Sometimes it appears that the influence of the 1983 film “War Games” continues to hold sway with people.
Sometimes, it doesn’t end so well.
From My Fox Houston:
A 17-year-old Cy-Fair ISD student is facing a felony charge after he allegedly hacked into the district’s computer security network and caused more than $10,000 in damage.
Cy-Fair High School student Richard Alan Urban is scheduled to appear in court April 13 on a charge of computer security breach, a state jail felony.
The odd thing that I found with this article, about this apparently hapless student from Houston, was that at the end of the article it says that “The breach only slowed down the servers.” However earlier in this passage, “By the next day, more users had been deleted from the network, so the school district’s technical team began searching for a possible hacker.”
I have the distinct impression that they do not in fact have a clear grasp on what this person was allegedly able to access. I’m imagining that this will come out in the wash later.
For more on the story, read on.
Thanks to one of our readers we get word this morning of a data breach that occurred last month. This database compromise affected customers of ihomeaudio.com timexaudio.com and kiddesigns.com.
A letter was posted on January 26, 2010 informing our reader of the data breach. Upon reviewing bank transactions it became apparent that the card was compromised before January 17, 2010 when erroneous transactions began to appear on his statement. It is unclear from the letter when the breach actually took place.
The rather disconcerting aspect is that SDI Technologies, the parent company, did not offer any sort of credit services but, merely suggested to customers that they monitor their credit and links to download free copies of their reports.
Here is a screen cap thumbnail of part of the letter.
Oddly there it doesn’t appear to be any mention of the breach on their websites.
I have to admit this is the first time I’ve heard of something like this. According to an article in the NY Daily News, apparently a fight broke out on Twitter between a couple guys that spiraled out of control.
It ended with one of them dead.
From NY Daily News
It started as a simple Twitter beef, 140-character spurts of anger by two young men who grew up together.
But the tough talk exploded out of cyberspace and onto the streets of Harlem, where a college student was gunned down feet from Gov. Paterson’s home.
Now tweets sent by victim Kwame Dancy, 22, and accused killer Jameg Blake, 22, could become key evidence in a murder trial, the Daily News has learned.
My curiousity would be in whether or not the Twitter updates would hold any legal ground in court.
(Image used under CC from ableman Flickr stream)
Greed can be a real bugger.
From Reuters:
A employee of mobile phone operator T-Mobile is facing prosecution after selling personal details of thousands of British customers to rival companies in an alleged major breach of data protection laws.
So, wait. He/she sold the data to other companies? While jail is possible it appears that the individual penalties are lacking in substance. But, what of the companies receiving the illegally appropriated data?
“While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry,” T-Mobile said on Tuesday.
Information Commissioner Christopher Graham said the data was sold for “substantial amounts of money” to brokers working for other mobile phone companies.
I would be very interested to see how this one will play out in the courts.
Here is more on the story from the Guardian.
News rolling in today that an apparent major credit card breach has surfaced in Europe. According to VISA Europe the source of the problem appears to be located in Spain.
From BBC:
Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised.
In Germany, as many as 100,000 cards are reportedly being recalled. UK customers will be contacted directly if they are thought to be at risk.
Card holders are being assured that they will be protected against this type of fraud, but are being advised to check their statements.
For more on the story read on for the full article.
From the “what the f*ck” files, we find that convicted murderers wants to muzzle Wikipedia and other sources as to their identity…even though it’s a matter of public record.
From EFF:
In 1990, Bavarian actor Walter Sedlmayr was brutally murdered. Two of his business associates were convicted, imprisoned for the crime, and recently paroled. Who killed Sedlmayr? Its a matter of public record, but if one of the men and his German law firm gets their way, Wikipedia (and EFF) will not be allowed to tell you. A few days ago, the online encyclopedia received a cease and desist letter from one of the convicts—represented by the aptly named German law firm Stopp and Stopp—demanding that the perpetrator’s name be taken off of the Sedlmayr article page.
What the hell? And as per the EFF article the “convicts were….“.
