Jul
10th

German court clears WiFi theft victims of responsibility for copyright infringement of others

According to a decision by the Frankfurt Court of Appeal, the victims of WiFi theft can’t be held responsible for the thieves’ copyright infringement. The same court that previously ruled parents can’t be held responsible for the file sharing activities of their children overturned a lower court’s decision, and potentially dealt a blow to the campaign being waged by a UK law firm against several hundred people for alleged copyright infringement.

Lawyers at Davenport Lyons have been sending out letters to alleged UK file sharers pointing out the German court ruling making individuals whose WiFi connection is used by others without authorization responsible for any infringement. They went on to point out that it was likely that decision would be echoed by UK courts. Don’t expect to see a similar claim about this new decision.

With the possible implications of the ruling, don’t be surprised to see yet another round of arguments before things are decided for sure. Christian Solmecke, a lawyer currently defending around 500 file-sharers, said, “The future will show us what the highest court in Germany - the Bundesgerichtshof - says to this difficult question.”

Jun
19th

Student hackers’ group exposed after tip-off

CHENNAI: Police on Tuesday arrested a college student for purchasing electronic goods online using credit card details of card holders from across the world.

T Bharathwaj Purohit (20), a resident of MKB Nagar and a member of a community of hackers, had been buying electronic goods online using other people’s credit cards since April.

Police recovered an electric guitar, a printer, an LCD TV, a digital camera, a weighing scale, a mobile and a laptop all worth Rs 3 lakh, and Rs 38,500 in cash from him. Purohit met Charu Sharma of Mumbai and Hathi Gogaiyan of Ahmedabad online a few months ago. They introduced him to an online hackers’ community on the net and gave him credit card details to make purchases.

“Following Sharma and Gogaiyan’s advice, Purohit tried to book an expensive mobile and i-pod using the data they provided. To his surprise, he received the items within a week. He also couriered the valuables to them as gifts. He started buying more goods online on eBay, an online auction website,” deputy commissioner of police B Vijayakumari said.

Sharma and Gogaiyan had given Purohit details of US credit card holders. Following complaints from an eBay investigation officer, the city police arrested Purohit. He had made his purchases from his personal computer. The police, with the help of the cyber crime wing, tracked down his IP address. Preliminary inquiries revealed that this group of hackers got bank accounts and credit card details of people for a price.

“We have received information that the Mumbai police cornered Sharma and Gogaiyan a few days ago for another credit card cheating case in Mumbai. We have taken Purohit into custody to get more details,” a senior police officer said.

Police booked Purohit under several sections of the IPC, including 420 (cheating). He was remanded in judicial custody after being produced before the magistrate court on Tuesday.

May
13th

Hacker exposes six million Chileans’ data to make a point

A Chilean hacker posted sensitive information about six million of his compatriots on the Internet, apparently in an act of protest against the government’s lax data security.

According to Chilean newspaper El Mercurio, details including people’s addresses, phone numbers, ID numbers, email addresses and even academic records were all laid bare for the world to see on a popular technology blog called FayerWayer. Links to additional information were also posted on a website called “ElAntro”.

The information was mined from various different Chilean government and military sites, including the Ministry of Education, state telephone firms and the Electoral Service website. “Nobody bothers protecting that information”, the hacker allegedly wrote in explanation of why he felt the urge to expose six million of his countrymen to identity theft.

Chilean Police commissioner Jaime Jara told El Mercurio that the police were investigating. However, the fact that it took the slow-poke Chilean authorities hours to twig what had happened, and then several more hours to get round to removing the private data, goes quite a way to proving the hacker’s point.

L’Inq AFP

Apr
17th

Hackers issue BT Home Hub warning

Ethical hacking group GNUCitizen.org has warned that the default settings on one of the UK’s most widely used wireless routers are leaving customers open to attack.

The group showed in a blog posting that the BT Home Hub, the wireless router supplied to BT Broadband customers, uses algorithms that make the device easy to crack when in default mode.

Using reverse-engineering techniques the group said that the hub’s Wired Equivalent Privacy (WEP) keys can be predicted in just 80 guesses, but had decided against making its automated guessing program publicly available.

GNUCitizen’s findings appear to confirm long-term concerns about the security of the WEP encryption protocol.

“It is quite likely that the bad guys can break into your network if you are using the default encryption key. Our advice is to use WPA rather than WEP and change the default encryption key now,” GNUCitizen said.

Responding to the criticisms, BT denied that real-life users of the device were in any serious danger of hack attacks.

“It is important to realise that, although it has been possible to demonstrate a scenario where the hub may be vulnerable, we do not believe it is something that should affect the majority of BT customers in real life,” the company said in a statement.

BT, which has published details on how to more effectively secure the router, said that other operators supplying the Thomson-manufactured device were also affected by the issue.

Apr
16th

Attackers exploit recent Microsoft fix

Hackers continue trying to exploit a patched vulnerability in Microsoft’s Graphic Display Interface (GDI), researchers said this week.

Craig Schmugar, threat researcher at McAfee, reported that the first exploit was discovered on Friday, three days after the issue was patched by bulletin MS08-021.

“One method the bad guys use is to take the patch and reverse engineer it,” Schmugar said on Tuesday. “They look at the files on the computer prior to installing the patch and then after, and try to compare the two and see how they can take advantage of the change.”

The exploit – which can permit remote code execution if a user opens a specially crafted EMF or WMF image file – does not affect customers who have installed the updates detailed in MS08-021, said Bill Sisk, security response communications manager for Microsoft.

“By default, Microsoft Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 customers will have this update applied automatically through Automatic Updates,” Sisk said.

Microsoft encourages all customers to apply its most recent security updates to help ensure that their computers are protected from attempted criminal attacks.

Schmugar said that GDI has had vulnerability issues in the past. The fact that Microsoft credited three researchers with discovering the flaw suggests that multiple people were looking for potential problems and more problems could be on the way.

Apr
15th

CEOs targeted by subpoena spam

Thousands of chief executives in the United States were targeted Monday by a new round of phishing emails that claim to contain a subpoena ordering recipients to testify in federal court.

Instead, the executable file said to contain the subpoena actually is an information-stealing trojan, John Bambenek, a handler at the SANS Internet Storm Center and an information security researcher at the University of Illinois in Champaign, told SCMagazineUS.com.

“The idea was a very good one,” he said. “People see a subpoena and they’re like, ‘Oh crap,’ especially a CEO.”

The malicious executable creates a browser-helper object (BHO) and opens a hidden window in Internet Explorer, which communicates with a command-and-control center in Singapore and can install malware such as a keylogger, Bambenek said. The BHO also steals digital certificates installed on the recipient’s computer.

“Since you’re talking about CEOs of companies, that could potentially be big,” he said. “People can authoritatively send out emails or notifications as a CEO of a company and digitally sign them.”

The scammers behind this digital assault were the same individuals responsible for fake emails purporting to be from the Better Business Bureau, he said. However, the senders were sloppy in their latest run.

“If you paid attention, there were lots of clues this wasn’t kosher,” Bambenek said. “The biggest one is that you’re not going to get served over email. The court would simply not take it seriously. You have to be served the old-fashioned way.”

Other giveaways that the email is a hoax include invalid headers, bogus case numbers and grammatical and spelling errors, he said.

The emails, though, come packed with social engineering tactics, including the recipient’s full name, company name and work phone number, which distinguish them from run-of-the-mill junk mail, said Sam Masiello, director of threat management at MX Logic.

“By targeting C-level executives, the technique used in this type of attack is called ‘whaling,’” he said. “It is called whaling because they are trying to get the largest fish that they can on the hook, people who are generally more affluent and stand more to lose, both personally and professionally.”

Apr
14th

Pro-smoking website redirected to ‘baccy free zone

Hackers attacked the websites of two organisations campaigning against the smoking ban last week, redirecting UK users to the NHS Smokefree site.

The attack, which targeted British organisation Freedom2Choose and Forces International, lasted 11 hours. Freedom2Choose webmaster Steven Cross said the redirect appeared to have been caused by a DNS poisoning attack.

“One hour after the attack we received a phone call about what was happening, but there was not much we could do since it was not our server that had been attacked,” he explained.

Freedom2Choose vice chairman Andy Davis said (without apparent irony): “It appears that Freedom2Choose has annoyed someone high up - it seems they don’t want the truth to get out.”

Both groups claim the smoking bans are based on fraudulent scientific claims about passive smoking. “Five out of six studies show second-hand smoke to be entirely harmless,” says Davis.

A spokeswoman for Freedom2Choose said that the organisation was funded by members and run by volunteers. It has 85 members who pay £10 to join.

Forces International president Stephanie Stahl said: “To redirect our UK visitors to an anti-smoking website shows that the anti-smoking movement must be very nervous about the information our pro-freedom groups provide. Domain names are sacred on the free-spirited information super highway - we trust that those responsible for this serious violation will be identified and held accountable.”

No one has been fingered as the author of the attack but, much to the relief of the tobacco-fanciers, both sites are working now. No matter how healthy the NHS Smokefree site may be, its content will never be as amusing as reading the claims that the smoking ban is a case of “social engineering”, or that the ban in NY is “causing all kinds of problems [and] ‘bad vibes’”.

Apr
10th

White hat hackers infiltrate a power grid in one day

A team of experts headed by security guru Ira Winkler was hired by an anonymous power company to test the security of a power grid’s network. The door was practically held open for them.

In a matter of hours, the team infiltrated the grid’s supervisory control and data acquisition (SCADA) networks using simple phishing tools: social engineering and browser exploits.

Social engineering is seen by many as a glamorized confidence trick. The penetration team checked distribution lists for SCADA user groups, harvested appropriate email addresses, and then employed a simple trick to gain the targeted user’s access. Employees were sent an e-mail about a plan to cut their benefits which included a link to a Web site with “more information.” The address linked to malware that granted the hackers remote access. The trick was effective within minutes.

What could be done given the level of access these white hats obtained would not be limited to simply shutting down a grid, like a group of hackers managed to do for 17 days to a “practice network” in California in 2001. In comments to CNN last year regarding a leaked video of a staged hack that resulted in the self-destruction of a power generator, Joe Weiss of Applied Control Solutions said, “What people had assumed in the past is the worst thing you can do is shut things down. And that’s not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve — have bad things spew out of a valve.”

Winkler says that these SCADA systems suffer the same vulnerabilities any system does that runs on the same standard operating system and server hardware. Companies have perpetuated the weakness of these systems by not performing important software upgrades because they would force downtime.

But a scheduled downtime is no doubt preferable to suffering the consequences of an exploit. Winkler stressed the seriousness of security in these systems while maintaining a lighthearted air to his job, “We had to shut down within hours,” Winkler says, “because it was working too well. We more than proved that they were royally screwed.”

Ten years ago Wired published an article called Hacking the Power Grid, which included the following: “With deregulation, there is an increasing interest in energy futures trades at the commodities exchange on Wall Street. [IBM senior consultant Nick] Simicich said hackers might use social engineering techniques to obtain passwords to computers with access to the networks containing sensitive information from these sources.”

Apparently little has changed in a decade.

Apr
9th

Hack steered Coast Guard e-learning users to al Jazeera site

Last summer, hackers manipulated the Coast Guard’s E-Learning system so that users were redirected to a Web site operated by al Jazeera, an Arab news organization, said the service’s chief information officer.

Field information systems security officers informed the Coast Guard Computer Incident Response Team of the problem, and the service took the E-Learning system offline to mitigate risks to its network while the response team conducted an investigation, said Rear Adm. David Glenn, assistant commandant and chief information officer. He spoke at a meeting of the Armed Forces Communications and Electronics Association in March.

The Coast Guard took down the E-Learning system, used by its 36,000 uniformed and civilian personnel, for 45 days while it conducted the investigation. The service took corrective action to ensure such an incident could not happen again, said Lt. Nadine Santiago, a Coast Guard spokeswoman. She said the Coast Guard took the system down two hours after it discovered traffic had been re-routed to al Jazeera.

Glenn said the redirection of the traffic going to the E-Learning system was the result of cross-site scripting, a well-known security vulnerability that allows hackers to inject code into Web pages. The application program the E-Learning system uses was vulnerable to the hack because of the way the site was coded.

Santiago said the Coast Guard determined that the vulnerability was with the Inquisiq Learning Management System, developed by ICS Learning Group in Severna Park, Md., and used in the E-Learning system’s unit leader development program. Ed Gipple, president of ICS, acknowledged that Inquisiq, which runs on about 50,000 lines of software code, had a bug, which the company now has fixed.

Brian Kleeman, chief technical officer of ICS, said the problem with the E-Learning system started with a Structured Query Language database, which inputs executable code into the system. That eventually executed a cross-site script that directed users to the al Jazeera site. SQL is a standard way to request information from a database.

Kleeman said his company’s fixes now ensure that the executable code cannot be entered into the SQL database.
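The stored-content pattern described above, as an added example that is not part of the original article or of the Inquisiq code: text held in a SQL table is rendered first as raw markup and then with output escaping, followed by an audit pass that flags rows carrying active content. The table layout, function names and the redirect URL are assumptions made up for illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: one benign course description and one that carries
# a script-based redirect of the kind the article describes.
SAMPLE_ROWS = [
    (1, "Unit Leader Development", "Covers <b>leadership</b> basics."),
    (2, "Boat Crew Refresher",
     "Welcome.<script>location='https://redirect.example.invalid/'</script>"),
]

# Markers of active content in stored text (script-capable tags, inline
# event handlers, javascript: URLs). A heuristic for audits, not a filter.
ACTIVE = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I)


def build_db():
    """Create an in-memory database with a hypothetical 'course' table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE course (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    # Parameterised insert: values are bound as data, never spliced into SQL.
    db.executemany("INSERT INTO course VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def _fetch(db, course_id):
    return db.execute(
        "SELECT title, body FROM course WHERE id = ?", (course_id,)).fetchone()


def render_unsafe(db, course_id):
    """Vulnerable pattern: stored text is pasted into the page as markup."""
    title, body = _fetch(db, course_id)
    return f"<h1>{title}</h1><div>{body}</div>"


def render_safe(db, course_id):
    """Hardened pattern: every stored value is HTML-escaped at output time."""
    title, body = _fetch(db, course_id)
    return f"<h1>{html.escape(title)}</h1><div>{html.escape(body)}</div>"


def find_suspect_rows(db):
    """Audit pass: ids of rows whose stored body contains active content."""
    rows = db.execute("SELECT id, body FROM course ORDER BY id")
    return [row_id for row_id, body in rows if ACTIVE.search(body)]


if __name__ == "__main__":
    db = build_db()
    print(render_unsafe(db, 2))   # script tag reaches the browser intact
    print(render_safe(db, 2))     # same text arrives as inert characters
    print(find_suspect_rows(db))  # rows to review and clean
```

Escaping at output protects pages even when bad data is already in the table, while the audit pass finds the rows that need cleaning.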

Glenn said the Coast Guard came away from the incident with some valuable “lessons learned,” starting with the realization that “applications are now the focus of attack.” This means the service needs to conduct a security assessment of all applications running on its network and to adopt new procedures for contracting development of computer applications with a requirement for security testing built in, Glenn said.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said any organization that buys a software application should require testing to uncover bugs before taking delivery. The Coast Guard incident also underscores the need for application developers to hire programmers with knowledge of security vulnerabilities such as cross-site scripting, he added.

Like other federal agencies and departments, the Coast Guard continues to experience network and system attacks, Glenn said. About 15.3 million inbound e-mails pass through the Coast Guard network gateways every month, and 47,000 of those contain infections or malicious payloads. Outbound e-mails, about 2.8 million a month, are relatively virus free, carrying only 10 infections per month, he said.

The Coast Guard experiences 175 information assurance incidents a month, which Glenn did not elaborate on, and has a defense-in-depth strategy against network attacks. This includes firewalls and routers protected by network gateways, which are monitored by dual network intrusion detection systems. The service also uses an Internet content filtering system and Homeland Security Department systems such as network scanning and security auditing, he added.

Jan
28th

DoS attack by 20-year-old hacker puts Estonia-Russia relations in check

Last May, the web sites of a number of high-ranking Estonian politicians and businesses were attacked over a period of several weeks. At the time, relations between Russia and Estonia were chillier than usual, due in part to the Estonian government’s plans to move a World War II-era memorial known as the Bronze Soldier away from the center of the city and into a cemetery. The country’s plan was controversial, and led to protests that were often led by the country’s ethnic Russian minority. When the cyberattacks occurred, Estonia claimed that Russia was either directly or indirectly involved—an allegation that the Russian government denied.

Almost a year later, the Russian government appears to have been telling the truth about its involvement (or lack thereof) in the attacks against Estonia. As InfoWorld reports, an Estonian youth has been arrested for the attacks, and current evidence suggests he was acting independently—prosecutors in Estonia have stated they have no other suspects. Because the attacks were botnet-driven and launched from servers all over the globe, however, it’s impossible to state definitively that only a single individual was involved.

Dmitri Galushkevich, a 20-year-old Estonian student, launched the DoS (denial-of-service) attacks from his own PC last year. Although he’s a native Estonian, Galushkevich was angry over his government’s plans to move the statue, and launched the attack as a means of protesting the decision. The fact that a single angry student was able to impact international relations between two countries is a startling development. Understanding why Estonia and Russia got into a tiff about a war memorial statue in the first place, however, requires that we take a trip down history lane.

American history tends to focus its coverage of World War II on the theaters of combat we participated in. This makes logical sense—but it leaves the story of the eastern front largely untold, and doesn’t begin to explain why the Russians would be upset over Estonia’s movement of a statue nearly 63 years after the war’s end—or why the Estonians would want to move it in the first place.

The Soviet Union occupied Estonia in 1940 as part of the 1939 German-Soviet Nonaggression Pact. Once it held the country (Russia, to this day, insists the USSR was invited into Estonia and did not “occupy” it), extraordinary elections were held with the ballots restricted to pro-Communist choices. The country became a member of the USSR in August 1940—and was promptly invaded and occupied by the Germans in 1941 when that country opened the Eastern Front of the war.

Germany’s eastern front with the USSR was both the longest and the deadliest in worldwide military history. Contemporary estimates on how many Soviet soldiers and civilians died can vary widely, but the median figures suggest that the Red Army lost approximately 10 million men, with an additional 20 million civilian casualties. Soviet casualties and losses dwarfed those of any other nation, and the conflict left an indelible imprint on Russian society.

The war memorials built in Soviet-occupied territories after the war ended weren’t just monuments to the millions of soldiers and civilians killed in the conflict—they were Soviet ideological bulwarks and physical representations of what the Great Patriotic War had cost the motherland.

The majority of Estonians, however, have a different view. To them, the Bronze Soldier was a symbol of 50 years of Soviet and communist oppression—many Estonians, in fact, voluntarily enlisted and fought with the Germans in 1944 once it became apparent that the Soviets were about to reoccupy the country. Combine the two viewpoints with a significant minority of ethnic Russians who still identify with the memorial as a reminder of Soviet sacrifice, and you’ve got a pile of tinder just waiting for a spark.

The fact that a single student was able to trigger such events is particularly ominous when you consider just how many potential flashpoints exist between various countries all over the world. The DoS attack against Estonia is an excellent example of how a cyberattack carried out by a 20-year-old student in response to real-life events further exacerbated an existing problem between two nations.

Posted On Arstechnica By Joel Hruska