Hackers strike Malaysian websites for a second day

The attacks followed a warning by Internet vigilante group Anonymous, which said it planned to target the Malaysian government's official portal www.malaysia.gov.my to punish it for censoring WikiLeaks.

In the attacks, which started in the early hours of Thursday, 91 Malaysian websites were hit, including 51 government webpages. Fewer attacks were reported on Friday.

The official government website was back online on Friday and most other websites had recovered, said Husin Jazri, chief executive of CyberSecurity Malaysia, which is responsible for protecting the country's cyberspace borders.

"Our focus now is to halt the attack and to help the victims to get their websites up and running as usual," Husin said in a statement. "The attack is still ongoing but at a reducing rate compared to yesterday."

Husin did not say how many websites were attacked on Friday.

Local media reported that Malaysian hackers also participated in the attack that was first announced this week by Anonymous, which frequently tries to shut down the websites of businesses and other organizations it opposes.

Husin said police had identified some of the hackers but gave no further details. Police officials were not immediately available to comment.

State news agency Bernama quoted Science, Technology and Innovation Minister Maximus Ongkili as saying 90 percent of the hackers were Malaysians.

Anonymous gained notoriety when it temporarily crippled the websites of MasterCard and Paypal that cut off financial services to WikiLeaks, the website that aims to hold governments and corporations to account by leaking secret documents.

Hackers have also struck multinational firms and institutions, from the U.S. Central Intelligence Agency to Citigroup to the International Monetary Fund.

Anonymous members cripple websites by overwhelming them with traffic in what are commonly known as "denial of service" attacks. The hacking group has also brought down websites in Syria, Tunisia, Egypt and India for political reasons.

The spate of attacks by Anonymous and other groups has raised concerns that governments and the private sector may unprepared to defend themselves.

Read More

Legislation criminalizing creation of computer viruses enacted

TOKYO (Kyodo) -- Japan's parliament enacted legislation Friday criminalizing the creation or distribution of computer viruses to crack down on the growing problem of cybercrimes, but critics say the move could infringe on the constitutionally guaranteed privacy of communications.

With the bill to revise the Penal Code passing the House of Councillors by an overwhelming majority, the government intends to conclude the Convention on Cybercrime, a treaty that stipulates international cooperation in investigating crimes in cyberspace.

Japanese investigative authorities have so far had trouble pursuing a series of cyberattacks on government offices, corporations and individuals in the absence of a domestic law specifically designed to punish virus creation and other harmful acts on computer networks.

The legislation makes the creation or distribution of a computer virus without a reasonable cause punishable by up to three years in prison or 500,000 yen in fines, and the acquisition or storage of one punishable by up to two years in prison or 300,000 yen in fines.

It also makes it punishable to send e-mail messages containing pornographic images to a random number of people.

The law controversially allows data to be seized or copied from computer servers that are connected via online networks to a computer seized for investigation.

It also enables authorities to request Internet service providers to retain communications logs, such as the names of e-mail senders and recipients, for up to 60 days.

Because of concerns that keeping such communication logs could violate the privacy of communications guaranteed under the Constitution, the upper house's Judicial Affairs Committee attached to the legislation a resolution calling for the authorities to apply the law appropriately.

The government submitted similar legislation to the Diet in 2003 and 2005, but the move failed each time because of strong opposition to a concurrently proposed clause that sought to make it an act of conspiracy for a group of people to simply conceive of committing a crime.

The latest legislation has no such clause, which had originally been intended to combat organized crimes.

The Convention on Cybercrime, which was adopted by the Council of Europe in November 2001, took effect in 2004, with 31 countries having ratified it so far. It requires parties to make it criminal to have unauthorized access to computer systems, store images of child pornography and infringe on copyrights, among others.

Japan approved the convention at the Diet in 2004, but has not concluded the treaty in the absence of a domestic law.

Read More

Hackers Target CIA Website, Among Others

Hacker group LulzSec yesterday took down the CIA's website, in a bold move to provoke the U.S. government "for laughs" while adding to a string of recent worldwide cyber-crimes.

The group, which attacked cia.gov, didn't gain access to any sensitive data on the agency's internal networks. They also hacked the Senate's website again, in addition to flooding the FBI with forwarded calls.

The CIA has deemed the attacks merely an annoyance, but say they are investigating.

"We are looking into the matter," said CIA spokesman Preston Golson.

Breaching governmental websites is a federal crime punishable by fines and up to 20 years in prison, but LulzSec is laughing over its allegedly simple CIA break-in.

"People are saying our CIA attack was the biggest yet, but it was really a very simple packet flood," the hacking group stated. LulzSec is on the FBI's wanted list, though thus far its members have evaded law enforcement officials.

