Karsten Nohl talks about his project at the Hacking at Random conference in August.
(Credit: Hacking at Random)
A German computer engineer said Monday that he had cracked the secret code used to encrypt most of the world's mobile phone calls.
In an attempt to expose holes in the security of global wireless systems, 28-year-old Karsten Nohl cracked the 21-year-old GSM algorithm, which is used to encrypt 80 percent of the world's mobile calls, reports The New York Times.
Nohl revealed his success at the Chaos Communication Congress in Berlin, Germany. He said that 24 people worked independently to reproduce the code book, or binary code log, for the algorithm, which contains the equivalent of about two terabytes of data.
He announced his intentions to crack the GSM algorithm at a conference in August.
Read more of "Code that encrypts world's GSM mobile phone calls is cracked" at ZDNet's Between the Lines.
A not-so-merry holiday gift for Amazon.com: hackers say they've successfully cracked copyright protections on the company's Kindle e-reader, making it possible to export e-books to other devices.
One hack reportedly resulted from a Kindle DRM challenge issued on Israeli forum Hacking.org. On that site, an Israeli hacker known as Labba claims to have created a tool that lets e-books stored on the Kindle be transferred as PDF files.
A U.S. hacker has written a program to crack copyright protections on the Kindle for PC application.
(Credit: Amazon)
A U.S. hacker who goes by the name "i♥cabbages," meanwhile, created a program called Unswindle that promises to convert books stored in the Kindle for PC application into a different file format.
The free Kindle for PC app lets book buyers read their books right from their PCs without having to buy a Kindle reader. Unswindle has to be used in conjunction with MobiDeDRM, a program by another hacker named "darkreverser."
Posters on i♥cabbages' blog give Unswindle mixed reviews, ranging from "works like a charm" and "worked flawlessly" to descriptions of various errors.
Updated at 11:15 p.m. PST to include comment from witness and reflect Twitter.com accessible again.
Updated at 11:50 p.m. PST with status update from Twitter.
Twitter.com was down Thursday evening, and it appears that the microblogging site may have been hacked or the victim of a DNS hijacking.
The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:
The message at the bottom of the image appears to be written in Perso-Arabic script and when translated to English it read:
Twitter's status blog was also inaccessible. CNET has inquiries out to Twitter and we will let you know more when we hear back.
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Chris Hoare, a Flickr user in Leicester, England, captured the screenshot above and said his attempt to connect to Twitter bounced through a second Web-hosting server before the image was displayed but that he couldn't catch the address.
"The HTML was pretty basic, and everything that it showed was local on the server it was being sent from," Hoare told CNET News.
A Twitter update message posted at 11:28 p.m. said the site was "working to recovery from an unplanned downtime" and indicated that the incident was indeed a hijacking of Twitter's DNS records:
Twitter's DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez's feed and proclaimed the journalist was "high on crack." Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation's presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
The MQ-1 Predator.
(Credit: U.S. Air Force)
Iraqi insurgents have reportedly intercepted live video feeds from the U.S. military's Predator drones using a $25.95 Windows application that allows them to track the pilotless aircraft undetected.
Hackers working with Iraqi militants were able to determine which areas of the country were under surveillance by the U.S. military, The Wall Street Journal reported Thursday, adding that video feeds from drones in Afghanistan also appear to have been compromised.
Meanwhile, a senior Air Force officer said Wednesday that a wave of new surveillance aircraft, both manned and unmanned, were being deployed to Afghanistan to bolster "eyes in the sky" protection for the influx of American troops ordered by President Obama.
This apparent security breach, which had been known in military and intelligence circles to be possible, arose because the Predator unmanned aerial vehicles do not use encryption in the final link to their operators on the ground.
Read more of "U.S. was Warned of Predator Drone Hacking" at CBSNews.com.
A lawsuit filed against Heartland Payment Systems over what is believed to be the biggest data breach in U.S. history has been dismissed.
The lawsuit was filed in January against Heartland by shareholders who alleged that Heartland failed to adequately safeguard the compromised consumer data and did not notify consumers about the breach in a timely manner as required by law.
The U.S. District Court for the District of New Jersey granted Heartland's motion to dismiss the lawsuit on Monday, Heartland said in a statement on Wednesday. The court said the plaintiffs had not proved their allegations that Heartland executives knew the company had inadequate security and misled the public about it, according to a report on StorefrontBacktalk.
Heartland had disclosed the breach January 20, the day of President Obama's inauguration. The breach occurred last year but company officials said they found evidence of the intrusion the week before the announcement and immediately notified law enforcement and credit card companies.
Jeff Moss
(Credit: Darington Forbes)
Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, the first major hacker conference and the largest in the world, as well as Black Hat, its more corporate counterpart. And now he is helping the U.S. government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month about his digital coming-of-age and how Google, Yahoo, Facebook, and other sites are putting consumer privacy at risk and jeopardizing social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on Friday.
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened in '93.
Q: So, things were different then. Can you talk about how the landscape has changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and once money was involved it changed everything. Actually that's not true. Technology grew up. So two things: money and technology. Technology grew up and a lot of the original motivations for hacking sort of changed, at least for my generation. When Internet access is essentially free and Unix is free and phone calls are essentially free and pennies on the minute, not dollars on the minute, why do you need to steal a phone call when it's free? Why do you need to break into a university to read man (manual) pages on Unix when you can download free security guides online?
You had to work so hard to learn something, and once you learned it you felt like it was yours. You made it yours by discovering it and figuring it out and sharing it with your friends. But now it's basically just handed to you on a Google search page so that motivation is just different now. Now it's not a question of figuring out how the SS7 phone switching network works. You can download 50 documents that tell you how it works. It's more about now the information is basically free what do you do with the information? How do you use it? Before it was about the quest for information; just getting your hands on the information was a victory.
As soon as people started making money on the Net...during the dot-com boom, that's when you could see the impact. Everybody needed somebody with Internet skills. And at that time it was hackers and early adopters. So all the early adopters could go out and get paid for their hobbies. That changed the nature of it too. It became a job as opposed to a hobby. When the criminals finally caught on that there was some real money with low risk and potential high reward...once nation states and organized crime groups got involved, that was the end of the age of innocence. It happened really quickly; 10 years or so. It used to be that you could probably defend against the bored college student and a couple of his buddies and you could do some defensive maneuvers and watch your log and know when somebody is poking around (your network) and have a pretty good handle on things.
(Audio: an edited audio version of the interview with CNET's Elinor Mills.)
But the amount of noise and the amount of scanning and the amount of resources that people can put against you now, it's kind of...(laughs) I used to always say that large governments, military, and an EDS or a Microsoft, they've got the in-house talent to defend themselves and the budget to do it if they have to. But the SMBs, the small and medium businesses, they don't have the talent or the budget or the experience, so those poor companies are at a disadvantage in this kind of world... The technology hasn't matured to where you just plug it in and it works. You still need a certain amount of high-end talent if you want to be secure. So we're not at the point where you buy a car and you've got the air bag. We're not there yet. Every year the bar keeps getting raised and it's a little bit harder to break in. But that just means that the better-funded organized crime groups and governments could potentially be the last ones left standing. And when the attacks get so sophisticated and so subtle your average sec guy is not going to necessarily have the computer skills to protect against it.
Q: Is that an argument then for managed security services?
Moss: Hmm. Do you mean something like a Counterpane, the sort of centralized log management where they analyze everything?
Q: Yeah.
Moss: That's essentially (similar to the idea of putting) your eggs in less baskets and have experts watch the logs. The DHS (Department of Homeland Security) is trying to do that with Einstein. It seems like that's a rational response to the problem. I'll have to think about that. The problem is by the time they notice something is the damage already done if they're infiltrating secrets, say, versus defacing your home page? If you look at the nature of the problems the organized crime groups generally want money and the government wants secrets and they go about their business differently because the goals are different. Maybe centralized services like that work better against one group than the other.
Q: How did you first get into hacking and on to computer security? What got you interested in all this?
Moss: It was kind of random. My dad was a doctor at the University of San Francisco and the university was offering some discount if you bought an IBM, you could get it at some kind of educational discount...so they bought a pretty expensive computer back then for me and my sister to play with.
Q: How old were you?
Moss: I was right around 12 or 13.
Q: And you are how old now?
Moss: Thirty-nine. And my sister wasn't interested in it. She ended up getting into music and it turned into my computer instead of the family's computer. I started off as a software pirate. You're 13 years old and your buddy gets a game for his birthday and I've got a game and there just weren't that many games on the PC back then. You could either just straight copy the game or if there was some sort of copy protection you saved up and bought a copy of 'Copy to PC' and you could copy each others' games. You would try to figure out why did that work. There wasn't a whole lot of programming books back then so I learned BASIC and I started learning assembly language.
And then to upgrade the machine you had to learn how to take apart the machine and it was much cheaper to buy memory and install it yourself than to buy a memory card. I had no money as a kid. So there were these overclocking kits you could buy for like $50 or $60. You could overclock your CPU to make it go 30 or 40 percent faster. Instead of going something like 6.55 or whatever megahertz, you could make it go 8 megahertz and that was awesome. So then you would figure out why does that work? What's going on there?
And then the huge revelation for me was getting a modem. Once I got an acoustic coupler modem, a 300-baud modem, that was the beginning of the end for me because all of a sudden I got to communicate (with others online). It started with my friends who had modems and I would use them over at their house and eventually I saved up and got my own. And you would be on these message bulletin board systems talking with people in the Bay Area. They didn't know your age or your gender or your education or anything and you're having conversations with grownups about grownup topics, drugs, technology, music, whatever it is. The sort of conversations you didn't have with your parents. You could overhear other people having conversations about (things). It was this great glimpse into the bigger world that was out there. And that really opened up my eyes. It was different from what we talked about at school. It was different from what you talked about with your friends, your parents. It was a whole other world and it just made you want to find more and more bulletin boards and more and more people. And that led to phone phreaking, trying to figure out how the phone systems worked and how to call longer distance and the cheapest way to do it. It was that exploration.
And it was all very random for me. I knew about the phone systems because I ran a bulletin board and I spent a lot of time dialing long distance to get onto different bulletin boards. And I knew about software programming but I didn't really know about hacking until a chance encounter with someone. And he had the opposite experience. He didn't know anything about phones and he didn't know anything about copy protection or reverse engineering that way, but he knew all about hacking. He knew all about networking, which is something I didn't know about because I didn't have a network in my house. Everything was point-to-point dial-up. Nothing was a network. So through him I learned about networking.
Things happened in my life at certain times. Very random. It was luck. I was lucky my parents bought that computer. It was lucky I learned about the modem and lucky I ran into that guy who taught me about hacking. I would love to say it was some master plan on my part, but it was a happy set of circumstances.
Q: That reminds me of the Malcolm Gladwell book "Outliers" that I'm reading right now. It's very relevant to what you're talking about--that it's not just intelligence, but also opportunities that give people the ability to accomplish things.
Moss: Is that the book that talks about the 10,000 hours (the amount of time it takes to practice something in order to become a success at it)?
Q: Yes.
Moss: Somebody told me about that and I totally believe it. If I think about it, I put in thousands and thousands and thousands of hours just talking to people and reading and programming and screwing around with computers and trial and error on phones and everything until it became sort of second nature. If you think about people who are really good with musical instruments, they put in tens of thousands of hours. Or (people) working on cars. I have a friend who is a fantastic car guy and he grew up with a wrench in his hand. He innately understands how mechanical things work.... (These people) see the world differently (and have) developed a sixth sense toward it.
Q: Do you have a sixth sense toward hacking?
Moss: Well, you have a sixth sense toward looming problems. Somebody announces an (integration) project and you just think to yourself "Oh, that's going to be a problem. How are they going to do that?" From a technology standpoint how are they ever going to get all those systems to work and from an HR or organizational standpoint, you just know it's not going to happen...
In the back of my head I wonder if we haven't embraced the Internet technologies (too) quickly. If you're going to touch these critical systems you need a different mentality. You need a different skill set. I don't know. For example, SCADA (Supervisory Control and Data Acquisition) systems are starting to be hooked up to Web interfaces and it makes central management really easy and it makes understanding and visualizing the process flow information really easy. So the managers hear that and think cost savings and ease of management and ease of visibility. I hear that and I think "Whoops, that's going to be a problem." You're joining these two networks with Web protocols that are essentially inherently insecure or are difficult to secure and then you go and listen to Moxie Marlinspike talk about the problems with SSL and you think to yourself, "That's a problem." You just get a sixth sense about things like that.
Q: So we've covered a lot of ground here. Is there anything else to discuss about computer security, cybersecurity, your background?
Moss: I have a current rant I've been going on about. It's my low-hanging fruit rant. Six months ago there was an open letter to Google asking them to please make everything HTTPS (Hypertext Transfer Protocol Secure) by default and I was a signer on that letter. It was another one of those (proposals that) made total sense. Why isn't there a push to just make everything HTTPS by default? Because everybody's browsers work with it. Computers are fast enough now. Home PCs are fast enough that the extra encryption doesn't even faze them. Why not start getting rid of HTTP and moving to HTTPS? That seems like a pretty low-hanging fruit, easy to do. If you can't do that what makes you think you are going to be able to do more complicated things?
And if you look at what we rely on, we rely on the Web, which isn't secure. We rely on DNS (domain name system), which isn't secure and we rely on e-mail, which isn't secure. The three foundational things we've been using since the dawn of time aren't secure and there doesn't seem to be a big push to fix any of it. These big companies that are encouraging us to put our lives online, the Yahoos, the YouTubes of the world, they're not doing their bit to secure it.
The thing that really kind of pissed me off, during the whole Iranian revolution or protest over the election you saw all these people just pouring their hearts out on these different social sites and their political beliefs out over unsecured http. And the government is sitting there just collecting it all, recording it. And sooner or later they'll come knock on people's doors. It really drove home we are beyond sharing pictures of fluffy cats and the social sites are now being used to organize political movements and social-justice issues.
If that kind of stuff is going to happen you've got to do it in a secure fashion or you're being negligent. Because if it was SSL (Secure Sockets Layer) between say the dissidents in Iran and some social site they would know your IP (Internet Protocol) address connected to Facebook, for example. And they would know that you transferred a couple hundred thousand bytes (of data) but they wouldn't know your log in, they wouldn't know your friends, they wouldn't see what you are posting. They wouldn't know any of that. That seems like a good thing if you are concerned about the well-being of your citizens. A lot of problems would go away if everything were just SSL by default. A lot of the privacy concerns would go away. Every time I get a chance to talk to somebody at one of the big social sites I give them some grief and say, "How come you aren't doing this? Why do you protect my log in but you don't bother to protect the rest of my session?" It's super frustrating.
There has been a marked increase in the amount of spam e-mails being sent from Yahoo, Gmail, and Hotmail accounts, according to analysts at Websense Security Labs.
Websense said on Thursday that personalized spam e-mails had been sent from the compromised accounts to all of each user's contacts. The e-mails contain links to fake shopping sites, intended to capture sensitive information from the reader.
Earlier this week, Microsoft acknowledged that 30,000 Hotmail accounts had been breached, and suggested the passwords for the accounts had been obtained in a phishing scam.
However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet UK on Friday that the information was likely to have been obtained through key logging.
"The quantity of people hit makes me think that it was key logging--the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of email account credentials...
Read more of "Hacked Web mail accounts used to send spam" on ZDNet UK.
Update October 6 at 11:25 a.m.: This was later discovered to be an industrywide problem that has affected users of Gmail and possibly other e-mail services as well. See more details here.
Thousands of Windows Live Hotmail passwords have been leaked online, Microsoft has confirmed. The news was first reported by Neowin.
According to Microsoft, it "learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site" at some point over the weekend. Neowin originally reported that the credentials were posted to a developer forum on Pastebin.com on October 1.
After learning of the breach, Microsoft "immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," it wrote on its Windows Live blog.
The company was quick to point out that credentials were stolen through what was "likely a phishing scheme." The company said that it "was not a breach of internal Microsoft data." It's currently "working to help customers regain control of their accounts."
Microsoft did not immediately respond to CNET's request for comment.
Microsoft didn't say exactly how many accounts were affected, but Neowin reported that the original list displayed accounts with names starting with "A" and "B."
Twitter and other social networks are abuzz with people advising others to change their passwords. Microsoft wrote in the blog post that those who believe they were affected by the phishing scheme should immediately do just that.
Updated at 1:30 p.m. PDT to include Microsoft's confirmation of the breach.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
Dino Dai Zovi
(Credit: Tehmina Beg)
It was summer 2005. Dino Dai Zovi walked into a Manhattan Starbucks, ordered a coffee, sat down, and opened up his laptop.
Before his coffee was cold he had found a local privilege escalation vulnerability in Mac OS X Tiger, which could allow people to elevate from normal user to full super user, and had written code that could exploit the hole.
"I just think that I got lucky, but that's what I always think when I find a bug that quickly," he said in an interview on Wednesday.
Dai Zovi has been exploiting Macs for a long time, publishing his first Mac OS X shellcode (code used as the payload in an exploitation of a vulnerability) for the PowerPC in July 2001. He said he has reported more than 10 vulnerabilities to Apple over the years and does so out of love for the platform.
"I'm an avid Mac user," he said. "So I have a vested interest in them being more secure."
The 29-year-old got an early start in computers, using bulletin boards in second grade and accessing the Internet through a computer running VAX at 13. He taught himself to program and got a computer science degree from the University of New Mexico. While still in college, Dai Zovi worked for the Information Design Assurance Red Team at Sandia National Laboratories, which performs security assessments for the government, military, and commercial industry.
Since then he's worked for consultancies @Stake and Matasano Security, Bloomberg, been director of security at a hedge fund in New York, and now works as chief scientist at Endgame Systems, an information security start-up.
Dai Zovi's Mac hacking hobby has won him some measure of fame. He won the first ever PWN2OWN hacking contest at the CanSecWest security conference in 2007, exploiting a vulnerability in Apple's QuickTime that affected not only Mac-based computers but also those running Windows and for which Safari, Internet Explorer, and Firefox were vulnerable. (In the contest, participants show up with exploits ready to go. The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.)
He co-authored a book, The Mac Hacker's Handbook, this year with security expert Charlie Miller that argues that contrary to popular belief, the Mac platform is not more secure than Windows, it's just not targeted by malware writers--yet.
"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."
If security features are added to the new version of Mac OS X, Snow Leopard, which is due out on Friday, that could change Dai Zovi's and Miller's opinion. (The CNET review of the product is here.)
Charlie Miller
(Credit: Charlie Miller)
Miller has won the PWN2OWN contest the past two years. In 2008, he was able to gain control of a Leopard-based MacBook Air using a newly discovered vulnerability in Safari. That took him less than two minutes. This year, it only took him 10 seconds or so to exploit a hole in Safari on a MacBook running Leopard.
Miller is probably best known, though, for being the first to hack the iPhone, discovering a hole in the mobile version of Safari in 2007.
One of the reasons he entered the PWN2OWN contest was to prove that Mac OS security was lacking.
"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."
Miller comes from a Linux and Windows background and is relatively new to the Mac platform because he worked in the financial and government sector before becoming a security whiz.
After getting a Ph.D. in mathematics at the University of Notre Dame, Miller worked at the U.S. National Security Agency for five years. Hired as a cryptographer, Miller pushed for computer security training because he was "looking for something else to do."
He then worked at a financial-services firm before moving back to his home town of St. Louis and taking a job as principal analyst at consultancy Independent Security Evaluators, where Macs are standard.
"I hack products I own and use and like," he said. "I want to know how they work and play around with them...I thought the Mac OS and the iPhone were cool."
Updated at 6:58 a.m. PDT with more details about the PWN2OWN contest.
Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.
The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.
The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.
The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.
They used an SQL injection attack to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, a small piece of malicious SQL is inserted into input that a Web site passes to its database, exploiting a vulnerability in the database layer of the application that feeds information to the site.
They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.
The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.
Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.
Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.
Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.
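The SQL injection weakness described in the indictment coverage above, shown as an added illustration that is not part of the original article or drawn from the case: a query built by string concatenation beside the same lookup with a bound parameter and an allow-list check. The table, store IDs, card digits, ID format and function names are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows; nothing here comes from the case in the article.
SAMPLE_ROWS = [("store-001", "1111"), ("store-001", "2222"), ("store-002", "3333")]

# Constructed input whose quote characters rewrite a concatenated WHERE clause.
CRAFTED = "x' OR '1'='1"

# Hypothetical store ID format used for the allow-list check.
STORE_ID = re.compile(r"store-\d{3}")


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, store TEXT, card_last4 TEXT)"
    )
    db.executemany("INSERT INTO orders (store, card_last4) VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, store):
    """Weak form: the input is pasted into the SQL text, so quotes in the
    input change the structure of the query the database parses."""
    sql = "SELECT card_last4 FROM orders WHERE store = '" + store + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, store):
    """Corrected form: the SQL text is fixed and the value is bound to the
    placeholder, so the database treats it as data only."""
    sql = "SELECT card_last4 FROM orders WHERE store = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (store,))]


def lookup_validated(db, store):
    """Defense in depth: reject input that is not a well-formed store ID
    before it reaches the database layer at all."""
    if not STORE_ID.fullmatch(store):
        raise ValueError("rejected store id")
    return lookup_parameterized(db, store)


if __name__ == "__main__":
    db = make_db()
    print("normal input, parameterized: ", lookup_parameterized(db, "store-001"))
    print("crafted input, concatenated: ", lookup_vulnerable(db, CRAFTED))
    print("crafted input, parameterized:", lookup_parameterized(db, CRAFTED))
    try:
        lookup_validated(db, CRAFTED)
    except ValueError as exc:
        print("crafted input, validated:    ", exc)
```

With the concatenated query the crafted value returns every store's rows; with the bound parameter it is compared as a literal string and matches nothing.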





