Kuji Media Corporation Ltd.

Hi-tech hackers have started to produce malicious programs that target the latest bugs in Microsoft’s Windows.
A worm has been spotted online that tries to use the vulnerabilities to hijack home computers.

Any computer compromised by the worm will become part of a large network set up to send out junk mail.

At the same time Microsoft is re-issuing a recent security patch which has made the Internet Explorer browser crash on some computers.

Spam sender

On 8 August Microsoft released a bumper collection of security patches for 23 separate flaws in Windows and programs in the Office software suite.

One of the problems identified in the August update was deemed so serious that the US Department of Homeland Security (DHS) issued a warning urging users to download the patch and apply it as soon as possible. The DHS has a role in securing America’s critical infrastructure which includes the internet.

Now security companies have caught copies of a worm travelling the net that tries to infect Windows machines via this loophole.

The Mocbot worm attacks machines running Windows 2000 or XP that only have Service Pack 1 installed.

“As Microsoft only issued a patch against this vulnerability last week, many Windows computers probably remain unpatched and vulnerable to these threats,” said Carole Theriault, senior security consultant at Sophos in a statement.

Computer security firms have seen two variants of this worm circulating online. Analysis by Joe Stewart at security firm Lurhq show that, once installed, it tries to download a trojan known to act as a spam proxy.

These are networks of compromised machines that junk mailers have been forced to use because so few net service firms will host companies that send out millions of unwanted messages.

Microsoft said it would be re-issuing one of the security patches because, in certain circumstances, it can cause the Internet Explorer browser to crash.

The problem occurs with the MS06-42 update which tried to fix eight separate vulnerabilities in the IE browser.

Relatively few users are thought to be suffering from the clash between IE and the security patches. Microsoft said it affected IE with Service Pack 1 installed but only if visiting websites that use data compression and the widely used version 1.1 of the HTTP web protocols.

Microsoft said it expected to have the new version of the MS06-42 update ready by 22 August. However, a “hotfix” has been made available but Microsoft said this should only be installed on those computers crashing because of the update.

The authorities in Chile have arrested four people who the police say are members of one of the world’s most successful groups of computer hackers.
The men are accused of breaching more than 8,000 websites, including that of US space agency Nasa.

One of the men, who has used the alias “Net Toxic”, is alleged to be one of the most prolific hackers in the world.

The men were detained in simultaneous raids in three cities in Chile, including the capital Santiago.

The Chilean police carried out the operation in co-ordination with Interpol and intelligence services from the US, Israel and several Latin American nations. The arrests came after an investigation lasting eight months, Chilean officials said.

The four men also allegedly managed to infiltrate the websites of the Chilean finance ministry and University of California at Berkeley in the US.

And they are accused of gaining access to government websites from a range of other countries, including Venezuela, Turkey and Israel.

Police in Moscow have arrested a group of hackers led by a 63-year old retired computer programmer, who they said was bitter about his small pension.

Police said the hackers worked from internet cafes in Moscow to steal numbers from credit cards belonging to clients in foreign countries.

Police said they then used the cards to make false purchases, using an online company they had created.

The hackers could face up to 10 years in prison, if convicted under Russian law.

According to police, computer fraud in the Russian capital costs businesses at least $12m a month.

The verdict in the Gary Mckinnon extradition trial was really no shock to me considering the political climate. Lets face it, this is not about hacking or security this is about politics and money. Cynical? You bet I am, having been through an almost identical situation, very similar computer intrusions and similar motives – the only difference was I was pre-terrorism mania where everything and everyone is a suspect.

Think about this, almost a decade ago machines belonging to the military, navy, army etc were broken into and this was the proof Congress needed to show that cyber terrorism existed. An unknown spy running rings of computer hackers to steal secrets for foreign governments. The fact that I was not a spy, and certainly not “possibly the single biggest threat to world peace since Adolf Hitler” didn’t really make much of a difference to the fear machine that was put in place selling the idea that cyber terrorism was a real threat.

