2/15/10

13-Year Sentence for Hacker

A skilled San Francisco computer intruder was sentenced here Friday to 13 years in federal prison for stealing nearly two million credit card numbers from banks, businesses and other hackers — in what is the longest hacking sentence in U.S. history.

Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.

Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to a thousand different banks, which tallied the fraudulent charges on the cards at $86.4 million.

The hacker faced up to life in prison under federal sentencing guidelines. But prosecutor Luke Dembosky on Friday recommended the significantly lower 13-year sentence, noting that Vision has provided substantial assistance to the government during his time in pre-trial custody.

“I was quite impressed by the cooperation shown by Mr. Butler,” agreed U.S. District Judge Maurice Cohill Jr.

Dressed in orange jail clothes, the soft-spoken hacker said little at Friday’s hearing, which at times felt more like an awards ceremony than a sentencing. Vision’s lawyer, prosecutor and judge took turns praising the hacker for his computer skills, and his apparent remorse over his crimes.

“I have a lot of regrets, but I think my essential failing was that I lost touch with the accountability and responsibility that comes with being a member of society,” Vision wrote in a letter to the judge on Thursday.

“I’ve changed,” Vision said in court Friday.

“He’s a likable person,” said prosecutor Dembosky. “Almost wide-eyed and optimistic in his view of the world.”

Vision’s 13-year term is the longest U.S. hacking sentence, though that record likely will be eclipsed next month when confessed TJX hacker Albert Gonzalez faces the first of two sentencing hearings. One of Gonzalez’s plea agreements contemplates a term of 17 to 25 years in prison.

The defendant’s sentence is longer than the one given to Michigan hacker Brian Salcedo. He was handed a then-unprecedented, nine-year term in 2004 for cracking the corporate network of the Lowe’s chain of home improvement stores.

In the late 1990s, Vision was a superstar in the computer security community, billing himself as a $100-an-hour computer security consultant. He gave the FBI information on security and piracy threats, and earned the respect of his peers for creating and curating an open source library of attack signatures used to detect computer intrusions.

But it turned out Vision was staging recreational hacks on the side, and in 2001 he was sent to federal prison for 18 months for launching a scripted attack that closed security holes on thousands of Pentagon systems, and left backdoors and packet-sniffers behind for his own use.

While in prison, Vision met more serious criminals, and after his release one of them introduced him to an Orange County, California entrepreneur and former bank robber named Chris Aragon, who became Vision’s partner.

Aragon, who is awaiting trial on related state charges in Southern California, used Vision’s stolen credit card data to create near-perfect counterfeit cards, complete with holograms, and recruited a crew of shoppers who used the cards to snap up designer merchandise for resale on eBay. Aragon earned at least $1 million in the business, police say.

Vision also sold the credit card data online under the handles “Generous” and “Digits.” He stole data from restaurant point-of-sale terminals and other targets, including competing hackers.

“From what I know, his actual income from this entire event is probably not even a million dollars,” federal public defender Michael Novara said Friday.

The hacker became a priority to federal law enforcement officials in 2006 when, under the handle “Iceman,” he staged a brazen takeover of the competing online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.

He hacked into the forums, wiped out some of their databases, and absorbed their content and membership into his own site, CardersMarket.

On one of the sites he hacked, called DarkMarket, Vision later discovered that an administrator named “Master Splyntr” was logging in from an FBI office here in Pittsburgh. The defendant partnered with a Canadian hacker to try and expose Master Splyntr as a fed, but his claim was largely dismissed in the underground as inter-forum rivalry. DarkMarket went on to become a full-blown undercover FBI operation, and the FBI and Secret Service began an investigation into “Iceman.”

Using informants and some genuine electronic gumshoe work, the feds identified Iceman as Vision about a year later, and arrested him in September 2007 at a corporate apartment he used as a hacking safe house. When the feds seized his computer, they found five terabytes of encrypted data. Experts at Carnegie Mellon University’s Computer Emergency Response Team eventually cracked Vision’s crypto.

Vision’s plea deal wraps up a separate federal case in Virginia, where Vision was charged with staging the first documented “spear phishing” attack against employees of a financial institution by unlawfully accessing the corporate network of Capital One bank.

With credit for time served and good behavior, Vision could be released in December 2018.

2/12/10

Microsoft stops serving Windows patch blamed for blue screens

Microsoft late Thursday said it had halted distribution of a security update linked to crippled Windows XP PCs that display the notorious Blue Screen of Death.

According to users who posted complaints to Microsoft's support forum, their machines refuse to start up after installing the update, one of 13 released Tuesday. Instead, their systems shudder to a stop at the blue screen that, in Windows, indicates a serious software error and crash.

"We stopped offering this update through Windows Update as soon as we discovered the restart issues," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC).

Bryant also said that Microsoft was digging into the problem. "Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165)," he said. "However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software."

He also downplayed the extent of the blue screening, saying that only a "limited number" of users were affected.

The support thread dedicated to the problem, however, grew by leaps and bounds on Thursday. By day's end it boasted more than 250 messages -- double the number of 12 hours before -- and had been accessed over 55,000 times.

Bryant encouraged Windows XP users to apply Tuesday's other patches and, in lieu of the now-withdrawn MS10-015, to protect their machines with an automated workaround that disables the vulnerable NT Virtual DOS Machine (NTVDM) subsystem.

MS10-015 quashed a pair of 17-year-old kernel bugs in all 32-bit versions of Windows. The vulnerability went public three weeks ago when a Google engineer published proof-of-concept attack code.

Microsoft did not provide any new help Thursday to users whose machines have been incapacitated, nor did Bryant provide a timetable when the company would conclude its investigation. The only Microsoft-endorsed solution, which was posted to the support forum Wednesday by a user, is worthless to netbook owners whose systems lack a CD or DVD drive.

Late Thursday, however, someone identified as "John E" and labeled as a Microsoft employee asked users with the blue screen problem to submit a memory dump file from their PCs for examination.

The impact now stretches beyond Microsoft. A spokeswoman for Dell acknowledged Thursday that calls to its support center were on the increase because of the blue screen issue. Hewlett-Packard did not respond to a similar request for comment on the update problem.

Not surprisingly, rumors began circulating about possible causes of the apparent conflict between the MS10-015 update and some, though certainly not all, Windows XP machines. One making the rounds ended up on the support thread: "Is it true that the [Blue Screen of Death] only happens on people already infected with the malware that this update is supposed to fix?" Several users jumped in to reject that theory, a safe bet, since although exploit code was publicly disclosed several weeks ago, Microsoft said Tuesday that it had seen no in-the-wild attacks.

This week's incident was not the first where a Microsoft update has harmed rather than helped. Two years ago, a set of updates for Vista sent machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.

Firefox add-on malware false alarm

Mozilla has admitted it erred in labelling one of the two Firefox add-ons offered for download from its official add-on site as malign last week.

Warnings that version 4.0 of Sothink Video Downloader add-on was contaminated by a Trojan were wrong and down to a false positive triggered by an anti-virus scanner used by Mozilla rather than the presence of real malware. The add-on, withdrawn from download last week because of malware concerns, has now been restored.

In a blog posting on Tuesday, Mozilla apologised for the mix-up and confirmed the other add-on under suspicion, Master Filer, is infected by the Bifrose Trojan and remains blacklisted.

The open source browser firm thanked McAfee for helping it sort out the confusion. It's not clear whose scanner triggered the false alert in the first place.

Mozilla has radically revised downwards its earlier estimate that 6,000 downloads of potentially infected add-ons might have taken place. It now reckons its site might have served up malware-laced Firefox plug-ins fewer than 700 times.

As previously reported, Master Filer was downloaded 600 times between September 2009 and January from Mozilla's official add-on site before potential problems were detected. A scanning tool used to check add-ons during the upload process failed to detect anything awry even though the password-stealing Trojan strain it was infected with has been detected by commercial scanners since October 2008.

Malware infection in Firefox add-ons is rare but not unprecedented. In May 2008, the open source browser supplier warned that a Vietnamese language pack for Firefox 2 was contaminated with adware.

Russian botnet tries to kill rival

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses.

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules -- U.S. residents with bank accounts -- who then move the cash out of the country.

Sensing an opportunity, a number of similar Trojans have emerged recently, including Filon, Clod and Bugat, which was discovered just last month.

Spy Eye popped up in Russian cybercrime forums in December, according to Symantec Senior Research Manager Ben Greenbaum.

With its "Kill Zeus" option, however, Spy Eye is the most aggressive crimeware. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. "This author knows that Zeus has a pretty good market, and he's looking to cut in," he said.

Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.

Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.

Still, the Trojan is being developed quickly and has a growing list of features, Greenbaum said. It can, for example, steal cached password information that is automatically filled in by the browser, and back itself up via e-mail. "This is interesting in its potential, but it's not currently a widespread threat at all," he said.

Google Buzz Makes Private Contact Info Public

While Google was busy plotting the beginnings of SkyNet on one front, they simultaneously launched their full-frontal attack on Facebook with the debut of Google Buzz, their new social networking tool that puts status updates right on your Gmail page. And, just like Facebook, Google Buzz managed to completely overstep the bounds of personal privacy.

When launched, Buzz automatically makes you a follower of the people you contact and chat with most frequently via Gmail. But the rub is this — anyone who follows you can see all the people you follow.

So, imagine you've been looking for a new job and you've been e-mailing Marcie at the new company with your resume and references and whatnot. If Buzz makes you a follower of Marcie, all your friends from your current job who automatically follow you can see you've been chatting with the enemy. Now imagine this situation expanded to the even more risky (and potentially risque) realm of personal and romantic relationships. Yeah, you're getting the picture.

You can go into Buzz and selectively follow/unfollow certain people to avoid this kind of incident, but the best evasive maneuver is to scroll down to the bottom of the screen and click "Turn off Buzz."

2/10/10

Facebook Cash Scam

Over the past few years social networking sites such as Facebook and Twitter have given unprecedented access to people’s private lives. More and more personal information is revealed through photos, status updates and conversations that are all being documented online. In a joint venture between London police and the Financial Services Authority, over 10,000 people were notified that their names were on a “master list” containing a range of personal information, which might include name, address, phone number, place of business, income and relationship status. While this is the only reported list, it’s quite possible thousands more were already victims of this latest cash scam.

Facebook users may not mention all that personal information on their Facebook page, however, they may have it listed on a combination of networking sites. For example, a Facebook user will list their name and location along with photos on Facebook. The scammer can take that information and then look you up on LinkedIn and Twitter to find out your personal website, job, position, average income, number of years employed, education level and parlay all that information into a “cash scam.”

Fraudsters are using this information to set up “boiler rooms” and contact people on this master list. Boiler rooms employ high-pressure sales tactics to push unwanted, overpriced, or sometimes non-existent stock to unsuspecting buyers. Boiler rooms are nothing new, but using Facebook to gather leads and target people is becoming a serious problem.

The FSA is clearly trying to stay ahead of the scam: “By writing to people now, we can raise awareness of this type of fraud and help protect people from losing money to these criminals,” the FSA said. While multiple efforts are being made to stop these criminals, these cash scams continue to grow and more boiler rooms continue to operate offshore. It’s up to the individual to be aware of such fraud and to report any phone call they suspect could be criminal.

In the meantime, keep your friends close, your Facebook account closed to outsiders, and don’t allow just anyone to view your personal details on your Facebook page.

iPhone users at risk of phishing attacks

When Apple introduced iPhone OS 3.0, it attempted to beef up the security of over-the-air enterprise management of iPhones by adding support for Cisco Systems' Simple Certificate Enrollment Protocol (SCEP). However, a flaw in the implementation of the standard could allow hackers to offer mobile configuration files that appear to be from a legitimate source, but may otherwise set your iPhone to access malicious servers.

Ars spoke with a mobile security expert who discovered the problem (who asked to remain anonymous because he did not have approval to talk about the issue). He told Ars that the issue is one of trust: "Who would you trust to change your iPhone configuration over the air? Your carrier? Your company? Your IT security admin?" he asked. Apple uses SCEP as a way for the iPhone to check in with a certificate server to verify that a mobileconfig file has been signed by a trusted source, but flaws in the set-up on the iPhone mean that the process doesn't always work as intended.

The problem stems from Apple's method of checking root certificate authorities. Apple added SCEP, which was intended to be a protocol for securely verifying trust relationships in closed systems, to iPhone OS 3.0. However, a mobileconfig file that uses the older protocol for verification must be sent to the iPhone to initiate SCEP, and this older protocol has a verified flaw in its implementation.

Certificate authorities are used to verify that mobileconfig files come from a trusted source. As long as the certificate used to digitally sign a mobileconfig file can be traced back to a known trusted authority, then it is considered "verified" and safe to install. Unfortunately, the iPhone uses Safari's list of certificate authorities instead of a much more narrowly defined set for authorizing OTA mobileconfig files. Furthermore, it only requires that certificates used to sign mobileconfig files be signature only, instead of a more secure type of certificate that specifies how it can be used.

"The very fact that Apple would confuse a browser keychain and an OTA trust management issue shows that they have not really given any thought about it," the researcher told Ars.

Our source was able to obtain a temporary, signature-only test certificate from VeriSign with the name "Apple Computer." VeriSign issues such certificates for testing only, and they are not configured for use for serious security purposes. As such, these certificates require only a verified e-mail address to obtain. Using this certificate, however, he created and signed a fake mobileconfig file that appeared to come from Apple. A user who downloaded this configuration file OTA might easily believe that it came from Apple and click install. That's where the really bad stuff can happen.

A mobileconfig file can change quite a few settings on an iPhone. Some changes would be merely annoying, such as blocking access to the App Store or Mobile Safari. Others could be far more serious, such as replacing your VPN settings to connect to a hacker's server, where all the supposedly secure network traffic could be monitored. Or e-mail settings could be changed to route all outgoing e-mails through a malicious server, and a user would be none the wiser.

Another serious potential problem is that a mobileconfig can be used to install additional root certificate authorities. This would allow SSL connections to phishing sites with names similar to real websites to appear legitimate. Even easier, our source said, would be to reroute the traffic to a real website, like a bank, and merely capture login credentials or rewrite transactions to send money to a hacker's account.

A mobileconfig file can also be set to not let the user uninstall it; the only way to get rid of bad settings in that case would be to wipe the iPhone and restore it to factory settings.

This problem isn't limited to enterprise users either; less-savvy consumers could be tricked into downloading a malicious mobileconfig file from the Internet just as easily as the average business user. Thankfully, the problem only affects OTA mobileconfig files, and not those downloaded via USB using iPhone Configuration Utility or those that come via iTunes. However, Apple will need to seriously reconsider its implementation of trust verification and SCEP if it expects enterprises to feel secure deploying OTA management.
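The trust check the article faults can be shown as a policy comparison. The Go below is an added example, not Apple's code: it builds constructed certificates with the standard library and contrasts a check that accepts any signer chaining to a browser-style root store with one that pins a narrow management root and insists the signer state a profile-signing purpose. The use of ExtKeyUsageCodeSigning as that purpose, and every certificate name, are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // inputs are constructed, so any error is a bug
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a cert for cn signed by parent (self-signed when nil); nil eku = no stated purpose.
func makeCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// weakPolicy mirrors the article's set-up: any signer chaining to some browser-store root passes.
func weakPolicy(signer *x509.Certificate, browserRoots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{Roots: browserRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// strictPolicy needs a chain to a narrow management root and an explicitly listed purpose.
func strictPolicy(signer *x509.Certificate, mdmRoots *x509.CertPool, purpose x509.ExtKeyUsage) bool {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: mdmRoots, KeyUsages: []x509.ExtKeyUsage{purpose}}); err != nil {
		return false
	}
	for _, u := range signer.ExtKeyUsage { // Go treats a missing EKU as "any", so insist on it
		if u == purpose {
			return true
		}
	}
	return false
}

// Scenario: a public web root, a corporate MDM root, a purpose-less "Apple Computer" test cert, a real signer.
func Scenario() (weakAcceptsTest, strictAcceptsTest, strictAcceptsSigner bool) {
	const purpose = x509.ExtKeyUsageCodeSigning // stand-in for a profile-signing EKU (assumption)
	webRoot, webKey := makeCert("Public Web CA (constructed)", true, nil, nil, nil)
	mdmRoot, mdmKey := makeCert("Corp MDM CA (constructed)", true, nil, nil, nil)
	testCert, _ := makeCert("Apple Computer", false, nil, webRoot, webKey)
	signer, _ := makeCert("Corp Profile Signer (constructed)", false, []x509.ExtKeyUsage{purpose}, mdmRoot, mdmKey)
	browserRoots := x509.NewCertPool() // Safari-style store: every public root
	browserRoots.AddCert(webRoot)
	mdmRoots := x509.NewCertPool() // narrow store: only roots allowed to sign profiles
	mdmRoots.AddCert(mdmRoot)
	return weakPolicy(testCert, browserRoots), strictPolicy(testCert, mdmRoots, purpose), strictPolicy(signer, mdmRoots, purpose)
}
```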

2/8/10

Twitter p2p scam

Twitter has identified a scheme that uses compromised file-sharing sites to steal the logon information of users.

The service said it had discovered a number of compromised torrent sites that include code used to skim usernames and passwords.

Torrent sites act as indexes of links to TV, film and music files.

Scammers were then able to use the data to gain access to Twitter and other sites because many people use the same logon for multiple services.

The firm has reset the accounts of affected users.

The conclusion is echoed by security researchers who say it is a particular problem for banking websites.

A survey of millions of people conducted by the security firm Trusteer suggests that 73% of people share the passwords which they use for online banking with at least one nonfinancial website.

Around 47% of users share both their user ID and password with at least one nonfinancial website, it found.

Twitter said that it had discovered the scam after seeing unusual activity on the site.

After doing some digging the firm found a network of compromised torrent sites that included code that could be used to harvest logon information.

The sites also contained security exploits allowing the attacker to steal usernames and passwords.

Twitter said that it hadn't identified all of the affected torrent sites but had reset the passwords of compromised accounts.

The information comes as security firm Sophos launched its annual report.

One of its findings was that spam and attacks on social networks - such as Twitter and Facebook - had risen 70% in the last year.

Facebook was branded the riskiest network, although the firm also pointed out that it was also the largest and would therefore attract the most attention from cybercriminals.

The first post

This blog will be related to security. This is the first post and it won't contain useful information :)