Microsoft rushes out fix to prevent attacks on Office PCs
Tuesday 26 November 2013
Microsoft rushes out fix to prevent attacks on Office PCs
(Reuters) - Microsoft Corp released an emergency software fix on Tuesday after it learned that hackers had exploited a previously undiscovered security flaw in its widely used Office software to infect the PCs of its customers with tainted Word documents.
Jailed Anonymous hacker Jeremy Hammond: 'My days of hacking are done'
Jailed Anonymous hacker Jeremy Hammond: 'My days of hacking are done'
Hammond calls his 10-year sentence a 'vengeful, spiteful act' by US authorities eager to put a chill on political hacking
Jeremy Hammond, the Anonymous hacktivist who released millions of emails relating to the private intelligence firm Stratfor, has denounced his prosecution and lengthy prison sentence as a “vengeful, spiteful act” designed to put a chill on politically-motivated hacking.
Hammond was sentenced on Friday at federal court in Manhattan to the maximum 10 years in jail, plus three years supervised release. He had pleaded guilty to one count under the Computer Fraud and Abuse Act (CFAA) flowing from his 2011 hack of Strategic Forecasting, Inc, known as Stratfor. In an interview with the Guardian in the Metropolitan Correction Center in New York, conducted on Thursday, he said he was resigned to a long prison term which he sees as a conscious attempt by the US authorities to put a chill on political hacking.
He had no doubt that his sentence would be long, describing it as a "vengeful, spiteful act". He said of his prosecutors: "They have made it clear they are trying to send a message to others who come after me. A lot of it is because they got slapped around, they were embarrassed by Anonymous and they feel that they need to save face.”
Most pointedly, Hammond suggested that the FBI may have manipulated him to carry out hacking attacks on “dozens” of foreign government websites. During his time with Anonymous, the loose collective of hackers working alongside WikiLeaks and other anti-secrecy groups, he was often directed by a individual known pseudonomously on the web as “Sabu”, the leader of the Anonymous-affiliated group Lulzsec, who turned out to be an FBI informant.
Hammond, who is under court orders restricting what he says in public, told the Guardian that Sabu presented him with a list of targets, including many foreign government sites, and encouraged him to break into their computer systems. He said he was not sure whether Sabu was in turn acting on behalf of the FBI or other US government agency, but it was even possible that the FBI was using Sabu’s internet handle directly as contact between the two hackers was always made through cyberspace, never face-to-face.
“It is kind of funny that here they are sentencing me for hacking Stratfor, but at the same time as I was doing that an FBI informant was suggesting to me foreign targets to hit. So you have to wonder how much they really care about protecting the security of websites.”
In the interview, conducted in a secure prison meeting room hours before the 28-year-old Chicagoan was sentenced, he was sanguine about his prospects. “I knew when I started out with Anonymous that being put in jail and having a lengthy sentence was a possibility. Given the nature of the targets I was going after I knew I would upset a lot of powerful people.”
Dressed in a brown prison jump suit, and with a long wispy goatee and moustache (he planned to shave both off before the sentencing hearing), Hammond was scathing about the way the CFAA was being twisted in his view for political ends. “They are widening the definition of what is covered by the Act and using it to target specifically political activists,” he said.
He invoked the memory of Aaron Swartz, the open-data crusader who killed himself in January while awaiting trial under the CFAA for releasing documents from behind the subscription-only paywall of an online research group. “The same beast bit us both,” Hammond said. “They went after Aaron because of his involvement in legitimate political causes – they railroaded charges against him, and look what happened.”
Hammond has been in custody since March 2012 having been arrested in Chicago on suspicion of the Stratfor leak of millions of emails that were eventually released by WikiLeaks as the Global Intelligence Files. His sentence is an indication of the aggression with which prosecutors have been pursuing political hackers in the US – other Anonymous members in Britain involved in the breach of Stratfor were sentenced to much shorter jail terms.
