[ISN] Indonesia to create its own “cyber army”

http://news.xinhuanet.com/english/world/2013-05/29/c_132416837.htm

By Abu Hanifah
English.news.cn
2013-05-29

JAKARTA, May 29 (Xinhua) — In a move to keep the country’s sovereignty in the cyber age, the Indonesian defense ministry is planning to create a special force called “cyber army” to tackle attacks by Internet hackers against the state’s Internet portals and websites that could endanger the security of the state.

A senior official at the ministry said that it would propose a law to legalize the operation of the “cyber army.”

The plan to set up the special force was hatched after rampant attacks against government Internet portals and websites were reported during the last three years.

“The only law that we have to address cyber crime is the IITE law,” Pos M. Hutabarat, director general of security potentials at the ministry, said on Tuesday, referring to the law that regulates online information and transactions for civilians and carries a fine of up to 1 billion rupiah (about 102,000 U.S. dollars) for violators.

Pos said that there is an urgent need for a law to create the “cyber army” in Indonesia.

According to Pos, the “cyber army” will be manned by uniformed soldiers specially trained in information technology who possess the skills and techniques needed to prevent cyber attacks.

He said that similar cyber units are already operational in several countries, including the United States, China, South Korea and Iran.

Indonesian Defense Minister Purnomo Yusgiantoro said earlier that establishment of the task force would need the full support of the Communication and Information Ministry.

The ministry is expected to provide a telecommunication infrastructure management system, equipment and trainers for the members of the proposed “cyber army,” Purnomo added.

“The Communication and Information ministry has the capacity to build up the cyber security,” he said, adding that the “cyber army” unit is planned to be embedded in the navy, the army and the air force.

Communications and Information Minister Tifatul Sembiring said earlier that websites of Indonesia’s state ministries and agencies have received more than 36.6 million cyber attacks from hackers in the last three years.

He said that his ministry is in the process of building a system called “National Cyber Security” to protect websites of government institutions and agencies.

To make the system effective, the ministry has sought the cooperation of other government agencies, including the national intelligence body (BIN), the national narcotics body (BNN), and the military and government’s anti-terrorism desks (BNPT).

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org

[ISN] Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet

http://news.techworld.com/applications/3449583/hackers-exploit-ruby-on-rails-vulnerability-to-compromise-servers-create-botnet/

By Lucian Constantin
Techworld.com
29 May 2013

Hackers are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a botnet.

The Ruby on Rails development team released a security patch for the vulnerability, which is known as CVE-2013-0156, back in January. However, some server administrators haven’t yet updated their Rails installations.

Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by websites including Hulu, GroupOn, GitHub and Scribd.

“It’s pretty surprising that it’s taken this long [for an exploit] to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” said Jeff Jarmoc, a security consultant with security research firm Matasano Security, Tuesday in a blog post.

[…]

[ISN] NYPD cop arrested, accused of paying $4,000 to hack fellow officers’ e-mail

http://arstechnica.com/tech-policy/2013/05/nypd-cop-arrested-accused-of-paying-4000-to-hack-fellow-officers-e-mail/

By Cyrus Farivar
Ars Technica
May 29 2013

It’s no surprise that many computer crimes have stupid criminals behind them. But it’s not every day that you have cops getting caught at their workplace.

A New York City Police Department (NYPD) officer has been arrested and accused of paying more than $4,000 via Paypal for “e-mail hacking services.” The officer used this service to gain access to “at least 43 personal e-mail accounts and one cellular phone belonging to at least 30 different individuals, including 21 who are affiliated with the NYPD; of those 21, 19 are current NYPD officers, one is a retired NYPD officer, and one is on the NYPD’s administrative staff.”

NYPD Detective Edwin Vargas was charged last week with one count of conspiracy to commit computer hacking and one count of computer hacking—each count carries a maximum sentence of one year in prison. He has since been suspended with pay by the NYPD as per normal department policy.

The complaint was sent to Ars by the United States Attorney’s Office. It alleges the Bronx-based detective hired an “e-mail hacking service” to reach those 43 accounts between March 2011 and October 2012. He is believed to have accessed “at least one personal e-mail account belonging to a current NYPD officer after receiving the account’s log-in credentials from the hacking service. Vargas also accessed the [National Crime Information Center], a federal database, to obtain information about at least two of those NYPD officers without authorization to do so.”

[…]

[ISN] Drupal resets account passwords after detecting unauthorized access

https://www.computerworld.com/s/article/9239613/Drupal_resets_account_passwords_after_detecting_unauthorized_access

By John Ribeiro
IDG News Service
May 29, 2013

Drupal.org has reset account passwords after it found unauthorized access to information on its servers.

The access came through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal, the open source content management software provider said in a security update late Wednesday on its website.

The information exposed includes user names, email addresses, and country information, as well as hashed passwords. The breach has affected user account data stored on Drupal.org and groups.drupal.org, and not on sites running Drupal software.

Drupal.org is the volunteer-run home of the Drupal project, which keeps track of the Drupal code and contributed work, while Drupal Groups is used by the community to organize and plan projects.

Investigations are still going on and Drupal may learn about other types of information that may have been compromised, wrote Holly Ross, executive director of the Drupal Association, which maintains the Drupal.org site.

[…]

[ISN] Liberty Reserve arrests are causing ‘pain’ to criminals

http://www.bbc.co.uk/news/technology-22699871

By Leo Kelion
Technology reporter
BBC News
29 May 2013

The takedown of the Liberty Reserve digital cash exchange has caused “pain” to criminals who used the facility, according to a leading security expert.

Brian Krebs said he had seen comments on crime-linked restricted access forums suggesting many had suffered “steep losses”.

US prosecutors published an indictment against the site’s staff on Tuesday. It says they deliberately helped users “distribute, store and launder the proceeds of their illegal activity”.

Costa Rica-based Liberty Reserve had essentially functioned as a “black market bank” which had “allegedly processed 55 million separate financial transactions, and laundered a staggering $6bn [£4bn] in criminal proceeds”, said Preet Bharara, Attorney for the Southern District of New York, at a press conference.

[…]

[ISN] This Pentagon Project Makes Cyberwar as Easy as Angry Birds

http://www.wired.com/dangerroom/2013/05/pentagon-cyberwar-angry-birds/

By Noah Shachtman
Danger Room
Wired.com
05.28.13

The target computer is picked. The order to strike has been given. All it takes is a finger swipe and a few taps of the touchscreen, and the cyberattack is prepped to begin.

For the last year, the Pentagon’s top technologists have been working on a program that will make cyberwarfare relatively easy. It’s called Plan X. And if this demo looks like a videogame or sci-fi movie or a sleek Silicon Valley production, that’s no accident. It was built by the designers behind some of Apple’s most famous computers — with assistance from the illustrators who helped bring Transformers to the silver screen.

Today, destructive cyberattacks — ones that cause servers to fry, radars to go dark, or centrifuges to spin out of control — have been assembled by relatively small teams of hackers. They’re ordered at the highest levels of government. They take months to plan. Their effects can be uncertain, despite all the preparation. (Insiders believe, for example, that the biggest network intrusion in the Pentagon’s history may have been an accidental infection, not a deliberate hack.)

With Plan X, the Defense Advanced Research Projects Agency is looking to change all that. It wants munitions made of 1s and 0s to be as simple to launch as ones made of metal and explosives. It wants cyberattack stratagems to be as predictable as any war plan can be. It wants to move past the artisanal era of hacking, and turn cyberwarfare into an industrial effort.

Across the U.S. government, there are all kinds of projects to develop America’s network offense. None are quite like this.

[…]

[ISN] Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

By Dan Goodin
Ars Technica
May 27, 2013

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail, Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99” and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1” respectively. (For more details on password hashing, see the earlier Ars feature “Why passwords have never been weaker—and crackers have never been stronger.”)

While Anderson’s 47-percent success rate is impressive, it’s minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn’t disappoint.

Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

[…]
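The Ars item above (and the Drupal breach notice earlier in this digest, which also exposed “hashed passwords”) turns on how a site stores passwords. The Python below is an added example written for this digest, not code from Ars Technica, Drupal or any of the articles. It first confirms the two MD5 digests the article quotes, then shows the storage scheme that makes a leaked list far harder to crack: a per-user random salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256) verified with a constant-time comparison. The iteration count, salt length and the `algo$iters$salt$digest` record format are my own choices, not anything the articles specify.

```python
import hashlib
import hmac
import os

# The two digests quoted in the Ars Technica article: MD5("password") and MD5("password1").
ARTICLE_DIGESTS = {
    "password": "5f4dcc3b5aa765d61d8327deb882cf99",
    "password1": "7c6a180b36896a0a8c02787eeafb0e4c",
}


def md5_hex(password: str) -> str:
    """Unsalted MD5 as used for the leaked list in the article.

    Fast, deterministic and unsalted: every user who chose "password" has the
    same stored digest, and an attacker needs one guess per candidate word to
    test it against the whole list at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_digests_match_article() -> bool:
    """True if our MD5 of each example password equals the digest Ars printed."""
    return all(md5_hex(pw) == digest for pw, digest in ARTICLE_DIGESTS.items())


# Parameters for the hardened scheme (assumed values chosen for this example).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: bytes = None) -> str:
    """Derive a stored record: a fresh random salt plus an iterated PBKDF2 digest.

    Record layout (this example's own convention): algo$iterations$salt_hex$digest_hex.
    Storing the parameters beside the digest lets the site raise the cost later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def salted_records_differ(password: str) -> bool:
    """Two accounts with the same password get different records.

    That is what a salt buys a defender: a cracked guess matches one account,
    not every account that chose that word, and precomputed MD5 tables are useless.
    """
    return make_record(password) != make_record(password)


if __name__ == "__main__":
    print("article digests reproduced:", unsalted_digests_match_article())
    rec = make_record("password1")
    print("stored record:", rec)
    print("correct password verifies:", verify_record("password1", rec))
    print("wrong password rejected:", verify_record("password", rec))
    print("same password, different records:", salted_records_differ("password"))
```

The contrast the article draws between what a newcomer and what seasoned crackers recover from 16,449 unsalted MD5 hashes is largely a property of that storage choice: unsalted MD5 lets one candidate guess be checked against every hash at once at hardware speed, whereas the salted, iterated scheme above forces each guess to be recomputed per account at a cost the site controls.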

[ISN] Obama Intelligence Agency Chairman Has His E-Mail Account Hacked By “Guccifer”

http://www.thesmokinggun.com/buster/guccifer-hacks-obama-intelligence-official-567983

The Smoking Gun
MAY 28, 2013

After detours targeting “Sex and the City” author Candace Bushnell and journalist Carl Bernstein, the hacker “Guccifer” has returned to his bread and butter criminality, breaking into the e-mail account of an Obama administration official who heads the National Intelligence Council.

The breach of Christopher Kojm’s personal msn.com account appears to have occurred within the past week, based on screen grabs from his account that were forwarded to TSG by the hacker.

Kojm, 57, is chairman of the National Intelligence Council (NIC), whose officers provide strategic assessments on future threats and trends to the Office of the Director of National Intelligence (which was formed post-September 11 to coordinate the U.S. government’s assorted intelligence agencies).

Pictured at right, Kojm is a former congressional staffer who has worked as a senior adviser to the Iraq Study Group and deputy executive director of the 9/11 Commission. Following the 2008 presidential election, Kojm was named a member of Barack Obama’s transition team, focusing on national security matters. In mid-2009 he was appointed to lead the NIC.

[…]