“Jedi Packet Trick” Punches Right Through Firewalls

Hackers have hit on a new way to break into computers: by attacking the firmware used in networking cards.  Independent security researcher Arrigo Triulzi is set to unveil one such attack on Friday at the CanSecWest security conference.  He calls his technique the Jedi Packet Trick.  It essentially installs a clandestine virtual private network inside a firewall by hacking the firmware of the victim’s networking cards.

Using a little-known remote factory diagnostic mechanism used by certain Broadcom cards, Triulzi has developed a way of installing customized firmware that instructs the card to directly pass packets to another card without telling the operating system.  “You trick the operating system into believing that packets going between two different network cards don’t exist,” he said.

PCworld

FBI Sting Reveals How Organized “Cyber” Gangs Really Are

The FBI recently released some interesting findings about online crime that confirm what we suspected all along: the criminals involved are business-like, coordinated and cooperative, operating just like businesses that are out to turn a profit.  A number of sting operations have uncovered the various roles individuals play within a criminal organization, down to specific titles and duties.

For example, Coders write malware.  Hackers actively search for vulnerabilities to exploit.  Fraudsters create and deploy social engineering schemes.  Hosters provide safe content servers and sites.  Techies maintain the infrastructure.  Leaders are the managers who keep the team together.

Although the FBI report is written from a heavily US perspective, it can be extrapolated from the report that these organized and efficient gangs continue to steal public and private sector information for the purpose of undermining the stability of all of our governments, or weakening our economic and military independence.  This threat can be an existential threat, meaning it can challenge any country’s very existence, or significantly alter a nation’s potential.

Undercover FBI agents who became trusted members of criminal organizations found that self-reliance is rare.  Almost every criminal on a team is a member of at least one online forum, website or chat room.  They use these virtual meeting places to discuss techniques, share tools and tips, and evaluate other users.

The rise of Mafia-like cyber crime syndicates

NetSecurity

ATM tampering ring busted in Durham Region, Ontario Canada

Police have seized thousands of bank account numbers stolen by an identity theft ring and charged 6 people with 80 criminal offences.  Durham Regional Police and the Ontario Provincial Police have been working almost a year to bust up an ATM tampering ring in an operation dubbed Project Kaiser.  The Identity Crime Unit focused on a small group of suspects who were manufacturing devices to be used by criminal networks in Ontario.  Raids were conducted simultaneously in Vaughan, Barrie and Newmarket, resulting in the arrest of 5 males and 1 female.

During the raids about 110 ATM overlay and pinhole camera devices were seized.  Each device can cost a bank up to $100,000 in losses.  Hundreds of debit cards and thousands of pieces of compromised electronic data were also seized.  Police also seized 3 vehicles under Proceeds of Crime legislation: a 2010 Porsche Cayenne, a 2010 Dodge Magnum and a 2001 Volkswagen Jetta.  Other items seized included about $100,000 worth of power tools and electronic games, and items used to disguise the suspects near the ATM security cameras.

Sebastin Bihari, 35, of Ford Wilson Boulevard in Newmarket, Lemak Bary, 23, of Ford Wilson Boulevard in Newmarket, Geza De Breceni, 50, of Torresdale Avenue, North York, Nyla Pejhan, 23, of Tester Lane, Zephyr, Gabor Lakatos, 25, of Pegasus Drive, Richmond Hill, and Jozsef Lakatos, 46, of Morris Road, Bradford, were all arrested on various charges including participating in a Criminal Organization.

Digital Journal

3 New US Breaches Affect 20,000+

The new HHS/OCR web site has added three more US breach reports:

Montefiore Medical Center
Date of Breach: 2/20/10
State: New York
Individuals Affected: 625
Type of Breach: Laptop Theft

Private Practice
Date of Breach: 2/20/10
City and State: San Antonio, Texas
Individuals Affected: 21,000
Type of Breach: Portable Electronic Device Theft

Aspen Dental Care P.C.
Date of Breach: 10/04/09
State: Colorado
Individuals Affected: 2,500
Type of Breach: Theft

None of these breaches had been reported in the media to my knowledge.  Unfortunately, because of the type of summary HHS/OCR has chosen to provide, we do not know if any SSN or financial information were also involved in the breaches.  The second breach highlights a liability and disclosure issue: private practitioners’ names are being shielded.  Here you have a practitioner who has a device with unsecured protected health information on 21,000 patients stolen, and you cannot tell who it is.  If you lived in San Antonio, wouldn’t you want to know whether a doctor you were considering using had left Personal Health Information unsecured?

HHS/OCR

Caution FIFA Fans! Beware PDF Files

Security researchers are issuing their annual warning regarding an ongoing targeted email attack using a FIFA World Cup-themed lure.  The intention of this one is to trick users into opening a malicious PDF file.  The PDF file targets a code execution vulnerability in Adobe Reader that was patched in February (CVE-2010-0188).

The FIFA World Cup is the most important football (soccer for Americans) competition and arguably the most watched regular sporting event in the world.  The 19th edition of the event will kick off on June 11, 2010 in South Africa.  The current attack misuses the name and intellectual property of a renowned African safari organizer called Greenlife Africa.  Greenlife produces an informative and useful PDF guide to the World Cup.  The attackers have downloaded Greenlife’s PDF and changed it to include malicious code, explains Symantec.  They also point out that a worker from “a major international organisation that brings together governments from all over the world” was among the targets of this email attack.  The wording in the email suggests that attackers intended to trick consulates and tourism authorities into distributing the PDF file through official channels to the general public.

Successful exploitation by this PDF will result in several encrypted executable files being dropped and executed on the system.  This threat also features a rootkit component, installing itself as a service called “Remote Access Connection Locator.”  This malware agent might also be capable of self-propagation on local networks.  Symantec warns that detection rates are currently very low.  Users of Adobe Reader and Acrobat older than 9.3.1 or 8.2.1 are urged to upgrade immediately to the latest version.

Symantec Notes