Hammond stressed that he had not benefitted personally in any way from the Stratfor email release, that exposed surveillance by private security firms on activists including Anonymous members themselves, Occupy protesters and campaigners in Bhopal, India involved in the push for compensation for victims of the 1984 industrial catastrophe. “Our main purpose in carrying out the Stratfor hack was to find out what private security and intelligence companies were doing, though none of us had any idea of the scale of it.”
Paradoxically, Hammond insists that he would never have carried out the breach of Stratfor’s computer system had he not been led into doing it by Sabu – real name Hector Xavier Monsegur – the fellow hacker who is himself awaiting sentencing having pleaded guilty to 12 hacking-related criminal charges. “I had never heard of Stratfor until Sabu brought in another hacker who told me about it. Practically, I would never have done the Stratfor hack without Sabu’s involvement.”
Hammond discovered that Monsegur was an FBI informant the day after his own arrest. As he was reading the criminal complaint against him, he saw quotes marked CW for “co-operating witness” that contained details that could only have come from Sabu.
“I felt betrayed, obviously. Though I knew these things happen. What surprised me was that Sabu was involved in so much strategic targeting, in actually identifying targets. He gave me the information on targets.”
Part of Sabu’s interest in him, he now believes, was that Hammond had access to advanced tools including one known as PLESK that allowed him to break into web systems used by large numbers of foreign governments. “The FBI and NSA are clearly able to do their own hacking of other countries. But when a new vulnerability emerges in internet security, sometimes hackers have access to tools that are ahead of them that can be very valuable,” he said.
Looking back on his involvement with anonymous, the Chicagoan said that he had been drawn to work with Anonymous, because he saw it as “a model of resistance – it was decentralised, leaderless.” He grew increasingly political in his hacking focus, partly under the influence of the Occupy movement that began in Wall Street in September 2011 and spread across the country.
Chelsea Manning, the US soldier formerly known as Bradley who leaked a massive trove of state secrets to WikiLeaks now serving a 35-year sentence in military jail, was a major influence on him. Manning showed him that “powerful institutions – whether military or private security firms – are involved in unaccountable activities that the public is totally unaware of that can only be exposed by whistleblowers and hackers”.
Hammond has often described himself as an anarchist. He has a tattoo on his left shoulder of the anarchy symbol with the words: “Freedom, equality, anarchy”. Another tattoo on his left forearm shows the Chinese representation of “leader” or “army”, and a third tattoo on his right forearm is a glider signifying the hacking open-source movement that is drawn from the computer simulation Game of Life .
He says he plans to use his time in prison “reading, writing, working out and playing sports – training myself to become more disciplined so I can be more effective on my release”. As to that release, he says he cannot predict how he will be thinking when he emerges from jail, but doubts that he would go back to hacking. “I think my days of hacking are done. That’s a role for somebody else now,” he said.
Hammond calls his 10-year sentence a 'vengeful, spiteful act' by US authorities eager to put a chill on political hacking
Jeremy Hammond, the Anonymous hacktivist who released millions of emails relating to the private intelligence firm Stratfor, has denounced his prosecution and lengthy prison sentence as a “vengeful, spiteful act” designed to put a chill on politically-motivated hacking.
Hammond was sentenced on Friday at federal court in Manhattan to the maximum 10 years in jail, plus three years supervised release. He had pleaded guilty to one count under the Computer Fraud and Abuse Act (CFAA) flowing from his 2011 hack of Strategic Forecasting, Inc, known as Stratfor. In an interview with the Guardian in the Metropolitan Correction Center in New York, conducted on Thursday, he said he was resigned to a long prison term which he sees as a conscious attempt by the US authorities to put a chill on political hacking.
He had no doubt that his sentence would be long, describing it as a "vengeful, spiteful act". He said of his prosecutors: "They have made it clear they are trying to send a message to others who come after me. A lot of it is because they got slapped around, they were embarrassed by Anonymous and they feel that they need to save face.”
