 


  1. Site Has Been Hacked By "ATtaCk3r Gr0up Cyber Army"

  2. PayPal Partner Website | XSS By John Smith #ICA

    Tags: Cyber News, hacking
    By Cyber-italian on 23 Mar. 2014
  3. Microsoft enables China to spy on Skype users via keyword triggers

    Tags: Cyber News
    By Cyber-italian on 4 Mar. 2014

    University of New Mexico student Jeffrey Knockel claims
    to have revealed an encrypted list of 1,100+ keywords
    within China's Skype client, TOM-Skype. This list, containing
    words like "BBC" and phrases like "Democratic Unionist Party",
    is suspected to be used for monitoring TOM-Skype users.
    When a TOM-Skype user sends chat messages containing
    "suspicious" language found within the program's periodically
    updated keyword list, Knockel's research indicates an alert is
    sent to TOM-Skype's servers containing the sender's account
    name, message timestamp and detected word(s).
    The list was uncovered after Knockel had been monitoring
    suspicious communications between TOM-Skype and its Chinese
    servers. The collection of words was encrypted, but Knockel was
    able to employ some clever analytical techniques and
    reverse-engineering, which eventually led to its uncovering.
    The two-year long research project found only evidence of
    text-based chat monitoring. A similar mechanism used for voice
    communications was not found, although that doesn't preclude
    other vectors of surveillance.
    According to Reporters Without Borders, numerous journalists
    and activists have had their Skype communications intercepted.
    As a result, privacy and anti-censorship advocates have chided
    Microsoft for not being more transparent about TOM-Skype and
    its dealings with China.
    If you're going to do business in China, you have to play by their
    rules. In this case, Microsoft has ostensibly made concessions to
    appease Chinese authorities, granting the company access to the
    most populous market on Earth.
    "As a Chinese company, we adhere to rules and regulations in
    China where we operate our businesses." TOM-Skype said in 2008.
    The practice though, although possibly a demand of Chinese policy,
    is likely to make Western idealists cringe. However, it should be
    noted that Western democracies aren't necessarily above these
    kinds of techniques themselves.
    Knockel has published the growing list of questionable keywords
    online. The words are in Chinese, but running them through a
    translator reveals a plethora of seemingly politically-focused
    language.

  4. Hacktivists dish out DNS hijack to PayPal, eBay

    Tags: Cyber News
    By Cyber-italian on 2 Mar. 2014

    Syrian Electronic Army take on tat biz overlords...

    Surfers visiting the eBay and PayPal UK websites were redirected to defacement pages instead following a DNS hack for which the Syrian Electronic Army has claimed responsibility.

    The hijacking of surfers instigated by the pro-Assad hacktivists only persisted for a short period over the weekend before normality was restored.

    The potty-mouthed defacement message that greeted surfers during the brief period of the hijacking can be found in a blog post by veteran security researcher Graham Cluley.

    The hacktivists said that the hijack was motivated by eBay's stance on doing business through PayPal with users in Syria – currently in the midst of a civil war. "For denying Syrian citizens the ability to purchase online products, PayPal was hacked by SEA," the hacktivists complained through their Official_SEA16 Twitter account.

    The hijacking involved changing entries in the online lookup table that translates PayPal.co.uk to an IP address computers use to route surfing requests. Servers belonging to PayPal, or its owners eBay, were unaffected. There's no suggestion customer information was exposed.

    The effects of the hack from eBay's perspective would have amounted to email delivery problems.

    The websites of PayPal France and India were also briefly hijacked.

    In a statement sent to El Reg, PayPal’s PR director downplayed the significance of the incident:

    We were not hacked. For a brief period on Saturday 1 February, a very limited number of people visiting certain PayPal and eBay marketing pages in the UK, France and India were redirected.

    There was no access to any consumer data whatsoever and no accounts were ever in any danger of being compromised. The situation was swiftly resolved and PayPal’s service was not affected. We take the security and privacy of our customers very seriously and are conducting a forensic investigation into this situation.

    The SEA boasted about the defacement on Twitter through their official account before the micro-blogging service banned the profile. The Syrian Electronic Army’s Official_SEA16 Twitter account was suspended after the hack. But an apparent (though unconfirmed) replacement @official_sea18 has already appeared.

    The Syrian Electronic Army is best known for hacking into the social media profiles of media outlets before posting pro-Assad propaganda. The latest victim of this type of attack was CNN, around two weeks ago. Microsoft was hit repeatedly by similar hijinks that affected control of blogs and Twitter profiles associated with properties such as Skype throughout January.

    These hacks typically involve multi-part phishing attacks. It's unclear if the same methodology was used to trick PayPal's DNS provider into changing records but it has to be at minimum a strong possibility.

  5. Snowden leak: GCHQ DDoSed Anonymous & LulzSec's chatrooms

    Tags: Cyber News
    By Cyber-italian on 2 Mar. 2014

    "I plead guilty to 2 counts of conspiracy and these b*st*rds were doing the ... same thing?"

    British intelligence ran denial-of-service attacks against chatrooms used by Anonymous and LulzSec, according to an investigation by NBC News involving Snowden confidante Glenn Greenwald.

    Documents leaked by the NSA whistleblower record how a GCHQ unit known as the Joint Threat Research Intelligence Group, or JTRIG, used a packet flood operation dubbed Rolling Thunder to "scare away 80 per cent of the users of Anonymous internet chat rooms," NBC reports.

