Sophos

Archive for the ‘Law and Order’ Category

Live Aid concert for NASA hacker?

Well, the precedent has been set.

In 1971, ex-Beatle George Harrison got his buddies Eric Clapton and Bob Dylan to join him on stage at Madison State Garden in a benefit concert for Bangladesh.

In 1985, ex-Boomtown Rat Bob Geldof rocked the world with help from Status Quo, Queen, U2 and a galaxy of other stars at Live Aid.

And in 1998, South Park hosted Chef Aid with help from Elton John and Meat Loaf.

Now, supporters of NASA hacker Gary McKinnon are said to be trying to organise their own benefit concert. The keyboardist with Marillion, the progressive rock band most famous for their pop hit “Kayleigh” from 1985, has suggested that he might want to get involved, after organiser Ross Hemsworth wrote to more than 100 bands including the Kaiser Chiefs, Sting, Mark Knopfler and Madonna.

The concert, named “Rock Against Injustice”, is intended to raise awareness about McKinnon’s ongoing legal fight, and the UK’s extradition treaty with the US.

You can’t question the enormous amount of energy that McKinnon’s supporters have put into raising awareness of his plight. Hemsworth, the managing director of Glastonbury Radio, is hopeful that George Michael might record his own version of a song written by Gary McKinnon.

However, having heard McKinnon’s song “Only a Fool” (and watched the video on YouTube) I can’t help but think that’s a little over-optimistic.


Court orders company to stop selling spyware

Florida-based software company CyberSpy Software has been ordered by a US district court to stop selling its RemoteSpy keylogging spyware program.

According to the Federal Trade Commission, CyberSpy gave customers detailed instructions on “how to disguise their spying program as an innocuous file, such as a photo, attached to an email.”

It is claimed that when innocent internet users clicked on the disguised file, the spyware would install itself silently onto the victim’s computer, monitoring every keystroke, email and instant message, and making a record of every website visited.

The RemoteSpy software secretly monitors computer activity

Data gathered by RemoteSpy was uploaded to a server run by the CyberSpy company, and made available to customers via a password-protected website.

The RemoteSpy and CyberSpy websites appear to be currently offline (presumably at the court’s request) but I managed to find an archived version for the screenshot above.

CyberSpy is far from the only company to work in this apparent “grey” area between legitimate and illegitimate software. Such products typically promote themselves as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it’s clear that they can be used with a wide variety of motives.

The FTC will be trying to prove that the RemoteSpy software was in breach of the law because it was installed onto computers without the informed consent of the PC’s owner, and used to secretly steal personal data. If the FTC is successful in their fight against CyberSpy it could send a warning shot to other vendors selling “legitimate” spyware.


The difference between Victor Faur and Gary McKinnon

Clu-blog reader Lucian has been in touch following the entry I posted this weekend suggesting that there had been inconsistency in the treatment meted out to NASA hackers Gary McKinnon and Victor Faur.

McKinnon, a Brit, is facing extradition to the United States after hacking into NASA and Pentagon computers shortly after September 2001.

Faur, a computer programmer who hacked into NASA, US Navy and Department of Energy computers between 2005 and 2006, has not faced extradition proceedings and was given a suspended sentence and a fine in Romania last week.

Lucian has been kind enough to go into detail about the apparent discrepancy:

The reason why the U.S. did not push for extradition is not because they did not want to, but because they couldn’t. At the time of Faur’s arrest, the extradition agreement between Romania and the U.S. dated back to 1924 with an amendment in 1936. Therefore, it did not include any IT related offences as basis for extradition, Romania only passing such specific laws in 2001.

On 10 September 2007 Romania and the U.S. signed a new bi-lateral agreement, to reflect the one between the European Union and the U.S., which facilitates extradition and it was ratified by the Romanian Parliament on 21 May 2008. The formulation of the new treaty is rather generic and does not specifically say anything about IT-related offenses, but it does contain two noteworthy (for this case) specifications:

1. A person will be extradited even if the laws of the two states place the offence in different categories or if the offense is formulated differently.