The hacker group's latest exploit may not be its biggest by volume -- that prize goes to its attack on Bethesda Software -- but this hack is akin to hitting a hornet's nest. The CIA is unlikely to sit idly by and let itself be targeted again.

LulzSec's admission of the CIA and Senate hacks is especially unusual given that hackers regularly boast of smaller exploits, but few come forward to claim responsibility for serious attacks.

The recent hacks against Lockheed Martin, Citigroup, International Monetary Fundand Epsilon, among others, remain anonymous.

No one has claimed responsibility for Sony's initial and biggest security breach, which exposed 100 million users' information, but hackers have perpetrated and acknowledged multiple, smaller breaches against the company since then.

LulzSec has hit Sony multiple times, plus attacking Nintendo, PBS, a porn site, World of Warcraft and various gaming sites.

The organization is not alone in its mission to wreak destruction on official and corporate sites. The hacktivist group Anonymous, which some believe gave birth to LulzSec, recently downed police sites in Spain after authorities arrested three of its members.

The group is well-known for recently launching distributed denial-of-service, or DDoS, attacks against the likes of Turkey's government, Sony, and major credit card companies like Visa and MasterCard after they denied payments to WikiLeaks' leader Julian Assange.

Highly-publicized online attacks on governmental institutions and major corporations have become almost commonplace in the months since Sony's initial debacle, as hackers spin off of others' exploits. If this trend suggests anything, it's that such hacks will remain in the news for some time to come.

In more hijinks, LulzSec also released online 62,000 emails and passwords of users of Gmail, Yahoo, PayPal, Hotmail and other sites.

Read More

Institute head held for cyber fraud

CUTTACK: The Crime Branch has arrested chairman of a Balasore-based technical institute along with an employee on charges of committing fraud to divert students to his own college during e-counselling for diploma in engineering courses for the 2010 academic session.

The chairman of Jhadeswar Institute of Engineering and Technology, Balasore, Pramananda Samantray had allegedly hacked the accounts opened by the aspirants in a cyber cafe and fraudulently changed their preferences for institutes. Samantray and an employee of the institute have been arrested, ADG, CID-CB, Abhay said on Tuesday.

With several cases of such frauds coming to light, the investigation had been handed over to the Cyber Crime Cell of the CID-CB. The investigations revealed that the computers at the Jhadeswar Institute and a private internet cafe were used to illegally change the preference of six candidates in its favour.

As per the e-counselling procedure, students had to register their accounts in the website and submit their choice of stream and colleges of preference in a priority order. The submissions would then be locked in and they would be intimated on the availability in order of their preference. The institute had devised a novel method to track the applications of the students. It had allegedly taken a cyber cafe at Balasore on rent and deployed its own staff there. When a student would come in, the staff on the pretext of assisting him would remember the password and the account details. When the candidate would leave, they would then log in and change the choice list of the colleges in their favour. They had done this in many cases but six have been established.

The Cyber Crime Police has registered a case under sections 418/419/420 IPC/66 (C) of IT Act and forwarded the duo to court. A DSP is heading further investigations into the case.

Read More

Russian anti-virus guru predicts future passports for internet access

EUOBSERVER / BRUSSELS - A global internet police force, digital passports in order for users to go online, cyber crime as an 'integrated part' of virtual reality - this is how Russian anti-virus expert Eugene Kaspersky sees the future of the online world.

"It is not possible to eliminate cyber crime just as you can't eliminate football hooliganism without forbidding football or forbidding humans," the 45-year old CEO of Kaspersky Labs, which produces anti-virus software, said Tuesday (14 June) at a cyber security conference organised by the Business Software Alliance, a Brussels-based lobby group.

A contested product in the cyber security world, anti-viruses detect only known and rather simplistic bugs, but are incapable of preventing targeted attacks or sophisticated infiltration schemes.

Kaspersky admitted that his programme cannot offer complete security for internet users, but maintains that many of the people behind a computer screen - even highly trained ones - can often become victims of very simple malware.

Trained in the late 1980s at an institute for computer science and cryptography, which was co-sponsored by the Russian ministry of defence and the sceret srevices, the then KGB, Kaspersky likes to provoke his audience with jokes and ironic comments about the state of cyber crime around the world.

"The last five years have been a 'golden age' for cyber criminals. They have expensive cars and highly valued property - at least those who have been caught and that we know of," he said, noting that the talent of Russian hackers gives them the upper hand in exploiting vulnerabilities of mostly Western-designed software.