Millions of dollars in budget increases, that is where the difference occurred. If you take the threat to be real (which it certainly wasn’t back then and highly unlikely to exist today) then this raises questions, namely;

1. Where have the mega budgetary increases actually been spent?

Education cannot be one of them, as if machines are left in a state of ‘unpatched since install’, with unpassworded points of entry – I cannot see that the money has gone to the improvement of sysadmin skills or awareness of the problems of being online.

If you compare the awareness by consumers of security threats, people have seriously woken up to the fact that unprotected they are just sitting ducks to the onslaught of manual and automated attacks.

Phishing, hacking, spam, bots, virii, worms – the majority of home users now have firewalls, anti virus software, spyware checkers etc – all of which have a much lower budget than the military. I suspect that as governments, unlike corporate entities do not have shareholders to answer to. They do not have to explain why their machines were offline and money was lost, that in fact they can just blame budget instead of actually being proactive and moving with the times.

2. If in this case as in mine, there were clearly many other hackers

with access to the same systems at the same time, why have they not been prosecuted or even mentioned?

This seems to me to be more proof of my theory that so-called super hackers are hauled in front of the courts when it is convenient for their cases to be used for ore proof of computer insecurity and the need for greater budgetary increases..

3. Where are the administrators and their bosses in this case?

In this political climate, one of the dark looming threat from the bad men all around us (as we are constantly reminded), to not secure machines properly they have committed federal offences. It is surely not good practice to have machines, sitting on the Internet, unfirewalled, unpassworded containing alleged sensitive information – and most likely a direct violation of their contract and training.

This is a sysadmins first job, to change any default passwords or to set ones where they are not needed – and certainly ensure that those machines are sitting behind a firewall. I am not trying to say that Gary was attempting to test their security, but if this was a corporate environment the sysadmin would have some major explaining to do.

4. Is the fact that the USA are fighting so hard for extradition a dig at our legal system?

Gary has admitted his guilt and wants his trial to be in the UK, so why can’t he be tried here? Could this be to do with the fact that most computer crime here (financial gain notwithstanding) is dealt with by means of fines. Do the USA see us as a soft touch? This brings the idea of two scenarios;

– Gary being tried by a jury of his peers. They hear the evidence and consider the fact that the machines were badly administrated and this is taken into consideration when sentencing.

– Gary being tried in a foreign country by a jury that hears he has ‘attacked their country’ this is bound to have a bearing on the sentencing.

A possible 70 years in prison, for what exactly? showing that in a decade the USA military have not learned, or at worst, blatantly ignored the security threats around them when it is they who tell us every day that we should be afraid.

In my case I was never debriefed by any of the authorities that I hacked, never asking how I did what I did – never asking me to comment on my peers or related community. Gary says he is guilty, why are we going to punish this man further by sending him to a foreign jail which are known for brutality against inmates: [http://www.hrw.org/reports/2001/prison/report.html]

– where is the leniency for admission of guilt? Let this guy talk to kids about how this trial has affected his life. Let this guy talk to governments.. Let this guy talk and discuss and explain.. don’t send him to a punishment likely to be worse than he would receive in this country for murder.

The extradition bill is being tested right in front of your eyes, it is a blatant decline in our civil liberties and a worrying step forward for our so-called democratic society.

Mathew Bevan
www.kujimedia.com

Criminal gangs taking over from amateur hobbyists

Owen Bowcott, Saturday June 11, 2005, The Guardian

Gary McKinnon is deemed to be so deviously manipulative at the keyboard that he has been banned from using the internet. He is not even allowed a passport. The peculiar bail conditions imposed this week on the 39-year-old computer systems administrator from Wood Green, north London, suggest that the law enforcement community stands in awe of his technological prowess.

Until his next court appearance, due on July 27, the tousle-haired programmer, who is fighting extradition to the United States, has been ordered to stay away from any computer connected to the web.

Mr McKinnon has gained international notoriety for his alleged ability to break into scores of sensitive US defence computers, steal secret passwords, sabotage email systems and delete military files. In the hi-tech world of online hacking, however, he is perceived as one of a dying breed of amateur hobbyists – those the Americans deride as “script-kiddies”.

Despite US prosecution claims that he perpetrated “the biggest military computer hack of all time”, Mr McKinnon’s supposed achievements are by no means unique. The attempt to extradite him to answer charges in Virginia and New Jersey is far more unusual. Systems run by Nasa, the Pentagon and the Department of Defence have long been hackers’ trophy targets. His misfortune, apparently, was to get caught, and to have carried out his explorations shortly after September 11.