2. The extradition will be refused if the person has already been convicted for the offence in the state from where he is to be extradited from.

We could say Faur was just lucky, because the U.S. authorities would have very much loved to have him over, but in the future Romanian hackers will be just as exposed to extradition as the British ones.

Some other information like Faur’s attorney’s comments after the sentence, translated from Romanian into English can be found in my Softpedia article.

Thanks for helping me understand Lucian!


Lost for words? Nah, on holiday..

Apologies for the silence from the Clu-blog over the last few days.

Of course, it’s typical that when you take a few days holiday that various stories (large and small) will break in your absence. My wife always reminds me that it was while we were on holiday in Mexico that the notorious female virus writer Gigabyte was arrested.

So, if you can’t wait until I return to my desk on Monday, here’s a quick catch-up on some of the stories that occurred while I was out of keyboard range..

Spam takes a dive

Maybe the biggest story of the last few days has been the dramatic 75% drop in global spam which we witnessed after McColo was disconnected from the internet.

McColo is alleged to have been the home for command-and-control centres for some of the world’s largest botnets - including those responsible for distributing attacks like Rustock and Pushdo.

Spamtrap connections to SophosLabs' spamtraps vs. time

Of course, the drop in spam levels is likely to be only temporary - but that shouldn’t stop us from congratulating members of the security industry like Brian Krebs who helped make this happen.

Great work!

Inconsistent treatment for NASA hackers?

Remember Gary McKinnon, the British hacker who is facing extradition after breaking into NASA and Pentagon computers shortly after 9/11?

Well, his case contrasts dramatically with that of another NASA hacker sentenced this week. According to media reports, Victor Faur, a Romanian computer programmer who hacked into NASA, US Navy and Department of Energy computers has escaped a jail term.

28-year-old Faur received a suspended sentence of 16 months on Monday, and was ordered to pay a total of $238,000, after being found guilty of hacking into the government departments between November 2005 and September 2006.

What’s curious is that, as far as anyone can tell, the US doesn’t seem to be making much attempt to extradite Faur to their own shores. And furthermore, years after the McKinnon incident the American military systems were still open to exploitation by hackers.

My guess is that McKinnon would be very happy to receive a fine (and even spend time behind bars) if it meant he could stay in his country of birth and be tried by a British court.

$1 million bounty offered for capture of identity thief

Earlier this month I applauded Express Scripts who had refused to pay a ransom demand after data on some of their customers was apparently stolen by an identity thief.

Now the US-based company, which handles 500 million medical prescriptions every year, is offering a million dollar reward for information which might lead to the arrest and conviction of the thief.

Express Scripts have asked the FBI to investigate the theft - so if you have any clues about who might be responsible and fancy $1 million give them a call on 1-800-CALL-FBI.

Dental records extracted from University of Florida

The records of some 330,000 current and former patients at the University of Florida’s College of Dentistry were potentially compromised by hackers, reports revealed on Wednesday.

It turns out that the University’s IT team discovered unauthorised software on the computer system when they were doing a routine upgrade to the server in early October. Apparently, information stored on the computer included the names, addresses, dates of birth and social security numbers of dental patients reaching back as far as 1990.

There’s a worry here that educational establishments may be something of a soft target when it comes to identity theft and data leakage compared to, say, financial organisations who are more used to always looking over their shoulder for the next hacker attack. As more universities realise the severity of attacks like this we’re likely to see them instilling the need for stronger security throughout their systems.


Jail for ex-worker who opened up firm’s servers for spammers

Some people leave their job with a chip on their shoulder - but not many would go so far as to hack into their ex-employer’s computer servers and open them up for spammers. At least I hope not.

