Cheating Website hacked hard

Bad guys hacked bad guys. Hmmm, whose side should we take?

2DAshleymadison.com got hacked. This site helps and suggests married people cheat. The hack threatens millions of users, potentially revealing their credit card information, addresses, real names, pictures and content of their chat logs.

This dating site has 37 million users and is owned by Avid Life Media. Their other sites, Established Men and Cougar Life, were also hacked.

The hackers responsible call themselves The Impact Team. They object strongly to Ashleymadison.com and had threatened to release all the hacked data unless the site closed down.

The Impact Team is especially unnerved over the site’s Full Delete service that supposedly wipes clean a customer’s profile and everything associated for $19. The Impact Team alleges that Ashleymadison.com took the money but did not delete, retaining clients’ credit card information, names and addresses.

The site denies the claims and is offering the deletion service for free. It’s also fighting to get the millions of personal data pieces removed from cyber space. If it’s already been exposed… too late.

Sounds like some spuses are going to get the frying pan for sure.

The Hacking Team might sell all this personal data for a lot of dough, but that’s a rumor. Either way, the customers are surely shaking in their boots.

A similar thing happened with another site called Adult Friend Finder. Recently, the sex life of its nearly four million users was revealed—purchased underground for $16,800.

What do these recent hacking incidents teach us? Not to cheat? Well, maybe, but more so that you risk a lot by putting your identity and other sensitive information online. Online services cannot guarantee protection from hackers. Maybe Ashleymadison.com’s customers should have used a virtual credit card number, but that wouldn’t have kept other sensitive information concealed.

Had this site used encryption, the hackers would have seen nothing but a bunch of garbled characters: zero value. But most sites don’t use encryption. And when they do, it’s often crackable.

Some sites, like Ashley Madison, have a privacy flaw: If someone knows your e-mail, they can find out if you’re registered with the site because its password reset requires only the e-mail.

If you don’t want anyone to know you have an account with a site, then create an e-mail just for that site. But that’s only one small thing you can do. Your private information may still get hacked into and revealed to the world.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Auto Hacking is a real Thing

You’ll probably be shocked to learn that last year, thousands of cars with keyless entry technology were stolen in London, says a report from wired.com.

10DBut fact is, the more connected a vehicle is to the cyber world, the more hackable the vehicle is—and the hack could be to steal the vehicle or hurt the owner.

Rule: Anything that’s connected, especially via WiFi can be hacked.

The article notes that recently, a Jeep Cherokee was hacked with a smartphone via its Internet-connected navigation and entertainment system; the hackers remotely took control of its steering and brakes while it was on a road.

But don’t panic yet; it was an experiment conducted by good-guy hackers to demonstrate the vulnerability of a connected vehicle. The flaw was corrected after Chrysler recalled 1.4 million vehicles.

But what about getting into keyless-entry vehicles? A device is sold online for $31 that can clone the “key.” The wired.com article notes that BMW, Audi, Mercedes, Saab and Land Rover are among the models at risk.

The thief plugs this device into the vehicle’s diagnostic port. The information collected is then used to reprogram a blank fob that can start the vehicle—after the thief smashes a window to get in.

To deal with this, car makers are trying to create a key whose signal is harder to copy. Security experts point out that vehicles need additional layers of protection such as encrypted communication between them and the Internet.

The Jeep mentioned above was hacked via its navigation and entertainment system, forced to go into a ditch. But another thing a hacker could do is spoof the GPS signals that emanate from satellites, and transmit altered directions to the driver, making that person go way off course. Imagine someone doing this as revenge, perhaps on his nasty boss from work.

Or they can sit back and laugh while they create traffic jams. But it won’t just be fun and games for all hackers. Imagine what terrorists or psychopaths could do. And it’s all very possible. University of Texas researchers actually steered a super yacht off course, unknown to its captain.

Hacking into cars will be even more feasible as cars become closer to being driverless, because this feature will be dependent upon being connected.

Pay close attention to any manufacturer recalls or updates that may involve a patch to correct any vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Big Bad Hackers taken down

Darkode anyone? Not anymore. This underground bad hackers’ forum was recently demolished by the FBI, says a report on www.justice.gov. The dozen hackers associated with Darkode are facing criminal charges.

4DThough there are about 800 of such forums, Darkode was among the worst (or shall I say “best”?), presenting a serious threat to worldwide computers. Gone is Darkode’s ventures of buying, selling and trading malware, and exchanging hacking strategies—to actually carry out crimes, not just fun brainstorming.