According to security experts, US military sites are not the most heavily protected on the internet. They rely on the deterrent threat of legal action rather than deploying highly sophisticated software or enforcing best practice among military personnel.

Mathew Bevan, another British hacker arrested for breaches of security at Nasa and US Air Force sites, found himself similarly demonised by US lawyers as “the single biggest threat to world security since Adolf Hitler” back in 1994. The case against him eventually collapsed. Like Mr McKinnon, he was also hunting for evidence about UFOs hidden on military installations.

Mr Bevan, now 30, is an IT consultant and living in Wiltshire. “The security on US military machines is probably not much better than it was back then,” he said. “There were plenty of military machines with sensitive information that had account names with no passwords. Others had been left with the standard default passwords used by the manufacturers.

“University systems and corporations are much harder to break into than military machines: universities because there are always students testing their skills, and companies because they have shareholders demanding better security.”

In Britain, the hacking subculture that nurtured Mr McKinnon’s talents has been driven underground by diligent enforcement of the Computer Misuse Act, which since 1990 has criminalised those who gain unauthorised access to computer systems.

Mr Bevan typifies the career trajectory once pursued by teenage hackers. After years hunched alone over a computer screen, and an infamous brush with the law, he has graduated to running his own company, the Kuji Media Corporation, which offers security and technology advice.

“Hackers are a dying breed,” said Mr Bevan. “Organised criminals have cottoned on to the potential rewards. There’s viruses and trojan programs flooding out of places like Russia and Bulgaria these days.

“I get people asking, ‘Why is my machine running slowly?’ And when you look, there are 300 viruses, bits of adware [advertising programs] and trojans mucking up the system. Internet service providers should really be doing deals with security firms to provide virus-free connections.”

Mr Bevan said he spoke to Mr McKinnon in 2002, “after he was first busted”.

“He’s only been selected by US prosecutors because he’s an excellent scapegoat. Maybe the amount of recreational hacking is the same, but the volume of people on the net means far more are involved in genuinely nefarious activities.”

“Pharming”, for example, is the latest threat to the integrity of internet banking services. It has emerged from Estonia in the past few months. This cunning electronic fraud may force banks to issue customers with a new generation of identity devices.

Unlike “phishing” scams – which rely on the gullibility of those who receive emails urging them to log on to sites purporting to be their online bank and confirm passwords and account details – pharming is more insidious.

Customers’ computers are infected by a trojan program – either delivered through an innocent-looking email or inadvertently downloaded from a fake advert on the internet. When the user tries to log on to the online account, the hidden program diverts the web browser to a seemingly identical site operated by criminal gangs in eastern Europe. Their electronic identities are captured, then used to empty the accounts.

“There’s discussions about whether banks will eventually have to give out security devices for customers to plug into their computers,” said Sandra Quinn of APACS, the banking industry’s payments organisation. “Barclays have already carried out trials.”

Last year, online fraud cost British banks ?12m, an increase on previous losses. That figure was dwarfed, however, by the ?150m taken via what is known as “card not present” frauds, where goods are purchased over the telephone using stolen credit cards or simply their numbers.

The array of online threats grows all the time. Denial of service (DoS) attacks, where firms’ email systems are bombarded into overload, are frequently accompanied by blackmail demands for cash to switch off the onslaught. Last year, the bookmaker William Hill was targeted and then received a demand for $50,000 (?28,000).

“Bot” programs enable computers across the net to be hijacked by remote users who in effect turn them into “zombie” machines which can be used in DoS attacks. Keylogging programs can infiltrate computers and record the keystrokes customers make in typing in credit card numbers or passwords. The criminals behind these attacks are based mainly in eastern Europe, it is believed, because law enforcement there is relatively slack and there is a plentiful supply of skilled but poorly paid programmers.

“It’s a classic low-risk crime,” said Ms Quinn. “We have seen some police action, however, and now we are getting phishing attacks coming from China.”

