Thursday 30 August 2007, 5:04 PM
Bill website hacked
Security company Websense is reporting that the official website for ITV police drama The Bill has been compromised by hackers.
"Websense Security Lab has discovered that the official Web site of The Bill, the popular TV series, has been compromised and laden with malicious JavaScript code meant to infect visitors with a Trojan horse," said the Websense press release.
Fortunately for fans of The Bill, "the malicious code failed to launch due to what appears to be sloppy work by the intruder. The failure occurred because the code that was placed to execute, was improperly placed on the wrong section of the Web site," continued the release.
"Websense believes that these are the same perpetrators behind three similar compromises of a UN website, a prominent bank in India and a large industry organization website."
"At this time, the malicious code is still on the [Bill] website," said Websense -- although if the code doesn't actually do anything, it'll only be dangerous if it's undetected, and is modified by the intruder, I'd say.
I rang ITV's press office to verify if this was true, but they didn't have a clue what I was talking about. I think the combination of "website", "hacked" and "malicious code" in the same sentence flummoxed them. I was duly transferred to Talkback Thames, the company that produces The Bill. I got halfway through a sentence explaining that I was a technology journalist looking into whether there was any mal[I'll just transfer you sir] before I was transferred to Talkback Thames' third party IT support company. I patiently asked whether they administered The Bill website, and was told they didn't. They recommended I ring... Talkback Thames. I rang them back, and got a different person on the phone who also didn't have a clue what I was talking about, but who suggested I ring Merton Studios, where The Bill is filmed. Needless to say, that number seems permanently engaged -- and something tells me they wouldn't be able to help, anyway. At this point one of our editors told me that it probably wasn't worth spending any more time on, so I throw down the gauntlet to you, ITV -- if there's no malicious code on The Bill website, do get in touch.
Update: The Bill got back to me with the following statement:
"Our hosting company were quick to react and resolve the problem as soon as this came to our attention. As reported, the code did not work and has now been removed. We have protocols in place and a constant process of monitoring to try to ensure this doesn't happen again."
So it seems the site was compromised after all.
Tuesday 28 August 2007, 5:18 PM
New Zealand to outlaw spam
New Zealand is to pass a law to make spamming illegal, according to NZ news site TV3.
"Next month the Unsolicited Electronic Messages Act will take effect - meaning spammers in New Zealand can be prosecuted," said the article.
"But the vast majority of spam coming from overseas will be just as bad as ever," the author gloomily pointed out.
Globally there is a complex patchwork of laws. The US CAN-SPAM act has been criticised for being too soft on spammers, especially due to the recipient having to opt out of receiving more spam. The majority of spam comes from the USA and Asia.
In Europe the Privacy and Electronic Communications Directive is supposed to have been enacted right across the board, but countries have enacted the Directive with varying degrees of penalty for spamming. In the UK, companies can be fined up to £5000 for spamming -- however, at the time of writing the Information Commissioner's Office had not prosecuted any UK spammers.
Thursday 23 August 2007, 5:17 PM
Alleged TJX data trafficker arrested
A Ukrainian man has been arrested outside a Turkish nightclub for allegedly trying to flog credit card details online, lifted from the victims of the TJX hack, reports the Associated Press.
The man, Maksym Yastremskiy, was arrested weeks ago on suspicion of trafficking data. Recently American law enforcement officials became interested in the case.
The arrest follows the Florida arrests of 10 people suspected of trafficking TJX data.
TJX, the parent company of clothing retailer TK Maxx in the UK and Marshalls in the US, reportedly used WEP encryption to transmit sensitive customer details around one of its Minnesota stores.
WEP encryption is widely recognised as being very easy to crack -- researchers from Darmstadt technical university cracked it in under three seconds in April using a standard laptop.
Wednesday 1 August 2007, 5:25 PM
Russian hackers steal over $500,000 from Turkish banks
Two Russian hackers have allegedly stolen over $500,000 from bank accounts in Turkey, according to Russian newswire Ria Novosti.
The hackers, who came from the Russian city of Togliatti on the Volga:
"purchased a dedicated server with remote access to a desktop hosted in a U.S. data center, and a special application capable of infecting banking computers in Turkey with a Trojan virus to obtain information on bank accounts, investigators said. One of the hackers has been arrested, and the other is on a [Russian] federal wanted list.
After processing the obtained information, the hackers transferred money to accounts of Turkish collaborators, who in turn cashed the money in and later transferred it to Togliatti via Western Union.
The Interior Ministry's investigation committee said there were a total of 265 registered money transfers totaling $508,000 between February 2005 and April 2007," according to Ria Novosti.
Herman Zampariolo, chief executive officer of Wabisabilabi, the controversial online auction house for software vulnerabilities, said:
"Based on the limited information released so far by the authorities in both countries, it is no wonder the Russian Interior Ministry has spent a lot of time and resources investigating the activities of these two men."
Tuesday 31 July 2007, 4:50 PM
PNR data not reduced, just squashed
The reduction of the number of data fields handed to US security services announced by the European Union was achieved by squeezing almost the same amount of data on to fewer lines, according to Out-Law.com.
Not really much of a concession by the US then.
According to Out-Law.com:
"A new passenger name records (PNR) deal was announced this week by the EU and the US. It covers how much information can be handed to US authorities about passengers on flights from Europe to the US and the conditions on which it was kept.
The US won major concessions from the EU, winning its demands to keep data for far longer and the ability to pass it on to other US agencies. The EU appeared to win one argument, reducing the amount of data transferred.
But the number of actual pieces of data asked for only reduced by two, to 32, and some extra information was asked for. The new PNR deal lists 19 data fields which will be collected on every passenger. Many of the fields include multiple pieces of information."
Virtually the same amount of data will be sent to the US, to do with as it likes.