Again Ehud Tenenbaum, aka “The Analyzer,” is off to jail. This time for a $10 million dollar heist. The funny part was that it was the Canadian authorities that caught him. The US filed for extradition almost immediately. I find it odd that Canada caved in when we had him dead to rights for theft here.
From Wired:
The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. But before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States.
Prosecutors alleged in an extradition affidavit that Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. But he was only charged with one count of conspiracy to commit access-device fraud and one count of access-device fraud.
One count? My radar is suddenly up and sweeping the area. Was a deal cut? I guess we’ll see when the sentence is handed down November 19, 2009. He could get up to 15 years but, I have a hunch that won’t play out that way.
With the flurry of articles about the indictment of the Albert Gonzales and two supporting cast members in the Heartland and Hannaford breaches its nice to see a nice succinct piece that hits on the items learned. Rich Mogull was good enough to provide exactly that.
From Securosis:
The indictment today of Albert Gonzales and two co-conspirators for hacking Hannaford, 7-Eleven, and Heartland Payment Systems is absolutely fascinating on multiple levels. Most importantly from a security perspective, it finally reveals details of the attacks. While we don’t learn the specific platforms and commands, the indictment provides far greater insights than the speculation of those like myself. In the “drama” category, we learn that the main perpetrator is the same person who hacked TJX (and multiple other retailers), and was the Secret Service informant who helped bring down the Shadowcrew.
For the full article read on.
Here’s another piece from Chris Wysopal on the technical aspects of the breaches.
(Image used under CC from fosforix Flickr feed)
On the plane to Las Vegas for the annual pilgrimage to hacker con in the desert. Defcon, now in its 17th year, has been a chance for me to renew my batteries since I first started attending at Defcon 8. This has now become a chance for me to interact with kindred spirits in the industry as well as the “smarter than me” crowd that will be putting on some great presentations. One presentation that I won’t be able to see is Barnaby Jack’s ATM presentation. The interesting part was that he was apparently going to jackpot the ATM on stage during his talk. Sadly, the ATM vendor lawyered up.
The reason I was thinking about this presentation is due to a chance encounter on my flight. A person sitting with me started to engage me in conversation. I tend to be quiet (no, really) and while travelling. I more often than not just jam my headphones on and tune out my surroundings. A chance to relax. But, not today. As we talked my seat mate started to talk about various projects that they had worked on over the years. Now retired, the need to chat about the “war stories” seems to be a little too much to ignore.
I oblige.
As the stories unfold we discover a mutual past and coworkers/projects that we had been 6 degrees from. Then one conversation touched on a particular banking crime from the 80s. It reminded me of “Catch Me If You Can”. Apparently some character had gone around to banks in the Toronto and taken some deposit slips. Innocuous on the face of it. However, this guy then changed the routing numbers on the slips to set the any deposits to route into his own bank account. Then he apparently printed out the slips en masse and then took them bank to the bank branches.
Now bear in mind this was the 80s. No one in the branches even took notice of the person dropping the new slips into the racks. For two and a half weeks people all over the city of Toronto paid into this person’s account.
While the criminal may have shown some ingenuity in the execution he, blew it when he let the scheme run. Brilliant in its simplicity but, greed makes criminals dumb. Still an interesting tale.
A shame we won’t be able to see Barnaby’s talk. I’m imagining there will be more stories about ATM’s jack potting as the ne’er do wells exploit the bug(s). Sadly, the bad guys won’t be hampered by the lawyers…at least not for a presentation to help people understand the problem.
(Image used under CC from Steve Rhodes‘ Flickr Stream)
Network Solutions has joined the data breach hit parade potentially adding another 573,000 credit and debit accounts into the mix that may have been potentially compromised.
From The Washington Post:
Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services – a package that includes everything from Web hosting to payment processing — to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.
Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in. The payment data stolen was captured from transactions made between March 12, 2009 and June 8, 2009.
Great (/sarcasm)
Excuse me while I go off to check something.