37-year-old Steven John Barnes of Mill Valley, San Francisco, used to work as an IT manager at internet media company Blue Falcon Networks (now known as Akimbo Systems) between September 2002 and April 2003.

Later that year, Barnes hacked into the firm’s computer system using a still active password, turning the server into an open relay through which spammers could spew out pornographic and malicious viral emails. As a result, Blue Falcon was blacklisted by some anti-spam services, preventing the company from communicating with its customers.

He pleaded guilty in March to unauthorized access into a protected computer, recklessly causing damage.

Barnes will begin serving his time in jail on January 8 2009. By boosting his sentence beyond a year, Barnes will be eligible to reduce his prison term by a few weeks for good behaviour.

Barnes may have worried that it would look bad when he applied for new jobs that he had been sacked from Blue Falcon, but it will probably look worse that he spent time in jail after taking revenge on a former employer.

This case reminds me a little of a bizarre story that played out in front of the world’s media earlier this year. In case you missed it, an IT technician was accused of holding the city of San Francisco hostage after setting a secret password for the city government’s multi-million dollar network. 43-year-old Terry Childs was reported to have acted after being disciplined in the workplace.


Six arrested following Sarkozy bank account hack

Sarkozy and his wife Carla Bruni

When you have a victim of banking fraud as high profile as the President of France, it’s not surprising that the authorities will put a lot of resources and effort into getting to the bottom of who might be responsible.

According to media reports, French police have now arrested a total of six people in connection with the breach of President Nicolas Sarkozy’s bank account.

President Sarkozy filed a complaint with police last month following withdrawals of “small amounts of money” from his personal Parisian bank account. It is alleged that the money was used to set up mobile phone subscriptions - and some of the people arrested are said to be employees of a cellphone store in Rouen.

Of course, it should be remembered that identity theft isn’t just a problem for famous people like Sarah Palin, Paris Hilton or Nicolas Sarkozy. It can - and does - potentially impact all of us, and we must all do what we can to properly defend ourselves.


Woman accused of hacking her virtual husband to death

My guess is that many of you are still working hard on rolling that critical Microsoft security patch across your business - so here’s a quirky story for you to cheer you up this Friday.

A Japanese player of the online interactive game “MapleStory” has been arrested by police after allegedly breaking into her virtual husband’s account and killing his avatar.

According to media reports, the woman is suspected of carrying out the virtual murder after her fellow player and online love “divorced” her in the game without warning.

It sounds as though her 33-year-old Sapporo-based office worker victim (who no doubt was 6 foot 4, and rippling with muscles in the online game) was careless and shared too much information with his one-time internet lover, which helped her break into his account and kill his character when the relationship turned sour. He subsequently complained to police, who arrested the woman on Wednesday at her home in southern Miyazaki.

We’ve seen hackers break into virtual games before of course - sometimes to cause mischief, but other times to steal virtual goods that they then sell for profit. Indeed, it’s surprising how much money can be made by selling “virtual gold” online to fellow games players.

The man

I’d never heard of “MapleStory” before (I’m so unhip..) but apparently it’s a lot like other MMORPGs, albeit in 2D rather than the 3D world of “World of Warcraft” or “Second Life”. Judging by the screenshot of its Japanese homepage above, though, it’s also a fair bit cuter.

Anyway, a useful reminder to all us chaps that hell has no fury like a woman scorned. And doubly so, it seems, if the internet is involved. So make sure that you choose your passwords sensibly, and always keep them secure, unless you want to end up as the murder victim on a virtual crime scene.


AKILL’s hacker accomplice served with three month sentence

A University of Pennsylvania student has escaped charges related to possessing child pornography, but been sentenced to three months in prison for his part in a worldwide botnet of compromised computers.

22-year-old Ryan Goldstein pleaded guilty to his involvement in the hacking ring and assisted the FBI in its investigations, but then blotted his copybook rather by engaging in “unspecified mischief” with the agency’s computers.