The dismantling of Darkode comes as a result of infiltration also by the efforts of law enforcement representing 20 countries including Australia, Colombia, Canada, Germany, Latvia, Denmark, Finland, Romania, Nigeria, Sweden and the UK. This is the biggest bust of a black hat forum to date.

Here is the cyber smut list from the www.justice.gov article:

  • J. Gudmunds, 27. He created a botnet that stole data on 200 million occasions.
  • M. Culbertson, 20. He’s the brains behind Dendroid, malware for sale on Darkode that was supposed to steal and control data from Google Android. Clever name, too: “Dend” refers to branching out (as in neuronal dendrites).
  • E. Crocker, 29. He’s the mastermind behind a Facebook spreader that infected the computers of FB users, converting them to bots.
  • N. Ahmed, P. Fleitz and D. Watts, 27, 31 and 28, respectively. They’re behind the spam that sent out millions of e-mails intended to bypass spam filters of cell phones.
  • M. Saifuddin, 29. He tried to transfer credit card numbers to other Darkode members.
  • D. Placek, 27. He allegedly created Darkode and sold malware on it.
  • M. Skorjanc, F. Ruiz and M. Leniqi, 28, 36 and 34, respectively. They’ve been charged with conspiracy to commit wire and bank fraud, racketeering conspiracy and conspiracy to commit computer fraud and extortion.
  • Rory Stephen Guidry. He reportedly sold botnets on Darkode.

The article points out that all of these wrongdoings are accusations at this point, and that these defendants are presumed innocent until proven guilty.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

These are the Bigtime Hackers

Hackers with big skills and a big ego will be drawn to Facebook and Twitter as their targets. But they’ll also target dozens of other companies, reports an article on arstechnica.com.

11DOne group in particular stands out as the attackers, using zero-day exploits. They are known as Wild Neutron and Morpho, says the article, and have been active possibly since 2011, burrowing their way into various businesses: healthcare, pharmaceutical, technology.

It’s been speculated that the hackers want the inside information of these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe that these hackers have begun using a valid digital certificate that is issued to Acer Incorporated to bypass code-signing requirements that are built into modern operating systems, explains the arstechnica.com report.

Experts also have identified use of some kind of “unknown Flash Player exploit,” meaning that the hackers are using possibly a third zero-day exploit.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how it is that hackers can figure out a password and username. Well, it doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security un-awareness of employees to bust in. They can send employees an e-mail, disguised to look like it’s from a company executive or CEO, that tricks the employee into either revealing passwords and usernames, or clicking on a malicious link that downloads a virus, giving the hacker access to the company system’s stored data. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.

The security firms interviewed estimate that a minimum of 49 companies have been attacked by the hacking ring’s surveillance malware. The cybercriminals have, in at least one instance, got into a company’s physical security information management system.

The arstechnica.com article notes that this consists of swipe card access, HVAC, CCTV and other building security. This would allow the hackers to surveil employees, visually following them around.

This hacking group is smart. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-staged control/command networks that have encrypted virtual machines to foil forensics detectives. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not some giant one.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Meet the FBI’s most wanted Hackers

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S. based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Even Hackers get hacked

Burglars get burgled, muggers get mugged, and hackers get hacked. This includes a sophisticated ring of hackers: Hacking Team, hailing from Italy, specializing in selling hacking software to major governments.

10DAn article on wired.com describes how a “400 gigabyte trove” went online by anonymous hackers who gutted the Hacking Team, including source code. Even their Twitter feed was hacked, and the secret hackers tweeted HT’s cracked files.

One of the exposed files apparently was a list of HT’s customer information, spanning the Middle East, Africa and the U.S.

Hacking Team must really be the Humiliated Team now, because they refused to respond to WIRED’s request for a comment. However, one of HT’s workers tweeted that their mystery hackers were spreading lies. His tweet was then hacked.

Sudan was one of the customers, and this shows that Hacking Team believed it could sell hacking software to any government, as Sudan is noted for its ultra-high restrictions to access.

Can the selling of hacking software be equated to the sales of weapons of mass destruction? More likely this is so than not. There is an arms control pact, the Wassenaar Agreement, designed to control the sales internationally of hacking tools.

Criticisms of the Wassenaar Agreement come from hackers (not necessarily only the bad ones) because the Agreement limits security research.

Eric King, from Privacy International, points out that the Agreement is required. Wired.com quotes him: “Some form of regulation is needed to prevent these companies from selling to human rights abusers.”

