Ikiwa unataka tengenezewa Blog, Tukiko lolote la Harusi,Msiba, Mahafali, Tamasha, Matangazo auHabari yoyote usisite kututumia kupitia whatsapp 0765056399 au Barua Pepe fredynjeje@live.com. Follow me instagram @fredynjejeblog Twitter @Fredynjeje
It was the decade of the
mega-heist, when stolen credit card magstripe tracks became the pork
bellies of a new underground marketplace, Eastern European hackers
turned malware writing into an art, and a nasty new crop of
purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the
most ingenious, destructive or groundbreaking cybercrimes of the first
10 years of the new millennium.
2000
MafiaBoy
Once upon a time, “distributed denial of service attacks” were just a
way for quarreling hackers to knock each other out of IRC. Then one day
in February 2000, a 15-year-old Canadian named Michael “MafiaBoy” Calce
experimentally programmed his botnet to hose down the highest traffic
websites he could find. CNN, Yahoo, Amazon, eBay, Dell and eTrade all
buckled under the deluge, leading to national headlines and an emergency
meeting of security experts at the White House.
Compared to modern DDoS attacks, MafiaBoy’s was trivial. But his was
the cyberstrike that put the internet’s security issues on a national
stage, and inaugurated an era where any pissed off script kiddy could
take down part of the web at will.
2002
California Payroll Database Breach
On April 5, 2002, an unidentified hacker penetrated a California
server housing the state government’s payroll database, gaining access
to names, Social Security numbers and salary information for 265,000
state workers from the governor on down. The breach itself was small
potatoes, but when it emerged that the California Controller’s Office
had waited two weeks to warn the victims, angry lawmakers reacted by
passing the nation’s first breach disclosure law, SB1386.
The law requires hacked organizations to promptly warn potential
identity theft victims. Its passage pulled the rock off the string of
major corporate breaches that companies would have preferred to hush up.
Today, 45 states have enacted similar laws.
2003
Slammer
In 2003, fear came in 376 bytes. The lightning-fast Slammer worm
targeted a hole in Microsoft’s SQL server, and despite striking six
months after a fix was released, the malware cracked an estimated 75,000
unpatched servers in the space of hours. Bank of America and Washington
Mutual ATM networks ground to a halt. Continental Airlines delayed and
canceled flights when its ticketing system got gummed up. Seattle lost
its emergency 911 network, and a nuclear power plant in Ohio lost a
safety monitoring system.
Slammer wasn’t the biggest worm ever, but in its aggressive,
relentless spread, it exposed the secret interconnections that
corporations were foolishly allowing between important private networks
and the public internet.
2004
Foonet
Years before there was a Russian Business Network, a small ISP hosted
in a suburban basement in Ohio gained the dubious reputation as the
first black-hat hosting company. It was a safe spot for hackers and
packet monkeys to attack an unsuspecting internet. Foonet’s hosted
clients included Carder Planet — the dedicated “carder forum” for credit
card hackers — and its IRC servers were where legendary German hacker
Axel “Ago” Gembe controlled his Agobot network of compromised Windows
boxes.
After two FBI raids, in 2004, Foonet’s founder and some of the staff
were indicted for a DDoS-for-hire scheme that collaterally slammed
Amazon.com and the Department of Homeland Security. Foonet’s owner, Saad
Echouafni, skipped out on $750,000 to flee the country, and remains on
the FBI’s wanted list today.
2006
The Los Angeles Traffic Signal Attack
When Los Angeles traffic engineers went on strike in August 2006, the
city decided not to take any chances: They temporarily blocked most
access to the computer that controls 3,200 traffic signals throughout
the City of Angels. Two of the striking engineers hacked in anyway. From
a laptop, Kartik Patel and Gabriel Murillo picked four key
intersections and changed the timing on the traffic signals so the most
congested approach would hit long red lights.
The timing tweaks wreaked havoc in a city already flirting with gridlock, according to the Los Angeles Times,
snarling traffic at the Los Angeles International Airport, backing up
the Glendale Freeway and paralyzing Little Tokyo and the streets of the
downtown Civic Center. It evidently took several days for managers to
figure out what was going on.
In December 2009, the engineers were sentenced to probation.