Threats have also been made to call-centre staff working in the financial services sector in Britain, in an attempt to force them to record and hand over customer account details. Many companies now prevent staff from using pens or paper when they sit at their screens.

The difficulty in penetrating banks has encouraged gangs to combine online techniques with strongarm tactics. The reported theft of computer backup tapes from US financial institutions while in transit to storage facilities has generated concerns about the security of millions of customers’ accounts.

An attempt earlier this year to steal ?220m by electronic transfers from the London headquarters of the Japanese bank Sumitomo was foiled, but it sparked alarm about criminals infiltrating banks to carry out insider robberies.

“Gary McKinnon appears to be an example of the type of hacking that people have moved away from,” said Felicity Bull of the National Hi-Tech Crime Unit, which investigates major computer crime in Britain. “We know that organised crime is now hiring IT-literate workers.”

Some law enforcement agencies now question whether the Computer Misuse Act needs to be overhauled, enabling it to be used to prosecute those involved in DoS attacks.

In Washington, the secret service is the force responsible for combating online fraud and hacking. “There are still plenty of script-kiddies out there bragging about what they’re doing,” one agent, Jim Dobson, told the Guardian. Some were still at high school, he said, adding: “There’s a huge amount of information out there.”

Other threats, such as gangs in Russia targeting financial institutions, or those in Asia carrying out intellectual property thefts, have eclipsed the old-style hacker community, he acknowledged.

The rise of mobile phone technology has provided fresh opportunities for a new generation of hackers.

Meanwhile, wireless computer networks have been found to be particularly vulnerable, said Paul Carratu, whose Surrey firm carries out penetration testing to assess security systems. “People are not using the encryption devices they should.”

Last month, two British hackers, Jordan Bradley, from Darlington, and Andrew Harvey, from Durham, who belonged to an Anglo-US group called the “Thr34t Krew”, pleaded guilty in Newcastle to computer crime offences. The TK worm they released exploited a weakness in web servers and caused up to ?5.5m damage to companies using the net. They now face possible prison sentences.

It may be too soon to write off the perverse ingenuity of British hackers.

The lingo and what to look out for

Trojan (horse) An innocent-looking program concealing destructive intentions.

Pharming Hijacking online bank customers by infecting web browsers. They are redirected to fake internet sites and asked to disclose account details.

Phishing Sending out emails telling online account customers they must reconfirm IDs and passwords. When they hit reply they are sent to a cloned web page.

Key logging Programs which record keystrokes and can be used to retrieve credit card and PIN numbers.

Malware Umbrella term for assorted malicious software programs which sabotage your computer.

Zombies Online computers that have been infected by trojans and can then be remotely controlled to churn out spam emails at targeted sites.

Bots Programs used to infect and control computers which are then turned into zombies.

By Margaret Ryan – BBC News

As a Briton faces possible extradition to the US for alleged computer crime, a former hacker, whose prosecution collapsed, talks about the lure of breaking into systems.

Matthew Bevan had stood accused of mounting a determined “information warfare” campaign against the US air force and leading defence contractors in 1994.

The case against Mr Bevan collapsed
US Senate hearings were initially told the security breaches were the work of highly skilled foreign agents.

Mr Bevan, whose hacker alias was Kuji, was charged with conspiracy and faced accusations of being an Eastern European spy.

But the truth was somewhat more prosaic, said the 30-year-old computer consultant.

“I was just a kid in my bedroom hunting for UFO information.”

Then a computer programmer for an insurance firm, he says he had previously been bullied and had felt ostracised by his peers.

“But the computer system was a place where I was king and showed power.

“In the real world I had none and I was quite defenceless. I didn’t deliberately cause any damage.”

Thrill of the chase

But the amateur hacker’s pastime landed him in court in the UK after his activities came to the attention of the US authorities and the British police tracked him down.

Mr Bevan can only talk about his own experiences – but his case, he believes, was overblown from the start as he was portrayed in the States as a spy running rings of spies.

It’s like a parent finding their child’s diary. You know you shouldn’t look at it but you just can’t help yourself

“At the time I was ‘the single biggest threat to world security since Adolf Hitler’,” he said.

By the time his case came to court the allegations made against him had died down.