Most pointedly, Hammond suggested that the FBI may have manipulated him to carry out hacking attacks on “dozens” of foreign government websites. During his time with Anonymous, the loose collective of hackers working alongside WikiLeaks and other anti-secrecy groups, he was often directed by a individual known pseudonomously on the web as “Sabu”, the leader of the Anonymous-affiliated group Lulzsec, who turned out to be an FBI informant.
Hammond, who is under court orders restricting what he says in public, told the Guardian that Sabu presented him with a list of targets, including many foreign government sites, and encouraged him to break into their computer systems. He said he was not sure whether Sabu was in turn acting on behalf of the FBI or other US government agency, but it was even possible that the FBI was using Sabu’s internet handle directly as contact between the two hackers was always made through cyberspace, never face-to-face.
“It is kind of funny that here they are sentencing me for hacking Stratfor, but at the same time as I was doing that an FBI informant was suggesting to me foreign targets to hit. So you have to wonder how much they really care about protecting the security of websites.”
In the interview, conducted in a secure prison meeting room hours before the 28-year-old Chicagoan was sentenced, he was sanguine about his prospects. “I knew when I started out with Anonymous that being put in jail and having a lengthy sentence was a possibility. Given the nature of the targets I was going after I knew I would upset a lot of powerful people.”
Dressed in a brown prison jump suit, and with a long wispy goatee and moustache (he planned to shave both off before the sentencing hearing), Hammond was scathing about the way the CFAA was being twisted in his view for political ends. “They are widening the definition of what is covered by the Act and using it to target specifically political activists,” he said.
He invoked the memory of Aaron Swartz, the open-data crusader who killed himself in January while awaiting trial under the CFAA for releasing documents from behind the subscription-only paywall of an online research group. “The same beast bit us both,” Hammond said. “They went after Aaron because of his involvement in legitimate political causes – they railroaded charges against him, and look what happened.”
Hammond has been in custody since March 2012 having been arrested in Chicago on suspicion of the Stratfor leak of millions of emails that were eventually released by WikiLeaks as the Global Intelligence Files. His sentence is an indication of the aggression with which prosecutors have been pursuing political hackers in the US – other Anonymous members in Britain involved in the breach of Stratfor were sentenced to much shorter jail terms.
Hammond stressed that he had not benefitted personally in any way from the Stratfor email release, that exposed surveillance by private security firms on activists including Anonymous members themselves, Occupy protesters and campaigners in Bhopal, India involved in the push for compensation for victims of the 1984 industrial catastrophe. “Our main purpose in carrying out the Stratfor hack was to find out what private security and intelligence companies were doing, though none of us had any idea of the scale of it.”
Paradoxically, Hammond insists that he would never have carried out the breach of Stratfor’s computer system had he not been led into doing it by Sabu – real name Hector Xavier Monsegur – the fellow hacker who is himself awaiting sentencing having pleaded guilty to 12 hacking-related criminal charges. “I had never heard of Stratfor until Sabu brought in another hacker who told me about it. Practically, I would never have done the Stratfor hack without Sabu’s involvement.”
Hammond discovered that Monsegur was an FBI informant the day after his own arrest. As he was reading the criminal complaint against him, he saw quotes marked CW for “co-operating witness” that contained details that could only have come from Sabu.
“I felt betrayed, obviously. Though I knew these things happen. What surprised me was that Sabu was involved in so much strategic targeting, in actually identifying targets. He gave me the information on targets.”
Part of Sabu’s interest in him, he now believes, was that Hammond had access to advanced tools including one known as PLESK that allowed him to break into web systems used by large numbers of foreign governments. “The FBI and NSA are clearly able to do their own hacking of other countries. But when a new vulnerability emerges in internet security, sometimes hackers have access to tools that are ahead of them that can be very valuable,” he said.
Looking back on his involvement with anonymous, the Chicagoan said that he had been drawn to work with Anonymous, because he saw it as “a model of resistance – it was decentralised, leaderless.” He grew increasingly political in his hacking focus, partly under the influence of the Occupy movement that began in Wall Street in September 2011 and spread across the country.
