
Phreaking

Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, like equipment and systems connected to public telephone networks. The term "phreak" is derived from the words "phone" and "freak". It may also refer to the use of various audio frequencies to manipulate a phone system. "Phreak", "phreaker", or "phone phreak" are names used for and by individuals who participate in phreaking. Additionally, it is often associated with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).

Information on this site is for educational purposes only! Wyretap Network ©2007 - 2010

Disclaimer: The information on this site is for educational and entertainment purposes only. It is not intended to encourage or teach you to break the law, that's what TV is for, albeit in a very flawed manner. The owner(s) of this website will not be held liable for anything you choose to do with the information contained on this site. If you want to learn how to rape, murder, loot, and commit acts of terror on a monumental scale, well, you won't find it here. Instead, tune-in to your nightly news and take a lesson from your 'elected' 'leaders'.

Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[1] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target. [2]
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc).
As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many situations and will likely continue to be a security problem in the future.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.

IVR or phone phishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
The technical name for phone phishing is vishing.

Baiting

Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.[3]
In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available off the target's web site, and write "Executive Salary Summary Q2 2009" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
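
For triage of found media, the auto-run behaviour described above can be inspected without executing anything on the disk. The following is an added example, not part of the original page; it assumes the volume is mounted read-only on an analysis machine, and the sample file contents are constructed.

```python
import os

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_entries(entries):
    """Keep entries that start a program: open=, shellexecute=, shell\\<verb>\\command=."""
    return [
        (k, v) for k, v in entries
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


def triage_volume(root):
    """Read-only look at a mounted volume's root directory; nothing is executed."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":  # file name is case-insensitive
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                return launch_entries(parse_autorun(fh.read()))
    return []


# Constructed sample, modelled on the labelled disk in the example above.
SAMPLE = """\
[AutoRun]
; constructed example
open=setup.exe /quiet
icon=logo.ico
label=Executive Salary Summary Q2 2009
shell\\open\\command=viewer.exe
"""

if __name__ == "__main__":
    for key, value in launch_entries(parse_autorun(SAMPLE)):
        print(f"would auto-launch via {key}: {value}")
```

An empty result only means the disk does not rely on auto-run; a file the finder opens by hand is outside what this check covers.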

Quid pro quo

Quid pro quo means something for something:
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[4] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[5]

Other types

Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
The latest types of social engineering techniques include spoofing or hacking the IDs of people who have popular e-mail IDs such as Yahoo!, Gmail, Hotmail, etc. Among the many motivations for deception are:

* Phishing credit-card account numbers and their passwords.
* Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and create distrust among individuals.
* Hacking websites of companies or organizations and destroying their reputation.

Thursday, March 25, 2010

TJX Hacker Gets 20 Years in Prison


* By Kim Zetter
* March 25, 2010 | 2:02 pm
* Categories: Breaches, Crime, Hacks and Cracks

BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.

Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.

Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”

“I violated the sanctity of my parents’ home by using it to stash illegal proceeds,” said Gonzalez. He asked for a lower sentence “so I can one day prove to [my family] that I love them as much as they love me.”

The hacker’s voice cracked and his gaze drifted to the floor as he finished his statement. His father, mother and sister sat in the front row of the gallery; Gonzalez’s father’s eyes reddened and he held a tissue to his face.

Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.

The hacker had faced a sentence of between 15 and 25 years for the TJX string of intrusions. The government sought the maximum, while Gonzalez sought the minimum, on grounds that he suffered from Asperger’s disorder and computer addiction, and that he cooperated with the government extensively against his U.S. co-conspirators and two Eastern European hackers (known only as “Grigg” and “Annex”). Gonzalez even provided the government with information about breaches that had not yet been detected.

Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas

A psychiatrist who examined Gonzalez for prosecutors, however, found no evidence of Asperger’s disorder or computer addiction. At Thursday’s hearing, assistant U.S. attorney Stephen Heymann urged the court to hand down a 25-year sentence that would strongly deter future Albert Gonzalezes from a life of cybercrime.

Gonzalez “conned law enforcement once before with the idea that he had seen the error of his ways,” said Heymann. “What matters is that teenagers and young people not look up to him.”

Defense attorney Martin Weinberg argued the minimum 15-year sentence would be sufficient to set an example. “That’s an enormous, devastating sentence … and a compelling and clear message to anyone looking at this case that they would suffer what he has suffered.”

In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, and his bond with his family. But Saris said she was disturbed by the fact that he committed his crimes while working for the government. She explained the low $25,000 fine by predicting her restitution order, to be set at a future hearing, will be sizable.

“You’re never possibly going to be paying back all the restitution that’s going to be ordered,” said Saris.

The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million, and that Gonzalez’s credit and debit card thefts “victimized a group of people whose population exceeded that of many major cities and some states.”

Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.

The sentence is for two criminal cases that were consolidated and that concern hacks into TJX, Office Max, Dave & Busters restaurant chain, Barnes & Noble and a string of other companies.

The drama in the case continued up to the last minute when Gonzalez attempted last week to contest the monetary losses attributed to the TJX intrusion. The defense served the company with a subpoena seeking documentation to back its assessment that it suffered $171.5 million loss, a figure that the judge will take into consideration when she decides what restitution Gonzalez will have to pay.

Gonzalez’s attorney argued in court documents that some of the losses were the result of TJX’s own negligence. Gonzalez should not be responsible, for example, for the cost of security upgrades the company implemented after the breach — upgrades that, had they been in place before, might have prevented the intrusion.

According to documents filed in a class-action lawsuit against the retailer, TJX had failed to notice 80 gigabytes of data being siphoned from its network over seven months beginning in July 2005. A 2004 audit of the company’s network had also found “high-level deficiencies” in its security practices.

On Wednesday, TJX sought to quash the 11th-hour subpoena, calling it a “diversion and a sideshow.” In a motion and memo filed with the court, the company took issue with Gonzalez’s characterization of its security.

“TJX firmly denies that it was negligent, but it is not on trial in this proceeding,” the company wrote. “Defendant’s responsibility for the loss suffered by TJX is not mitigated by accusations against TJX.”

The company pointed out that at least 11.2 million payment cards were stolen from the TJX intrusion alone. If the government calculated the potential loss at $500 per card (per federal guidelines) the impact of the intrusion would exceed $400 million.

The string of hacks began in 2005 when Gonzalez and accomplices conducted war-driving expeditions along a Miami highway and other locations in search of poorly protected wireless networks, and found easy access into several retailer networks.

Once inside a local TJX outlet’s network, the hackers forged their way upstream to its corporate network in Massachusetts. Gonzalez obtained a packet sniffer from best friend Stephen Watt, which he and accomplices installed on the TJX network to siphon transaction data in real time, including the magstripe data on the credit and debit cards.

The stolen magstripe data was routed to servers Gonzalez leased in Latvia and Ukraine, and ultimately passed to master Ukrainian card seller Maksym “Maksik” Yastremskiy, who peddled them to other carders in the underground, accepting payment through web currencies, such as E-Gold and Web Money, or direct bank-account deposits to Eastern Europe. Maksik’s customers programmed the magstripe data onto counterfeit credit cards.
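
The 80 gigabytes over seven months cited earlier works out to a few hundred megabytes a day, a rate that a per-day volume alert does not see. The following added example (not from the article or the court record) shows a cumulative, per-destination check over flow records; the record format, address plan, thresholds and sample data are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Thresholds and the address plan are assumptions for illustration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DAILY_ALERT_BYTES = 1 * 1024**3    # classic per-day volume alert
WINDOW_DAYS = 30                   # look-back for the cumulative view
WINDOW_ALERT_BYTES = 10 * 1024**3  # cumulative bytes to one destination
MIN_ACTIVE_DAYS = 20               # transfer must recur on this many days


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_totals(lines):
    """Sum internal-to-external bytes per (src, dst, day); line: 'YYYY-MM-DD src dst bytes'."""
    totals = defaultdict(int)
    for line in lines:
        day, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst, date.fromisoformat(day))] += int(nbytes)
    return totals


def volume_alerts(totals):
    """Per-day threshold: catches bursts, misses a steady trickle."""
    return sorted(k for k, b in totals.items() if b >= DAILY_ALERT_BYTES)


def slow_exfil_alerts(totals, end_day):
    """Flag src/dst pairs with large, recurring cumulative volume over the window."""
    start = end_day - timedelta(days=WINDOW_DAYS - 1)
    volume = defaultdict(int)
    active = defaultdict(set)
    for (src, dst, day), b in totals.items():
        if start <= day <= end_day:
            volume[(src, dst)] += b
            active[(src, dst)].add(day)
    return sorted(
        (src, dst, total, len(active[(src, dst)]))
        for (src, dst), total in volume.items()
        if total >= WINDOW_ALERT_BYTES and len(active[(src, dst)]) >= MIN_ACTIVE_DAYS
    )


def sample_flows():
    """Constructed records: a 400 MiB/day trickle, normal traffic, one 2 GiB burst."""
    end = date(2024, 1, 30)
    lines = []
    for i in range(WINDOW_DAYS):
        day = (end - timedelta(days=i)).isoformat()
        # Store server sending to a single external host every day.
        lines.append(f"{day} 10.1.20.5 203.0.113.77 {400 * 1024**2}")
        lines.append(f"{day} 10.1.30.9 198.51.100.10 {20 * 1024**2}")
    lines.append(f"{end.isoformat()} 10.1.30.9 198.51.100.200 {2 * 1024**3}")
    return lines, end


if __name__ == "__main__":
    flows, end = sample_flows()
    print(slow_exfil_alerts(daily_totals(flows), end))
```

On the sample data the daily alert fires only for the one-off burst, while the cumulative check flags the server that never crossed the daily threshold.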

Yastremskiy, whom authorities say earned $11 million from card sales, was captured in Turkey in 2007 while on vacation and was sentenced in 2009 to 30 years in prison by a Turkish court. U.S. authorities seized a treasure trove of data from his computer that helped build a case against Gonzalez.

Some of Gonzalez’s breaches were the first known intrusions to involve the decryption of PIN codes, the holy grail of bank card security. According to court documents, Gonzalez sought out accomplices in Eastern Europe to crack the PINs. Gonzalez’s associates programmed blank cards with debit card magstripe data and used them with the stolen PINs to siphon money from ATMs.

Authorities found 16.3 million stolen card numbers on Gonzalez’s leased Latvian server. Another 27.5 million stolen numbers were found on the server in Ukraine.

But this wasn’t the first of Gonzalez’s carding crimes. His initial run-in with law enforcement began in 2003, when he was arrested for making fraudulent ATM withdrawals in New York. Under the nickname “Cumbajohnny,” he was at the time a top administrator on a carding site called Shadowcrew, where crooks trafficked in stolen bank card data and other goods.

When the Secret Service discovered his central role in the carding community, the agency cut him loose and put him to work undercover on the site, where he lured his associates into using a supposedly secure VPN for their internet traffic, which was actually wiretapped by the Secret Service’s New Jersey office.

The undercover sting operation, known as “Operation Firewall,” ended in October 2004 with coordinated raids that resulted in the arrest of 28 members of the site, which agents subsequently closed.

At that point, Gonzalez, still on pre-trial release from his 2003 arrest, moved back to Miami. He continued to help the Secret Service, though he was now on salary with the agency earning $75,000 a year.

Simultaneous to his government crime-fighting work, however, he adopted a new nick, “segvec,” and resumed his criminal activity under the noses of the agents who were paying him, ramping up his activities to a level that far exceeded any crimes he’d committed before his arrest, or any staged by the Operation Firewall defendants.

Authorities, who had no idea the “segvec” they were furiously chasing for more than a year was their salaried informant, finally figured it out and nabbed Gonzalez in May 2008. A few months later, during interrogations, he directed authorities to a stash of $1.1 million in cash that he’d buried in a barrel in the backyard of his parents’ home.

In addition to this cash, the government has seized Gonzalez’s Miami condo, a 2006 BMW, a Glock 27 firearm, a currency counter, a Tiffany diamond ring given to his former fiance and three Rolex watches that Gonzalez gave to his father and others as gifts.

Gonzalez’s sentencing this week follows two others related to the TJX hacks. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million.

Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.

Gonzalez’s sentence is among the stiffest imposed for a financial crime, and the longest U.S. prison term in history for hacking. It beats out a sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes.

On Friday, Gonzalez will be sentenced in another case involving breaches at Heartland Payment Systems — a New Jersey card-processing company — Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents. These hacks involved more than 130 million debit and credit card numbers. He faces a likely sentence of between 17 and 25 years in that case.

Under the plea agreements, the sentences will be served concurrently.

Updated 15:55.

Top photo of Albert Gonzalez courtesy of Stephen Watt

Read More http://www.wired.com/threatlevel/2010/03/tjx-sentencing/#ixzz0jEtVnKW3
