Prison website breached, InfraGard website breached.

LONDON — The website of an international prison contractor was defaced by hackers who on Friday replaced the company’s home page with a hip-hop homage devoted to former death row inmate Mumia Abu Jamal.

Hackers allied to the loose-knit Anonymous movement claimed responsibility for vandalizing the site of Boca Raton, Florida-based GEO Group Inc., which manages some 60 custodial facilities in Europe, North America, Australia and South Africa.

Anonymous said in a statement posted to the stricken website that its hack was “part of our ongoing efforts to dismantle the prison industrial complex.”

GEO Group Inc. spokesman Pablo Paez said in an email to The Associated Press that no information on its staff or operations was accessed.

He said: “Our public website is hosted by an external offsite third-party vendor — therefore no such information was compromised.”

Earlier Friday, Anonymous claimed credit for defacing the website of a Dayton, Ohio-based chapter of InfraGard, a public-private partnership for critical infrastructure protection sponsored by the FBI. The group’s site was replaced by a video of Coolio’s 1995 rap hit, “Gangsta’s Paradise.”

The FBI declined to comment on that attack.

Anonymous, an amorphous collection of activists and Internet mischief-makers, has increasingly focused its energy on military, police and security companies in recent months. Among its most spectacular coups: The interception of a conference call between FBI and London police cyber-investigators working to track them down.

At least one element within the group has promised weekly attacks on government-linked targets.

Porn Website Data Breach Exposes Usernames, Emails

Attention Online Porn Users: Your habit may not be a secret...beware!

Thousands of usernames and emails from members of porn site YouPorn were posted online on Wednesday.

The breach occurred at an outsourced service within YouPorn called YP Chat, according to an official statement from YouPorn's parent company, Luxembourg-based Manwin Holding SARL. The chat feature has been disabled until investigations are complete, but the main website is still up and running.

"The investigation revealed that poor security practices resulted in YP Chat's unencrypted daily user logs being left in an unsecured public directory," Brad Black, vice president of YouPorn operations, said in a blog post. "As the logs maintained daily records, users that accessed their YP Chat accounts on a recurring basis would have their activity appear in countless log files. This resulted in some media outlets over-inflating the number of affected users, where in actual fact the number of unique users affected was several thousand, not millions [as initially reported]."

The attacker posted 6,433 usernames and emails on Pastebin, a popular dumping ground for cyber attackers. No credit card information was compromised, and some of the user information appears to be duplicated.

Black recommended that users immediately change their username/password combo for any other website on which they used the same data as their YP Chat account. Why? As Sophos' Graham Cluley notes at Naked Security, "If your YouPorn password is now known, hackers might try that same password against your email address, your PayPal account, your Amazon account, and all manner of other online resources."

Embarrassingly, about 10 days earlier another Manwin-owned porn site, Brazzers, was breached to expose the emails, usernames, and encrypted passwords of more than 350,000 of its users. The attack was claimed by a 17-year-old living in Morocco who allied himself with Anonymous, AP reports. 

But if you think you're safe surfing porn as long as you don't become a member of any particular website, think again. YouPorn is also being sued in California for allegedly tracking user information and browsing history via JavaScript code that performs what is known as "history sniffing."

Symantec's pcAnywhere Woes May Be Worse Than We Thought

Symantec advised users of its compromised pcAnywhere software to disable the remote-access tool about a month ago, but a security firm said this week that as many as 200,000 computers out in the wild may still be exposed to hijacking by hackers, including some 5,000 systems used to collect and process credit card data.

Symantec first advised pcAnywhere users to uninstall the software in late January after an anonymous party published the software's 2006 source code on the Internet. The security software vendor then issued patches for versions 12.0, 12.1 and 12.5 of the product, which enables users to remotely access their PCs from other computers and devices.

The security software vendor said at the time that customers who patched their software with those updates should be protected from possible attacks stemming from the hackers' access to the source code, which security experts warned could include remote commandeering of vulnerable computers.

But weeks after the patches were issued, Rapid7, a Boston-based vulnerability management and penetration testing company, reported that it had identified between 150,000 and 200,000 PCs running unpatched versions of pcAnywhere after scouring the Internet this past weekend.

Between 3,450 and 5,000 of those systems were also running point-of-sale software that's often used by small businesses in computers tied to cash registers, according to Rapid7.

Meanwhile, an anonymous security researcher posting on the InfoSec Institute website reported Wednesday that even patched versions of pcAnywhere may be vulnerable to attack.

The researcher claimed that "core functionality in the product has and continues to exist today from the same code used for years," adding, "[f]rom the included design plans for 12.5 (current shipping version) there were no plans for an entire code base rewrite, and developer resources were kept to the same budgeted man hours for the previous release. 12.5 is simply a continuation of this same code base."

The InfoSec poster went on to issue a chilling warning for users of even a patched version of the software.

"For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components," the anonymous researcher wrote. "PcAnywhere is now pcEverywhere."

Iran developing Cyber Army

The director of the Iranian Passive Defense Organization, Brigadier General Gholamreza Jalali, has been discussing a new Iranian cyber army.

According to the Mehr News Agency this morning, Jalali declared in a televised press conference, “The US is downsizing its army for bigger cyber defense infrastructure. So countries like Iran also have to set up and upgrade their cyber defense headquarters and even [build] a cyber army.”

The move appears to be both a response to the Stuxnet and Duqu viruses (at least one of which seems to have been particularly targeted at the Iranian nuclear program), and the increasing cyber budgets of most western countries. But the problem with cyber defense is that it invariably also implies cyber offense.

Ash Patel, UK and Ireland manager for Stonesoft, makes just this point in advising western governments to “take the necessary protective measures to ensure their national infrastructure does not come under attack... Despite the fact,” he adds, “that Iran is saying the army will be used as a defensive measure there is no guaranteeing they won’t use it as an offensive measure as well and use it to launch cyber attacks.”

ESET’s David Harley believes that Stuxnet was an effective wake-up for most nations, but that cyberwarfare exploration has been a fact of life for many years. He suggests that the real significance of Stuxnet is that it forced governments to reassure their population that cyber security is being protected. The problem is that you cannot “realistically develop effective technology in those areas thinking purely defensively even if you wanted to.”

Harley has little time for the fictional view of future wars being fought behind computer screens. “But almost any upcoming war between any but the most technologically under-developed nations will, at this point," he warns, "be conducted making heavy use of a wide range of technical tools. Some of those tools are increasingly likely to go beyond intelligence gathering and the strategic deployment of a military solution.”

Social Media Users: Infection Inevitable

The emergence of social media as a malware attack vector means that traditional anti-virus technologies are no longer sufficient: whitelisting must now be used to supplement traditional blacklisting.

“Free stuff and sex,” says Bimal Parmar, VP of marketing at Faronics, “always attract people to click on the accompanying link.” This is particularly likely when the source is someone known and the trust factor is invoked. These factors, attractive offers and trust, come together in social networks; and are aggravated by the use of mobile devices connecting to the corporate network. This was the gist of a webinar delivered by Faronics yesterday: “The rise of cybercrime within social media.”

Most of the attacks are delivered as malicious links, disguised as shortened URLs. Social media users have no idea where the link will go, but tend to click on it because of inherent trust in the social media friend. “And that’s the problem,” explains Parmar, “because you may end up on a website and not do anything, but once you’re there, the website will drop a payload onto your machine. That’s the biggest danger in social media.”

The obvious solution, don’t join a social network, is not commercially realistic. Graham Cluley of Sophos is one security expert who has left Facebook because of his security concerns: but his company, Sophos, remains. “The traditional methods of marketing no longer work,” says Faronics. “You have to have a social media strategy. You have to encourage staff to be social, to spread the word; but then how do you protect yourself from the dangers?”

Parmar believes that there are only three defenses against social media infection: patch management, user education, and enforced acceptable use policies. Anti-virus software is necessary, and will do a sterling job, “but,” believes Parmar, “cannot stop all malware.” The growth of polymorphic viruses and effective exploit kits coupled with the social media attack vector means that companies will, not might, become infected. The blacklisting approach of anti-virus defenses can simply no longer cope with the sheer volume of new virus signatures.

The solution, says Parmar, is an additional layer of defense: whitelisting. Anti-virus products will blacklist known malware; but a whitelist of acceptable applications will prevent any malware that gets past AV from running.


Food and beverage industry has unsavory history of data breaches

The food and beverage industry is the top target for cybercriminals for the second year in a row, according to the 2012 Global Security Report by Trustwave SpiderLabs.

The food and beverage industry made up 44% of data breach investigations conducted by SpiderLabs in 2011. The report’s findings are based on more than 300 data breach investigations and 2,000 penetration tests performed last year by SpiderLabs.

“The food and beverage industry was the top target of our investigations. That may be surprising. Most people might think that banks and governments would be at the top of the list”, said Nicholas J. Percoco, head of SpiderLabs.

“The criminal element wants to turn their criminal activity into money as quickly as they can. They go after the food and beverage industry because it tends to have high transaction volume. … The criminals have found that those organizations have a low barrier to entry from an infiltration standpoint. Once they are in the environment, the lack of security awareness within those organizations affords them almost unlimited amounts of time to aggregate that data. They are then able to exfiltrate that data out of the environment and use it for fraudulent activities”, Percoco told Infosecurity.

Criminals are able to stay undetected in the breached environment for an average of 173.5 days, he noted.

Trustwave also found that franchise and chain stores are the top targets primarily because franchises often use the same IT systems across stores. If a cybercriminal can compromise a system in one location, they likely can duplicate the attack in multiple locations. More than one-third of 2011 investigations occurred in a franchise business, and this number is expected to rise in 2012.

According to the report, customer records remain a valuable target for attackers, making up 89% of breached data investigated. While trade secrets or intellectual property followed at a distant 6%, highly targeted attacks designed to go after that type of data remain a growing concern.

In addition, SpiderLabs found that global businesses still allow employees and system administrators to use weak passwords. Analyzing the usage and weakness trends of more than two million business passwords, Trustwave found that the most common password used by global businesses is "Password1" as it satisfies the default Microsoft Active Directory complexity setting.

“One of the top problems from an infiltration standpoint is remote access. This is often the result of weak passwords”, Percoco observed.
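The following Python is an added illustration, not code from the Trustwave report or from Microsoft: it approximates the Active Directory "password must meet complexity requirements" rule and shows why "Password1" passes it while a supplementary common-pattern check rejects it. The 3-of-4 character-class rule, the minimum length of 7 and the short word list are simplifying assumptions and constructed data.

```python
"""Added example: why 'Password1' satisfies an AD-style complexity rule.
Assumed simplification of Microsoft's rule (which also counts letters from
uncased scripts as a category and checks parts of the user's full name):
at least 3 of 4 character classes, a minimum length, and no occurrence of
the account name. This is a reimplementation, not Microsoft's code."""
import re

MIN_LENGTH = 7  # assumed default "Minimum password length" in a domain policy

# Constructed, deliberately short list of base words seen in breached-password
# dumps; a real deployment would check against a large breached-password corpus.
COMMON_BASE_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")


def meets_ad_complexity(password: str, account_name: str = "") -> bool:
    """Approximation of the AD complexity rule: length, no account name,
    and at least three of upper/lower/digit/symbol."""
    if len(password) < MIN_LENGTH:
        return False
    # AD rejects passwords containing the sAMAccountName (3+ chars), case-insensitively.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def looks_like_common_pattern(password: str) -> bool:
    """Supplementary check the complexity rule lacks: a dictionary word padded
    with digits/symbols, or a simple leetspeak variant of one."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # drop leading/trailing digits/symbols
    core = core.translate(str.maketrans("@$013", "asole"))  # undo common substitutions
    return core in COMMON_BASE_WORDS


def evaluate(password: str, account_name: str = "") -> dict:
    """Combine both checks; a password is accepted only if it passes both."""
    complexity = meets_ad_complexity(password, account_name)
    common = looks_like_common_pattern(password)
    return {"meets_complexity": complexity, "matches_common_pattern": common,
            "accept": complexity and not common}


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, evaluate(pw, "jsmith"))
```

Note that the complexity rule alone accepts "Password1" and "P@ssw0rd!" yet rejects the long all-lowercase passphrase, which is why a breached-password check is needed alongside it.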

Self-detection of compromises decreased in 2011 and only 16% of victimized organizations were able to detect the breach themselves, the report found. The remaining 84% relied on information reported to them by an external entity: regulatory, law enforcement, or the public.
