Brian Krebs:

Security vendor Imperva today blogged about a hacker who claims to have access to and control over several top dot-gov, dot-mil and dot-edu Web sites. I’ve seen some of the back-end evidence of his hacks, so it doesn’t seem like he’s making this up. Perhaps out of deference to the federal government, the Imperva folks blocked out the best part of that screen shot — the actual names of the Web site domains that this hacker is selling. For example, the hacker is advertising full control and root access to cecom.army.mil, a site whose stated purpose is to develop, acquire, provide and sustain world-class…systems and Battle Command capabilities for the joint warfighter. It can be yours, for just $499 (sorry, no credit cards accepted; only the virtual currency Liberty Reserve).

Mit einem Fragezeichen der Titel dieses Eintrages: Interessant sind insbesondere die Kommentare zum und über den Eintrag selbst — der “Hacker” ist wohl ein in der Szene bekannter Scammer, auch wenn einige ‘entlarvende’ Kommentare für sich ebenfalls nicht stimmen (traffic rank bei Alexa wird immer nur aggregiert über den Domain-Namen selbst gemessen, nicht gesondert für etwaige Sub-Domains). Ein Meta–Eintrag über die Szene! Außerdem war mir Liberty Reserve (Costa Rica‽) nicht bekannt.

Via Boing Boing.

The Atlantic:

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting…

Ist halt nicht mehr so einfach.

Evgeny Morozov:

In reality, we don't need to develop a new set of fancy all-powerful weaponry to secure cyberspace. In most cases the threats are the same as they were 20 years ago; we still need to patch security flaws, update anti-virus databases and ban suspicious users from our sites. It's human nature, not the Internet, that we need to conquer and re-engineer to feel more secure. But it's through rational deliberation, not fear-mongering, that we can devise policies that will accomplish this.

Via Richard Stiennon.

Ich muss noch immer endlich Inside Cyber Warfare von Jeffrey Carr lesen.

Here are several cyber security scenarios. The scary thing is, they have already occurred. While the incidents covered may affect adjacent or even unrelated industries it is advisable that IT security practitioners and other stake holders are aware of the threats posed by the prior occurrence of these scenarios.

Notiz an mich: endlich Inside Cyber Warfare von Jeffrey Carr lesen.

Zeit Online:

Smart Meter sind im Grunde Mini-Computer, allerdings haben sie nicht die Sicherheitsvorkehrungen, die in heutigen Computern und Netzwerken Standard sind. Wir haben das getestet. Das Ergebnis: Viele Smart Meter, die heute auf dem Markt sind, können mit allgemein verbreiteten Angriffstechniken unterwandert werden, darunter sogenannte buffer overflows und root kits.

Immerhin sind sie nicht über's Internet zu erreichen. Trotzdem wohl “günstiger” als EMP.

Jeffrey Carr:

According to the Swiss security researcher who runs Abuse.ch, the use of free proxy services like Glype, Tor, and others have an option which allows administrators to log the traffic flowing through their proxy server on the Glype network. This researcher was able to retrieve log files from some of the servers running Glype and the results should scare you straight if you work for an agency, department, or organization that is a target of foreign intelligence services.

Auf die Analyse bin ich gespannt (und auch darauf, was das für Privatpersonen bedeutet, die diese Dienste nutzen).

The Firewall:

In a blog post Monday evening, Desautels laid out a recent hacking operation that his SNOsoft research team was hired to perform on a bank client. Though he doesn't name the target, he describes step by step the social engineering involved in sussing out the bank's defenses, including staging a fake job interview with unwitting employees of the company. The technical strategy for breaching the bank's defenses--a targeted, booby-trapped PDF attachment--isn't a surprise. But the detailed description of the preparation for that exploit is a rare window into the hacking process.

Lektüre zum Thema: The Art of Deception: Controlling the Human Element of Security von Kevin Mitnick.