Hackers in the Philippines attack AT&T's network
Nov. 28, 2011
The FBI and law enforcement officials in the Philippines have arrested four suspects all living in the Philippines who were allegedly paid by terrorists to hack into AT&T's network. However, AT&T said its network wasn't breached in any way.
The hackers, who were arrested Nov. 23 in Manila, were paid by the same Saudi Arabian-based terrorist group identified by the FBI as funding the 2008 attack on Mumbai, India, the Philippines' Criminal Investigation and Detection Group (CIDG) said in a statement.
The coordinated attacks in India's largest city claimed 164 lives and wounded at least 308. "The hacking activity resulted in almost $2 million in losses incurred by AT&T," the CIDG said in a statement.
The suspects hacked the PBX (private branch exchange) phone lines of different telecommunications companies, including AT&T, the CIDG said. Money stolen in the hacks was diverted to bank accounts belonging to the terrorists, who paid the Filipino hackers on commission, the group said.
The four allegedly worked for a group originally run by Muhammad Zamir, a Pakistani arrested by the FBI in 2007 who was associated with Jemaah Islamiah, a Southeast Asian militant group with links to Al Qaeda.
"Zamir's group, later identified by the FBI to be the financial source of the terrorist attack in Mumbai, India, on November 26, 2008, is also the same group that paid Kwan's group of hackers in Manila," Police Senior Superintendent Gilbert Sosa said in the statement.
An AT&T representative said that it "ended up writing off some fraudulent charges that appeared on customer bills" but did not comment on the $2 million figure.
"AT&T and its network were neither targeted nor breached by the hackers," AT&T spokeswoman Jan Rasmussen said. "AT&T only assisted law enforcement in the investigation that led to the arrest of a group of hackers."
The FBI requested the CIDG's assistance in March after discovering the hacking group had targeted AT&T in the U.S., the CIDG said.
Earlier in the week, AT&T said it thwarted an attempt to steal mobile customer data and that no accounts were breached.
In other internet security news
It looks like Google has been victimized on its own domain. A company based in the Netherlands appears to have issued a digital certificate for Google.com to someone other than Google itself, who may be using it to try to redirect the Internet traffic of users based in Iran (of all places).
On Sunday, someone reported in a thread on a Google support forum that when attempting to log in to Gmail, the browser issued a warning for the digital certificate used as proof that the site is legitimate.
"Today, when I tried to log in to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack because I live in Iran and you may hear something about the story of a Comodo hacker!"
Alibo then posted a screenshot and the text of the SSL certificate. The screenshot page was not accessible, however.
In this particular case, the browser of the person reporting the issue warned that there was a problem with the digital certificate. It is unclear what triggered the warning in the first place, and other browsers might not have raised one at all.
In such an event, a user could end up on a site that purports to be google.com but isn't. The digital certificate is definitely fraudulent. This posting details how to verify that a certificate is real and notes that it was issued in mid-July.
The SSL certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an email seeking comment yesterday, and an automated message said the offices were closed for the evening and offered no voice-mail option.
A phone call and email to Vasco Data Security, parent company of DigiNotar, were not immediately returned either.
The situation is similar to one that happened last March in which spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites and they were traced back to Iran. In that incident, the fraudulent digital certificates were acquired through reseller partners of certificate authority Comodo.
These attacks further illustrate a fundamental weakness in the current website authentication system, in which third parties issue certificates that prove that a site is legitimate when making an "https://" connection. And yes, even with a fraudulent certificate the browser's 'padlock' is closed, signaling a secure internet connection.
The list of certificate issuers trusted by browsers has grown significantly over the past few years to approximately 650 organizations, which may not always follow the strictest security procedures. Furthermore, each one has a copy of the Webmaster's keys.
There is no automated process to revoke fraudulent certificates either, nor is there a public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys.
Worse, there are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance.
Today's flawed system gives browser makers a large amount of responsibility towards end users. Any list of so-called 'certificate authorities' they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.
In other internet security news
A suspect has been charged by police investigating various Internet attacks allegedly carried out by hacking collective Anonymous against companies and organizations deemed to have acted against the whistleblower website Wikileaks.
Scotland Yard has named 22-year-old student Peter Gibson of Castleton Road, Hartlepool, Cleveland as one of the suspects alleged to have orchestrated DDoS (distributed denial of service) attacks on PayPal, Amazon, Mastercard and Bank of America in December of last year.
Gibson has been charged with conspiracy to do an unauthorised act in relation to a computer, with intent to impair the operation of a computer system or prevent or hinder access to a program or data held in a computer or to impair the operation of any such program or the reliability of such data, said Scotland Yard.
Those are actions that are contrary to Section 1(1) of the Criminal Law Act of 1977, it added.
