Thursday, March 29, 2012

Occupy Wall Street (Through Hacking)

http://www.huffingtonpost.com/2012/03/28/cybercrime-financial-sector_n_1385029.html?ref=cybersecurity


Did you know that in 2009, financial service firms reported zero cybercrime? Yeah, I'm not making that up! Zero cybercrime! And now, just three years later, cybercrime accounts for 38% of the economic crime that financial services companies report experiencing. So why the sudden jump? Read on...

Well, as it turns out, this data is probably flawed. According to other research cited in the article, cybercrime went unreported in 2009 not because it wasn't happening but because it wasn't being detected. That largely came down to companies lacking the proper security tooling, employees lacking the training to recognize an attack in progress, or both.

However, the data is still striking, and there has definitely been a large increase in cybercrime aimed at the financial sector since 2009. This is thought to be connected to the economic downturn of recent years. Even street gangs like the Bloods and Crips have apparently stopped bashing people in the head and instead turned their attention to learning Bash, so they can breach security systems for monetary gain.

It seems that this is a problem that could get much worse in the coming years. Based on the reading I did, companies and the courts are woefully in the dark about the risk that cybercrime poses. We live in the Internet age, where most records are kept electronically, and if someone can break into the computer systems of a major financial institution, that is obviously a serious problem. Companies should start taking this threat more seriously and invest some time and money in the problem now, rather than waiting for something bad to happen and losing much, much more time and money in the end.

Mac Attack!

http://arstechnica.com/apple/news/2012/03/james-bond-style-malware-attacks-come-to-the-mac.ars


It turns out that Mac OS X, Apple's operating system, has more security problems than previously thought. Once touted as the ultra-secure alternative to Microsoft's Windows, it is now the target of more and more attacks. What specific problems are being found? Read on...


The attacks on OS X that have been found don't exploit the operating system itself; they rely on vulnerabilities in Microsoft Office and in Java. The backdoor trojans, which were used to target pro-Tibetan organizations, install without the user's knowledge and send information about the victim's machine to the attacker's server. The attacker can then use that connection to remotely issue Unix shell commands on the victim's machine (Mac OS X is Unix-based, after all). These attacks signal a shift from attackers targeting almost exclusively Windows machines to attackers targeting both Windows and Mac machines.


These sorts of vulnerabilities could certainly have major ramifications. The article mentions that companies as large as Google have been switching many of their computers from Windows to Macs specifically to avoid this kind of security issue, which Macs were previously thought not to be subject to. Again, this illustrates the trend of malware writers putting more emphasis on Mac OS X. Ironic, isn't it?

Thursday, March 22, 2012

FCC: Fighting Computer Crime

http://arstechnica.com/business/news/2012/03/fcc-publishes-voluntary-code-of-isp-conduct-to-combat-botnets.ars

The FCC, or as I like to call them, the Factory of Crazy Censorship, has done something good! They have given something solid and measurable to the field of Internet security. This might actually be one of the biggest steps in security taken recently, and certainly deserves praise.

So what did the FCC actually do? An FCC advisory council, the third Communications Security, Reliability and Interoperability Council (CSRIC III), produced a code of conduct that describes in detail the steps ISPs should take to fight botnets. The code is voluntary, but major communications companies such as AT&T, Sprint, and Time Warner Cable have already agreed to follow it, earning them a spot on a list maintained by the FCC that is essentially a "safe list."

This code has already been shown to have an impact. According to the working group that drafted it, the benefits included "fewer calls to help desks from customers with infected machines, reduced upstream bandwidth consumption from denial-of-service attacks and spam, increased customer goodwill, and a drop in spam-related complaints from other ISPs." This is real, demonstrable data that touches on a wide variety of important Internet security issues. Hopefully more major companies will adopt these rules, and the web will be a safer place!

if(year == 2011) { hacktivists > cybercriminals }

http://www.wired.com/threatlevel/2012/03/hacktivists-beat-cybercriminals/

So, it turns out that in 2011 hacktivists overtook cybercriminals in terms of the amount of data stolen. According to the Verizon 2012 Data Breach Investigations Report, over 100 million of the 174 million records stolen in 2011 were taken by hacktivist groups. Is this a good thing?

This is a completely subjective issue, and depends on one's opinion of the political and social agendas of these hacktivist groups. On one hand, these groups often expose gaping security holes, which then get patched; on the other hand, some of these groups are at best annoying and at worst destructive.

Obviously, the hacktivist group with the most name recognition is Anonymous. Surprisingly, this article doesn't mention Anonymous at all. This could be because Anonymous relies largely on denial-of-service attacks, which knock a site offline but don't steal any records, rather than on intrusions that require more technical skill. The article does explain why hacktivists may have collected so much more data than cybercriminals: hacktivists tend to target large organizations or government agencies (usually to further the group's political agenda), while cybercriminals are more likely to attack smaller businesses with weak security, which yield far fewer records per breach.

So how do we judge this information? After reading the article, I'm not convinced as to who is worse. On one hand, cybercriminals clearly do more damage to individuals, especially business owners and employees. However, hacktivist groups could pose a larger-scale threat, due to their ability to disrupt larger agencies. It makes one think... where do we draw the line between hacktivism and cybercrime?

Wednesday, March 14, 2012

Your Android Is Safe


In recent years, the popularity and power of smartphones have grown rapidly. The two largest competitors in the smartphone market, in terms of software, are Google's Android and Apple's iOS. Since smartphones are basically miniature web-enabled computers, the security of the information stored on one's smartphone is obviously a huge issue. While we often find that the security features offered by major companies are subpar, in Android's case a recent FBI case suggests that its built-in lock screen is actually quite good.

Android's built-in lock screen, which prevents any data on the phone from being accessed, is pattern based. It consists of a 3 x 3 grid of dots, and the owner initially programs in a pattern in a "connect-the-dots" fashion. Any time the user wants to unlock the phone, the correct pattern must be drawn on the screen. If the pattern is attempted and failed several times, the pattern mechanism is "locked out," and the user is required to enter the Google account email and password associated with the phone. The pattern space itself is not enormous (there are 389,112 valid patterns on a 3 x 3 grid, fewer than the million combinations of a six-digit PIN), so what really protects the phone is the lockout: it denies an attacker the hundreds of thousands of guesses a brute-force attempt would need, and without it a patient attacker could eventually draw every pattern.

The article specifically discusses a case in which FBI forensics experts were trying to unlock a Samsung Exhibit II (an Android phone) suspected of belonging to a San Diego pimp, but were unable to get past the lock. An effective built-in lock like Android's pattern mechanism matters because many states allow authorities to search a suspect's mobile phone upon arrest. It can help prevent innocent people, or people arrested for crimes where rummaging through their personal data isn't needed to establish guilt or innocence, from having their private information looked at. In the case in question, the FBI is currently trying to have Google override the lockout so that agents can access the phone.

Tuesday, March 6, 2012

Ruby on Rails Fails

http://arstechnica.com/business/news/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby.ars
http://erratasec.blogspot.com/2012/03/rubygithub-hack-translated.html

A huge flaw in Ruby on Rails has been pointed out. Ruby on Rails is a popular web-application framework built on the Ruby programming language. Rails aims to be an all-encompassing framework that addresses every aspect of web development, from the database layer up to the HTML. This sounds good, right? However, for something like this to work, every piece has to be designed well and default to secure behavior. That is the basis for the flaw that was pointed out.

The flaw was pointed out by the Russian developer Egor Homakov and has to do with "mass assignment." Rails lets a controller take every field of a submitted form and assign it to the matching attribute of a model object in one step, and unless the model explicitly declares which attributes may be set that way, every attribute is fair game. An attacker can therefore add parameters to a web request that the form never offered (an admin flag, or the id of the user a record belongs to) and have them saved along with the legitimate fields. This hole, which Homakov had reported several days before his demonstration, is a well-known weakness, and it can let attackers gain administrator rights on some sites built with Ruby on Rails.
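The mechanism in miniature, as an added example that is neither Rails source nor Homakov's exploit: a plain-Ruby stand-in for ActiveRecord mass assignment, with a vulnerable model that accepts every parameter beside one that whitelists its attributes. The `accessible` declaration here plays the role that Rails' `attr_accessible` played at the time; the module, class and method names are this example's own, and the request parameters are constructed.

```ruby
# Added example (not Rails code): how mass assignment lets a tampered request
# set attributes the form never exposed, and how a whitelist stops it.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which attributes a request may set (hypothetical stand-in for
    # Rails' attr_accessible). With no declaration every attribute is
    # assignable, which was the default in Rails 3.x applications.
    def accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attrs
      @accessible # nil means "everything is assignable"
    end
  end

  # Assign each parameter to the attribute of the same name, the way a
  # controller's Model.new(params[:model]) does.
  def assign_attributes(params)
    allowed = self.class.accessible_attrs
    params.each do |key, value|
      name = key.to_s
      next if allowed && !allowed.include?(name) # the whitelist check
      setter = "#{name}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Vulnerable: no whitelist, so "admin" is assignable from the request.
class User
  include MassAssignable
  attr_accessor :name, :email, :admin

  def initialize(params = {})
    @admin = false
    assign_attributes(params)
  end
end

# Hardened: only name and email may come from a request; admin can only be
# changed by application code.
class SafeUser < User
  accessible :name, :email
end

# Constructed request: the signup form only has name and email fields, but the
# attacker adds an "admin" key to the POST body.
TAMPERED_PARAMS = {
  "name" => "mallory", "email" => "mallory@example.com", "admin" => true
}.freeze

def demo
  {
    vulnerable: User.new(TAMPERED_PARAMS).admin,
    hardened: SafeUser.new(TAMPERED_PARAMS).admin
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Swap `admin` for `user_id` on a model that stores SSH keys and you have the shape of the GitHub problem: the attacker picks which account a record belongs to. The fix is the same either way, a model-side whitelist, since the form is under the attacker's control and cannot be trusted to send only its own fields.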

After an unsuccessful bug report, Homakov decided to make his point by showing how serious the flaw could be. By exploiting it on GitHub.com, one of the largest source-code hosts there is (ironically, the Ruby on Rails source code is hosted there), he was able to attach his own SSH public key to an account with commit access to the Rails repository, which in principle gave him write access to any project hosted on the site. The potential for extremely destructive activity was certainly there. Luckily, he didn't do anything malicious: all he did, appropriately enough, was push a commit to the Rails repository's master branch calling out the security problem. GitHub quickly patched the hole on their site, but it is still clear that the possibility of the same problem in other websites running Ruby on Rails should be a huge concern. As of now, the flaw has not been fixed in Rails itself.