LulzSec hacker sentenced to a year in prison, $605,663 in restitution for Sony Pictures attack

By The Associated Press - Thursday, April 18, 2013 at 9:50 PM - 0 Comments

LOS ANGELES, Calif. – A 25-year-old hacker with the group known as LulzSec was sentenced Thursday to a year in prison and ordered to pay $605,663 in restitution for an attack on Sony Pictures computers that began in late May 2011.

Cody Andrew Kretsinger, who went by the online nickname “recursion,” was also sentenced to a year of home detention and 1,000 hours of community service.

The U.S. Attorney’s Office in Los Angeles said Kretsinger pleaded guilty last April to the attack, in which hackers breached the Sony Pictures website, stole personal data including the names, addresses, phone numbers and email addresses of tens of thousands of Sony customers and distributed it over the Internet.

Raynaldo Rivera, a 20-year-old who also pleaded guilty to the attack in October, is to be sentenced May 16.

Dawson College disgraces itself in defending ethical hacker’s expulsion

By Jesse Brown - Wednesday, January 23, 2013 at 9:38 AM - 0 Comments

They should have stuck with “no comment”.

By now you may have have heard about former Dawson College student Ahmed (Hamed) Al-Kahbaz. Just 20 years old, Ahmed proved his chops as a Computer Science student by discovering a shocking vulnerability on Dawson’s website that could allow any amateur hacker to gain access to every bit of information Dawson has on its 10,000 students. He then proved his decency by reporting the bug instead of exploiting it, and he proved his loyalty to his school by reporting it to Dawson privately, and not publicly announcing it online, which is how most white hat hackers would do it. He continued to act responsibly when he re-checked the Dawson site two days later to see if the hole had been plugged. That’s when the administration flipped from praising Ahmed to expelling him.

When this story broke in the National Post, Dawson’s initial response was to explain that they couldn’t respond without breaking their own code of ethics: their policy prevents them from discussing the personal details of any student, past or present. (Which is ironic, given that until Ahmed spoke up, they were potentially disclosing everything they knew about every one of their students.) In any event, Dawson said they were duty-bound to keep mum.

They stuck with that line for a matter of hours, then their director general, Richard Fillion, added this tid-bit in a CBC radio interview:

“The story that has been reported … was relying on an incomplete version of what had happened. The other side of the story is related to facts that we cannot divulge.”

So, a tantalizing insinuation that Ahmed was not telling the whole truth, but a steadfast dedication to hold firm to their ethical policy.

That lasted until the next morning, when Dawson faculty member Alex Simonelis’ letter to the Montreal Gazette was published. Simonelis tap-danced around Dawson’s policy by phrasing each accusation in the form of a question:

“Exactly how did the student “stumble upon” the flaw? Was it by running intrusion tests against Skytech’s website? If so, did he have Skytech’s permission to do so, given that it is unacceptable to do so otherwise?  Was the student given a cease-and-desist warning regarding such actions by our college’s administration? I believe I know the answers to those questions…”

Later that day, Dawson tossed their ethical policy completely by issuing a press release titled “Setting the Record Straight” that begins like this:

“Dawson College will address some of the issues that have arisen due to the expulsion of Computer Science student Ahmed Al-Khabaz. In some areas, it is still bound by the terms of confidentiality of student files.”

Only in some areas? That’s nice. Why are they no longer bound in other areas? No reason is given. The inference, I guess, is that they tried their darndest to be nice, but they can only stay silent so long in the face of such wild tales. The whole truth must now be heard, ethical policy be damned!

And the truth, then? The shocking revelations that “set the record straight”?

“Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems.  He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.”

Wow. So, they weren’t mad that he saved their asses from a major data-leak. They were mad that he later tested their whole site to make sure the leak was plugged and that no other vulnerabilities existed, even after they told him not to.

Thanks for clearing that up.

Follow Jesse on Twitter @JesseBrown

GoDaddy hacked by Anonymous? Not likely.

By Jesse Brown - Tuesday, September 11, 2012 at 4:35 PM - 0 Comments

(John Harrelson/Getty Images)

Yesterday the massive Internet registrar/lowbrow advertiser GoDaddy went down, taking millions of web sites offline with it. Breaking news reports attributed the trouble to a hack by Anonymous. Later, these items were corrected to say that the hack was not the work of Anonymous as a whole, but that Twitter user @AnonymousOwn3r was claiming responsibility. Mashable called @AnonymousOwn3r ”the security leader of Anonymous,” which must be true because @AnonymousOwn3r calls themself “the security leader of Anonymous” on his or her Twitter profile (and an “official member” to boot).  CNN went with the more measured description of @AnonymousOwn3r as “a person affiliated with Anonymous.”

Continue…

Hooligans hit Yahoo, steal passwords and compromise web service security

By macleans.ca - Friday, July 13, 2012 at 3:05 PM - 0 Comments

Gmail and Hotmail users should probably update their passwords. Hackers have managed to steal 400,000 Yahoo passwords, as well as information about users of other services like Gmail, AOL, MSN and Live sites.

Yahoo is having a rough year. It has already churned through two CEOs this year. Now many of its Hotmail users will have to change their personal passports to protect their privacy.

This leak follows the news last month that 6.4 member passwords for the networking website LinkedIn were stolen.

Hilarious tweets on the LinkedIn hack, a selection

By Luke Simcoe - Wednesday, June 6, 2012 at 6:15 PM - 0 Comments

Luke Simcoe is a guest blogger. He contributes the occasional post on web culture, the various kooks and cranks who inhabit the Internet, as well as copyright matters. Today (among other things)  he put together this Storify. 

E-pirates draft a statute on best practices

By Luke Simcoe - Wednesday, April 4, 2012 at 2:00 PM - 0 Comments

Isaac Brekken/AP Photo

Luke Simcoe is a guest blogger. He contributes the occasional post on web culture, the various kooks and cranks who inhabit the Internet, as well as copyright matters.

Try to picture an Internet pirate in your head.

Maybe it’s some guy in his parent’s basement, swathed in blue light and surrounded by cables linking his PC to his television. Maybe it’s Kim Dotcom, dividing his time between yachting in the Mediterranean and playing Modern Warfare 3. Heck, maybe it’s even Angelina Jolie from Hackers. Whatever your picture entails, chances are your personal pirate doesn’t spend his time engaged in a lot of consensus building and debates about best practices.

And yet, it would seem that’s exactly what many of them do.

Continue…

Selling Google’s weaknesses to the government

By Jesse Brown - Thursday, March 22, 2012 at 2:11 PM - 0 Comments

mediafury/Flickr

The world of hackers has largely been conceived of as a world of black and white. When a “black hat” hacker discovers a security vulnerability in a piece of software or a website–say, a method for intercepting emails or accessing strangers’ bank accounts,  he exploits it for personal gain, often breaking the law in doing so. When a “white hat” hacker makes the same discovery, he reveals it–either to the company that makes the technology or to the public (the latter is usually a better way of making sure the company in question actually fixes the problem).

Now, a fascinating piece in Forbes reveals a third kind of hacker, who exploits security vulnerabilities for a hefty profit, but does so without breaking the law. But don’t call them “grey hat” hackers–the results of their work may actually be more destructive than your typical act of black-hat cyber fraud.

Continue…

Hackers spy on home security cameras

By Jesse Brown - Friday, February 10, 2012 at 2:30 PM - 0 Comments

Is there some wise old saying about not carrying a weapon that you don’t understand, lest it be used against you? (By wise old saying, yes, I do mean something said in an 80s action movie.)

If such a movie exists outside of my imagination, it should be played on an endless loop to the customers of TRENDnet, a company that unfortunately chose the slogan “Networks People Trust.” TRENDnet makes, among other products, the SecurView series of Internet-connected security cameras. This is also an unfortunate choice of words, because it seems that SecurView cameras are not secure.

Continue…

Online gaming funds North Korean nukes

By Alex Ballingall - Wednesday, August 17, 2011 at 9:44 AM - 0 Comments

Cash-strapped North Korea has found a unique way to stock its dwindling foreign reserves. The famously isolated Communist country is allegedly training an army of hackers in Pyongyang’s IT institutes, with some taking to South Korean gaming websites to rake in millions of dollars, according to U.S. and South Korean officials.

Police in South Korea revealed last week that they arrested five people in connection with one such operation. North Korean hackers, working for Chinese programmers, were reportedly creating automated software that allowed unmanned computers to amass points in online games like Lineage and Dungeon and Fighter, investigators said. The hackers then traded the points for cash with human players who wanted to use them to upgrade their in-game personas. Over the past year and a half, they made about US$6 million, say police, much of it funnelled to a multi-purpose slush fund in Pyongyang believed to be worth billions.

Despite widespread reports of starvation and malnutrition in the country, money from the fund, managed by an obscure agency called Office 39, is allegedly used to fund North Korea’s nuclear program, buy the support of high-ranking officials, and to smuggle in luxury goods for Pyongyang’s elite, who favour Hennessy cognac, Armani accessories and Rolex watches. Last year, the regime tried to purchase two luxury yachts that were built at Italy’s famed Azimut-Benetti shipyard, but at the last minute, Rome blocked the sale, according to Reuters. Thanks to the hacking scheme, Kim Jong Il might have another go at procuring a luxury boat.

Hacking your house key

By Jesse Brown - Wednesday, July 6, 2011 at 1:15 PM - 24 Comments

Photo by Pulpolux !!!

Here’s something as cool as it is concerning:

If these guys have a photograph of your house key, even one taken with a cellphone camera from 200 feet away, they can feed it into a piece of software called SNEAKEY and load the resulting file into a $400 3D printer which will then spit out a duplicate key that can open your front door.

Now that’s some Mission Impossible shizz.

Turns out, there aren’t a lot of variables with most house keys: a handful of standard types and brands, and then five or six cuts of varying depths. SNEAKEY can identify your brand and type and then measure the depths of the cuts, regardless of the angle the photo is taken at. It then uses other visual reference points in the photo to calculate the size of the key, and voila! A 3D file that can be shaved layer by layer out of a block of wood or plastic with an increasingly affordable object printer.

3D printing is still more or less the realm of hobbyists—it works, but on a slow and small scale. Complicated objects must be printed out one piece at a time over the course of hours and then assembled like toys. But keys are simple, one-piece objects that suggest a new, more practical use for 3D printers—burglary!

With the recent rash of hack attacks, one senses a loss of public confidence in assets that exist in purely digital form. But before you convert those abstract pixels on your online banking statement into cold hard cash and stuff it all under your mattress, keep in mind that the physical world is increasingly accessible through digitization.

Do hackers need to just grow up?

By Jesse Brown - Tuesday, June 21, 2011 at 5:51 PM - 0 Comments

Aaron Crayford was a high school hacker who attacked the Pentagon’s computers, got caught by the FBI, and wasn’t allowed to touch a computer for a decade. His digital exile ended a few years ago, and now he makes a chat app called Mighty. Last week he offered some advice on TechCrunch to the new generation of hackers, those high-profile no-goodniks of Anonymous and LulzSec. His message: don’t hack ‘em, join ‘em. In his words:

“What Lulzsec and Anonymous don’t realize is these companies aren’t their enemies…there is a much more difficult system to hack…becoming the guy at the head of the board. So when you’re the 40-something-year-old CEO who hears that some kid, some guy in his garage, is tearing your product apart and doing amazing things with it that is hitting your top line revenue…go find that guy, pay him and let’s see what he can do…That’s a real hack worth touting and it ends with you sleeping in a king-sized bed in a mansion on the hill and few can claim it’s been done before.”

I guess that’s also advice for the brass at Sony (and the CIA and PBS and the CPC). But you get the idea: change the system from within and get rich doing it. It’s not the most original idea—hackers have been switching sides and trading black hats for white for years. It’s got a certain poetry to it and is a genuine win-win; for companies, who better to employ than the geeks who would otherwise destroy them? And for the hackers, well, at some point most will take a paycheque over lulz.

But there’s more to it than that. In the case of LulzSec, their tweets and taunts describe something of a manifesto. To summarize, they hack for two reasons: (1) Lulz (duh). And (2) to teach us a lesson about entrusting private companies with our information. LulzSec sez:

“Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people.”

As “grey hat” hackers, Lulzsec, I have argued, provide a public service. They infiltrate systems for fun, not profit, and then they brag about it. Sometimes they publicly dump the data they’ve scraped, just to prove that they have it.  In doing so, they hope to humiliate companies into fixing vulnerabilities, and to teach the public a lesson about  protecting personal data. The first part is working. The second part isn’t.

After years of breathless, fear-mongering news coverage about the scourge of hackers, the public still doesn’t give a whit about Internet security. No one is really afraid of getting hacked, because so few have paid a tangible price for it. Yes, hacks happen all the time. They’ve happened to me—I had a few thousand dollars mysteriously disappear from my bank account. Did I destroy my bank cards, leave all my social networks and line my hat with tinfoil? No, I called my bank and they reimbursed the cash in 24 hours.

It’s true that no computer system is 100% secure, but neither is any bank. The credit card industry, the insurance industry—both suffer billions of dollars of fraud every year. But all the above make enough profit to absorb these losses easily, and the public continues to use their services. So goes Internet security. The lesson hackers keep trying to teach the public will never be learned.

So what will the real outcome of this new wave of hacking be on the public? An erosion of their digital rights. We can expect more government surveillance of the Internet and harsher penalties for “cyber-crimes.”

Hacker attack

By Chris Sorensen - Friday, June 17, 2011 at 11:50 AM - 5 Comments

Yoshikazu Tsuno/AFP/Getty Images

Visitors to the Conservative Party of Canada’s website last Tuesday were confronted with a shocking message: the Prime Minister had been rushed to hospital in Toronto after choking on a hash brown. Media outlets scrambled to unearth more details about the breakfast-hour emergency only to learn that it was all a big joke. The party’s website had been hacked.

It didn’t take long to find out who was behind the prank. A group calling itself LulzRaft claimed responsibility on Twitter, and later followed up by breaking into the party’s donor database and posting names and emails of more than 5,000 people online. Why did they do it? “The Conservative party was really just a hack of opportunity,” wrote someone purporting to be the hacker in an anonymous email to Maclean’s. “We noticed the vulnerability and realized we could easily create some lulz, and draw some media attention without hurting anyone.” For the uninitiated, “lulz” is Web-slang for laughs—derived from the abbreviation LOL, for “laugh out loud.”

But the Tories aren’t laughing. Nor should they be. It’s an embarrassing breach of security for a governing party that, just a few months earlier, assured Canadians that it had a cyber-security strategy in place. It’s also the latest in a string of brazen attacks on high-profile targets around the globe, ranging from Sony Corp. and Google Inc. to defence contractor Lockheed Martin and the International Monetary Fund. In addition to attention-seekers like LulzRaft, experts say many more hackers are quietly working on behalf of organized crime and even foreign governments—so much so that Washington is now talking about cyberattacks as a potential “act of war.”

Continue…

What will the Sony data breach change? Probably nothing, possibly everything

By Jesse Brown - Friday, April 29, 2011 at 11:52 AM - 3 Comments

Now, a moment of tense silence following Sony’s massive data breach. In all, 77 million users had their personal data exposed to malicious hackers: names, addresses, email addresses, birthdates, passwords, logins, credit card numbers (encrypted?), and perhaps most disturbingly, security questions and answers, which could be used to gain access to any number of other online services, including bank accounts. After ordering a new credit card and scrambling to change passwords and settings on as many sites as possible as quickly as possible, what can an exposed PlayStation user do but hold their breath, sue Sony, and hope for the best?

While these nervous individuals ponder their fate, let’s consider a larger question: what does this mean for privacy itself? Continue…

Hacking for the Man

By Jesse Brown - Wednesday, February 16, 2011 at 10:32 PM - 52 Comments

In Russia, hacking is a government gig.

Kremlin-affiliated hackers launched a crippling cyberattack against Estonia. Hackers routinely flood the comment sections of news sites that criticize the government and spread lies to discredit the journalists who write them.  When opposition parties plan rallies, hackers spread misinformation, confusing supporters with false dates and meeting places. Similar shenanigans take place in China, where PRC-linked hackers tried to infiltrate Google in retaliation for the search engine’s criticism of government censorship.

These Russian and Chinese hackers are little more than digital thugs- bullying, threatening, silencing and discrediting anyone who is deemed an enemy of the State, or of State-affiliated businesses and institutions.  They are never directly on the government payroll and are kept at an arm’s length distance for the sake of plausible deniability. They are compensated by intermediaries of intermediaries through tangled systems of kickbacks and payoffs.

As goonish as the whole practice may seem, through a certain lens it must be appreciated as a clever new kind of censorship.  In Egypt or Iran, governments simply tried to shut off the Internet when faced with dissent. Such ham-fisted acts merely strengthened the resolve of revolutionaries while attracting international rebuke.  Much subtler then to have your agents use a cocktail of digital dirty-tricks to muddy the waters and murder reputations.

You may think such a thing could never happen in the U.S., and you may be right.  But it almost did.

If you haven’t yet heard of the HBGary scandal (and if you like spy novels), you should check out these fantastic reports by Nate Anderson of Ars Technica. This is a complicated story and it’s still unfolding as thousands of hacked emails are scrutinized, but the basics suggest that a private cybersecurity firm called HBGary Federal proposed to the U.S. Chamber of Commerce and to Bank of America a dirty-tricks campaign, in order to thwart their enemies (labour unions, non-profits, and Wikileaks, who are expected to soon release incriminating information about the Bank of America). The proposed tactics include:

• Cyberattacks
• Misinformation campaigns
• Phishing emails
• Fake social network accounts
• “Disrupting” journalists who are sympathetic to Wikileaks
• Intimidating financial donors who support Wikileaks

Ironically, these hacking schemes were exposed by hackers.  HBGary’s website was attacked after its CEO picked a public fight with the Internet entity Anonymous.  Anonymous discovered major insecurities in the security firm’s website, and was able to steal and leak and thousands of HBGary emails, which expose the details recounted above. The U.S. Department of Justice is tangentially involved, as they recommended to the Chamber of Commerce the law firm that in turn hired HBGary.  It’s highly unlikely that the DoJ had any direct knowledge of HBGary’s plans.  It’s also important to note that there is no evidence that the Chamber of Commerce or Bank of America signed-off on HBGary’s proposals.

But then, I doubt that Vladimir Putin signed-off on the cyberattack against Estonia.   The point of pro-government hackers is that they get results for their masters without implicating them.

If HBGary’s foolish CEO hadn’t picked a fight with Anonymous, who knows how far he might have gone?

Vandalizing history

By Jane Switzer - Thursday, August 12, 2010 at 1:20 PM - 0 Comments

Michael Kappeler/AFP/Getty Images

On July 28, hackers attacked the Buchenwald concentration camp foundation and memorial website, and replaced it with neo-Nazi slogans and symbols. One English slogan read “Brown is beautiful,” referring to the colour of the shirts worn by Adolf Hitler’s SA storm troopers. The hackers also erased a list of Holocaust victims’ names from the website and replaced them with links to Holocaust denial websites. The website for another camp was also erased.

The Buchenwald foundation’s mandate is to preserve the camp in commemoration of the victims and promote knowledge through Holocaust research (an estimated 56,000 people were killed by the Nazis at Buchenwald). Police launched an investigation into the hacking, and both websites were restored the next day. The incident came just days after former Nazi death camp guard Samuel Kunz, 88, was charged with aiding in the murders of 430,000 Jews at Belzec during the Second World War. Kunz was indicted for crimes committed between January 1942 and July 1943, including shooting 10 people himself.