The case against him finally collapsed in 1997 after the judge was told he posed no threat to security.

Another, a 16-year-old defendant, was fined £1,200 after admitting breaking into a number of US military systems.

Mr Bevan, who now lives in Wiltshire, freely admits that, for hackers, successfully breaking into systems provides an ego boost.

Reports claiming that UFO were being held secretly at American military installations had set the young hacker down the path of trying to find out more.

“It’s an adrenalin rush. It’s like a parent finding their child’s diary.

“You know you shouldn’t look at it but you just can’t help yourself.

“You know it’s wrong but you still do it. It becomes addictive,” he explained.

Competitive element

More than a decade on Mr Bevan understands the havoc hackers can cause in compelling companies to install more security, but resents the suggestion his actions were done out of malice.

“It’s like a spider’s web – once you break into one machine you can compromise a few accounts.

The search for UFOs prompted Mr Bevan’s hacking

“You may go into a machine not with the intent to find anything but just as a staging ground for another computer system.”

“It’s a case of ‘how many computers can I hack into in two hours?’ We used to have competitions.”

But he claimed hackers had been “tainted” by the rise in identity theft and viruses.

For the hacker, he argued there is an ethical code that information should be free and there are strict rules about using that information.

He believes companies have to accept some responsibility for hacking, arguing insurance firms would not generally pay out on insurance claims if it could be shown that not enough care had been taken in guarding against it.

To this day he believes his arrest was politically motivated, suggesting hacking cases make headlines when companies want funding to fight cyber crime.

“In my cynical view the powers that be decided ‘we’ll have you two and make a good example of you'”, he said.

Childhood pursuit

He says he had already left hacking behind him before the day he was arrested at work.

Since his case was dropped the world of hacking has changed but he believes the potential for disruption remains stronger than ever as young people become ever more computer literate.

“When I was doing it people didn’t have net access in the UK. I was dialling up to the States,” he said.

For many hacking is a young person’s pursuit that they eventually grow out of, he suggested, but before they do the potential for disruption is incalculable.

“They [children] are smart and can develop skills that adults can’t keep up with,” he said.

A British man who allegedly hacked into US military and Nasa computer networks has been arrested, say Scotland Yard.

Gary McKinnon, 39, of Wood Green, north London, faces extradition proceedings over claims he hacked into 53 military and Nasa computers in 2001 and 2002.

The US government believe tracking and correcting the alleged problems has cost around $1m (?570,000).

Mr McKinnon is being held at a central London police station and will appear at Bow Street Magistrates Court.

Mr McKinnon was arrested by officers from the Metropolitan Police Service Extradition Unit on Tuesday night around 1830BST.

Mr McKinnon is charged with the biggest military computer hack of all time

The unemployed computer systems administrator, who is known on the internet as `Solo’, is due to appear in court on Wednesday.

He is accused of hacking into computer networks operated by Nasa, the US Army, US Navy, Department of Defence and the US Air Force.

One of the networks belonged to the Pentagon.

If he is extradited and found guilty, Mr McKinnon faces a maximum penalty of five years in prison and a ?157,000 fine.

The Briton was indicted in 2002 by a Federal Grand Jury on eight counts of computer-related crimes in 14 different states.

It claimed that he hacked into an army computer at Fort Myer, Virginia, obtained administrator privileges and transmitted codes, information and commands.

Unauthorised access

He is accused of then deleting around 1,300 user accounts.

The indictment alleged Mr McKinnon also “deleted critical system files” on the computer, copied a file containing usernames and encrypted passwords for the computer, in addition to installing tools to gain unauthorised access to other computers.

A loss of over $5,000 (£2,725) to the Army stemmed from the alleged damage, according to the indictment.

At the time of the indictment, Paul McNulty, the US Attorney for the Eastern District of Virginia, said: “Mr McKinnon is charged with the biggest military computer hack of all time.”

http://news.bbc.co.uk/1/hi/uk/4071708.stm

Channel 4 – The Heist.. got 1.7 million viewers for each episode..