"They don't see it as a crime. I often read their blogs and they say they only target people outside the country, which means that the profits are some sort of an 'investment' in the local economy," he said.

Asked how he assesses the Russian government's attitude towards cyber crime, Kaspersky said: "The Russian government has oil and gas. They're not after cyber crime. And judges still don't understand the cyber world, which makes cyber police very frustrated when they see someone whom they put a lot of effort in catching walk away with three years on probation."

He claims that his vision - global policing, uniform laws and online passports which can be revoked for abusive users - will one day become reality, since "crime is integrated in the cyber world just as much as it is in the real one."

His view of crime and of police dominating the internet is rather simplistic, experts say however.

"There is no doubt that internet security has to be based on international co-operation of law enforcement. But I would be very cautious when asking for a passport to access the internet. Increasing identification brushes against privacy, a fundamental principle in the EU," said Chris Gow, a privacy policy officer with Cisco Systems, a US giant in computer technology.

Jesus Villasante from the EU commission, also present at the conference, replied that while Kaspersky is focusing on cyber crime only, "we are just at the very beginning and have no idea how technology will evolve in 20-50 years."

"Twenty years ago there were no mobile phones. So technology will drive changes," he added.

On the passport issue, Villasante noted that while traditional IDs contain the name and birth date of a person, digital passes already exist when it comes to someone access to a bank account or to a secure communication line.

"My identity on the internet will not be so much about name and address, but rather about what I do, what services I use, whom I talk to, what books I read. And legislation will have to reflect this," he said.

Read More

Principal caught for cyber crime

CUTTACK: If you are an engineering aspirant seeking a seat in any technical institute of the state through e-counseling, beware. Chances are you will be in for a nasty surprise, finding yourself offered a seat in a college that was not necessarily what you had opted for. The suspicion that private engineering colleges across the state were engaged in cheating students by tweaking student preferences during the e-counselling process in their favour, was confirmed by police crime branch on Tuesday.

Crime branch arrested the chairman of Jhadeswar Institute of Engineering and Technology (JIET) of Balasore, Parmanand Samantray, and a clerk of the institution on charges of changing the original preferences of the students illegally in favour of their institution. During the e-counselling of diploma engineering in 2010, the college authorities approached many students to facilitate them in the e-counselling process and then hacked their usernames and passwords, informed crime branch sleuths. Taking advantage of the stolen password, the college authorities later changed the original preference of college of the students in favour of JIET, as a result of which the students were awarded seats in JIET.

The e-counselling process is common to all students appearing for the Orissa Joint Engineering Entrance Examination (OJEEE), the common entrance test for all engineering colleges affiliated to Biju Patnaik University of Technology, the umbrella organization for all private engineering colleges.

"The chairman of the engineering college along with one of its employee carried out the entire cyber crime. Computers of JIET engineering college were used to change the preferences of at least six students in favour of the particular college," said crime branch additional director general, Abhay. Cyber crime cases have been lodged against the duo under section 418, 419 and 420 (cheating) of IPC and section 66 (c) of Information Technology Act (password theft).

In 2010 at least 33 diploma engineering aspirants had complained about such illegal change in preferences. The department found some truth in these allegations during an inquiry and had handed over the case to crime branch in October, 2010. Crime branch said many more colleges may also come under the purview of the investigation. "Investigation of the case is still in progress. We have arrested only two persons but the number can also increase in the future," said Abhay.

The officials have cautioned the students not to share their password with any unknown person. "Students should remain extra vigilant and alert if any individual or engineering college official approaches to help them in the e-counselling process," said a crime branch officer.

Read More

Recent hacker attacks have more companies eyeing cyber risk coverage

NEW YORK (Reuters)—The recent string of sensational hacker attacks is driving companies to seek “cyberinsurance” worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.

Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion—and in some cases, they also are accepting deductibles in the tens of millions of dollars.

Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like “sorry letters” to customers.

“When you have a catastrophic type of data breach, then yes...the phones ring off the hook,” said Kevin Kalinich, co-national managing director of the professional risk group at Chicago-based insurance broker Aon Corp.

In the past few weeks, the U.S. Senate, the International Monetary Fund, defense contractor Lockheed Martin Corp., banking concern Citigroup Inc., technology giant Google Inc. and consumer electronics group Sony Corp. are among those who have disclosed hacker attacks of various kinds.

In the days after Sony disclosed it had more than 100 million customer accounts compromised, the company said its insurance would help cover the costs of fixing its systems and providing identity theft services to account holders.

That helped drum up business for the still-growing segment of the industry, and the demand has only intensified since a more recent breach at Citigroup, which security experts said was the largest direct attack on a U.S. bank to date.

