financial consequences, is still vandalism. Similarly, theft is still theft. Both cause harm, both destroy trust, and both break down open and free dialog.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  12. Re:Bring on the defenders of crime! by swordgeek · · Score: 3

    While not all crackers are thieves, most are criminals in some form. The hotmail crackers you mention are vandals. If they want to be known as something other than criminals, then they could privately email Hotmail with the details of their security flaw. Even this would be in a grey area.

    Honestly, my apartment security sucks compared to, say, Intel's fab plants. Does that mean that I should thank thieves and vandals for breaking in, stealing my stereo, and destroying my records? Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?

    There's no reason we should accept that security less than NSA levels is an acceptable invitation to invasion, either physically or cybernetically. Criminal Trespass is indefensible no matter where it takes place.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  13. What to do next... by aliebrah · · Score: 3

    We need to ask ourselves the usual questions:

    a) How reliable is this news source?
    b) What is the potential for harm to Visa customers?
    c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
    d) What can Visa do about it in terms of guaranteeing that IF card numbers have been stolen, that customers will not be liable for any charges made illegally (or is this already provided for)?

    Before we start to create mass hysteria and hype over this, we need to assess the actual potential for damage so that we do not let this get blown out of proportion.

    I mean taking a realistic view, Visa is going to be damn well careful to keep their data secure, this hack is most certainly not due to negligence on their part. They're probably working their asses off right now to fix it. IF card numbers have been stolen, Visa has to pay for illegal purchases - and you can be sure that they're making every effort to avoid this.

  14. Re:Securing systems. by sjames · · Score: 4

    The sysadmins should have full access to everything, and know as much as possible, so that they can squash a bug if they find one, without delay.

    Not necessarily. For example, the sysadmin only needs to know where and how credit card numbers are stored, not the passphrase needed to decrypt them. Or the threat could be reduced by using a capabilities based system where most admin duties are performed with only a subset of root capabilities. Full root could require a valid login from two sysadmins. That wouldn't preclude insider fraud, but it would be less likely and harder to get away with.

  15. The reason you know it's rubbish... by Gerv · · Score: 4

    ... is the author. Jon Ungoed-Thomas has managed to embarrass himself several times in the past, once by e-mailing Earth First! pretending to be an anti-corporation activist called "Jo", trying to provoke them into letting him in on something illegal. He sent the e-mail from the address jonathan.ungoed-thomas@sunday-times.co.uk!

    More details at NTK - search for "Ungoed".
    Gerv

  16. We need a word for this. by Hobbex · · Score: 4

    I think the next thing we need a word for, after "benchcrafting", is "hacksationalism" (or maybe "cracksationalism" before people flame me) to cover all these media stories trying to spread panic about cracks amounting to nothing.

    I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to the end of civilisation as we knew it (or maybe not...)

    So what about this one, well:

    "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.

    Wow, malicious hackers that can use email and IRC! They have got to be a dangerous threat!

    It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.

    Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...) But then we do know how expensive it is when a hacker gets your source code, look at poor Sun who had to recode Solaris from scratch after Mitnick looked at its source (what? Didn't they? They must have since they claimed the entire cost of it in damages.)

    Also, in both this and the CDUniverse case, the hackers are (apparently) trying extortion as a way of making money off their cracks. Extortion is a really, really, really, bad way of committing crimes without getting caught. Unless you happen to have serious underworld money laundering connections, you are going to get caught when you try to get your hands on the money - for sure. If these guys think they can walk away with a suitcase of "100 thousand quid in unmarked twenties" they have watched too many movies.

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  17. Re:Inforansom... by konstant · · Score: 4

    Unfortunately, as long as companies keep storing customer's/client's valuable information in insecure places with insecure software, there will always be some cr/hacker that will find a way to nab it.
    Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.


    DEFENDANT: Your honor, I only killed that man to demonstrate how extremely poor most people are at self defense! Consider it an act of charity to society at large.

    JUDGE: I never saw it that way! I will enroll in a Tai Jitsu Kata class immediately! Case dismissed!!!!

    ---

    ATTORNEY: And so you see ladies and gentlemen of the jury, my client did not rob the bank as an act of theft per se, but rather as a valiant display of public zeal! How many of you slept easy last night entrusting your money to the poorly secured bank vaults of the neo-syndicalist dogs at First National Savings?!!?!

    JURY FOREMAN: This man is a hero! I am going to stuff my money into my mattress forthwith! Down with the WTO! Case dismissed!!!!

    ---

    JUDGE: For your crimes against society, I hereby sentence you to hang by the neck until dead!

    DEFENDANT: But your honor, by poisoning the water supply of the local KiddieCare Nurture Center, I indicated strikingly the need for higher quality water filtration. And by ransoming the life of 2 year old Phiddeas Quilch (whom I knew already to be dead) I displayed the ironic certainty that a society designed around monetary transactions is inherently debased with greed and treachery!

    JUDGE: You are a wonderful person!!! Thank you!!! Case dismissed!!!

    -konstant
    Yes! We are all individuals! I'm not!
  18. I wouldn't trust "The Times" with a bargepole by kojak · · Score: 4

    The Times was, a very long time ago, the paper of the elite in the UK. Then Murdoch bought it and took it downmarket in the search for sales after its traditional userbase migrated to the Telegraph / FT / Independent / Guardian.

    Hence they're a bit clueless now. This story has been going for a few days in the UK, but no details are apparent, no arrests have been made, no evidence shown. I'm sure somebody has made some threats, but then there's always somebody out there who'll make threats.

    Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.

  19. Re:An old rule about demanding money: by aphor · · Score: 4

    You seem to be oblivious to the distributed dead-man switch of internet data release/publication.

    I die. I forget to log into any one of many "magic" accounts out there, or something. A script in several places on the net times out, and lets the cat out of the bag on Usenet.

    Ask for *WAY* more than it would take to kill you professionally. *WE* of technologically endowed brain, beyond good and evil are the masters here.

    --
    --- Nothing clever here: move along now...
  20. Bring on the defenders of crime! by swordgeek · · Score: 4

    Well if past records are anything to go on, any second now someone will post here about how we should be thanking the crackers for forcing the companies to get their acts together. This will come despite the fact that the crackers are thieves, blackmailers, and dealers (of illegally obtained information).

    I wonder how culpable Visa really is in this. I suspect that they had good solid security in place, and that the criminals broke in through some actual code bugs. (i.e. some new buffer overflow, rather than something like poor/no password selection)

    I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban