British Crackers Demand Millions in Inforansom
RuntimeError writes "The Times of UK report that a group of British Cr/Hackers have broken into the computer systems of at least 12 multinational companies, stolen confidential files, and are holding the companies to ransom." One of the companies is Visa, as in credit cards. I believe this has far more hysteria potential than the recent CDuniverse inforansom scandal. Expect the usual pundits to be all over this story within the next few days.
An old rule about demanding money: (Score:1)
Never ask for more than it would take to have you killed by a professional.
Hope these kids really know what they're doing...
Or not. :)
Re:Critical "source codes"? (Score:1)
Displaying lack of technical knowledge [ntk.net]
An example of shoddy reporting... [sunday-times.co.uk]
Trundling out the same ol' tired junk [ntk.net]
This doesn't mean there isn't at least some truth to the reports of attack, but, it does suggest you should take what they say with more than a pinch of salt; in fact, I'd recommend sprinkling on a heavy layer of skepticism and critical thought.
Slashdot Reliability (Score:1)
Re:Inforansom... (Score:1)
Since you seem to know what environment and software is in use and how to improve things, off with you, time to apply for a job.
Could be though this was just one of those unqualified rants, rated insightful for some arcane reason.
Re:biometric identification (Score:1)
On the other hand, if your electronic wallet has a thumbprint scanner and sends that data (encrypted) along with the transaction information, it might provide extra security. In this case, in addition to physically stealing the card (and possibly also the wallet, depending on how the system works), the thief must acquire a fingerprint. This makes it far harder in situations where the thief doesn't know the victim's identity (say, he's broken into a gym locker).
If thumbprint scanners can be made small and inexpensive enough, it might be a viable idea.
Citizen VS Corporation again? (Score:1)
Either people support cr/hackers in their attack or they defend corporations. I'd like to compare the views.
But first of all consider the medium used to bring you the information: Media. I think it is fair to say that the media nowadays (at least those who are funded/run by corporations) behave in a corporate way and take sides with the corporations (because they cannot go against the grain; that would be suicide). So we have to assume that whatever is said in the media about this subject IS slanted towards the general corporate view of the internet: "It is dangerous, we must gain complete control in order to make it secure for the ordinary citizen". This is made, as usual, with the most altruistic concerns (sarcasm).
So on with the comparison...
Pro-cr/hacker: It is important for the people who are subjected to corporate decisions to be able to defend themselves. Although breaking and entering IS against the law, much can be said about how corporations circumvent different laws to impose unwanted conditions upon the ordinary citizen. Furthermore, consider the economic cage in which every citizen has been framed; there is ample cause for alienation and that alone is sufficient to excuse the hacking/cracking of the VISA database.
Pro corporation/economy: The law has been broken. We need to apply the law. If we don't then these corporations that create jobs will be hurt and this in return will cause loss of revenue, loss of dividends and loss of jobs. These acts of vandalism are unacceptable and should not be tolerated at all. The government must stand strong and help find the individuals that did this crime. Who cares how long it took for VISA to tell the world about the crack? It's a private company, it can do whatever it wishes.
We can see that what is really at stake with this story is this world division we are seeing more and more. It has two sides that are self-excluding (in most cases), either you're for economy, or you're against. Either you're for the people or you're a traitor. This is not very constructive.
It is my personal opinion that we need to understand interdependencies. Corporations need to work with ordinary people without alienating them. People need jobs and a source of revenue to survive.
It is also my personal opinion that big corporations have been pushing too hard lately, forcing states and countries to let down social services, let down the population without significantly alleviating the tax burden. They have thus created a breed of angry citizens that are unsatisfied with the current state of things. I should not be surprised, if the trend continues, to see more and more cr/hacking, more violence and more theft.
How much are we willing to pay to keep driving with our eyes closed and only one hand on the steering wheel?
Umm, no fuck you..... (Score:1)
I don't really think this could be called terrorism either. Go look up the definition and I think that you'll agree with me it's not. Usually terrorism involves hurting/killing/maiming innocent bystanders in order to get a Political View across to some organization that the people might be involved in. This is just a case of theft.
hehe, "secure" (Score:1)
Ungoed-Thomas... (Score:1)
Nick
Re:Wow! That is just plain evil (Score:1)
Not sure about this - as the legislation basically allows them to imprison you on an accusation, could they not simply accuse you of having two keys?
Re:The question we all want to ask: (Score:1)
Well, I don't know what computer OS they hacked into. I would assume all of the important information at Visa (credit card #'s, customer info) is sitting on some ancient mainframe computer that fills a room.
We need a geek tabloid (Score:1)
The question we all want to ask: (Score:1)
Did the crackers use Linux to break into these companies?
And the second question is, if these companies had been running Linux, would the crackers have been able to get in? (edgy ducks and runs while the M$ and Linux zealots fight it out)
Re:How reliable is this news source (Score:1)
Hit the 'Next Page' link, much more interesting (Score:1)
Anyway, it's more interesting than this tripe about contract cracker data thieves.
Re:From the Article . . (Score:1)
Crackers. They don't take American Express. Visa - Your information is everywhere you don't want it to be!
We can help... (Score:1)
OK, to be serious for a second, if someone charges stuff to your VISA card without your approval you will only be responsible for the first $50 of charges. (Disclaimer, this is true in the U.S., not sure about other countries.)
Now, given that VISA itself is the one who screwed the pooch here, I'm willing to bet that you wouldn't have to pay a dime. Assuming, that is, that the misuse of your card could be traced back to this breakin. I've heard that often times the issuer of the card will not even charge you the $50 in cases of fraud. They'll just eat it.
Reality-wise, you don't really need to worry. Since the breakin happened last July, any compromise to your account probably would have been exploited by now.
#include the obligatory "credit cards are really, really a stupid way to exchange funds" rant.
Re:We need a word for this. (Score:1)
search the archives of Need To Know [ntk.net] for more details (see also Sunday Times)
Also interesting that none of the mainstream media have picked up this enormous scoop ...
OTOH !!! there are attributed quotes in there -- so if they're wrong, they'll get the arse sued off 'em. And then it really will be the end for the editor, can't remember his name now ...
--
Re:Security by obscurity doesn't work! (Score:1)
A brute force attack is the upper bound. More sophisticated attacks may be possible. A simple substitution cipher has approximately 88 bits of key.
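The point made in the reply above, as an added worked example (not code from the original thread): the key space of a simple substitution cipher is 26! keys, about 2^88, yet a frequency-ranking attack on a few hundred characters of ciphertext recovers letters without touching that key space. The plaintext sample, the key and the English letter-frequency order used here are constructed for the example.

```python
"""Added example: why an 88-bit key space says little about a substitution cipher.

Brute force over all 26! keys is the upper bound on attacker effort; a
frequency-analysis attack needs only a few hundred characters of ciphertext.
The plaintext below is a constructed sample, not text from the original page.
"""
import math
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Letter frequency order for English text, most common first (the usual ETAOIN... table).
ENGLISH_ORDER = "etaoinshrdlucmfwypvbgkjqxz"


def substitution_key_bits() -> float:
    """Entropy of a uniformly chosen simple-substitution key: log2(26!) ~ 88.4 bits."""
    return math.log2(math.factorial(26))


def encrypt(plaintext: str, key: str) -> str:
    """Map plaintext letter i (a=0) to key[i]; non-letters pass through unchanged."""
    table = {p: c for p, c in zip(ALPHABET, key)}
    return "".join(table.get(ch, ch) for ch in plaintext)


def decrypt(ciphertext: str, key: str) -> str:
    """Inverse of encrypt() for the same key."""
    table = {c: p for p, c in zip(ALPHABET, key)}
    return "".join(table.get(ch, ch) for ch in ciphertext)


def frequency_attack(ciphertext: str) -> dict:
    """Guess a cipher->plain mapping by pairing ciphertext letters, ranked by
    frequency, with the English frequency order. Covers every ciphertext
    letter that actually appears; no key search is performed at all."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    ranked = [ch for ch, _ in counts.most_common()]
    return {c: p for c, p in zip(ranked, ENGLISH_ORDER)}


def recovered_letters(guess: dict, key: str) -> int:
    """Number of ciphertext letters whose guessed plaintext matches the true key."""
    true_map = {c: p for p, c in zip(ALPHABET, key)}
    return sum(1 for c, p in guess.items() if true_map[c] == p)


# Constructed sample plaintext (deliberately e-heavy, like most English prose).
SAMPLE = ("the enemy seems to be everywhere but the defenders keep the secret "
          "keys secure and the fleet ready every message between the three "
          "sites needs the same key")
# Constructed key: a fixed permutation of the alphabet (keyboard order).
KEY = "qwertyuiopasdfghjklzxcvbnm"


if __name__ == "__main__":
    ct = encrypt(SAMPLE, KEY)
    guess = frequency_attack(ct)
    print(f"key space: 2^{substitution_key_bits():.1f}")
    print(f"letters recovered by frequency ranking: {recovered_letters(guess, KEY)}/{len(guess)}")
```

On a sample this short only the most common letters rank reliably; with a page or two of ciphertext, and bigram statistics on top, the mapping falls out almost completely. That is the gap between the 2^88 brute-force bound and the real cost of the attack.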
Re:The question we all want to ask: (Score:1)
Probably because they've bought into the popular misconception that hacker = cracker, then hear someone refer to Linux as being "more a hacker's OS". (As opposed to being suitable for someone who thinks that they're using Windows 97, because that's the version of Office they've got installed
Just a thought.
Tim
Re:The Guardian's rather good though, innit? (Score:1)
Re:Securing systems. (Score:1)
I disagree. By "default deny" - you deny your own workers the freedom they should enjoy. Your workers will not like the fact that they cannot sit at their office 'after hours' and IRC (and DCC) all they want. If you by default deny UDP, then they cannot use ICQ all they want. And so forth.
Of course, one doesn't want the workers to use IRC in the day -- but by denying them access to it - you make them "pissed". The employees won't like to be 'limited'. They feel untrusted then.
I know that if I was at a workplace where the policy was "default deny" - then I would either try to crack the system, or I would find myself a new job - since they obviously didn't trust me.
The filtering of default netbus/bo/other ports is because the standard scanners only scan for standard open ports. Nobody would take the time to scan a large corporation on every port on every host. That would send the alarm clocks of the firewalls chiming all day and night. A single probe for one machine on one port wouldn't trigger very much.
No, block all ports known trojans reside on, and continue blocking new ports, when new trojans use new ports. But don't do a "default deny" - since that would block too much.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Re:Securing systems. (Score:1)
What is HR?
But, as long as they have a server admin, they have someone that knows a BIT about security, not necessarily MUCH. But I would say that most server admins are competent to find the people who can secure the systems.
When time to market is the most crucial factor, "Security? we can just add that on later".
I know, the system I admin (kvinesdalsnett) was cracked 24 Dec '98. It was the worst Christmas of my life. Stupid me had overlooked the buffer overflow in qpopper 2.2. Boy, did I learn that I needed to read bugtraq every day (Oh yes, I did...
We didn't rush things to the market though. It was just (then) incompetent little me who forgot to check all daemons.
Would you now buy from CD Universe with a credit card?
Of course I want to. They're bound to have tighter security than Fort Knox about now. Their sysadmin is probably having nightmares about people breaking into their system, and using most of his spare time digging into more books about securing their sites, and so forth. I'll bet their site is one of the safer sites on the net about now.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Re:The question we all want to ask: (Score:1)
Sorry to disappoint you, but linux isn't a tool to crack into other peoples machines, even though a lot of kids these days seem to think so.
And the second question is, if these companies had been running Linux, would the crackers have been able to get in?
That depends on the configuration, as does it with Windows NiceTray.
I've heard it time after time, and I never stop to wonder. Why on earth do people think Linux equals cracking-tool ?
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Re:How reliable is this news source (Score:1)
Not very, The Times is well known for printing rubbish regarding computers. It seems they have no tech editor, and often print press releases as stories (falling for every lie), and stories full of dubious facts.
In fact they once printed an urban myth as a true story.
Best not to believe any tech stories in The Times.
F
Re:We can help... (Score:1)
>#include the obligatory "credit cards are really, really a stupid way to exchange funds" rant.
What obligatory rant would that be? A "there's a better way which currently exists" or a "there's a better way that could be implemented"?
Oh, and it's not really a credit card, but a debit card. Not that that's a huge improvement.
I plead ignorance (Score:1)
What should I do? Anything?
Re:An old rule about demanding money: (Score:1)
Not only quoting them, taking on their habits (Score:1)
Re:Bring on the defenders of crime! (Score:1)
Because you don't realize that you can't trust any compromised system, because you have no way of knowing if trojans and backdoors have been installed. That these systems must be repaired from backups, and the effort involved can take hours and cost thousands of dollars on large production systems.
Good point. (Score:1)
Re:We need a word for this. (Score:1)
Slashdot should stop quoting tabloids (Score:1)
"Three Headed Baby Hacks Government Computer System! CIA Stunned!"
Re:An old rule about demanding money: (Score:1)
I'd bet that given a future of six months (or more) of daily torture any would-be cyber-protectionist will rat out his compatriots with rapid alacrity.
Re:Inforansom... (Score:1)
I'm not saying that those people aren't guilty of a pretty heinous crime, they ARE.
What I'm saying is this (analogically): If you leave the front door of your house open, people will most certainly eventually come into your house, and due to some people's lack of morals (or whatever you wish to call it), things will get stolen. If you have a house full of Picassos and Rembrandts, instead of a couple of ripped posters on the walls, be prepared to have bare walls.
This doesn't exonerate the thieves by any means, it simply exposes what is the darker underbelly of human nature. It is the online company's DUTY to make sure that their client's confidential information stays that way.
I was not commenting on the thieves' guilt or innocence, in fact, you'd have to be pretty fucking confused to think that they are not guilty of malicious network intrusion, not to mention extortion. So do us all a favor, konstant, and get off your ethical high horse. No one said they were innocent.
duh.
dr_strang
Re:Inforansom... (Score:1)
-----------
"You can't shake the Devil's hand and say you're only kidding."
The Guardian's rather good though, innit? (Score:2)
Gasp in awe [stand.org.uk] as you watch Jack Straw, Home Secretary of the UK (i.e., important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.
This law is really so incredibly fscked, and demonstrates a complete lack of understanding, on par with the 'net filtering legislation that's just come in to effect in Australia (Oz
...j
(an Australian living the UK)
Re:Securing systems. (Score:2)
All machines except for those in a DMZ should be denied all incoming packets by default. Opening up all ports on all hosts (as default) is just plain stupid--why even have a firewall?
--
Re:biometric identification (Score:2)
If thumbprint scanners can be made small and inexpensive enough, it might be a viable idea.
Under my proposal, the thief needs the card and the passphrase. I do like your thumbprint idea as an additional measure since people seem to have a habit of picking stupid passwords.
With all of that, stolen credit cards would be completely useless. Add in digital cash (with similar security) and mugging becomes useless.
Re:biometric identification (Score:2)
but scream that big brother is coming if they want a thumb print that is of little value other then for ID purposes.
Thumbprint is less secure against merchant fraud/crackers than smartcards. It is more or less fixed data. It is only as secure as the POS system (not very). With smartcards and electronic wallet, it doesn't matter how compromised the POS terminal is.
Re:Inforansom... (Score:2)
but it is very difficult to make a system extremely secure,
That is true, but many businesses don't even seem to try. The CDuniverse case is a perfect example, the card numbers were apparently stored as plaintext on the web server (NT running Microsoft-IIS/4.0).
To be fair, various encryption export laws don't help matters any. If strong encryption could be freely exported, it would be used in a lot more software. That would go a long way (but not all the way) to preventing these problems.
Re:hehe, "secure" (Score:2)
Ever seen "Demolition Man"? Personally I'd rather someone just stole my credit card.
Yes, good movie, and AGREED!
I read specs on a thumbprint scanner once that included infrared scan as well. It claimed to be able to detect duress as well as dismemberment/death and refuse access under those conditions. I doubt the commercial scanners are that good though.
Re:Security by obscurity doesn't work! (Score:2)
Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.
Most people already shell out for a wallet to hold cash, DL, and credit cards. They don't have to cost all that much more, since they'd be no smarter than a 4 function calculator which can be had for $1.99.
I am also aware that the Mondax system is for hard currency. What I propose is added functionality based on the same hardware. Since smart cards are smarter now than they were when Mondax was first proposed, I don't see any reason they can't serve both purposes.
For people who won't buy a wallet, they can use the keypad at the POS terminal and take their chances. They're still more secure than the current system.
Re:Security by obscurity doesn't work! (Score:2)
A US group was randomly generating card numbers, and then tried to charge around $20 to the card via standard means. They didn't have any expiry data, but apparently, the one checker they used did NOT require this information. The result: the company got about $20 charged (one time only) to a number of accounts, and collected that cash for themselves. They are still in operation, as far as I can tell, and are rather 'small time' for both credit card companies (who tend to only chase after $100 or more PER CARD scams) and the US govt (who tends to need $100k or more to put down the smack). Yes, they're illegal, but considered small time by the 'authorities'. At least, if you are smart enough to watch your CC statement, you'll notice the odd $20 charge and can dispute it.
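Two checks around the scheme described in the post above, as an added example that is not code from the original thread. The first is the Luhn checksum that every card number carries: it is a public sanity check, not a secret, so anyone generating random numbers can filter down to ones a checker will accept, which is why "the checker didn't ask for an expiry date" matters. The second is what the card issuer's side could run against its own ledger: flag a merchant that puts exactly one small charge on many distinct cards, the signature of card testing. The merchants, card numbers (on a made-up 400000 prefix) and charges are all constructed for the example; the thresholds are assumptions.

```python
"""Added example: Luhn validation plus issuer-side detection of card testing
(one merchant, one small charge each, across many distinct cards). All
merchants, card numbers and amounts below are constructed, not real accounts."""
from collections import defaultdict


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right (subtracting 9
    when the result exceeds 9), sum all digits, and require sum % 10 == 0."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or len(digits) < 2:
        return False          # non-digit characters or too short
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit pass luhn_valid()."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("unreachable: exactly one digit satisfies Luhn")


def constructed_pans(n: int) -> list:
    """n Luhn-valid 16-digit numbers on a constructed 400000 prefix (not real accounts).
    This is the same filtering a random-number generator would apply."""
    bodies = ["400000" + f"{i:09d}" for i in range(n)]
    return [b + luhn_check_digit(b) for b in bodies]


def flag_card_testing(transactions: list, min_cards: int = 20, max_amount_cents: int = 2500) -> list:
    """transactions: (merchant, pan, amount_cents) rows from a constructed ledger.
    Flag merchants whose charges are all small, touch at least min_cards distinct
    cards, and hit each card exactly once. Thresholds are assumptions for the example."""
    per_merchant = defaultdict(list)
    for merchant, pan, amount in transactions:
        per_merchant[merchant].append((pan, amount))
    flagged = []
    for merchant, rows in per_merchant.items():
        cards = {pan for pan, _ in rows}
        all_small = all(amount <= max_amount_cents for _, amount in rows)
        one_each = len(cards) == len(rows)
        if len(cards) >= min_cards and all_small and one_each:
            flagged.append(merchant)
    return sorted(flagged)


def sample_transactions() -> list:
    """Constructed ledger: a normal shop with repeat customers and varied amounts,
    and a 'tester' charging $20.00 once to each of 40 different cards."""
    pans = constructed_pans(45)
    normal_amounts = [1299, 4550, 899, 12000, 3125, 1299]
    normal = [("corner-shop", pans[i % 5], amount) for i, amount in enumerate(normal_amounts)]
    tester = [("tiny-charge-co", pan, 2000) for pan in pans[5:45]]
    return normal + tester


if __name__ == "__main__":
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))
    print("flagged merchants:", flag_card_testing(sample_transactions()))
```

The detector is deliberately crude: a merchant with legitimate low-value, one-off sales (a vending operator, say) would trip it too, so in practice the flag feeds a review queue rather than an automatic block. The point is that the pattern the post describes is visible on the issuer side even when each individual cardholder never notices a single $20 line.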
Re:Ungoed-Thomas... (Score:2)
Enough whining for now...
Nick
Re:Security (Score:2)
I think this type of security problem is common. Especially when consultants are used to install firewalls etc. Once the consultant has gone home and the budget is spent then the problem is forgotten. In our situation it is even more stupid as I work at a university and we have some great people working here but the computer services department is run by winders kiddies that do not understand the Sparcs (or anything much harder than installing Office) and therefore leave them to the consultants. Budget cuts mean that they can only offer 18,000 UKP for a sysadmin and therefore they can't get one.
Are they going to take responsibility (Score:2)
What often happens is that a supposedly secure system is put in and the operators are so happy that they do not look at security again until, a few years down the road, someone breaches that security.
Security is a developing science. What was secure last year is transparent this year. I work behind 2 firewalls, yet because they are too restrictive we pierce holes through them so that we can use things like UDP. They were not designed to stop activeX but they do stop all Java (do not ask me to explain).
Over-hyped, again. (Score:2)
These stories are so damned stupid. People get all up in arms about giving their credit card numbers to online merchants yet they give them to complete strangers at restaurants, bars, and retail stores everyday. I trust amazon.com more than I trust most of the restaurant workers around here to my credit card number.
Hackers attack! (Score:2)
In general this thing looks much like a bad plot for another Hollywood blockbuster. There is only some lack of green color and antennas over the heads of the baddies...
I can see it now.. (Score:2)
--
Re:Scary, but convenience is worth it - but why no (Score:2)
The "computers are going to destroy us" articles sell a fair amount of newspapers. That space was well-filled with Y2K articles over the last few months, but since that whole issue obviously went nowhere, the space needs to be filled with something else. IOW, we're back to the hacker/cracker stories, except we can expect to see the focus on "professional hacker groups" rather than kids in their bedrooms.
Re:I wouldn't trust "The Times" with a bargepole (Score:2)
Unless they can swing popular opinion behind it, there is little chance that it will be passed. Why? Those who don't understand it or care about it will do nothing, while those of us that do understand it, and oppose it, will do everything we can to ensure that it never comes into force.
On the other hand, if there are enough high-profile, "your money is in danger, even your most personal details!" kind of stories, Jo Public is going to sit up and take notice, and call for the bill's introduction without ever knowing that there is anything bad about it. The majority will buy the party line that it is necessary for their protection, just like the cameras on our streets and public transport are. (Not that I'm totally opposed to them, but there are an awful lot of them these days...)
From the article:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Well, duh. I bet they've been using 'phones and even meeting face to face, too. Maybe I'm reading far too much into this, and letting my paranoia run away with me, but why was this comment even necessary? They've (allegedly) cracked the computer systems of 12 multinational companies, of course they were using sophisticated techniques!! (To say otherwise would be to imply that it was easy.) Being computer savvy, and net connected, of course they've been communicating via email and "internet chat".
If this isn't part of some conspiracy to get popular support for one of the most potentially dangerous bills that has ever come to my attention, then someone somewhere is probably unable to believe their luck that such a fine supporting story has been handed to them on a plate.
Cheers,
Tim
Re:Bring on the defenders of crime! (Score:2)
_These_ crackers are thieves, but not all crackers are. If some group hacks Hotmail and replaces the main page with a message saying "Your security sucks. Hacked by F00fc8C7" then I say more power to them. When someone defaces a web page, it, like you said, forces the company to get their act together. It is a PR loss to the company, but having a secure site is much more important than that. Everyone wins.
Securing systems. (Score:2)
First off, they all need a computer staff, and their own "computer security officer". There should of course be password security - but more important - people should be educated about email attachments, trojan horses, and so forth.
Servers should be under constant surveillance. The admins should always know every single program, which version it is, and so forth. They should keep their eyes open, reading bugtraq and other sources every single day.
A firewall is also a very good idea, for this kind of company. They do need to be configured correctly, and block out common "trojan ports" (12345 (netbus), 31337 (bo), and so forth). This to ensure that no sloppy employee gets his computer backdoored -- and the rest of the net gets access to it. If anybody gains access on ANY of the hosts behind the firewall, the entire network is "compromised" (to a certain degree).
They should also have a fully switched network, or preferably, implement encrypted protocols for data transfers internally, so that even if ONE host got cracked, packet sniffing would do no good.
Oh well, the list goes on and on and on. The important thing is -- every big company should tighten up their security REALLY good. They should have their own staff looking after it.
Smalltime companies should do their very best too -- but they don't have that many computers to protect - and therefore don't need that big a staff.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
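The two firewall policies argued over in this thread (the "block the known trojan ports" list in the post above, and the "default deny, then open holes for the DMZ" position in the replies), as an added example that is not code from the original thread. It is a small first-match packet filter run against constructed inbound flows; the host names, the 12346 "moved backdoor" port and the game port are made up for the example, and only the two ports the post names (12345 NetBus, 31337 Back Orifice) come from the thread.

```python
"""Added example: first-match packet filter comparing a trojan-port blocklist
with a default-deny policy. Hosts, extra ports and flows are constructed for
the example; 12345 and 31337 are the ports named in the thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    dst: str      # destination host name (constructed)
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "*"            # "*" matches any protocol
    dst: str = "*"              # "*" matches any host
    dport: Optional[int] = None # None matches any port

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "*" or self.proto == f.proto)
                and (self.dst == "*" or self.dst == f.dst)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class Policy:
    rules: list
    default: str   # action taken when no rule matches

    def decide(self, f: Flow) -> str:
        for r in self.rules:       # first match wins, like most real filters
            if r.matches(f):
                return r.action
        return self.default


# Policy A: deny the well-known trojan listeners, let everything else in.
BLOCKLIST = Policy(
    rules=[Rule("deny", "tcp", dport=12345), Rule("deny", "tcp", dport=31337)],
    default="allow",
)

# Policy B: deny all inbound traffic, with explicit holes only for the DMZ
# services that must be reachable from outside.
DEFAULT_DENY = Policy(
    rules=[Rule("allow", "tcp", dst="dmz-web", dport=80),
           Rule("allow", "tcp", dst="dmz-mail", dport=25)],
    default="deny",
)

# Constructed inbound flows: legitimate DMZ traffic, a probe for a known
# trojan port, a backdoor rebound to a port no blocklist knows about, and
# the UDP game/chat traffic the reply wants to keep open.
FLOWS = {
    "web":            Flow("tcp", "dmz-web", 80),
    "netbus":         Flow("tcp", "desktop-17", 12345),
    "moved_backdoor": Flow("tcp", "desktop-17", 12346),
    "udp_game":       Flow("udp", "desktop-17", 27015),
}


def compare(flows: dict) -> dict:
    """Return {flow name: (blocklist decision, default-deny decision)}."""
    return {name: (BLOCKLIST.decide(f), DEFAULT_DENY.decide(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in compare(FLOWS).items():
        print(f"{name:15s} blocklist={a:5s} default-deny={b}")
```

The "moved_backdoor" row is the whole disagreement in one line: the blocklist only ever knows the ports someone has already written up, while the default-deny policy stops the same backdoor without anyone having heard of it. What default deny costs is exactly the "udp_game" row, which is why the holes in policy B are explicit and per host rather than per port.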
Re:Securing systems. (Score:2)
The sysadmins should have full access to everything, and know as much as possible, so that they can squash a bug if they find one, without delay.
If an article about a bug in program foo is published tomorrow, it should be fixed as soon as the first sysadmin reads about it. He should not need to call sysadmin 4, so that he can fix it. Especially not if sa.4 is on vacation..
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
No it's not (Score:2)
No it's not. Companies should be serious about protecting their information systems because it's the right thing to do, not because some criminals (albeit clever ones) have made it necessary.
Analogy time! Would you be thankful for criminals who break into your house and steal valuable things? Even if they stole nothing, but merely left a note saying that they'd be back to steal your property later, if you don't pay them a big ransom? Hell no. You'd be angry, and rightly so. You might add better security, and that might be a Good Thing(tm) but it's still not good that some thugs threatened you or your property.
Security by obscurity doesn't work! (Score:2)
Isn't it time now in this day of ease of access to information to add something smarter to credit cards for security?
Can you say "Jon Ungoed-Thomas " (Score:2)
They have been covering his misreporting and his bumbling attempts to infiltrate direct action groups in the UK by "fakemailing" them for some time now.
Please, do not even consider believing a word that this buffoon says. How he still holds a post at the Times is quite beyond me.
http://www.ntk.net/index.cgi?back=archive99/now
Re:Securing systems. (Score:2)
When time to market is the most crucial factor, "Security? we can just add that on later".
Such places aren't going to deploy enough security the first time around. They can only react to this matter after the crack happens.
Security is always someone else's problem until it becomes their problem - on the front page of major news sites.
Would you now buy from CD Universe with a credit card?
probably not.
Should you?
I'll bet that within a month, they'll have the most secure setup in their business market. They will have thrown tons of money at the security hole, and try to market their newly increased security as a strength, not a weakness.
So I'll look for their "check out our new, improved site, now with 'Security' coupons" soon.
If they're still around.
Paul
Re:Security by obscurity doesn't work! (Score:2)
Seriously, what security methods are there on credit/debit cards? Two. The signature on the back to stop you nicking someone else's card and using it due to your inability to convincingly duplicate the signature, and the hologram on the front to stop you making your own (fake) cards and using them illegally. Both rely on eyesight and retailer, card and user being together.
What we need is for someone to recognise that cards are simply not suitable for the purposes they're being used for now - remote ordering - and setting up something stronger, like sending out encryption keys for use with online transactions.
But this is relatively expensive and makes spending money harder, so isn't going to happen all that soon...
Greg
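The distinction drawn earlier in this thread between fixed credential data (a thumbprint template, or for that matter a card number and expiry date) and a smartcard that answers a fresh challenge each time, and the "send out encryption keys for online transactions" idea in the post above, as an added example that is not code from the original thread. It plays both schemes against the same attacker: a compromised POS terminal that records everything it sees and resends it later. The issuer state, the shared-secret HMAC construction, the nonce size and the amounts are assumptions made for the example, not a description of any real card scheme.

```python
"""Added example: replay of fixed credential data versus a per-transaction
challenge-response. The keys, nonces, amounts and issuer bookkeeping are
constructed for the example and stand in for whatever a real scheme uses."""
import hashlib
import hmac
import secrets


class Issuer:
    """Issuer side: per-card enrolment data, plus the set of challenges already consumed."""

    def __init__(self):
        self.cards = {}            # card id -> (shared secret, static template)
        self.used_nonces = set()

    def enroll(self, card_id: str, key: bytes, template: bytes = b"") -> None:
        self.cards[card_id] = (key, template)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh, unpredictable per transaction

    # Scheme 1: static data (e.g. a thumbprint template) sent with each transaction.
    def authorize_static(self, card_id: str, template: bytes, amount: int) -> bool:
        _, enrolled = self.cards[card_id]
        return hmac.compare_digest(enrolled, template)   # amount is not bound to anything

    # Scheme 2: the card signs (nonce, amount) with its secret; each nonce is single use.
    def authorize_challenge(self, card_id: str, nonce: bytes, amount: int, tag: bytes) -> bool:
        key, _ = self.cards[card_id]
        if nonce in self.used_nonces:
            return False                # replay of a captured exchange
        expected = hmac.new(key, nonce + amount.to_bytes(8, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                # wrong key, or amount/nonce tampered with
        self.used_nonces.add(nonce)
        return True


class SmartCard:
    """Card side: holds the secret, never reveals it, only produces tags over what it is shown."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, nonce: bytes, amount: int) -> bytes:
        return hmac.new(self._key, nonce + amount.to_bytes(8, "big"), hashlib.sha256).digest()


def run_static_scenario() -> tuple:
    """Honest purchase, then the terminal replays the captured template for a bigger amount.
    Returns (honest accepted, replay accepted)."""
    issuer = Issuer()
    template = b"constructed-thumbprint-template"
    issuer.enroll("card-1", b"unused-in-this-scheme", template)
    honest = issuer.authorize_static("card-1", template, 2000)
    captured = template                                   # recorded by the compromised terminal
    replay = issuer.authorize_static("card-1", captured, 99999)
    return honest, replay


def run_challenge_scenario() -> tuple:
    """Same attacker against the challenge-response card.
    Returns (honest accepted, replay accepted, amount-tamper accepted)."""
    issuer = Issuer()
    key = secrets.token_bytes(32)
    issuer.enroll("card-1", key)
    card = SmartCard("card-1", key)

    nonce = issuer.challenge()
    tag = card.respond(nonce, 2000)
    honest = issuer.authorize_challenge("card-1", nonce, 2000, tag)

    # The terminal saw nonce, amount and tag. It can resend them verbatim,
    # or present the old tag with a new challenge and a bigger amount.
    replay = issuer.authorize_challenge("card-1", nonce, 2000, tag)
    tamper = issuer.authorize_challenge("card-1", issuer.challenge(), 99999, tag)
    return honest, replay, tamper


if __name__ == "__main__":
    print("static template  (honest, replay):        ", run_static_scenario())
    print("challenge-response (honest, replay, tamper):", run_challenge_scenario())
```

Nothing here protects the cardholder from a terminal that lies about the amount on its display before the card signs it; that is the argument for the wallet with its own keypad and screen made elsewhere in this thread. What the challenge-response does buy is that whatever the terminal records is worthless afterwards, which a fixed template or a printed card number can never offer.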
Re:Security by obscurity doesn't work! (Score:2)
Nice idea but I can't see that this is much better suited to the Internet than standard cards. It's not what this is designed to do, either - this is a digital replacement for hard currency.
Greg
Re:Security by obscurity doesn't work! (Score:2)
Forgot to preview it AND forgot to account for a slow communal computer overunning the text buffer as I typed while it was locked
Plus, it makes them harder to use as you've go it to your computer, so I can't see the average user being all that keen, either.
should have read:
Plus, it makes them harder to use as you've got to connect it to your computer, so I can't see the average user being all that keen, either.
Sorry
Greg
Silly crackers... (Score:2)
But they've (supposedly) got thousands of credit card numbers! They could squeeze far more money out of those credit cards than £10 million, and if they did it carefully, it would be very difficult to catch them at it. Silly crackers...learn how to play the game before you start.
--
Haxploitation (Score:2)
Scary, but convenience is worth it - but why now? (Score:2)
However, I must ask - why now? We've seen two stories like this in the last week, and they both seem to have been planned for a while. Is there some sort of reason this is suddenly more prevalent?
Inforansom... (Score:2)
Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.
Private email doesn't work (Score:2)
Vandalism is petty crime, and far more people are hurt by incompetent companies that don't find they have reason enough to care about the security levels they inflict upon their patrons. A pointy reckoning to them all!
Re:Ungoed-Thomas... (Score:2)
Stop that! Just the thought that JU-T might ever read our precious slashdot and use it as a source for future works of fiction is going to lose me some sleep tonight.
I'm going to chant over and over again, the moderator didn't read the article, and didn't understand who double-plus-ungoed is, and why all the higher moderated posts in this thread are all about the Times, JU-T, and...
the AC
Wow! That is just plain evil (Score:2)
Wow! That is just plain evil. This means someone should start a campaign to get Linux boxes in the UK to use StegFS [cam.ac.uk]. StegFS (Steganographic File System) is an encrypted ext2 file system which allows for plausible deniability, i.e. you can give them the password to a lower encryption level and they will have no way to prove higher encryption levels exist, thus there is nothing they can do to make you give up your encrypted data (it also wipes unused blocks so none of this taking the disk to find shit you deleted).
Now, the requiring you not to tell anyone is a separate issue. I dunno what to do about this. I suppose you could just tell people anyway.. maybe someone could run a web page which publishes lists of incidents where they have used this power? Is anyone trying to fight this?
Jeff
Re:Security by obscurity doesn't work! (Score:2)
You people need to learn about smartcards. Start at Schlumberger [slb.com] and Litronic [litronic.com] (they have a good intro [litronic.com] to smartcards.) and go from there. The people at ZeitControl [zeitcontrol.de] have this cool programmable card [basiccard.com] that you should look into.
This is your brain on e-commerce (Score:2)
It never fails to fry my brain when I hear the indignation expressed by the technically clueless in response to tabloid-esque puffery [zdnet.com] like this. These are the same people who, after their meal at Olive Garden, think nothing of handing their card to an unknown person who disappears with it for five minutes. The same people who think nothing of pulling out their cards and receiving cash at an ATM in a dark, empty parking lot at night. The same people who never even perceive the strangers jammed into the supermarket checkout lane behind them as they whip out their card and pay for groceries.
These people seem to think that the idea that some 'evil haxor' may come along seeking your card number successfully is somehow more repugnant than knowing that management at Best Buy has reports listing the zillion or so numbers their checkout computers recorded over the holidays just sitting around on desks all day.
Anybody know how many lost Mars probes ZDNet helped recover today...?
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Re:The Guardian's rather good though, innit? (Score:2)
Gasp in awe as you watch Jack Straw, Home Secretary of the UK (ie, important government chap), find himself liable for two years imprisonment (if this law was to pass) because someone sent him an encrypted message that he can't decrypt.
[an american sighs] Why is all the really useful legislation overseas? There are more than a few politicians I would rather gleefully remove via such a practical ordinance!
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Re:Bring on the defenders of crime! (Score:2)
Defacing a web-page is a little different. It's closer to putting a post-it note on the inside of your door saying "eY3 0wN u!" or something. Scary but not necessarily all that much work to clean up.
Re:Securing systems. (Score:2)
I'm idly curious to see whether the Gartner Group's predictions about a backdoor-enabled heist by "Y2K" consultants were ever borne out...
A Tale of Jack Straw, An Expedient Man (Score:2)
Some of his recent accomplishments include:
1) allowing Colonel Pinochet, the Chilean dictator and alleged perpetrator of crimes against humanity, to escape justice on the grounds that he is too frail to face the hardships of a court trial. This decision is further to a private medical report on Pinochet's condition, which by its nature seems pretty difficult to challenge.
What exactly about his mind/body is unable to sit through a trial? What are the odds of his staging a "miraculous" recovery upon arrival back to Chile, where he has immunity from prosecution?
2) then there's the case of his letting Mike Tyson, former heavyweight champion boxer, rapist of a teenager and ear gourmet into Britain. The UK law says that aliens convicted of a crime that would carry a prison sentence of 12 months in Britain are denied entry, unless on extreme compassionate grounds. Compassion towards Tyson not towards the British businesses who had invested in the fight!
3) there's the example of the alleged Nazi war criminal Konrad Kalejs who is accused of killing >30,000 civilians in Latvia during World War II. He was found living in a residential countryside home. Instead of prosecuting him, Straw allowed his deportation from the UK as he had *gasp* overstayed his 6 month visa.
It makes me *so* proud to be a part of such an ethical government. *sob* I'm choking up here.
Re:From the Article . . (Score:2)
So, if you were not informed of the compromise either (1) your card was not affected or (2) your bank chose not to tell you. Door number 2 is a black eye for your bank, not VISA.
Does VISA really have an obligation to tell the whole world that some of their numbers were compromised? IMHO, No. They do have an obligation to tell those people who were affected, and I think they did a good job there, at least in my case. Perhaps they chose not to tell the whole world because their investigation (along with whoever else) was on-going. Perhaps (more likely) they chose not to tell the whole world for fear of a mass canceling of VISA cards prior to Christmas. As long as the affected people were notified, which seems to have happened, I really don't think they screwed up here.
Re:Inforansom... (Score:2)
Re:Sounds like peanuts to me (Score:2)
But the thing is, $10 million is big enough to be HUGE for the average band of thieves, but maybe small enough for Visa to consider paying instead of hunting for blood. If it was only $1 million, they almost definitely would have paid. If it were $100 million, then the crackers would be hunted to the ends of the earth.
As it is, it sounds like they erred a bit too close to the $100 million mark. Too bad for them.
Re:I can see it now.. (Score:2)
This is something I've been fighting with for a while. On the one hand, it's far easier to steal a credit card number in a restaurant or store than it is online. On the other hand, the persistence of information online makes it a more tempting target. You can dig and hack away at (for instance) the Visa site for ages, and if you're careful, not be noticed. If you're successful, you can get a lot more card numbers than in a month of working at a store, and less traceably.
Given that, where are your numbers really safer? The answer is deep in your pocket, unused. Doesn't do a lot of good, does it? That's one of the reasons that the card companies put that $50 liability ceiling in place--to defray the (perceived) risks to the consumer, and encourage use of the cards. If you can prove that the number was stolen through no negligence on your part, then you can usually get that $50 waived.
Media be damned. You are not directly at risk of the consequences of credit card theft. Security breaches and other expensive problems are reflected in the interest rates you pay on the cards. Use your cards in good conscience, keep tabs on your statements (to spot possible theft), and pay your bill off every month, and you'll be about as safe as possible.
Re:Security by obscurity doesn't work! (Score:2)
Shamir's device is an advanced photoelectronic computer that performs the sieving phase of the NFS or MPQS factoring algorithms several orders of magnitude more cost-effectively. However, the major obstacle is not the sieving phase, which is easily distributed, but rather the matrix reduction phase which must be done on a machine with immense amounts of memory and low latency. Even with SGE and block Lanczos methods, it's inconceivable that enough memory will ever be built to accommodate reducing the matrix from a 768-bit RSA key. The situation is even worse for discrete log systems by a couple orders of magnitude.
Re:Security by obscurity doesn't work! (Score:3)
But this is relatively expensive and makes spending money harder, so isn't going to happen all that soon....
It shouldn't be all that expensive when reduced fraud losses are considered. What is needed is a smart card and an electronic wallet more or less like the Mondex [mondex.com] wallet. The card would contain an encrypted signature key. The card owner enters password and total amount into the card through the wallet. Card then goes into slot in the POS terminal. The terminal gives the card a transaction record in plain text. The card compares the amount, and if it matches, signs the record and hands it back.
When that signed record is submitted to the credit card company, there can be little doubt that the customer authorized the transaction. Since the secret key is itself passphrase encrypted, it is useless to anyone but the owner. Entering the passphrase on the wallet eliminates fraud at the POS terminal. A simple serial connection to the wallet (like that on a Palm) enables it to be used for internet transactions. Phone orders can be handled by the cardholder entering the merchant's info into the wallet and calling out the signature value OR by acoustic modem. Recurring charges could be set up by a customer using the card to sign an authorization which names the company, maximum charge/month and duration of the agreement. Early cancellation can be managed by the cardholder sending a card-signed termination to the credit card company.
Really, all of that is only slightly harder than calling out the credit card number (or handing it over to a clerk), and is many times more fraud proof. It would also avoid the annoyance of having to get a new card every few years.
A side benefit of all of that is that semi-anonymous charges could be made. The cc company would still know all, but the retailer would not need to know anything about you at all.
The system could be given even more value by making the same card/wallet capable of electronic cash and secure ATM transactions.
The interim period could be handled by placing a standard magstrip and number on the new card so it can be used the old way. Hopefully, that period wouldn't last TOO long.
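The card-side authorization step described in the post above, as an added example that is not the poster's code or any real scheme (Mondex or otherwise): the Ed25519 seed is sealed under a passphrase-derived key, the card refuses to sign unless the terminal's amount matches what the owner approved, and the issuer verifies the signed record. SHA-256 as the password KDF, the record encoding and the field names are assumptions made to keep it in the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is the plain-text transaction record the POS terminal hands to the card.
type Record struct {
	Merchant string
	Amount   int64  // minor units (pence); constructed for this example
	Serial   uint64 // per-terminal counter so a signed record cannot be replayed
}

// Bytes is a canonical encoding so card and issuer sign/verify identical bytes.
func (r Record) Bytes() []byte {
	b := make([]byte, 16, 16+len(r.Merchant))
	binary.BigEndian.PutUint64(b[:8], uint64(r.Amount))
	binary.BigEndian.PutUint64(b[8:], r.Serial)
	return append(b, r.Merchant...)
}

// Card keeps only the public key in clear; the seed is sealed under the passphrase.
type Card struct {
	Public ed25519.PublicKey
	salt   []byte
	nonce  []byte
	sealed []byte
}

// aeadFor derives the wrapping key. SHA-256 stands in for a real password KDF
// (scrypt/Argon2) purely to keep this example in the standard library.
func aeadFor(salt []byte, passphrase string) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// NewCard personalises a card: fresh key pair, seed sealed with the passphrase.
func NewCard(passphrase string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	sealed := aeadFor(salt, passphrase).Seal(nil, nonce, priv.Seed(), nil)
	return &Card{Public: pub, salt: salt, nonce: nonce, sealed: sealed}, nil
}

// Authorize is the card-side step: unseal the key with the passphrase typed on the
// wallet, compare the terminal's amount with the approved one, then sign.
func (c *Card) Authorize(passphrase string, approved int64, rec Record) ([]byte, error) {
	seed, err := aeadFor(c.salt, passphrase).Open(nil, c.nonce, c.sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("passphrase rejected; key stays sealed")
	}
	if rec.Amount != approved {
		return nil, fmt.Errorf("terminal asked %d, owner approved %d", rec.Amount, approved)
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), rec.Bytes()), nil
}

// Verify is the issuer-side check on a submitted signed record.
func Verify(pub ed25519.PublicKey, rec Record, sig []byte) bool {
	return ed25519.Verify(pub, rec.Bytes(), sig)
}
```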
Re:Inforansom... (Score:3)
While I agree that not every standard is as good as it could be, having a standard means that you've got something to work with. If a standard for exchanging money is not good enough the credit card companies have to pay for it. If they're losing a lot of money they'll have to fix the standard or accept their loss. It isn't their customers' problem.
For that reason I'm not so afraid of bad standards. I can't stress this point enough: standardization is what made the industrial revolution happen. We'll need standardization on the internet too. Hell, the internet is all about standards. Bad standards are outcompeted (gopher) by other standards or fixed (IP).
Right now there isn't any standard for something very obvious: exchanging money. The only thing you can do is exchange credit card numbers. It's not a technical problem, it's a standardization problem.
Your post sounds very anarchistic. You're afraid of losing your freedom and you assume a central authority. I can't take away the first but the lack of the second thing is the whole problem. In a way the software community is way beyond the banking world in that they've recognized that it is more profitable to agree with your competitors than to compete with an incompatible 'standard' (recent example: internet messaging).
Re:Inforansom... (Score:3)
For that to happen we need two things:
1 - a global standard on how to exchange money. Such a standard would need to include encryption + a protocol to establish a secure connection + a protocol to exchange the money over the connection + a secure way to allow both sides to identify each other
2 - Adequate laws to warrant the rights of both parties involved in a transaction similar to what applies to conventional ways of exchanging money and a more relaxed encryption policy of, for instance, the US government.
The technology to do all this has been around for a couple of years and things like this news item will make it more likely that banks and credit card companies will actually make this happen.
Re:Slashdot Reliability - hacked again (Score:3)
The article is by one of the most ridiculed "journalists" in Britain, which puts him out in front of a large pile of pathetic scandal-mongers. JU-T has been pointed out to the
Some of the "stories" which only he has uncovered lately include one whereby his "highly placed source at the FBI" confirms that drug lords all over the world are hiring thousands of programmers to write software drugs, and then they can download them to cyber-junkies and make trillions of $$$ untraceably over the evil internet. Another story regurgitated the claim by a far right wing US research group that 70% of all material on the internet was hard-core pr0n.
The reason you don't see any other newspaper cover these stories or run more truthful versions is that these articles are completely works of fiction, and even the other scandalsheets in Britain won't stoop low enough to answer the Times garbage.
This story first broke last summer, when some kids tried to extort money from VISA. They were stupid, they even made the phone call from their home phone. Scotland Yard closed that case out without blinking. Now the Times pulls it up along with a few hints of other cases, but offers no facts or details, to prove to their readership the internet is a big evil thing which needs strong government regulation.
I can see there are a few other
the AC
Re:From the Article . . (Score:3)
They stole corporate secrets and things like that, they didn't steal credit card numbers, so this is more of an internal matter and all it does is make them seem incompetent, which I'm really not sure if it's true or not.
Companies have the right to have a little privacy too, maybe not much, but enough that they don't need to tell the public if it doesn't affect it (and Visa would need to lose a lot more than 10 million pounds before the customers see a difference).
Re:Security (Score:3)
ummm ok I realize you've asked not to be asked to explain this novel approach to security, but I would like to point out (for the benefit of other readers) how un-informed this decision is. Java has a wonderful security model and stays in its own sandbox.
ActiveX, on the other hand, is like a drunken super-model on crack. Sure, it's sexy, but you never know what it's going to do next.
I would favor blocking the latter, and letting through the former.
_________________________
Consider the source (Score:3)
Hacker gang blackmails firms with stolen files
£10m ransom demands sent out
Along with the story we're discussing here, we have this little gem:
Pollution set to rip giant hole in ozone layer
More than half the ozone is likely to disappear by March, climatologists warn
Rip a hole? March is 2.5 months away!
Along with that little story, we have more "all the news that's fit to spit":
Call girl fights Vat man's bill for £500,000
Flesh-coloured stockings not claimable - but lacy ones might be
Is this hard news? I think not.
And this little tidbit about Mr. big lips:
Do not arise Sir Mick Jagger
Downing Street blocks planned honour because of errant ways
Looks like a gossip rag to me, but then again, I'll let you be the judge. [the-times.co.uk]
_________________________
From the Article . . (Score:3)
"We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI."
Also . . "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation.
First of all, the initial hack was way back in July? Shouldn't there be better disclosure on these matters? Keeping their customers uninformed is by far the worst offence here. Months and months passed before this was finally disclosed, and in that time billions of dollars were at risk.
Secondly, it would appear that they suspect a competitor (or someone with an interest in seeing them lose money) is behind the hack. Interesting, don't you think?
_________________________
Visa: Everywhere you don't want it to be (Score:3)
1 cable modem: $200.
Knowing you're bringing down the world's largest financial transaction institution?: Priceless.
_________________________
Re:Private email doesn't work (Score:3)
True 'nuff. OK, how about a week grace period after the private mail, and then public disclosure on Bugtraq or the like? There are perfectly acceptable ways of letting the victim and the community know about security breaches, other than defacement. Let's be honest; How many crackers are going to say to themselves (regardless of what they say to the media), "I feel morally required to deface this page to illustrate serious security bugs that took me three weeks of work to discover." Now how many are going to say, "C00l! I br0k3 it! I AM 31LEET D00DZ!!!" (As an aside, I suspect that they really talk like that, even internally
In other words, the end (better security) doesn't justify the means (cracking and vandalism), especially when other equally effective means exist.
Re:Bring on the defenders of crime! (Score:3)
OK, so what if they copied the file?! How about if I change my analogy to use water soluble paint instead?
What, on the other hand, if the crackers decided to rootkit the system, then cp index.html to index.html.bak, so it _appeared_ to be a harmless prank?
If a site has been compromised, the usual (and proper) course of action is to rebuild from trusted tapes. None of this affects the original point, though, which is this:
Vandalism, regardless of the financial consequences, is still vandalism. Similarly, theft is still theft. Both cause harm, both destroy trust, and both break down open and free dialog.
Re:Bring on the defenders of crime! (Score:3)
Honestly, my apartment security sucks compared to, say, Intel's fab plants. Does that mean that I should thank thieves and vandals for breaking in, stealing my stereo, and destroying my records? Should I appreciate the message they sent me by spray painting my wall with, "Your locks SUCK DOOD!!!"?
There's no reason we should accept that security less than NSA levels is an acceptable invitation to invasion, either physically or cybernetically. Criminal Trespass is indefensible no matter where it takes place.
What to do next... (Score:3)
a) How reliable is this news source?
b) What is the potential for harm to Visa customers?
c) Have the hacker group(s) actually stolen credit card numbers, or gained access to some other part of the system?
d) What can Visa do about it in terms of guaranteeing that IF card numbers have been stolen, that customers will not be liable for any charges made illegally (or is this already provided for)?
Before we start to create mass hysteria and hype over this, we need to assess the actual potential for damage so that we do not let this get blown out of proportion.
I mean, taking a realistic view, Visa is going to be damn well careful to keep their data secure; this hack is most certainly not due to negligence on their part. They're probably working their asses off right now to fix it. IF card numbers have been stolen, Visa has to pay for illegal purchases - and you can be sure that they're making every effort to avoid this.
Re:Securing systems. (Score:4)
The sysadmins should have full access to everything, and know as much as possible, so that they can squash a bug if they find one, without delay.
Not necessarily. For example, the sysadmin only needs to know where and how credit card numbers are stored, not the passphrase needed to decrypt them. Or the threat could be reduced by using a capabilities based system where most admin duties are performed with only a subset of root capabilities. Full root could require a valid login from two sysadmins. That wouldn't preclude insider fraud, but it would be less likely and harder to get away with.
The reason you know it's rubbish... (Score:4)
More details at NTK [ntk.net] - search for "Ungoed".
Gerv
We need a word for this. (Score:4)
I can't be bothered to look it up now, but I'm almost convinced that The Times has featured a number of stories like this before, all of which indeed did lead to end of civilisation as we knew it (or maybe not...)
So what about this one, well:
"The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator.
Wow, malicious hackers that can use email and IRC! They have got to be a dangerous threat!
It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system.
Now that is good journalism! Don't bother explaining that "code" has two meanings in computers, and that the "source code" has nothing to do with accessing the site (unless it was broken to begin with, but...) But then we do know how expensive it is when a hacker gets your source code, look at poor Sun who had to recode Solaris from scratch after Mitnick looked at its source (what? Didn't they? They must have since they claimed the entire cost of it in damages.)
Also, in both this and the CDUniverse case, the hackers are (apparently) trying extortion as a way of making money off their cracks. Extortion is a really, really, really, bad way of committing crimes without getting caught. Unless you happen to have serious underworld money laundering connections, you are going to get caught when you try to get your hands on the money - for sure. If these guys think they can walk away with a suitcase of "100 thousand quid in unmarked twenties" they have watched too many movies.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Re:Inforansom... (Score:4)
Even more unfortunately, the media will skew and distort this to the point where the spoonfed masses won't see the real point (which is that better security is needed at these online companies). Such is life.
DEFENDANT: Your honor, I only killed that man to demonstrate how extremely poor most people are at self defense! Consider it an act of charity to society at large.
JUDGE: I never saw it that way! I will enroll in a Tai Jitsu Kata class immediately! Case dismissed!!!!
---
ATTORNEY: And so you see ladies and gentlemen of the jury, my client did not rob the bank as an act of theft per se, but rather as valiant display of public zeal! How many of you slept easy last night entrusting your money to the poorly secured bank vaults of the neo-syndicalist dogs at First National Savings?!!?!
JURY FOREMAN: This man is a hero! I am going to stuff my money into my mattress forthwith! Down with the WTO! Case dismissed!!!!
---
JUDGE: For your crimes against society, I hereby sentence you to hang by the neck until dead!
DEFENDANT: But your honor, by poisoning the water supply of the local KiddieCare Nurture Center, I indicated strikingly the need for higher quality water filtration. And by ransoming the life of 2 year old Phiddeas Quilch (whom I knew already to be dead) I displayed the ironic certainty that a society designed around monetary transactions is inherently debased with greed and treachery!
JUDGE: You are a wonderful person!!! Thank you!!! Case dismissed!!!
-konstant
Yes! We are all individuals! I'm not!
I wouldn't trust "The Times" with a bargepole (Score:4)
Hence they're a bit clueless now. This story has been going for a few days in the UK, but no details are apparent, no arrests have been made, no evidence shown. I'm sure somebody has made some threats, but then there's always somebody out there who'll make threats.
Interestingly, the UK government has laws going through, as I'm sure everybody knows, that would allow law enforcement to demand encryption keys from anyone without the need for judicial oversight or reasonable grounds, and also to then require you not to tell anyone. I'm sure the promulgation of stories like this one is supported by the agencies that stand to benefit.
Re:An old rule about demanding money: (Score:4)
I die. I forget to log into any one of many "magic" accounts out there, or something. A script in several places on the net times out, and lets the cat out of the bag on Usenet.
ask for *WAY* more than it would take to kill you professionally. *WE* of technologically endowed brain, beyond good and evil are the masters here.
Bring on the defenders of crime! (Score:4)
I wonder how culpable Visa really is in this. I suspect that they had good solid security in place, and that the criminals broke in through some actual code bugs. (i.e. some new buffer overflow, rather than something like poor/no password selection)
I'm not sure what to make of the fact that Visa didn't tell the public, though. That's a bit disturbing.