According to the FBI, Goldstein worked with Owen Thor Walker, a New Zealand teenager known by the handle “AKILL”, who commandeered thousands of computers.

In July Sophos reported on how Walker had been fined $11,000 - including over $7,000 to the University of Pennsylvania who suffered damage to their computer network - but managed to escape jail because he assisted police in their investigation.

Walker and Goldstein’s gang were said to have infected 1.3 million computers around the world, installing revenue-generating adware and stealing information worth US $20 million.

The several thousand illegal images of child abuse are not believed to be related to Goldstein’s hacking activities. However, despite their discovery on Goldstein’s computer, prosecutors made the decision not to charge the student in relation to the under-age porn images because he assisted the authorities investigating the hacking ring.

Assistant US Attorney Michael Levy said the decision not to charge Goldstein with child porn was appropriate given his extensive co-operation. Some might argue that being interested in illegal content like that and creating a demand for children to be abused is more serious than hacking computers - but apparently that wasn’t the opinion of the authorities so it was swept under the carpet.

Extraordinary.


Ohio Secretary of State’s website hacked

Jennifer Brunner

Jennifer Brunner, Secretary of State of Ohio, has confirmed that her official website was hacked earlier this week by unknown intruders.

Ms Brunner, a member of the Democrat party, says that no sensitive information was breached in the attack on the website, which was restored on Tuesday after a period of downtime.

What’s particularly interesting about this case is that the State of Ohio has been involved in an almighty brouhaha with the Republican John McCain’s election campaign after allegations of voter fraud. Ohio is considered by many in America to be a key state in the race to the White House.

There is speculation that the hack may be connected to the controversy, as Brunner’s office has also been on the receiving end of offensive emails, phone calls and even a suspicious package containing an unidentified powder and a message saying “Death to Obama supporters”.

Ohio Secretary of State website

Of course, if hackers were able to find a way to make changes to the Ohio Secretary of State’s website then they possibly had the opportunity to install malware or commit identity theft too. There’s no suggestion at this time that they succeeded in doing that, but it’s perhaps a timely reminder to all website owners to do everything they can to reduce the chances of their own website getting hacked.

Hackers’ motives may not always be financial - they can be political too..

* Image source: Spatulated’s Flickr photostream (Creative Commons 2.0)


Miley Cyrus hacker gets a visit from the FBI

Miley Cyrus

A hacker who posted candid photographs of Hannah Montana star Miley Cyrus on the internet was the subject of an FBI raid yesterday.

19-year-old Josh Holly, of Murfreesboro, Tennessee, boasted that he had broken into the Disney teen queen’s email account and stolen photos - including, according to media reports, pictures of her baring her midriff in the shower, and “posing provocatively” in her underwear and swimsuit.

According to Holly’s previous statements, he broke into Cyrus’s Gmail account to find the photos, and also illegally accessed areas of the MySpace social networking website. It is said that the daughter of “Achy Breaky Heart” legend Billy Ray Cyrus made the common mistake of using the same password for multiple websites.

It’s pretty sick how some of the media has reported this incident. For instance, I found a video on YouTube (not linked to here) where a hip-hop radio station interviewed the hacker a while back and actually encouraged him to hack into other accounts on their behalf. It beggars belief why the radio station is allowed to get away with this, and include in their video some of the photos that were stolen.

In case you’re not aware, Miley Cyrus is only 15 years old. Is no-one remembering this?

Anyway, back to the news. The FBI haven’t arrested or charged Holly (who used screen names such as “TrainReq”, “Rockz” and “h4x”) with a crime as of yet, but they did confiscate three computers and a mobile phone.

Miley Cyrus is just the latest in a long line of high profile figures to have been caught with their pants down when it comes to securing their online identity. Maybe it’s time we got back to basics, and ensured that everyone understood the importance of properly securing themselves when on the internet?

* Image source: Jade L Photo’s Flickr photostream (Creative Commons 2.0)