The Hacking Team organization, despite what it insists, should not be considered a “good guy.” For example, Citizen Lab uncovered that customers, including the United Arab Emirates and Sudan, used tools from Hacking Team to spy on a political dissident—who just happened subsequently get beaten up.

Eric King says, as quoted in wired.com, that Hacking Team “has continuously thrown mud, obfuscated, tried to confuse the truth.” The hacking of Hacking Team will help reveal the truth behind their “deviousness and duplicity in responding to what are legitimate criticisms,” says King.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hacker isn’t a bad Word

Did you know that the original meaning of hacker, as far as computers, was that of a person who built codes into computers? In fact, the bad guy was called a “cracker.” Somehow, “cracker” didn’t catch on. But the mainstream folk out there hears “hacker,” and right away, they think of a digital thief, often someone who breaks into governmental computer systems or Russian “hacking rings” that steal credit card numbers.

4DAn article at motherboard.vice.com mentions that Richard Stallman gets the credit for cracker. Stallman, creator of the GNU operating system, is quoted as saying, “I coined the term ‘cracker’ in the early ‘80s when I saw journalists were equating ‘hacker’ with ‘security breaker.’”

The news media began noticing hackers around 1980. Some hackers were security breakers. Security breaking is one thin slice of the pie, but the media jumped on this, creating the impression that hackers were bad guys.

The article also notes something that Biella Coleman explains. She’s a hacker expert and is quoted as stating that the American government “has tended to criminalize hacking under all circumstances, unwilling to differentiate between criminal activities, playful pursuits, and political causes.”

The reality is, is that a security breaker is no more a hacker than a home burglar is an architect.

In the 1990s were movies that portrayed hackers as cyber villains, and all along, the real hackers were trying to get the word out that “crackers” was the term of choice. But it just didn’t take.

Maybe one reason is because the word “hacker” has more of a novel sound to it. When you hear “cracker,” several possible things come to mind, including a detective who cracks a case, and something you put in your soup. But “hacker”? Wow – it has more punch. It conveys more action.

But how did innocent code writers get to be called “hackers” in the first place? Perhaps it’s because writing code is such an imperfect science—more of an art, full of bugs and crimps. Code writers must hack their way through muddle to get it right.

At this point, however, hacker is here to stay to refer to the bad guy, whether a teenager with too much time on his hands breaking into some company’s network, or an intricate Chinese cyber criminal organization that cracks into the U.S. government’s system.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Private Investigator faces Jail for Hacking

What a disgrace: A private investigator, Eric Saldarriaga, 41, got nailed for hacking into peoples’ e-mails. He may get six months in the can. Is six months reasonable for this, though?

4DA recent online New York Times article quotes a prosecutor who points out that hackers could be deterred by the threat of harsh penalties—because the mind of a hacker operates with a lot of thinking, vs. the mind of someone who impulsively pulls out a gun or knife.

So what did Saldarriaga do exactly? He paid an overseas company to get the login information for e-mail accounts: a hacker-for-hire deal. His clients included lawyers and other private investigators. He was known for gaining access to e-mail accounts without the user’s knowledge, so this is why he got some of his cases in the first place.

Breaking into e-mails is a serious crime because it can involve the accounts of big companies, revealing their trade secrets and other classified information.

One of Saldarriaga’s victims was journalist Tony Ortega, who has spent about 20 years writing about Scientology. Ortega believes that this controversial church’s reps hired Saldarriaga to get information about Ortega.

Ortega, as well as possibly most of the other victims, are adamant about learning just who hired Saldarriaga to conduct his dirty deed. One of the other victims is a professional gambler who secretly donates to charity. The Times article quotes the gambler: “For this one guy, to be sentenced today for a crime he did for other people would be a miscarriage of justice.”

Why aren’t the people who hired Saldarriaga also facing justice?

Saldarriaga’s lawyer, Peter Brill, gunned for just a three-year probationary sentence for his client because he was remorseful. In fact, his crime got him only $5,000.

Saldarriaga himself even pleaded with the judge who’s overseeing the case that he deserves some concessions because one of his actions, he claims, may have spared a woman from harm.

But that doesn’t nullify the reality that Saldarriaga intruded upon peoples’ privacy without their knowledge. And got paid for it.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Why Hacking is a National Emergency

Foreign hackers, look out: Uncle Sam is out to get you. President Obama has issued an order that allows the State Department and Treasury Departments to immobilize the financial assets of anyone out-of country suspected of committing or otherwise being involved in cyber crimes against the U.S.