2006
Max Vision
In 2006, a former computer security researcher turned professional
black hat weighed and measured the computer underground, and found it
wanting. So in a two-night hackfest from his San Francisco safe house,
Max Vision (aka Iceman) trained his guns on the online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.
When he was done hacking in and wiping out their databases, he
absorbed their content and membership into his own site, CardersMarket,
turning it into the largest English-speaking criminal marketplace on the
web — 6,000 members strong. The hostile takeover got the attention of
the feds who’d thoroughly infiltrated some of the sites he hacked, and a
year later FBI and Secret Service tracked Iceman to his hideout. He’s
now awaiting sentencing for stealing 2 million credit cards that rang up
$86 million in fraudulent charges.
2008
RBS Worldpay Heist
The first time we learned that the payment processor RBS Worldpay had
been hacked, it sounded like no big deal: The company announced in
December 2008 that it had seen fraud on only 100 of the 1.5 million
payroll and gift card accounts compromised in the breach. But it turns
out the hackers were able to raise the withdrawal limits on 44 of those
cards to as high as $500,000. Then they dispatched a global army of
cashers to slam the accounts with repeated rapid-fire withdrawals.
More than 130 ATMs in 49 cities
from Moscow to Atlanta were hit simultaneously just after midnight
Eastern Time on November 8, 2008, resulting in a one-day haul of $9.5
million in cold, hard cash. In November, the United States indicted four of the alleged ringleaders, who are in Estonia, Russia and Moldova. Good luck with that.
2005 – 2008
Albert Gonzalez
He called it “Operation Get Rich or Die Tryin’.” For nearly four years ending in 2008, 28-year-old Albert “Segvec” Gonzalez and his accomplices
in America and Russia staged the biggest data thefts in history,
stealing credit and debit card magstripe data for sale on the black
market. Using Wi-Fi hacking and SQL injection, the gang popped companies
like 7-Eleven, Dave & Buster’s, Office Max, TJX, and the credit
card processor Heartland Payment Systems, which alone gave up 130
million cards.
The intrusions didn’t just make Gonzalez a millionaire — he buried
$1.1 million in his parents’ backyard — they exposed slipshod security
in America’s card-processing infrastructure, and positioned the former
Secret Service informant to break a new record: longest U.S. prison term
for hacking. His plea agreements envision a 17- to 25-year sentence. It
could be worse. One of Gonzalez’s overseas accomplices got 30 years in a Turkish prison.
2009
Conficker
Bots were probably the biggest black-hat innovation of the decade, and the biggest and best was Conficker. From the start, the Conficker botnet had a trouble managing expectations.
But just because the worm didn’t destroy the internet, as predicted by
the mainstream press, doesn’t mean it wasn’t an impressive achievement.
Packing state-of-the-art encryption, and sophisticated peer-to-peer
update mechanism, Conficker tantalized security researchers and resisted
attempts at eradication, inhabiting at its peak as many as 15 million
unpatched Windows boxes, mostly in China and Brazil.
Experts think it’s the work of an organized team of coders, and there
are hints that it originated in Ukraine. And like most of the hacking
out of Eastern Europe, the software has a profit motive: It’s been seen
sending spam, and serving victims a fake anti-virus product that offers
to remove malware for $49.95. Dude. It used to be about the mayhem.
2009
Money Mules
Another innovation from the former Soviet empire were the so-called
“money mule” scams that emerged in 2009. Using specialized Trojan horses
like Zeus and URLZone,
the perps target small businesses that use online banking, stealing the
victim’s credentials and initiating wire transfers from their accounts,
usually totaling tens or hundreds of thousands of dollars.
In some cases, the Trojan horse even covers up the crime by rewriting
the victim’s online bank statement on the fly; other times, the hacker
just wipes the hard drive to keep the target off the internet for a
while. The stolen money goes to mules
who’ve been recruited through bogus work-at-home offers, and whose job
it is to withdraw the cash and send the bulk of it to the scammers via
Moneygram. It’s the perfect crime, one the FBI says has racked up $100
million in thefts, and counting.
(Photos: Michael Calce courtesy Arcade Publishing; Max Vision courtesy Santa Clara County Department of Corrections; Albert Gonzalez courtesy law enforcement;
No comments:
Post a Comment