US man stole 130m credit card numbers


US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards. Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzales, 28, and two unnamed Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.

Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzales faces up to 20 years in jail for wire fraud and five years for conspiracy. He would also have to pay a fine of $250,000 (£150,000) for each of the two charges.

Gonzales used a complicated technique known as an “SQL injection attack” to penetrate networks’ firewalls and steal information, the US Department of Justice said.

According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The data could then be sold on, enabling others to make fraudulent purchases, it said.

Read the full story on the BBC News website.


Smartphones open to SMS attacks


Mobile handsets including iPhones and those using Windows Mobile or Google’s Android operating system are vulnerable to text-based attacks, say experts.

Software code that arrives in a text message can hijack the phones, said Charlie Miller and Collin Mulliner at the Black Hat conference in Las Vegas. The malware could knock phones off the network or access data and programs.

The team say that hackers could develop programs to exploit the weakness in as little as two weeks. The pair said that publicising the means of attack was necessary to ensure the problem was addressed.

“If we don’t talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what,” Mr Mulliner, an independent security expert, said.

The hack works by slightly modifying the data that arrives with an SMS message. The system that processes such messages is similar across different operating systems and can, once compromised, gain access across a range of applications including a phone’s address book or camera.

The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.

Read the full story on the BBC News website.

Google targets Microsoft with new OS


Google has issued its clearest challenge to rival Microsoft so far, by announcing its plans to create a new computer operating system aimed at laptop users. The Californian internet company said it is working on a lightweight system that is based on the Chrome web browser it launched last year.

“It’s our attempt to re-think what operating systems should be,” said the company on the Official Google Blog.

The first version of the system, which will be targeted at netbook computers – the small, portable laptops that have become popular in recent years – is due to be made available in the second half of 2010.

“Speed, simplicity and security are the key aspects of Google Chrome OS,” said the announcement. “We’re designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web.”

It added that there would be a heavy focus on creating a system that would not require users to worry about security holes and virus warnings.

Although the company was keen to keep expectations low by suggesting a focus on netbook computers, it will undoubtedly be hoping that it can make inroads against Microsoft, the software giant that has dominated the operating system market for more than a decade with Windows.

Read the full story on the Guardian website.

Missile data found on hard drives


Sensitive information for shooting down intercontinental missiles as well as bank details and NHS records was found on old computers, researchers say.

Of 300 hard disks bought randomly at computer fairs and an online auction site, 34% still held personal data. Researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia.

The information was enough to expose individuals and firms to fraud and identity theft, said the researchers. Professor Andrew Blyth said: “It’s not rocket science – we used standard tools to analyse the data”.

The research involving the Welsh campus was led by BT’s Security Research Centre and included researchers at Edith Cowan University in Australia and Longwood University in the US.

In addition to finding bank account details and medical records, the work unearthed job descriptions and personal identity numbers as well as data about a proposed $50bn currency exchange through Spain.

Read the full story on the BBC News website.

Botnet ensnares government PCs


Almost two million PCs globally, including machines inside UK and US government departments, have been taken over by malicious hackers.

Security experts Finjan traced the giant network of remotely-controlled PCs, called a botnet, back to a gang of cyber criminals in Ukraine.

Several PCs inside six UK government bodies were compromised by the botnet.

Finjan has contacted the Metropolitan Police with details of the government PCs and it is now investigating.

A spokesman for the Cabinet Office, which is charged with setting standards for the use of information technology across government, said it would not comment on specific attacks “for security reasons”.

“It is Government policy neither to confirm nor deny if an individual organisation has been the subject of an attack nor to speculate on the origins or success of such attacks.”

He added: “We constantly monitor new and existing risks and work to minimise their impact by alerting departments and giving them advice and guidance on dealing with the threat.”

Read the full story on the BBC News website.

GhostNets in the machine


It wasn’t until last Sunday that Scott Henderson knew he’d been duped. The former US army intelligence officer, along with his colleague “Jumper”, had been tracking an alleged Chinese hacker, nicknamed Lost33, who had promised him an interview. “Lost33 did not make contact with Jumper last night. In fact, it seems he spent the night changing his QQ number” – QQ is a popular Chinese instant messaging service – “and deleting all info from his blog. The website is now completely empty, except for a change to his personal data,” said Henderson on his blog.

Henderson had been tracking Lost33 after his email address turned up in an investigation called GhostNet. GhostNet started when Information Warfare Monitor (IWF), a team of cyberwarfare researchers created by Toronto University and the Canadian security thinktank SecDev, had been asked to conduct a security audit for the Tibetan government in exile. It had found malicious software on the Dalai Lama’s most sensitive computers.

The investigation found links back to command and control servers located mainly in China. From there, the IWF found infected computers under the control of those servers in 103 countries.

Read the full story on the Guardian website.

Why URL shorteners suck


Delicious founder Joshua Schachter says that URL shorteners like TinyURL are a bad idea, because they make the web more fragile, dependent on the shortener services as central points of failure. They also assist spammers, undermine googlejuice, and expose users to security vulnerabilities.

I agree – and I like Kottke’s suggestion: “With respect to Twitter, I would like to see two things happen: 1) That they automatically unshorten all URLs except when the 140 character limit is necessary in SMS messages. 2) In cases where shortening is necessary, Twitter should automatically use a shortener of their own.”

The transit’s main problem with these systems is that a link that used to be transparent is now opaque and requires a lookup operation.

“From my past experience with Delicious, I know that a huge proportion of shortened links are just a disguise for spam, so examining the expanded URL is a necessary step. The transit has to hit every shortened link to get at the underlying link and hope that it doesn’t get throttled. It also has to log and store every redirect it ever sees.”

Read the full story on the Boing Boing website.