LulzSec wreaks Havoc

LulzSec emerged in the past few months, but has quickly taken the headlines away from Anonymous. It has gained attention due to its high-profile targets and the sarcastic messages it has posted in the aftermath of its attacks. Everyone is a target and very few things are off limits. At one point, the group opened up a hotline where it took hacking requests. LulzSec first got noticed when it hacked the Web sites of Fox.com and PBS. It stole Fox employee passwords and posted them online. Since the PBS and Fox.com hacks, LulzSec has also targeted SonyPictures.com, FBI-affiliated Web sites, Nintendo, Bethesda Softworks and other small gaming companies, Senate.gov, and the CIA, among others.

Recently, LulzSec released the emails and passwords of 62,000 average Web users, people who had their emails hacked, Facebook accounts defaced, and Amazon accounts charged. The majority of LulzSec’s messages are sent via Twitter @LulzSec. The group does not show any signs of slowing down, and news of new hacks or targets emerges every day. For the most part, Anonymous has targeted government sites and has not focused much on stealing and posting the confidential data of the average Web user. The same can’t be said for LulzSec.

As LulzSec points out, much of the trouble stems from the fact that people tend to use the same password across multiple sites, whether they’re signing up for a newsletter or paying their credit card bill. If anything, these hacks should teach people to have multiple passwords for email, banking, credit cards, and online shopping. It can be difficult to remember multiple passwords, but it’s better than having a LulzSec supporter hack into your Facebook account and change your photo to something obscene.

Top 3 Craziest Attacks of Anonymous

Anonymous has been pretty popular in the technology sphere due to their attacks, and they keep attacking more and more every day. The entity does not want to be counted as a group; they call themselves a unity of hackers. They first came together in order to stop the Scientology cult and publish the truth about them.

The unity fights for freedom and they have been stealing big chunks of data from certain security companies, web sites, technology firms and even countries. In this article I have found the top three craziest attacks of Anonymous.

1. Operation Payback

Date: December 2010
Target: Visa, MasterCard, Amazon, PayPal, PostFinance

The Government of the United States suggested that WikiLeaks stop publishing secret documents and closed accounts and servers that were in favor of WikiLeaks. Thus Anonymous started attacks on several companies, such as Visa, MasterCard and PayPal, that did not want to work with WikiLeaks. On December 8th Anonymous hacked the websites of Visa and Mastercard.

 

2. Bank of America

Date: 14 2011
Target: Bank of America

Anonymous aimed to reveal unjust practices of Bank of America on mortgages and leaked internal e-mails of Bank of America.

 

3. Operation: Sony

Date: April 02 2011
Target: Sony Entertainment

Constant attacks on Sony’s web site and services started on the second of April. Anonymous shaped history by totally hacking the PlayStation Network; their reason for hacking it was the corporate decision to sue George Hotz, who had hacked the PlayStation and made a way to modify it.

 

Trojan.Mebromi is able to infect the BIOS

Every day the threat posed by malware grows greater and greater. A recently discovered trojan known as Trojan.Mebromi is able to flash itself to the BIOS of an infected computer. So far it can only infect the Award BIOS. Similar malware, called CIH, was developed before, but it was last seen in the 1990s and only corrupted the BIOS rather than hiding in it.

When you turn on your computer, the BIOS loads the operating system, among other things. Mebromi alters the MBR (master boot record) of the system, which allows it to run its commands on start-up before the OS. Upon booting, it infects the system and downloads malicious files. This creates a big challenge for anti-virus developers because even if their scanners find the virus and remove it, they don’t detect the copy located in the BIOS. So when the user turns their computer on again, it re-installs itself back onto the system.

So far the only way to remove it from your system is by flashing the BIOS. Flashing the BIOS is a very delicate procedure that could render your system bricked in the worst-case scenario, so anti-virus developers are hesitant to do anything that could modify the BIOS in any way, preferring to leave it up to the developers of the BIOS.
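The reinfection pattern described above is visible from the defender's side if a hash of the MBR boot code is recorded at each boot: the same unknown code coming back after the MBR has been restored means the copy on disk was not the only one. The following Python sketch is an added example, not from the original post or any vendor tool; the function names are hypothetical, the sectors are constructed sample data, and it assumes each sector was read from a trusted environment.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 446      # bytes 0-445: boot code; 446-509: partition table
SIGNATURE = b"\x55\xaa"  # boot signature at offsets 510-511

def make_mbr(boot_code, part_table=b"\x00" * 64):
    """Build a constructed 512-byte sector for the demo (not a real loader)."""
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + part_table + SIGNATURE

def boot_code_hash(mbr):
    """Hash only the boot-code area so partition edits do not raise alarms."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def review_boot_log(baseline, events):
    """events: ("boot", sector_bytes) or ("restore", None), in time order."""
    good = boot_code_hash(baseline)
    cleaned = set()  # unknown hashes that were on disk when the MBR was restored
    last = good
    verdicts = []
    for kind, sector in events:
        if kind == "restore":
            if last != good:
                cleaned.add(last)
            last = good
            continue
        last = boot_code_hash(sector)
        if last == good:
            verdicts.append("clean")
        elif last in cleaned:
            # Same code came back after a repair: look beyond the disk sector.
            verdicts.append("returned-after-restore")
        else:
            verdicts.append("modified")
    return verdicts

# Constructed sample data: placeholder strings stand in for boot code.
BASELINE = make_mbr(b"CONSTRUCTED-GOOD-LOADER")
TAMPERED = make_mbr(b"CONSTRUCTED-UNKNOWN-CODE")
REPARTITIONED = make_mbr(b"CONSTRUCTED-GOOD-LOADER", b"\x80" + b"\x00" * 63)
SAMPLE_EVENTS = [("boot", BASELINE), ("boot", REPARTITIONED), ("boot", TAMPERED),
                 ("restore", None), ("boot", TAMPERED)]

if __name__ == "__main__":
    print(review_boot_log(BASELINE, SAMPLE_EVENTS))
```

A "returned-after-restore" verdict does not identify the BIOS as the source by itself; it only shows that repairing the disk sector was not enough.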

For further reading:
http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/
http://www.symantec.com/connect/blogs/bios-threat-showing-again

Online security bill vs. pledge to reject cybertheft

I read two articles online recently that brought a question to mind as I read them. It’s not a new question to most of us, however: what is the best way to protect private information from being stolen by hackers? More specifically, who would be the most effective, based on these two articles: is it the government or is it the hackers themselves?

My view is that some combination of the two…along with much help from the private sector, would be the most effective. Hackers would have the knowledge and be the quickest to react to new threats; we all know how slow government works. The problem there is that there are always the bad apples. Can we really rely on hackers to effectively police themselves? I don’t think that is possible. Are ethical hackers effective or do they just fuel more competition from ‘the bad guys’?

On the other side is the government with its laws and regulations. While I think that kind of thing is needed to force private corporations to be more responsible with consumer information, I also wonder where the line should be drawn. My fear is that once the government begins to regulate companies, will they stop there? Do we need to protect children and private information…of course we do. Will we soon however have laws limiting the exchange of ideas, limitations on what can be bought and sold, guidelines on what we can discuss in forums? Will we be restricted from selling certain items because a hacker may use them for malicious purposes? Will we not be able to discuss adult topics because a child may wander on a website? Will we no longer be able to discuss security on blogs such as this because it could inform a hacker of certain vulnerabilities?

My view is that while there are obvious holes that need patching, overall we are doing fine with things as things are. In the whole design of time, technology, or more pertinently cyber security, is still a very new thing. How many people lost fingers and limbs in early industrial machinery? Did we stop using machines because of that? No, we continued and made improvements as things progressed. The government didn’t step in right away; mostly the improvements were made by the users themselves. Technology is no different. We need to stay diligent, use caution and protect where we can…we should also be helping our fellow man. The bright side is…we will all have jobs waiting for us when we finish school.

So what do you think? Who is best suited to prevent hackers from stealing private information…the government or ethical hackers?

Sources:  http://www.computerworld.com/s/article/9220097/Pledge_asks_Chinese_hackers_to_reject_cybertheft?taxonomyId=17

http://bits.blogs.nytimes.com/2011/09/08/senator-introduces-new-online-privacy-bill/

Bored employee bypassing Windows Group Policy restrictions with only the calculator application

http://www.watchguard.com/infocenter/editorial/18935.asp

The article above describes how a disgruntled or bored employee could bypass the restrictions set up on his workstation by the system administrator, more specifically the restrictions of Windows Group Policy. Windows Group Policy allows system administrators to control what files are accessible, which applications are available, web browsing settings, and the use of configuration tools. The hacker is able to bypass the security restrictions, view all system files and directories, and access the web.

In this scenario the system administrator limits application use to only allow Microsoft Word and the calculator. The educated employee knows that Internet Explorer is highly integrated into the Windows OS and, more specifically, that the Windows help feature cannot run without it. By opening the calculator and clicking on help -> help topics -> jump to URL, the hacker has gained access to the web on a machine that was supposed to prohibit this. Next, he moves on to the system files by using his knowledge of URL handlers. Instead of entering “http://google.com/”, he enters “shell:system” and now he is able to view all system files and directories. This scenario illustrates the “why not” and “nothing to lose” principal motives of hackers. The no-risk feeling and the “costing nothing to try” mindset is what drives curious people to hack and break into systems (as we discussed in class).

The article then goes on to explain a few tips on how these hackers can be stopped. A layered defense using multiple programs would be your first step in a secured system. Lastly, have a written policy the employees must sign, so if they break the technical rules then at least you have a legitimate, on-paper reason for firing the employee.