The Computer Misuse Act, which carries maximum jail sentences of ten years, was not cited by the police.
Gibson is expected to appear at the City of Westminster Magistrates' Court on September 7, 2011.
Detectives at the specialist computer-crime unit questioned Gibson in April this year. He was one of six people arrested in connection with a U.K. police probe into "Operation Avenge Assange". The five other UK-based men, aged 15, 16, 19, 20 and 26, were also arrested under the Computer Misuse Act in January 2011, following coordinated police raids in the West Midlands, Northants, Herts, Surrey and London.
It is alleged that the suspects launched distributed denial of service attacks using a modified piece of open source software known as the Low Orbit Ion Cannon.
The software was used to send a constant stream of data to targeted websites in an effort to greatly slow down or to completely shut down the affected sites.
In July of this year, federal law-enforcement personnel in the U.S. also arrested 16 people accused of carrying out computer crimes that damaged or breached protected systems. Fourteen of these suspects, from ten states across the U.S., were alleged to have been involved in "Operation Avenge Assange".
Anonymous's assault against PayPal, MasterCard, Visa, Amazon, and others was mounted after those companies cut off services to WikiLeaks, following publication by the whistle-blower site of classified U.S. diplomatic memos.
In other internet security news
A police investigator working on Scotland Yard's inquiry into alleged phone-hacking at the now-defunct Sunday tabloid the News of the World was arrested by senior officers from the anti-corruption unit of London's Metropolitan police late last week.
The police said that on Thursday, August 18, they arrested a serving MPS officer from Operation Weeting on suspicion of misconduct in a public office, relating to the unauthorized disclosure of information, as a result of a proactive operation.
They didn't release the name of the officer, who was described as a 51-year-old male detective constable, and Scotland Yard only confirmed he had been arrested after releasing the man on bail until September 29, pending further investigation.
As is customary in such incidents, the officer was suspended from his job the next day. "I made it very clear when I took on this investigation the need for operational and information security. It is hugely disappointing that this may not have been adhered to," said Deputy Assistant Commissioner Sue Akers, who is in charge of Operation Weeting.
"The MPS takes the unauthorized disclosure of information extremely seriously and has acted rapidly in making this arrest," she added.
Meanwhile, a thirty-five-year-old man was also released the next day, after being in police custody on suspicion of conspiring to unlawfully intercept voicemails.
He was bailed to return at a yet-to-be-determined date in October. Reports suggest that former NotW features writer Dan Evans was the man arrested then bailed by police on Friday.
James Desborough, who joined the Sunday tabloid as a reporter in 2005 before being promoted to Hollywood editor in 2009, was also arrested last Thursday as part of the Operation Weeting probe.
In other internet security news
On August 15, after reporting on Anonymous' hacking of BART's Web site and the leak of user information from mybart.org, some in the Internet security community started receiving messages on Twitter and elsewhere from sources purporting to be tied to Anonymous.
They were all critical of the leak of personal info from mybart.org, pointing to dissent on Twitter and Anonymous IRC channels. "Just wanted you to know not all of Anon approves!" read one of the messages. Then today, it seems to have all become too much for one former Anonymous hacker.
Until now he has gone by the handle "SparkyBlaze"; he has now officially resigned, identifying himself as a Manchester, U.K., resident named Matthew who has had enough of what he calls a lot of nonsense from a group that claims to do good and no evil.
He goes on to say that "higher-up" Anons have thrown other members of the collective "to the lions," claiming that Anonymous' campaigns and leadership have been ineffective and prey on "kids" to do their dirty work and risk arrest.
Some inside the internet security community contacted SparkyBlaze and asked if the BART operation was the last straw for him. He says "That was one factor, mainly it was because I was just fed up with anon putting people's data on-line and then claiming to be the big heroes."
SparkyBlaze adds that he did find it hypocritical that Anonymous claimed to be fighting for BART users by putting their data online.
With regard to his own involvement with Anonymous, SparkyBlaze says he supported a number of operations, "and some un-ethical ones that I am not proud of but, I never exposed people's data-- and of that, I can be proud of. I want to be clear on that."
He says he was proud to be involved in attacks on sites run by Iran's government, but not so proud to have been involved in the Sony attacks a few months ago.
"If I get arrested with this I will have to deal with it. I don't care about what anon do now and I just want to say that not all anon's are bad-- just a few. Some do want change. They are just going about it in the wrong way," said SparkyBlaze.
SparkyBlaze's defection from Anonymous has made at least minor waves within the organization. A post by Commander X, purported to have led a number of recent hacks, including last week's BART operation, suggests SparkyBlaze should be considered persona non grata:
SparkyBlaze says that posting was in response to his calling Commander X an "idiot for exposing people's data and supporting it", coupled with his Pastebin statement.
Source: The FBI.