Some insurers say this is the moment the industry has been waiting for as the tide of bad news becomes so overwhelming that customers have no choice but to seek coverage. On Tuesday, The Travelers Cos. Inc. became the latest insurer to launch a package of policies covering various fraud and expense liabilities.

Aon’s Mr. Kalinich said fewer than 5% of data breaches lead to costs of more than $20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk.

Large customers are going to extremes, taking out coverage for data breach liabilities of as much as $200 million, while also taking $25 million deductibles to keep their premiums down.

Good risk

As with any kind of insurance, data breach policies carry all sorts of exclusions that put the onus on the company. Some, for example, exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded or if employees do not change their passwords periodically.

“Insurers are all looking for good risks, whether it is a fire insurance company that wants a building that is sprinklered and doesn’t have oily rags laying around—this is the equivalent in the IT area. They want good systems, they want good protection, they want good risk,” said Don Glazier, a principal at Integro Insurance Brokers in Chicago.

Given that the average data breach cost $7.2 million last year, according to a March study from the Ponemon Institute, hundreds of millions of dollars of cover may seem extreme. But with the scale and scope of hacking attacks growing daily, some companies can not be cautious enough.

Of course, the risk they face is a moving target, for them and for the insurance companies. After 10 years of writing policies, industry experts say a consensus is building on what “cyberinsurance” covers.

Generally, such policies now cover third-party liability, like suits filed by customers whose accounts have been hacked; direct costs like notification letters sent to affected customers; and, increasingly, fines and penalties associated with data breaches.

What is missing from the equation, however, is standards. Insurers can try to standardize the risk from hacking attacks, but cyberinsurance still is not auto insurance, where carriers can make their customers wear seat belts as a condition of a policy.

“One day the industry will actually be so robust that...we’ll have the leverage to actually create standards,” said Tracey Vispoli, a senior vp at insurer Chubb Group of Insurance Cos. “We’re not there yet but that to me is a win to the industry.”

Read More

Senate Server Hacked by LulzSec

Infamous hacker group Lulz Security, or LulzSec as they are commonly known, has identified its latest victim as none other than the United States Senate. Authorities have confirmed that the server that contains the data for the Senate’s public website was compromised, but insists that the private Senate files are intact and untouched. A spokesperson for the Senate described the attack as being inconvenient, but ultimately harmless, as no staff private records were accessed, nor was any private information from user accounts. LulzSec posted the files they accessed to prove that the breach was real and that they had in fact accessed the Senate server, but none of the files they posted appeared to be of a sensitive nature.

The hacking appeared to be an attempt to mock the US government for its claims that it would consider cyber attacks as an act of war. The government said it would have the right to respond to any hacking with force if the attacks were discovered to be the work of a foreign nation. In a press release on the LulzSec website, the group took responsibility for the breach, saying “We don’t like the US government very much… their sites aren’t very secure… this is a small, just-for-kicks release of some internal data from Senate.gov – is this an act of war, gentlemen?”

Senate technology staff have taken action to fix their security issues, and have indicated that law enforcement authorities have been informed about the breach and will be taking appropriate action. This latest LulzSec attack follows similar ones on PBS, Fox, and Sony, none of which have resulted in any kind of legal retribution. The Senate has now said it will review the security on all its servers, public and private, and will take the necessary steps to ensure no further hacking attempts are successful.

Read More

Yahoo! Mail Accounts Hacked

Singapore. Send money over, I'm in Spain and I'm in trouble...


For two days in late May, a maths teacher was inundated with calls from all over the world asking if she had run into trouble in Spain. Zita Loh, 60, who was all the while in Singapore, then learnt that her Yahoo! e-mail account had been hacked.

More than 50 former students and friends had called from as far as the United States, Canada, China, Hong Kong and Indonesia to ask if she was all right. They were responding to an e-mail sent from her Yahoo! account asking for money to be wired to her as she had run into trouble in Spain.

They, and Loh, were victims of the latest Internet scam making its rounds.

The 'stranded-in-Spain' scam hit other Yahoo! Mail users here too, although it is not known how widespread the problem is as Yahoo! declined to reveal how many accounts were compromised, or what the hackers did.

Some affected users said they saw unauthorized entries from overseas like Nigeria and the Philippines through a feature on Yahoo! Mail that tracks recent login activities.

Two weeks ago, Google discovered and disrupted a similar effort to steal hundreds of Gmail passwords and monitor accounts of prominent people around the world, including government officials.

In the latest scam, the contacts of hacked Yahoo! Mail account victims received a two-paragraph e-mail message saying the victim had misplaced his or her wallet in Spain and needed €2,450 for hotel bills and a flight home.

