It’s amazing how much data our cell phones provide to so many different parties.
As we noted in several stories in the past few weeks, Carrier IQ software is installed on more than 140 million phones, including various Androids and iPhones, although Apple says it is in the process of stripping it out. Carrier IQ, handset manufacturers and wireless service providers have said the software is used only for diagnostic information to improve service, and that it is not used to record keystrokes or read users’ messages. However, the companies have faced questions from Sen. Al Franken (D-MN) and class-action lawsuits. How much data Carrier IQ collects from smartphones and what happens to it have not been fully answered, and the FBI’s statement does not clarify whether it is investigating Carrier IQ to determine if its software violates any federal laws, or if it is using data from Carrier IQ for other investigations.
via FBI using Carrier IQ info for “law enforcement purposes,” refuses to release records.
So again: Palin’s AOL account was hacked because it used publicly-known answers for password-retrieval questions, a common/known exploit exposed users on O’Reilly’s site, and password-reuse by users exposed their other personal accounts.
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.
The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.
The article doesn’t differentiate whether the portion of Bill’s site that was hacked contained cardholder data, so I don’t know if this will be considered a breach meriting PCI DSS penalties. But it’d be quite embarrassing for Bill if his site now has to post the “We’ve been hacked!” banner.
via Exclusive: How the FBI investigates the hacktivities of Anonymous.
This sure would be an annoying way to find out:
- That your home wireless is insecure, and
- That your neighbors are perverts.
The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. “You’re a creep… just admit it,” one FBI agent was quoted saying to the accused party. In all three cases, the accused ended up getting off the hook after their files were examined and neighbors were found to be responsible for downloading child porn via unsecured WiFi networks.
via FBI child porn raid a strong argument for locking down WiFi networks.
A happy update to the OpenBSD / FBI Backdoor story:
OpenBSD project leader Theo de Raadt disclosed an e-mail earlier this month in which former NETSEC CTO Gregory Perry claimed that his company was paid by the FBI to plant a “backdoor” in the OpenBSD IPSEC stack. The allegations led to a thorough code review and historical analysis of the relevant code.
In a follow-up e-mail published this week, de Raadt outlined his current perspective on the controversy and his interpretation of the findings that have emerged from the ongoing code audit. Reviews are being conducted on the history and provenance of code in the IPSEC stack as well as the current implementation. Reviewers have uncovered several bugs that could have security implications, but the nature of the bugs suggests that they were not intentional, nor were they intended to facilitate a backdoor.
via OpenBSD code audit uncovers bugs, but no evidence of backdoor.
Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI’s backdoors played a role in DARPA’s decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.
“I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI,” wrote Perry. “This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn’t want to create any derivative products based upon the same.”
via FBI accused of planting backdoor in OpenBSD IPSEC stack.
Interesting tidbit on how the FBI tracked down a Russian spammer:
So how did the FBI get its man this time around? By busting the US-based distributor of fake Rolex watches who used Mega-D to send a good chunk of his spam. That led them on a trail that culminated in ePassporte, a money transfer service, and they found Nikolaenko’s name and e-mail addresses attached to his account.
Nikolaenko had made another mistake: the e-mail accounts were Gmail addresses, and it was no trouble at all for the US to get a subpoena, forcing Google to cough up the account information. FBI agents found copies of the botnet software and much else of interest among the e-mails.
via How the FBI nabbed a Russian spam king in Las Vegas.