7WkThis order, two years in the making, covers hacking of anything. The order refers to hacking as a national emergency. Imagine if entire power grids were hacked into. Yes, a national emergency.

Another reason hacking is a national crisis is because the guilty parties are so difficult to track down. Hackers are skilled at making it seem that an innocent entity is guilty. And a major hacking event can be committed by just a few people with limited resources.

However, the order has some criticism, including that of assigning it an over-reaction to the Sony data breach. But it seems that the government can never be too vigilant about going after hackers.

Proponents point out that the order allows our government greater flexibility to go after the key countries where major hacks come from, like Russia and China. This flexibility is very important because the U.S. has a crucial financial relationship with these countries. And that needs to be preserved.

For instance, there’d be little adverse impact to the U.S. if our government choked off the bank accounts of isolated hackers who were part of the Chinese government, vs. strangling the entire Chinese government.

In short, the activities of small hacking groups or individual hackers within a foreign government will be dealt with without penalizing the entire government—kind of like doing away with punishing the entire fourth grade class because one kid threw a spitball.

Hacking is now elevated to terrorism status; the order is based on the anti-terrorism bill. So foreign hackers, you’ve been warned; the U.S. is not reluctant to level you because the order allows for sparing your government as a whole from being sanctioned.

You can do your part to protect the Homeland simply by protecting your own devices using antivirus, antispyware, antiphishing and a firewall. Keep your devices operating system updated and uses a VPN when on public WiFi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

3 Ways We are Tricked into Cyber Attacks

So just how are hackers able to penetrate all these huge businesses? Look no further than employee behavior—not an inside job, but innocent employees being tricked by the hacker.

9Drecent survey commissioned by Intel Security reveals that five of the top seven reasons that a company gets hacked are due to employee actions.

One of the things that make it easy to trick employees into giving up critical information is the information employees share on social media about their company.

People just freely post things and tweet all day long about company matters or other details that can be used by a hacker to compromise the company. What seems like innocuous information, such as referring to a company big wig by their nickname, could lead to social engineering (tricking users into believing the request is legitimate so the user gives up sensitive information).

Between social media and the golden nuggets of information on Facebook, Twitter, LinkedIn and other platforms, hackers have a goldmine right under their nose—and they know it.

3 Key Pathways to Getting Hacked

  1. Ignorance. This word has negative connotations, but the truth is, most employees are just plain ignorant of cybersecurity 101. The survey mentioned above revealed that 38% of IT professionals name this as a big problem.
    1. Do not click on links inside emails, regardless of the sender.
    2. Never open an attachment or download files from senders you don’t know or only know a little.
    3. Never visit a website on the job that you’d never visit in public. These sites are often riddled with malware.
  2. Gullibility. This is an extension of the first pathway. The more gullible, naive person is more apt to click on a link inside an email or do other risky tings that compromise their company’s security.
    1. It’s called phishing(sending a trick email, designed to lure the unsuspecting recipient into visiting a malicious website or opening a malicious attachment. Even executives in high places could be fooled as phishing masters are truly masters at their craft.
    2. Phishing is one of the hacker’s preferred tools, since the trick is directed towards humans, not computers.
    3. To  check if a link is going to a phishing site, hover your cursor over the link to see its actual destination. Keep in mind that hackers can still make a link look like a legitimate destination, so watch our for misspellings and bad grammar.
  3. Oversharing. Malicious links are like pollen—they get transported all over the place by the winds of social media. Not only can a malicious link be shared without the sharer knowing it’s a bad seed, but hackers themselves have a blast spreading their nasty goods—and one way of doing this is to pose as someone else.
    1. Be leery of social media posts from your “friends” that don’t seem like things they would normally post about. It could be a hacker who is using your friend’s profile to spread malware. Really think…is it like your prude sister-in-law to send you a link to the latest gossip on a sex scandal?
    2. Don’t friend people online that you don’t know in real life. Hackers often create fake profiles to friend you and then use their network of “friends” to spread their dirty wares.
    3. Take care about what you post online. Even if your privacy settings are set to high, you should think that when you post on the Internet, it’s like writing in permanent ink—it’s forever. Because did we all really need to know that time you saw Kanye from afar?

All of us must be coached and trained to keep ourselves and our workplaces safe, and that starts with practicing good cyber hygiene both at home and at work.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.