Tag Archives: Hackers

Hackers Have Figured Out How to Steal Millions from ATMs


GIZMODO
by Adam Clark Estes
April 3, 2014

 

 

A woman withdraws money from an ATM in the Cypriot capital of Nicosia, on March 16, 2013. Eurozone finance ministers agreed on a bailout for Cyprus, the fifth international rescue package in three years of the debt crisis. AFP PHOTO/BARBARA LABORDE (Photo credit should read BARBARA LABORDE/AFP/Getty Images)

 

Federal regulators just alerted banks across the country to a very dangerous new skill ATM hackers have picked up. They can trick ATMs into spitting out unlimited amounts of cash, regardless of the customer’s balance. Not only that, but they can also schedule the illicit withdrawals for holidays and weekends, when the ATMs are extra flush.

We’ve heard of crazy ATM hackers before, but this really takes the cake. It’s a triple threat, really. The ability to skirt around daily ATM withdrawal limits is bad enough, since the hackers aren’t limited to $500 or whatever the limit is on any single account. But the fact that the hackers can now extract more than what’s in a customer’s account, combined with the scheduling method, means that any given ATM theft could now be an all-out heist. That’s why the Secret Service is calling this strategy Unlimited Operations.

Heists are exactly what’s happening, too. “A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” said the Federal Financial Institutions Examination Council in its alert to banks. The regulators believe that the hackers have actually been targeting bank employees with phishing scams in order to get their malware installed on the banks’ computer systems. The Los Angeles Times explains how it’s done:

Criminals use the malware to obtain employee login credentials and to determine how the institution accesses ATM control panels, often based online, that allow changes to be made in the amount of money customers may withdraw, geographic usage limits and how fraud reports are generated.

After hacking the control panel, criminals withdraw funds by using fraudulent cards they create with account information and personal identification numbers stolen through separate attacks, the regulators said. The PINs may be stolen by malicious software or scanning programs at merchant sales terminals or ATMs, or by hacking into computers.

It also doesn’t help that the recent Target breach put millions upon millions of card numbers out in the open, giving hackers even more fraudulent cards to work with.

For those that’ve been hit by one of these attacks, federal insurance will kick in, but it’s a huge pain in the ass for everyone. So in a twisted sort of way, these ATM hackers are inevitably taking your tax dollars. That mobile payments revolution everyone keeps talking about can’t come soon enough, can it? [LAT]

** RELATED ARTICLE: 

Hackers Can Force ATMs to Spit Out Money With a Text Message

 

Direct Link:  http://gizmodo.com/atm-hackers-have-figured-out-how-to-withdraw-unlimited-1557714644

US government releases draft cybersecurity framework


NIST comes out with its proposed cybersecurity standards, which outline how private companies can protect themselves against hacks, cyberattacks, and security breaches.

 

C/NET News
by Dara Kerr
October 22, 2013

 

According to NIST, all levels of an organization should be involved in cybersecurity. (Credit: The National Institute of Standards and Technology)

The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.

The aim of NIST’s framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.

The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.

“The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally,” reads the draft standards. “The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”

Obama’s executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency’s surveillance program was revealed.

Some of the components in Obama’s order included: expanding “real time sharing of cyber threat information” to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a “review of existing cybersecurity regulation.”

Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a “cyber 9/11” could happen “imminently” — crippling the country’s power grid, water infrastructure, and transportation networks — hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.

In May, Congress released a survey that claimed power utilities in the U.S. are under “daily” cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported “daily,” “constant,” or “frequent” attempted cyberattacks on their computer systems. While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems — but rather attempts to hack their networks.

While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.

In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government’s cybersecurity policy and have not yet been finalized.

NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.

 

Direct Link:  http://news.cnet.com/8301-1009_3-57608834-83/us-government-releases-draft-cybersecurity-framework/

 

 

Network Solutions reports more DNS problems


PC World / IDG News Service
by Jeremy Kirk
October 22, 2013

 


Network Solutions said Tuesday it was trying to restore services after another DNS (Domain Name System) problem.

The latest issue comes two weeks after a pro-Palestinian hacking group redirected websites belonging to several companies whose records were held by Network Solutions, owned by the company Web.com.

Efforts to reach a company spokesperson were not immediately successful.

“We apologize for the issues our customers have experienced as a result of an incident on the Network Solutions DNS,” the company wrote on Facebook. “We’re in the process of restoring services, and we appreciate your patience as we work toward resolution.”

The DNS is a distributed address book for websites, translating domain names such as idg.com into an IP address that can be called into a Web browser. In the past few months, hackers have targeted companies that register domain names and their partners.

A successful DNS hijacking attack can cause thousands of Web surfers visiting a high-profile website to be redirected to another site even though they’ve typed in or browsed to the correct domain name.

Avira, a security company affected by the attacks two weeks ago, said hackers gained access to its Network Solutions account via a fake password-reset request. Claiming responsibility was a group calling itself the “Kdms Team,” which also attacked the hosting provider LeaseWeb about two days before.

In a separate problem, Network Solutions said Monday some customers could not send email after it was blacklisted by a security company, Trend Micro, and other anti-spam services.

In July, Network Solutions fought off a distributed denial-of-service (DDoS) attack that knocked websites offline, as well as problems with MySQL databases.

 

Direct Link:  http://www.pcworld.com/article/2056920/network-solutions-reports-more-dns-problems.html

 

Microsoft to patch zero-day IE bug now under attack


Eight updates will plug holes in IE, Windows, Office, SharePoint and Silverlight

 

ComputerWorld
by Gregg Keizer
October 3, 2013

 


Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.

“The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505,” confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.

Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.

“IE is always top of the list,” said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.

On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.

Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.

“Once it went into Metasploit, I anticipated an early release of a patch by Microsoft,” said Storms today. “Obviously the patch is done, but Microsoft’s and its partners’ telemetry must have shown that there were no reasons to go out-of-band.”

Historically, Microsoft has issued “out-of-band” updates — those outside the normal monthly release schedule — only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.

The early date of October’s Patch Tuesday — always the second Tuesday of the month — may have played a part in Microsoft’s decision to hold the update and not go out-of-band, Storms said.

The IE update was just one of four rated “critical” by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft’s advanced notification distributed today.

Experts recommended that customers install the Windows updates as soon as possible after their release. “Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update,” warned Storms.

Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.

The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn’t interested in developing further.

Because the Office-related vulnerabilities were ranked as “important” even though Microsoft said hackers could exploit them to plant malware on customers’ PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.

“Being exploited via a drive-by is not going to happen,” said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.

Microsoft will release next week’s security updates on Oct. 8 around 1 p.m. ET.

 

Direct Link:  http://www.computerworld.com/s/article/9242950/Microsoft_to_patch_zero_day_IE_bug_now_under_attack

FBI spooks use MALWARE to spy on suspects’ Android mobes – report


Spear-phishing: It’s not just for the bad guys

The Register / UK
by Bill Ray
August 2, 2013

 


The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.

The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.

It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.

Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect’s hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.

Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.

The WSJ cites UK-based lawful spook spyware supplier Gamma International as selling such exploits to the Feds. The company was recently in the news after allegations that it was also supplying dodgy governments with kit – allegedly including malware disguised as the Firefox browser.

Given the convergence of mobile and desktop, it’s no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.

The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as they would against any spear-phishing attempt. But then again, if you know that, they probably wouldn’t try using it against you.

 

Direct Link:  http://www.theregister.co.uk/2013/08/02/fbi_staff_admit_hacking_android/