    Intelligence agents also infiltrated chatrooms in an operation that successfully identified a hacktivist who siphoned off confidential data from PayPal and also picked up another who had participated in attacks on government websites.

    The leaked slides from GCHQ boast that the operation allowed the authorities to identify Edward Pearson (aka GZero), 25, from York, who was convicted and sentenced to 26 months in prison for stealing information from 200,000 PayPal accounts. Pearson and his then girlfriend were both convicted of using stolen credit card details to pay for a hotel stay.

    Details of how the g-men's evidence against Pearson was put together were among two case studies included in the leaked GCHQ presentation. The other case cited is partially redacted.

    The whole GCHQ counter-offensive operation took place in September 2011, around two or three months after malicious activities spearheaded by LulzSec and other hacktivists reached their zenith.

    Hacktivists from LulzSec launched DDoS – as distinct from your common or garden denial-of-service attacks – on the website of the Serious and Organised Crime Agency in June 2011. They also ran a DDoS attack against the US Central Intelligence Agency at around the same time. It's hard to believe either of these actions had much of an effect on the agencies concerned beyond possibly slowing the delivery of emails, and even that's a bit improbable.

    A greater concern ought to have been boasts by LulzSec that it had hacked into InfraGard chapters' websites, a non-profit organisation affiliated with the FBI. These claims were supported by the leak of InfraGard member emails and a database of local users.

    An attack on Senate.gov that reportedly led to the leaks of internal data ought also to have set off warnings.

    Members of the wider Anonymous movement ran DDoS attacks as part of online protests against the WikiLeaks banking blockade against PayPal and Mastercard as part of OpPayback in late 2010.

    Responses to DDoS attacks normally involve setting up mitigation technologies on a technical level while using law enforcement to identify and arrest the perpetrators. The GCHQ division seemingly decided to fight fire with fire by launching a packet flood at IRC servers used by Anonymous.

    Security experts, such as Robert ...

  6. Snowden: Canadian spooks used free airport WiFi to track travellers

    Tags: Cyber News
    By Cyber-italian on 2 Mar. 2014

    Another day, another item of news about unwarranted state surveillance from the desk of one E. Snowden, late of Moscow.

    This time the allegation is that Communications Security Establishment Canada (CSEC) slurped information about the owners of wireless devices from the free WiFi service in one of the nation's airports. With that data in hand, the agency is said to have then tracked travellers for “days” after they left the airport.

    The Canadian Broadcasting Corporation (CBC) has the story and says it comes from “A top secret document retrieved by U.S. whistleblower Edward Snowden and obtained by CBC News”.

    Snowden's documents apparently say anyone that passed through an airport could be tracked, although it is not clear if login to the free WiFi service was required. Logging in wouldn't necessarily be required to track someone: a device set to detect the presence of WiFi networks is likely to reveal its MAC address. If spooks sniffed WiFi routers for MAC addresses of connecting devices, then looked for that MAC address popping up elsewhere, they could easily plot a device's movement.

    (Yes, we know that MAC addresses are an oddity because they are supposed to be unique but can also be changed to a value used in another device. Changing MAC address is therefore a fine way to make it harder to identify a device, but is not the kind of thing most people who pass through airports would know about.)

    The usual oohing and aahing that follows a Snowden release is now rippling across the Web. CSEC is pointing out that it is allowed to collect communications metadata (which explains how sniffing a MAC address in an airport could translate into wider tracking). Canadians are expressing shock that their own government spied on them.

    Making things more interesting is that the head of CSEC recently said the agency does not surveil Canadians. If CSEC was able to sort citizens from visitors at an airport just by sniffing WiFi-enabled devices, that could be the most damaging revelation of all!

  7. 10 indian big website Hacked By Hunter Gujjar Pak-Cyber-Attackers PcA

  8. Pony up: Botnet successfully targets Bitcoin

    Tags: Cyber News
    By Cyber-italian on 28 Feb. 2014

    Another $US200,000-plus worth of Bitcoins has been lifted, according to Trustwave, which has identified a new Pony botnet targeting crypto-currencies.

    News of the heist comes hard on the heels of Mt Gox withdrawing from the Bitcoin foundation and killing off its social media accounts.

    Pony isn't a horse of a completely different colour: it first emerged during 2013, and was fingered for lifting a couple of million passwords in December, as explained in this McAfee blog post.

    The same botnet has now been successfully deployed as a crypto-currency stealer, according to a Trustwave Spiderlabs post.

    “Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it’s also more advanced and collected approximately $220,000 (all values in this post will be in U.S. dollars) worth, at time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others,” write the company's Daniel Chechik and Anat Davidi.

    They continue: “This instance of Pony compromised 85 wallets, a fairly low number compared to the number of compromised credentials. Despite the small number of wallets compromised, this is one of the larger caches of BitCoin wallets stolen from end-users.”

    This Pony, Trustwave says, went after not only Bitcoin, but a bunch of other crypto-currencies. They list Anoncoin, BBQcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Franko, Freicoin, GoldCoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Mincoin, Namecoin, NovaCoin, Phoenixcoin, PPCoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin and Zetacoin.

    The attack ended not by being shut down by security companies, but because the attackers “closed shop” during January.

    Trustwave notes that most users, it seems, don't encrypt their wallets, which seems somewhat rash.

 

COPYRIGHT © 2014