The agency in charge of overseeing execution of data privacy policies is now actively probing Tesco’s website and online shopping portal for any irregularities that may constitute a significant endangerment of sensitive data pertaining to users.
A number of experts have recently expressed concerns about the way Tesco.com handles passwords of users who register themselves on the online shopping site in order to partake of the shopping facilities.
The UK’s data privacy watchdog is examining the security of Tesco’s website after a string of experts highlighted concerns over the methods used for storing shoppers’ passwords on the website of the global supermarket chain. Of particular concern is that in the event of an online hacking attack, scores of highly sensitive (and easily misused) customer-related records would be compromised.
Tesco has maintained that their security is ‘robust’.
In a released statement, a company spokesperson stressed Tesco’s understanding of the importance of proper internet security measures and reiterated Tesco’s commitment to ensuring that customers’ private data remain uncompromised.
So far, Tesco has evidently not been targeted by any hacking attacks, nor has there been any evidence to support the contention that customer data is at risk.
However, critics are adamant that Tesco is in breach of some basic yet essential data storage norms.
Apparently, users have to maintain a shopper account in order to shop online on the Tesco website. The passwords for these accounts should be stored in a secure database, but data storage norms decree that they should additionally be encrypted so that they remain uncompromised in the event of an unauthorized database breach. There is a second reason for the additional encryption: without it, Tesco employees who have legitimate access to the database for maintenance reasons would have very easy (and unauthorized) access to the sensitive data if it is stored in plain text.
The reason security professionals are concerned is that Tesco follows a relatively primitive password recovery process for users who have forgotten their password: it emails the user their credentials, including the password itself. That suggests the passwords are being stored in plain text. If they were encrypted, Tesco would instead have to email users a machine-generated password reset link.
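The safeguards the two paragraphs above describe, written out as an added example that is not Tesco’s code and not part of the original post: the industry practice the text calls “further encryption” is a salted one-way hash, so a copy of the database yields no passwords (to staff or to an intruder), and password recovery emails a short-lived, single-use reset token rather than the password. The in-memory `USERS` dictionary, the e-mail addresses and the fixed time values are constructed assumptions standing in for a real account store and clock.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-in for an account database; a real site would use its DB.
USERS = {}
PBKDF2_ITERATIONS = 600_000     # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60     # how long an e-mailed reset link stays valid


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(email, password):
    """Store a random per-user salt and a one-way hash; the password itself is never kept."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}


def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def start_password_reset(email, now=None):
    """Return the one-time token to embed in the e-mailed reset link, or None if unknown.

    Only a hash of the token is stored, so reading the database cannot be turned into
    a working link; nothing about the password is ever sent to the user."""
    rec = USERS.get(email)
    if rec is None:
        return None      # the caller should still send the same generic reply
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (time.time() if now is None else now) + RESET_TTL_SECONDS,
    }
    return token


def complete_password_reset(email, token, new_password, now=None):
    """Consume the pending token; succeed only if it matches and has not expired."""
    rec = USERS.get(email)
    if rec is None or rec["reset"] is None:
        return False
    pending, rec["reset"] = rec["reset"], None   # single use, consumed on any attempt
    if (time.time() if now is None else now) > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    register(email, new_password)                # fresh salt and hash for the new password
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery")   # constructed sample user
    link_token = start_password_reset("alice@example.com")
    print("reset link would contain:", link_token)
    print("reset accepted:", complete_password_reset("alice@example.com", link_token, "new-pw"))
    print("new password works:", verify_password("alice@example.com", "new-pw"))
```

A token that fails is discarded along with the pending reset, so guessing is limited to one attempt per e-mailed link, and the reply to an unknown address is left to the caller so that it can be identical to the reply for a known one.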
“It does appear as though Tesco didn’t really follow industry best practice with their site.”
The experts criticizing Tesco’s data storage design are quick to admit that any sort of panic is unwarranted, as there is little evidence to suggest any immediate threat to online shoppers. They are wary, all the same, of what they perceive to be a careless and potentially costly liberty taken by the site designers.
Tesco has also received flak in the past for not using HTTPS (Hypertext Transfer Protocol Secure) across its entire site. This leaves users vulnerable to phishing attacks, as well as data interception tactics, especially when using wi-fi networks.
The Information Commissioner’s Office (ICO), the agency mentioned at the beginning, has confirmed that enquiries into Tesco regarding the complaints were already under way, but declined to comment further until more information had been gathered.
The real point of contention, and concern, here is not just that Tesco has outdated data security measures in place, but that it is indicative of a larger industry-wide trend, all the more alarming due to the fact that ideally speaking, the online retailing industry should have the finest data storage techniques next only to the sites of the banking and other financial bodies.
Tesco, on the other hand, clearly have their work cut out for them. They can either keep denying the problem and wait for a data breach to happen, or they can seize this opportunity to own up to their faults while there is still no damage done, and set things right, right away.
If there’s one phenomenon that has been the bane of internet users almost since the beginning, it is online hacking. Whether the target be a home PC or a business machine containing vital organizational information, hackers have targeted and broken into computers and networks for a variety of reasons. Some did it for pleasure, others were online hacking muscle-for-hire, others still had a point to prove; all these may soon go the way of the dinosaurs. If the claims being made are to be believed, a new quantum encryption technology has been developed that is quite literally impervious to all online hacking techniques currently in use.
Defeating the Hackers
Encryption technologies have been in vogue for quite some time. Most ‘secure’ networks, websites and e-mail providers make use of this to ensure that any information should only reach those that it intends to reach and not be accessible to unauthorized parties. Quantum cryptography has long been touted as a hacking-proof encryption technology. On paper it looks convincing too.
In principle, quantum cryptography was devised to be a hacker-proof system that would cause any attempt to ‘read’ encrypted data by unauthorized interception to be immediately noticed by the legitimate parties involved. Thus, in the event of there being three involved parties, namely users Bob and Jim, and a hacker Liza, quantum cryptography technology allows for the secure transmission of an encryption key between Bob and Jim.
The Practical Limitations of Older QKD Technology
The communication of the key is done by transmitting and receiving light signals with the help of photon detectors. The challenge that has dogged security experts over the years is that Liza can intercept and manipulate the light signals.
The technology of quantum key distribution, so plainly effective on paper, has its Achilles’ heel in the photon detectors used to receive light signals.
When quantum hacking occurs, light signals subvert the photon detectors, causing them to only see the photons that Liza wants Bob or Jim to see. Research results derived at the Norwegian University of Science and Technology have shown how a clever quantum hacker can hack commercial QKD systems.
Researchers have now come up with a simple solution to the untrusted device problem. Their method is called “Measurement Device Independent QKD.”
A Newer Approach to Defeating Online Hacking
While Liza may operate the photon detectors and broadcast measurement results, Bob and Jim no longer have to trust those measurement results. Instead, Bob and Jim can simply verify Liza’s honesty by measuring and comparing their own data. The aim is to detect subtle changes that occur when quantum data is manipulated by a third party.
Specifically, in Measurement Device Independent QKD, the two users send their signals to an untrusted relay — “Charlie” — who might possibly be controlled by Liza. Charlie performs a joint measurement on the signals, providing another point of comparison.
“An interesting feature is that Charlie’s detectors can be arbitrarily flawed without compromising security,” says Professor Lo. “This is because, provided that Jim and Bob’s signal preparation processes are correct, they can verify whether Charlie or Liza is trustworthy through the correlations in their own data following any interaction with Charlie/Liza.”
As a result of implementing this new method, quantum cryptography’s Achilles’ heel in the fight against online hacking has been resolved. Perhaps, a quantum jump in internet security has now been achieved.
The online hacking group LulzSec’s demise is all but complete, what with it being made public, as reported by this online hacking weblog, that their leader “Sabu” had been working with the FBI over a better part of the past year. Anonymous may still be alive and kicking, but the loss of LulzSec—plus the looming danger of betrayal by anyone who gets compromised turning government informant—can’t be shrugged off easily.
The Motivation Behind Online Hacking Collectives
What we often find ourselves asking is how these movements figure in the larger scheme of things. Are Anonymous, LulzSec, and similar organizations simply aberrations, the product of some wannabe anarchists with grandiose ideas, bound to blow over and die out sooner rather than later? Or are they greater movements signaling a shift in power with the changing times? It may be too soon to judge, but it is never too early to analyze.
How is it different this time?
Online hacking has been a threat for as long as we can remember. High-profile crimes by hackers, ranging from data theft to credit card fraud, have captured the imagination of the masses and inspired many a Hollywood flick. It is a relatively recent development, however, that we have seen online hacking experts come together as collectives such as Anonymous.
It’s still cyber-crime and it still does not pay
“Online hacking does not pay” should be the mantra for the new age, as a rather tiresome extension of the similar age-old adage about crime. For all that one may argue about online hacking—proponents of which now seem to have deluded themselves into notions of vigilantism—and crime (in the conventional sense that crime is perceived) are not always mutually inclusive, few can disagree that when you take on the government machinery in the name of fighting ‘corruption’ with anarchy, it doesn’t ‘pay’ in any sense of the word.
Now look at what happened to Hector Monsegur, whom we all know by now as the man behind the nom de guerre ‘Sabu’, the aforementioned leader of the hacker collective LulzSec. Over the better part of a year, the hacker, who had been tracked down by the investigative agencies in 2011, had been aiding the FBI in gathering evidence against his fellow online hacking perpetrators, all the while tweeting out a barrage of vitriolic statements against the US Government, the ‘corrupt system’ and just about everybody not a part of their system. On reflection, it was a vital part of his cover, as regular statements such as these amount to politically correct cyber-speech in the online hacking community.
Too early to celebrate
While we may exult over momentary victories such as these, a fact we need to worry about is that there’s little we understand about the men behind these movements. Law enforcement agencies may go on dismantling these organizations by taking out key players every now and then through what is a veritable cat-and-mouse game, but the truth is that unless we understand their motivations, there’s little we can do to stop the few elusive individuals from getting together and surfacing as another group some time down the line.
Do we understand ‘hacktivist’ groups?
Our understanding of black-hat hackers is limited to criminally motivated individuals who do not look beyond the immediate ramifications of their actions, whether it be the ones who steal credit card numbers to shop with or those who steal commercial data of one corporation to sell it to another or those who simply break into government department servers just for the fun of it. In all fairness, we’re probably dealing with a new, evolved class of criminal here; in fact it’s not even clear yet whether we are to call them criminals unless we know what drives them. By their own view, they are vigilantes standing up to injustices nobody else is addressing. Some of their statements make it plain enough, their message as blunt and unapologetic as it comes:
“We are a force to be reckoned with. Anonymous has a goal that needs to achieved and nothing will stop us from achieving that goal. We’ll go after anyone that we feel needs to be taught a lesson….. We’re just as sick and tired of the corrupt malicious system as the next person. The current democratic institutions are not only failing us, they’re making our lives miserable.”
Using online hacking as a weapon of protest
They call themselves hacktivists, while their actions range from baffling to infuriating to even heroic. Over the short period that they have been in existence, hackers affiliated to Anonymous have targeted Wall Street, ‘corrupt’ governments and organizations, and even threatened to shut down the internet itself! At the same time, they have worked to expose those who distribute and avail of child porn over the internet, among other appreciable efforts. Their larger-than-life antics, coupled with a span of activities that is difficult to define, force us to think of them in light of that rather dicey terrorist-revolutionary duality. It is not even as simple as having to pick sides in this fight between Anonymous and everybody they think is wrong. Normal folks, while intrigued by the notion of vigilantism, would hate for their investments, no matter how meager, to suffer, nor would they like to lose the use of the internet; they would, however, definitely like to see anti-social elements online ambushed and brought to book.
Only time will tell what direction all this would take, and whether more such hacker collectives would crop up. Online hacking as a weapon for the alleviation of the dissatisfaction of the masses may turn out to be a recipe for disaster, or it may be the beginning of a revolution.
Self-styled activists and notorious online hacking group Anonymous has once again targeted Greek government websites. It is the third time since February this year that websites of the Greek government have been hacked. As per the reports given by the police to Reuters, Anonymous is the prime suspect behind the attack on the government websites of Greece. The message left by the hackers on the hacked Finance Ministry website was as follows: “To them, you are just economic indicators, deficits and balance sheets – but there are no indicators for misery.”
Damage Control After Online Hacking Attack
The General Accounting Office has been assessing and gauging the extent to which the security of the site was breached. The reports confirm that the damage caused to the site is minor. In addition to the hacking of government sites, the hacking of websites of three universities was also reported. This incident is, however, an indicator of growing unrest amongst the people of Greece with respect to the nation’s economic policies.
Online Hacking Déjà vu
Earlier this year, i.e. at the end of February, a website that belonged to the Justice Ministry of Greece was hacked. In that particular event of hacking, the hackers had threatened to erase from the website, the debts faced by the people of Greece. These recent incidents of hacking have a backdrop of tax evasion, a commonly observed practice in Greece. The government had taken strict measures for fighting the menace of tax evasion. Obtaining information about the spending patterns of people by tapping into their credit card and bank transactions was one of the measures taken by the government. Steps like these could possibly have triggered a series of acts of hacking. Recently the government also announced spending cuts that are in line with the EU/IMF bailout program. These spending cuts have drawn the ire of the public.
There are few who believe that tax evasion is observed mainly due to the flawed system of tax collection. Drawing attention to the woes of the Greek people is speculated to be the motive behind the hacking of government sites. The above-mentioned incidents indicate that the Anonymous group has once again become active in the online hacking world.
Online hacking collective Lulzsec may have been taken down, but Hector Monsegur aka Sabu, the group’s hacker leader turned traitor to the cause, is an uneasy man. At least that is the official reason given for his no-show at his arraignment on a misdemeanor charge on Thursday.
A Federal Spy Among Online Hacking Anarchists
As widely reported in the news media as well as on this online hacking weblog, Monsegur had been working with the FBI, gathering evidence against his Lulzsec comrades-in-arms, for the better part of the previous year. While this was going on, he also did his best to keep the invective machine rolling, spitting venom against the ‘enemy’, i.e. the US Government, as evidenced by his near-incessant chirping on Twitter. Can’t really blame him; it wouldn’t have done to arouse any suspicion now, would it?
Sabu’s Betrayal: An Idol for Hackers Turns Traitor
His involvement with federal agencies was finally revealed on March 6, 2012 in what was a major egg-on-the-face moment for Lulzsec and the closely associated online hacking collective Anonymous. The full extent of his cooperation would become evident over the next few days, as it slowly dawned on his former associates that Monsegur had worked almost full time over this period on gathering incriminating evidence, all the while steering (easier when you happen to be the leader) the group’s activities towards attacks on high-profile targets that got them maximum media attention.
Among the online hacking exponents ‘Sabu’ helped stitch up is Chicago-based anarchist-hacker Jeremy Hammond, the alleged mastermind of the Stratfor leak. To his colleagues, as well as the many aspirants to the online hacking life who literally saw ‘Sabu’ as an online hacking demigod, it was a rude awakening.
Case Adjourned with View to Dismiss; Federal Online Hacking Case Still Looming
Monsegur now claims that he is afraid for his life in the light of recent death threats; this is the cited reason for his not showing up at his arraignment in Manhattan criminal court on Thursday. The arraignment was in connection with impersonation charges resulting from a confrontation with NYPD officers earlier this year in February, when he was already working for the FBI. While in reality he was simply an informant cooperating in the hope of a lighter sentence for his own offences, he allegedly told the officers that he was a federal agent. His failure to produce any identity documents to back up the claim is what landed him in this soup. However, even without considering the host of other charges Sabu may face on account of his electronic crimes, the impersonation charges may be the least of his worries. As reported by his legal counsel Peggy Cross-Goldenberg, Monsegur fears for his personal safety now that his informing has been made public, making vague references to physical threats. The Manhattan criminal court judge waived Monsegur’s appearance and agreed to dismiss the misdemeanor charges in six months’ time, subject to good behavior from the defendant.
The four-minute hearing resulted in Monsegur’s New York criminal case being adjourned in contemplation of dismissal.
As mentioned before, the case concerning his much more serious offenses relating to criminal online hacking activity continues, and he shall be tried in a federal court.
Websites of Indian government and Tibetan activists in the country are facing an online hacking attack campaign engineered by a Chinese hacker, working with one of the world’s largest e-tailers Tencent.
The Online Hacking Perpetrator
Online Hacking Vigilante or State Sponsored Spy?
It is currently a matter of speculation whether the Luckycat online hacking attack was actually the work of an overzealous nationalist or was funded by the government. At any rate, it seems more than merely coincidental that the hacker would randomly carry out an online hacking attack against a movement (Tibetan Freedom) that is a regular eyesore for the Chinese government. The significance of the fact that the Indian government has provided asylum to several Tibetan spiritual leaders has also not been lost on this online hacking weblog, given that websites belonging to the Indian government have also been targeted.
The Luckycat cyber campaign has been linked to 90 attacks in the recent past against targets in India and Japan, as well as against Tibetan activists. ‘Luckycat’ has been able to compromise about 233 computers, many of which are in India. A report on the campaign released by an Indian internet security organization shows that the Luckycat perpetrators began around June 2011.
The report mentions a set of campaign codes used to track compromised systems; the codes detail dates corresponding to the launch of each online hacking attack, providing an indicative measure of the frequency of the attacks.
The report did not directly implicate the Chinese government, but security researchers believed that the style of the attacks and the types of targets indicated state-sponsored spying.
For more news on cybercrime and internet security, keep watching this online hacking weblog.
In a coordinated move to crack down on online hacking and related computer crime, especially by cartel-like anarchic groups, police forces on two continents swooped down on the top leadership of the online hacking group that calls itself LulzSec. With arrests being made across the UK and Ireland, and with the FBI carrying out raids and arrests in the USA, the final tally has come to three arrested and two charged with conspiracy. This could effectively spell doom for LulzSec, as the people in question are part of the top leadership.
Online Hacking News: The Enemy Within LulzSec
The irony of the situation was not lost on this online hacking weblog when reports surfaced that the forces were able to act so decisively only as a result of the cooperation extended by one Hector Xavier Monsegur aka ‘Sabu’. Yes, that’s the same ‘Sabu’ who is familiar to many as the leader of LulzSec.
Targeting the Online Hacking Leadership
It is being widely reported that Monsegur has been working with the FBI over the past several months, gathering and furnishing incriminating evidence on his accomplices to the federal law enforcement agency.
The FBI made one arrest on US soil, with four more coming in the UK and Ireland. The FBI, apparently leading decision making on this one, is hoping to kill the monster by cutting off the head(s). LulzSec had been in the news quite frequently since the last summer, in connection to their joining the hacker collective Anonymous and launching a series of high profile online hacking attacks.
The last strong tweet by Sabu was “The federal government is run by a bunch of fucking cowards. Don’t give in to these people. Fight back. Stay strong.”
Sabu began working for the FBI in June last year after the FBI busted him. In a classic case of the good guys having the last laugh, Monsegur not only pleaded guilty to 12 hacking-related charges on August 15, he also agreed to be a mole in his own organization. Information pertaining to the full extent of his admissions is to be unsealed at the court hearing on March 6.
The Rogues Gallery
The five charged in the LulzSec conspiracy indictment were identified by sources as: Ryan Ackroyd, aka “Kayla” and Jake Davis, aka “Topiary,” both of London; Darren Martyn, aka “pwnsauce” and Donncha O’Cearrbhail, aka “palladium,” both of Ireland; and Jeremy Hammond aka “Anarchaos,” of Chicago.
For more news on this and other topics related to online hacking, keep watching this space.
As many an online hacking weblog has reported, this past year provided many important lessons in online security and malware protection. Based on these lessons and because of the numerous online hacking attacks and threats in 2011, online security guidelines and systems all over the world are being beefed up in an effort to improve authentication compliance and abide by authentication best practices.
FFIEC Introduces Strong Authentication Compliance Guidelines for Financial Institutions
In January, the Federal Financial Institutions Examination Council’s (FFIEC) recent updates to its Authentication Guidelines went into effect, requiring up-to-date and strong authentication compliance for financial institutions. The purpose of the guidelines is to “provide a risk management framework for financial institutions offering Internet-based products and services to their customers. Institutions should use effective methods to authenticate the identity of customers and that the techniques employed should be commensurate with the risks associated with the products and services offered and the protection of sensitive customer information” (see BankInfoSecurity for more information).
DoD Beefs Up Security against Online Hacking with new Updates
The Department of Defense (DoD) has also made updates to its authentication program, the Joint Personnel Adjudication System (JPAS). JPAS is a centralized security program that helps protect against unauthorized access to its networks and applications, comply with data protection regulations and enforce security best practices. As of January 21, 2012, non-DoD individuals in the JPAS program must use a digital certificate stored on a USB token or smartcard that has been issued by a DoD-approved External Certificate Authority (ECA).
Both the FFIEC and the DoD took note of the cyberthreat and attack lessons learned in 2011. In order for corporations to follow suit, they must implement authentication best practices that will more effectively keep their data and customer data secure. One of the most important solutions of identity authentication available to corporations today is two-factor authentication or risk-based authentication. Two-factor authentication helps corporations better protect themselves against hackers by requiring two methods of identity verification: a password (something the user knows) and an authentication token (something the user has). Risk-based authentication profiles a user’s device and their behavior to assess the risk associated with their activity and invoke secondary authentication when that activity appears to be unusual.
The popularity of smartphones and tablet devices represents a security opportunity for organizations – more users already have a device that could function as an authentication token to provide a stronger assertion of their identity to a wide variety of parties. Unlike traditional two-factor authentication token solutions, approaches that enable re-use of existing mobile devices are faster and easier to deploy, and more cost-effective to maintain. And, unlike traditional hardware tokens, users are far less likely to forget their mobile device at home. And using risk-based authentication mechanisms that profile a user’s device and behavior can provide similar protection, without any impact to a legitimate user’s experience.
Like last year, 2012 will be full of cyberthreats and attacks. We can expect that hackers will only increase the number and intensity of their attacks. Among the current threats to users of financial institutions is the Zeus Trojan, which the FBI is calling “Gameover” because once the hackers get a user’s financial information, it’s game over. In fact, so far in 2012 Symantec has seen over 200,000 attacks each day from criminals using the Zeus tool kit. The Zeus Trojan, as well as the recent DreamHost attack, prove the urgency corporations should feel about stronger authentication.
As corporations and organizations implement these and other authentication best practices, they will not only be keeping their own and their users’ data more secure, but will also be better equipped to avoid finding themselves the subject of the latest online hacking incident.
Online hacking, cybercrime, cyber terrorism… these words evoke images of credit card numbers and personal identity details being stolen from massive electronic databases. At most, the imagination stretches to massive DDoS attacks by online hacking organizations such as Lulzsec and Anonymous.
Online Hacking DoS: Threat to our Basic Needs
Scary as those scenarios may be, they pale next to the actual possibilities. Picture how dependent your life is on electric power; from illumination to food storage, every basic amenity of modern life runs on power. The lay person has no idea just how vulnerable our daily water supply, power stations, and gas supply lines are to an online hacking attack. And these attacks are very much a real possibility.
Ill-prepared and Under-informed for an Online Hacking Armageddon
In 2010 the Homeland Security Department responded to only 116 requests for assistance from its Control System Security Program cyber experts. By September of 2011 there were 342. Not all of these attacks originated domestically, either. On Nov. 8 an attack from an IP address in Russia hit an Illinois-based water utility company, gaining control of a Supervisory Control And Data Acquisition (SCADA) system and burning out the associated pump. Real-world consequences of online hacking attacks like these are not unknown: in 2007 an online hacking attack on a diesel generator caused it to self-destruct.
At this time, companies in the sights of these types of online hacking attacks can only prevent between 67% and 76% of these types of attacks. They could prevent more but there’s one thing holding them back: money. Right now these companies spend $5.3 billion on protection against online hacking and other cyber attacks. To reach a 95% prevention rate they would have to increase that amount to more than $46 billion, an increase they say their customers won’t approve.
With the very real and national threat posed by online hacking, some would like the government to step in and foot the bill for these improvements. Others may think that this is a private sector issue and the government need not intervene. However, the decisive battles of the next major war may very well be fought by cyber-warriors on computer screens rather than surgical commando strikes deep within enemy territory. The question is, are we up to countering the threat of online hacking that goes beyond mere pranks?
You must be familiar with the term phishing, or phishing scam. It is an online hacking attack where an individual involved in online hacking tricks a victim into giving away secret information such as log-in details, financial data and so on, without the latter realizing the true nature of the scam.
So you can understand the potential use of phishing to online hacking criminals who wish to perpetrate identity theft. The term itself originates from phone phreaking, a word that traces its way to early hacking incidents reported in the media and identity theft cases. Though based on a simple underlying concept, perpetrators can weave an elaborate con aimed at ‘phishing’ the identity details of a target. These may then be used to mail bomb another target, other online hacking activity or even to access the target’s financial data.
Online Hacking: How Phishing Scammers Operate
Phishers try to con you into providing them with sensitive information such as email or login data, to which they can then apply their nefarious online hacking skills and use it to make money out of the system.
One very vulnerable target for phishers is your PayPal account. PayPal is a web-based payment processing system that lets you transfer money to and from your PayPal account with your credit or debit card, thus avoiding the risk of revealing your credit card details to every e-commerce website you shop at.
This does make PayPal a particularly meaty target for online hacking. If you wanted to take money out of other people’s PayPal accounts, all you would really need is their email address and password. Then you sign in to their account, and send the money to an account you have set up.
What phishers will do is email PayPal customers with an email that looks like an official email from PayPal. It will have the PayPal logo and format and will look exactly like official PayPal emails to customers. It may even come from an address that looks like PayPal’s official website. It will go on to say it is a random security check or some other technical procedure and that you are required to type in your user name and password. It will then thank you and say the check or whatever other scheme it claims to be is complete. In the meantime, the phisher will have your password and can clear out your account.
While this is a basic example, there are countless variations of increasing complexity that will be used to try and entice customers to give out bank account details, credit card details or other sensitive information. It can often be next to impossible for the average customer to detect that the email or website is not the official one of the company it is supposed to be from and they are therefore very dangerous.
Any suspect email that has even a remote possibility of being a phishing attempt must be reported immediately to the party being mimicked; often your bank, credit card company or PayPal. You need not be a Sherlock Holmes to spot such a scam: no bank or payment processor would ask for your password in an email, so if a purported bank or bank employee requests such information then it’s time to hit the panic button.
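A simple automated form of the checks described above, added here as an example that is not part of the original post and not PayPal’s own tooling: it parses the HTML body of a message, flags links whose host lies outside the legitimate domain, links whose visible text names a different host from the one they actually point to (the “looks exactly like the official site” trick), and any request for a password or PIN. The two sample messages, the `LEGIT_DOMAINS` set and the `.example` hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumption: the domains a genuine PayPal message may come from or link to.
LEGIT_DOMAINS = {"paypal.com"}

CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def under_domain(host, domain):
    """True if host is the domain itself or a real subdomain of it, not a look-alike prefix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor, plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def analyse(from_addr, html_body, legit_domains=LEGIT_DOMAINS):
    """Return a list of human-readable phishing indicators found in the message."""
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if not any(under_domain(sender_domain, d) for d in legit_domains):
        findings.append(f"sender domain {sender_domain!r} is not a legitimate domain")

    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(under_domain(host, d) for d in legit_domains):
            findings.append(f"link points to {host!r}, outside the legitimate domains")
        # Visible text that looks like a URL must name the same host the link really goes to.
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown.lower() != host:
                findings.append(f"link text shows {shown!r} but goes to {host!r}")

    if CREDENTIAL_WORDS.search("".join(parser.text)):
        findings.append("message asks for a password or PIN, which a genuine provider never does by e-mail")
    return findings


# Constructed sample messages (not real e-mails).
PHISH_FROM = "service@paypa1-security.example"
PHISH_BODY = """<p>Dear customer,</p>
<p>As part of a random security check, please confirm your password at
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>.</p>"""

GENUINE_FROM = "service@paypal.com"
GENUINE_BODY = ('<p>Your receipt is available in your account: '
                '<a href="https://www.paypal.com/activity">View activity</a></p>')

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_FROM, PHISH_BODY),
                                ("genuine", GENUINE_FROM, GENUINE_BODY)):
        print(label, analyse(sender, body))
```

The subdomain test is deliberately suffix-based: `paypal.com.account-verify.example` begins with the real name but is not under it, which is exactly the pattern the text warns looks official at a glance. A From header can be forged, so the sender check is only one indicator among the four, never a pass on its own.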
Keep watching this online hacking weblog for the latest online hacking news.