Chelsea Manning, the US soldier formerly known as Bradley who leaked a massive trove of state secrets to WikiLeaks now serving a 35-year sentence in military jail, was a major influence on him. Manning showed him that “powerful institutions – whether military or private security firms – are involved in unaccountable activities that the public is totally unaware of that can only be exposed by whistleblowers and hackers”.
Hammond has often described himself as an anarchist. He has a tattoo on his left shoulder of the anarchy symbol with the words: “Freedom, equality, anarchy”. Another tattoo on his left forearm shows the Chinese representation of “leader” or “army”, and a third tattoo on his right forearm is a glider signifying the hacking open-source movement that is drawn from the computer simulation Game of Life .
He says he plans to use his time in prison “reading, writing, working out and playing sports – training myself to become more disciplined so I can be more effective on my release”. As to that release, he says he cannot predict how he will be thinking when he emerges from jail, but doubts that he would go back to hacking. “I think my days of hacking are done. That’s a role for somebody else now,” he said.
Cyber warrior shortage hits anti-hacker fightback
Cyber warrior shortage hits anti-hacker fightback
Credit: Reuters/Kacper Pempel/Files
(Reuters) - For
the governments and corporations facing increasing computer attacks, the
biggest challenge is finding the right cyber warriors to fight back.
Hostile computer activity from
spies, saboteurs, competitors and criminals has spawned a growing
industry of corporate defenders who can attract the best talent from
government cyber units.
The U.S.
military's Cyber Command is due to quadruple in size by 2015 with 4,000
new personnel while Britain announced a new Joint Cyber Reserve last
month. From Brazil to Indonesia, similar forces have been set up.
But
demand for specialists has far outpaced the number of those qualified
to do the job, leading to a staffing crunch as talent is poached by
competitors offering big salaries.
"As
with anything, it really comes down to human capital and there simply
isn't enough of it," says Chris Finan, White House director for cyber
security from 2011-12, who is now a senior fellow at the Truman National
Security Project and working for a start-up in Silicon Valley.
"They
will choose where they work based on salary, lifestyle and the lack of
an interfering bureaucracy and that makes it particularly hard to get
them into government."
Cyber
attacks can be expensive: one unidentified London-listed company
incurred losses of 800 million pounds ($1.29 billion) in a cyber attack
several years ago, according to the British security services.
Global
losses are in the range of $80 billion to $400 billion a year,
according to research by the Washington-based Center for Strategic and
International Studies that was sponsored by Intel Corp's McAfee
anti-virus division.
There is a
whole range of attacks. Some involve simply transferring money, but more
often clients' credit card details are stolen. There is also intellectual property theft or theft of commercially sensitive information for business advantage.
Victims
can also suffer a "hacktivist" attack, such as a directed denial of
service to bring a website down, which can cost a lot of money to fix.
Quantifying the exact damage is almost impossible, especially when secrets and money are not the only targets.
While
no government has taken responsibility for the Stuxnet computer virus
that destroyed centrifuges at Iran's Natanz uranium enrichment facility,
it was widely reported to have been a U.S.-Israeli project.
Britain
says it blocked 400,000 advanced cyber threats to the government's
secure intranet last year while a virus unleashed against Saudi Arabia's
energy group Aramco, likely to be the world's most valuable company,
destroyed data on thousands of computers and put an image of a burning American flag onto screens.
Adobe data breach more extensive than previously disclosed
Adobe data breach more extensive than previously disclosed
(Reuters) - Adobe Systems
Inc said on Tuesday that the scope of a cyber-security breach disclosed
nearly a month ago was far bigger than initially reported, with
attackers obtaining data on more than 38 million customer accounts.
The software
maker also said that hackers had stolen part of the source code to
Photoshop editing software that is widely used by professional
photographers.
The company
disclosed the breach on October 3, saying attackers took credit card
information and other data from nearly 3 million customers' accounts.
Adobe
also said that the hackers accessed an undisclosed number of Adobe IDs
and encrypted passwords that were stored in a separate database. On
Tuesday, it revealed that about 38 million records from that database
were stolen.
On October 3, the
company also reported that the attackers stole source code to three
other products: Acrobat, ColdFusion and ColdFusion Builder.
Adobe spokeswoman Heather Edell said the software
maker believes the attackers also obtained access to "many invalid
Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted
passwords and test account data."
She
said the company is still investigating to determine how much invalid
account information was breached and is in the process of notifying
affected users.
Even though the
company believes the stolen passwords were encrypted, the attackers may
have been able to access them in plain text by one of several methods,
including breaking the algorithm that Adobe used to scramble them, said
Marcus Carey, a security researcher and expert on cyber attacks, who
formerly worked as an investigator with the National Security Agency.
They
could likely use those passwords to break into other accounts because
many people use the same passwords for multiple accounts, he said.
"This is a treasure trove for future attacks," Carey said.
Adobe
spokeswoman Heather Edell said that the company was not aware of any
unauthorized activity on Adobe accounts as a result of the attack.
Yet
Edell said she could not say whether stolen credit cards or passwords
had been used to launch follow-on attacks against Adobe customers or
conduct other types of cyber crimes.
"Our investigation is still ongoing," she said. "We anticipate the full investigation will take some time to complete."
Chicago hacker tied to Anonymous given 10 years in prison
Chicago hacker tied to Anonymous given 10 years in prison
(Reuters) - A
Chicago computer hacker tied to the group known as Anonymous was
sentenced on Friday to 10 years in prison for cyber attacks on various
government agencies and businesses, including a global intelligence
company.
Jeremy Hammond, 28, was handed
the maximum term for the December 2011 hacking of Strategic Forecasting
Inc, an attack his lawyers contend was driven by concern about the role
of private firms in gathering intelligence domestically and abroad.
Prosecutors
say the hack of Strategic Forecasting, or Stratfor, resulted in the
theft of 60,000 credit card numbers and records for 860,000 clients,
which were then uploaded online. Hammond admitted being behind it in
May.
He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.
Hammond's
lawyers argued their client should be sentenced to only time he had
already served since his March 2012 arrest, portraying him as a
political activist and whistleblower.
As part of the Stratfor attack, Hammond's lawyers said he turned over company emails to the anti-secrecy group WikiLeaks, which has since selectively released documents revealing the firm's dealings with clients including Goldman Sachs Group Inc and Coca-Cola Co.
"As
a result of the Stratfor hack, some of the dangers of the unregulated
private intelligence industry are now known," Hammond said in court.
But
Chief Judge Loretta Preska of the U.S. District Court in Manhattan
imposed the 10-year term followed by three years of supervised release,
citing his "total lack of respect for the law."
"There was certainly nothing high-minded or public spirited about his hacking," Preska said.
The
sentence was the maximum allowed under the single charge of conspiracy
to engage in computer hacking that Hammond pleaded guilty to in May.
Hammond's
sentencing drew more than 250 letters of support from family, friends
and activists, including Daniel Ellsberg, the former U.S. military
analyst who in 1971 released the Pentagon Papers, the top secret report
on the United States' role in the Vietnam War
Exclusive: FBI warns of U.S. government breaches by Anonymous hackers
Exclusive: FBI warns of U.S. government breaches by Anonymous hackers
The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin May 21, 2013.
(Reuters) - Activist hackers linked to the collective known as Anonymous have secretly accessed U.S. government computers in multiple agencies and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week.
The hackers exploited a flaw in Adobe Systems Inc's software to launch a rash of electronic break-ins that began last December, then left "back doors" to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.
The memo, distributed on Thursday, described the attacks as "a widespread problem that should be addressed." It said the breach affected the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.
Investigators are still gathering information on the scope of the cyber campaign, which the authorities believe is continuing. The FBI document tells system administrators what to look for to determine if their systems are compromised.
An FBI spokeswoman declined to elaborate.
According to an internal email from Energy Secretary Ernest Moniz' chief of staff, Kevin Knobloch, the stolen data included personal information on at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on almost 2,0000 bank accounts.
The email, dated October 11, said officials were "very concerned" that loss of the banking information could lead to thieving attempts.
Officials said the hacking was linked to the case of Lauri Love, a British resident indicted on October 28 for allegedly hacking into computers at the Department of Energy, Army, Department of Health and Human Services, the U.S. Sentencing Commission and elsewhere.
Investigators believe the attacks began when Love and others took advantage of a security flaw in Adobe's ColdFusion software, which is used to build websites.
Adobe spokeswoman Heather Edell said she was not familiar with the FBI report. She added that the company has found that the majority of attacks involving its software have exploited programs that were not updated with the latest security patches.
The Anonymous group is an amorphous collective that conducts multiple hacking campaigns at any time, some with a few participants and some with hundreds. In the past, its members have disrupted eBay's Inc PayPal after it stopped processing donations to the anti-secrecy site Wikileaks. Anonymous has also launched technically more sophisticated attacks against Sony Corp and security firm HBGary Federal.
Some of the breaches and pilfered data in the latest campaign had previously been publicized by people who identify with Anonymous, as part of what the group dubbed "Operation Last Resort."
Among other things, the campaigners said the operation was in retaliation for overzealous prosecution of hackers, including the lengthy penalties sought for Aaron Swartz, a well-known computer programmer and Internet activist who killed himself before a trial over charges that he illegally downloaded academic journal articles from a digital library known as JSTOR.
Despite the earlier disclosures, "the majority of the intrusions have not yet been made publicly known," the FBI wrote. "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed."
Credit: Reuters/Pawel Kopczynski
The hackers exploited a flaw in Adobe Systems Inc's software to launch a rash of electronic break-ins that began last December, then left "back doors" to return to many of the machines as recently as last month, the Federal Bureau of Investigation said in a memo seen by Reuters.
The memo, distributed on Thursday, described the attacks as "a widespread problem that should be addressed." It said the breach affected the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.
Investigators are still gathering information on the scope of the cyber campaign, which the authorities believe is continuing. The FBI document tells system administrators what to look for to determine if their systems are compromised.
An FBI spokeswoman declined to elaborate.
According to an internal email from Energy Secretary Ernest Moniz' chief of staff, Kevin Knobloch, the stolen data included personal information on at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on almost 2,0000 bank accounts.
The email, dated October 11, said officials were "very concerned" that loss of the banking information could lead to thieving attempts.
Officials said the hacking was linked to the case of Lauri Love, a British resident indicted on October 28 for allegedly hacking into computers at the Department of Energy, Army, Department of Health and Human Services, the U.S. Sentencing Commission and elsewhere.
Investigators believe the attacks began when Love and others took advantage of a security flaw in Adobe's ColdFusion software, which is used to build websites.
Adobe spokeswoman Heather Edell said she was not familiar with the FBI report. She added that the company has found that the majority of attacks involving its software have exploited programs that were not updated with the latest security patches.
The Anonymous group is an amorphous collective that conducts multiple hacking campaigns at any time, some with a few participants and some with hundreds. In the past, its members have disrupted eBay's Inc PayPal after it stopped processing donations to the anti-secrecy site Wikileaks. Anonymous has also launched technically more sophisticated attacks against Sony Corp and security firm HBGary Federal.
Some of the breaches and pilfered data in the latest campaign had previously been publicized by people who identify with Anonymous, as part of what the group dubbed "Operation Last Resort."
Among other things, the campaigners said the operation was in retaliation for overzealous prosecution of hackers, including the lengthy penalties sought for Aaron Swartz, a well-known computer programmer and Internet activist who killed himself before a trial over charges that he illegally downloaded academic journal articles from a digital library known as JSTOR.
Despite the earlier disclosures, "the majority of the intrusions have not yet been made publicly known," the FBI wrote. "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed."
Subscribe to:
Posts (Atom)