Wasn’t quite what I had hoped for, but hey.. you do the show you put your life in the hands of the directors and editors… wasnt too bad.. but apparently most of what I said and did had to be cut out for “legal reasons”… bah…. Look out for some snippets on this site someday of the bits “too hot for tv”… 80)

Ok, so I may be lazy and not update this site (All you studying A Levels– work harder than I did heh) I have been busy, and there is a three part channel 4 programme due soon.

Channel 4 broadcast date (may change) of Mon.July 12th 9pm. Programme will be called ‘Cat and Mouse’ or ‘The Heist Society’..

Basically a group of ‘experts’ are brought together and set a task of performing a robbery under strict conditions and as real life as possible. Very similar to performing penetration exercises, only the top brass know whats going on.. so essentially it *IS* a real life test of the organisation.

Each episode covers a different robbery/task… and in each I am the technology guru / hacker…. tune in and let me know… nothing like a bit of James bond — (G.Morgan would be proud !!)

Apart from that there are sure to be some interesting things popping up after that… I might digitise some of the older progs I have done and put them up, for old time’s sake..

By Ted Bridis, The Associated Press Apr 29 2003 2:08PM
British authorities arrested a man Tuesday believed to head a group of hackers known as “Fluffi Bunni,” which used a stuffed pink rabbit to mark attacks that humiliated some of the world’s premier computer security organizations.

Fluffi Bunni captured the attention of the FBI just days after the Sept. 11 terror attacks, when thousands of commercial Web sites were vandalized with a single break-in that included the message, “Fluffi Bunni Goes Jihad.”

The FBI characterized the act in a November 2001 report as an anti-American cyberprotest against the war on terrorism.

Lynn Htun, 24, was arrested by Scotland Yard detectives on outstanding forgery charges while attending a prominent trade show in London for computer security professionals, InfoSecurity Europe 2003, authorities said.

British authorities did not mention of Htun’s alleged hacking. A U.S. official, speaking on condition of anonymity, said Htun is wanted in America in connection with a series of high-profile hacking cases blamed on Fluffi Bunni. Investigators believe Htun was the group’s leader and referred to himself as Fluffi Bunni, the official said.

Authorities in London indicated they would release more information Wednesday about Htun’s arrest, although the continuing investigation into Fluffi Bunni hackers was sensitive and other arrests could be possible.

Fluffi Bunni embarrassed leading Internet security organizations by breaking into their own computers and replacing Web pages with a message that “Fluffi Bunni ownz you” and a digital photograph of a pink rabbit at a keyboard. The attacks, which began in June 2000, lasted about 18 months, then stopped mysteriously and created one of the Internet’s most significant hacker whodunits in years.

“I thought he’d never be caught,” said Jay Dyson, a consultant who formerly helped run one of the victim Web sites. “He was clever and had the patience of a saint. The targets he chose were ones that were really high profile, and ones you’d think would be above reproach when it comes to issues of security.”

Victims have included the Washington-based SANS Institute, which offers security training for technology professionals; Security Focus, now owned by Symantec Corp.; and Attrition.org, a site run by experts who formerly tracked computer break-ins. Other victims included McDonald’s Corp. and the online security department for Exodus Communications Inc., now part of London-based Cable & Wireless plc.

“The guy was playing a game of `gotcha.’ He wanted to prove that even firms that specialize in security can be hacked,” said Mark Rasch, chief security counsel for Solutionary Inc. and a former Justice Department cybercrime prosecutor. “It’s like someone who robs banks to prove that banks can be robbed.”

Brian Martin, who ran the Attrition site with Dyson and others, said Fluffi Bunni quickly generated a fearsome reputation across the underground because of the group’s choice of targets. Martin determined that a hacker broke into another user’s computer, allowing him to assume that person’s digital identity and briefly take over the Attrition site with a Fluffi Bunni message.

“He would break into companies that are there to secure you,” said Martin, who never reported the crime to the FBI. “It’s a challenge, and there’s some irony behind it.”

Targets frequently were attacked indirectly. Instead of trying to break into the heavily protected Security Focus Web site, someone hacked an outside computer that displayed advertisements on the site. The ads were replaced with taunting messages and images of the pink rabbit at the keyboard.

Copyright 2003 Associated Press. All rights reserved.
This material may not be published, broadcast, rewritten, or redistributed.

http://www.securityfocus.com/news/4320