None of Loh's contacts sent money. 'But my cellphone and house phone rang non-stop,' the freelance Math Olympiad teacher said. She was locked out of her Yahoo! account for two days as the hacker had changed her password. But she recovered her account on June 1 after several unsuccessful attempts at resetting the password.

Loh recalled having logged into a public computer in Changi Airport in March to check her e-mail and was unsure if she had logged off.

Fortinet, a security software firm, cautioned users against using public terminals. Keylogging software may be put into public computers by hackers to record keystrokes, including strong passwords, said its senior security strategist Derek Manky. The captured information can then be sent surreptitiously to a remote location. He said it was possible someone could have installed a keylogging software in the public computer at Changi Airport.

A Changi Airport spokesman said the airport takes proactive steps to ensure public computers are secured against malicious software. These include locking the central processing units to prevent tampering and installing up-to-date security programs to detect the presence of such software.

'When using public computers, users should remember to log out from the computer immediately after use. This will prevent another user from gaining access to the data if the session is still active,' the spokesman added.

Passwords might also be leaked through phishing, a practice where users are tricked into revealing sensitive details by a seemingly legitimate e-mail sender, such as a Yahoo! Mail administrator.

Late last month, a 59-year-old housing agent who wanted to be known only as G. C. Lee, was unable to log into her e-mail account for several hours. She only recovered the account a few hours later after resetting the password. As in Loh's case, her friends received e-mail from the compromised account asking for money to be wired to Spain. Luckily, no money was sent. However, her contact list was completely wiped out.

Using a feature that tracks recent login activities, she found that someone had accessed her account from Nigeria and the Philippines.

A Yahoo! spokesman in Singapore urged users to change, and use, stronger passwords with a mix of upper and lower cases as well as numbers if they believed their accounts were compromised.

The Straits Times understands that no one has yet been charged with hacking into the accounts of Singapore users from overseas. The Computer Misuse Act can only be enforced on crime committed in Singapore. Offenders face fines of up to $5,000 and/or jail terms of up to two years.

Read More

Hacker crims plant fake news to discredit security researchers Blackhanded compliment

Criminal hackers hacked into a specialist news outlet to plant a fabricated story falsely suggesting security researchers Mikko Hypponen and Brian Krebs had been arrested after they were supposedly caught selling stolen credit card details.

The bogus "news item" on fraud-news.com this weekend claimed that Krebs and his "boyfriend" Hypponen had traded 1.5 million compromised accounts causing losses of $75m in the process while all the while operating as respected security researchers. The article included a photoshopped extract from an underground forum featuring a fabricated dialogue between Krebs (AKA BlazinKrabz) and Hypponen (AKA WhiteHippo) discussing the sale of stolen credit card numbers.

All these claims are entirely untrue. In reality the fake article is a modified version of a real article by Krebs he wrote four years ago for the Washington Post. The fake screenshot is based on a doctored extract from a real cybercrime forum, omerta.cc.

"Let me just state it for the record that I'm not arrested and I have not been involved in selling stolen credit cards," Hypponen said, adding that the suggestion of a romantic relationship between himself and Krebs is also codswallop. "I like Brian, but not like that," he writes.

The fake news item was indexed by Google and picked up by a few surfers as a result. Despite its implausibility Krebs and Hypponen have been obliged to set the record straight with a few individuals who took the story at face vale.

The fact that cybercrooks went out of their way to discredit Hypponen and Krebs suggests the duo are hurting black market crooks by publicly exposing their strategies and shady business dealings. This can have a real effect on cybercrime operations.

For example, last Friday Hypponen reported that the authorities has frozen the Swiss bank account of a pair of fake anti-virus (AKA scareware) distributors, Sam Shaileshkumar and Björn Sundin. The duo have each been indicted in the US and placed on the wanted list by Interpol over an scareware operation called Innovative Marketing Ukraine. Shaileshkumar holds a US passport while Sundin is Swedish.

The US indictment against the duo facilitated the freezing of a bank account linked to the pair holding a cool $14.8m, presumed proceeds of IMU's scareware racker, which involves tricking users into buying worthless software on the pretence that its the only way of removing fictions malware from their systems.

Krebs recently named and provided addition information on the business dealings of two Rustock botnet suspects, Vladimir Alexandrovich Shergin and Dmitri Sergeev.

The duo - suspects because Webmoney accounts registered in their name were used to hire servers used as command and control nodes for the Rustock spam distribution botnet - also appear in a leaked database of infamous pharmacy spam outfit SpamIt, Krebsreported. ®

Read More