It has the makings of a film — but the fallout from one of the world’s most sophisticated ATM heists is very real. The New York Times is reporting that a massive team of criminals worked in concert in order to grab some $45 million in a matter of hours over the course of two operations. The sheer scope of the project is hard to wrap one’s mind around, involving trained personnel positioned in over two dozen countries. Earlier today, federal prosecutors in Brooklyn “unsealed an indictment charging eight members of the New York crew, offering a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.” In essence, the hackers were able to infiltrate various credit card processing companies and raise withdrawal limits on prepaid accounts — from there, cashing crews hit thousands of ATMs, socking away millions in the process. Hit up the source link for the full read; it’s a wild one, for sure. Filed under: Internet Comments Source: The New York Times
Hugo Teso, a security consultant who also happens to be a trained commercial pilot, says he’s developed an Android app that can make an airliner “dance to his tune” by attacking its flight management systems. The hack was demoed at this year’s Hack In The Box conference in Amsterdam, where Teso showed how the app — called PlaneSploit — can seek out targets from the ground by infiltrating radio broadcasts between aircraft and air traffic control, and then use a second communication system to send malicious messages to that could “take full control of the plane” or indirectly affect the pilot’s behavior. PlaneSploit is proof-of-concept software, designed to work in a closed virtual environment, so it’s not like we’re going to see it pop up on Google Play any time soon, but just the fact it exists will hopefully help to keep the puppet masters out of real-world planes . And no, there’s no Windows Phone version. Filed under: Transportation , Internet , Alt Comments Via: Net Security , Computerworld Source: Aircraft Hacking: Practical Aero Series (PDF)
It’s been more than a year since the WSJ reported that Skype leaks its users’ IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone’s IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person’s home. In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name). Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel. Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states. Privacy 101: Skype Leaks Your Location
Hackers, whether they be white hat or black hat, push the envelopes of security and software design. These are 10 hackers who innovated new approaches to cyberspace.
The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service, apparently aimed at anti-spam vigilantes Spamhaus, in retaliation for their blacklisting of Dutch free speech hosting provider Cyberbunker. At 300 mbps, the DDoS is the worst in public Internet history. “These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.” The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second. “It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.” Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group. In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS. As bad as this is, it could be a lot worse. An anonymous paper called Internet Census 2012: Port scanning /0 using insecure embedded devices reports on a researcher’s project to scan every IPv4 address for publicly available machines that will accept a telnet connection and yield up a root login to a default password. The researcher reports that 1.2 million such devices are available online (s/he compromised many of these machines in order to run the census). These machines are things like printers and routers with badly secured firmware, visible on the public net. They are often running an old version of GNU/Linux and can be hijacked to form part of a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attackware, and the devices themselves are completely unregarded. Firm Is Accused of Sending Spam, and Fight Jams Internet [NYT/John Markoff & Nicole Perlroth] ( via Hacker News )