Jul 31 2011

Jake Davis named as suspected hacker Topiary by UK police

British police have tonight named the teenager they arrested on Yell, Shetland last week in connection with the LulzSec and Anonymous hacking groups.

Jake Davis, 18, will appear in court on Monday charged with five offences including unauthorised computer access and conspiracy to carry out a DDoS (distributed denial-of-service) attack against the SOCA website.

(SOCA is the UK’s Serious Organised Crime Agency – the very group that investigates serious cybercrime in Great Britain. You can just imagine how they must have felt when cybercriminals launched an attack against their website which made it inaccessible).

Here is the full list of the charges against Jake Davis:

  • Unauthorised access to a computer system, contrary to Section 3 of the Computer Misuse Act 1990;

  • Encouraging / assisting offences, contrary to S46 of the Serious Crime Act 2007;

  • Conspiracy with others to carry out a Distributed Denial of Service Attack on the website of the Serious and Organised Crime Agency, contrary to S1 Criminal Law Act 1977;

  • Conspiracy to commit offences of section 3 Computer Misuse Act 1990, contrary to S1 Criminal Law Act 1977;

  • Conspiracy between the defendant and others to commit offences of section 3 Computer Misuse Act 1990, contrary to S1 Criminal Law Act 1977.

Davis, reportedly an avid online chess player, was arrested on Yell, one of the northern isles of Shetland. Frankly, it’s hard to imagine a more remote place in the British Isles to be.

Although there have been plenty of internet rumours speculating that the police might have been tricked by the hackers into arresting the wrong person, the authorities have been confident since Davis’s arrest that he was the one they believed to be “Topiary”.

A few days before Davis’s arrest, Topiary’s Twitter account was strangely wiped and replaced with a single message:

"You cannot arrest an idea"


Both Topiary and LulzSec’s Twitter accounts have remained silent since Davis’s arrest.

We will publish more information as it becomes available, or follow me on Twitter for updates.

Further reading: Suspected Anonymous hacker ‘had 750,000 passwords’, court hears.

Jul 31 2011

How a Facebook blind date led to supermarket robbery

Do you take enough care over who you accept as a Facebook friend?

A Belgian supermarket manager learnt a lesson the hard way, after he struck up a friendship with a woman called “Katrien Van Loo” on Facebook.

Little did he know, that when she invited him to a dinner date at her apartment, something else entirely was planned.

As the CCTV footage shows, the unnamed supermarket manager didn’t find a sexy Facebook admirer, but instead two men who overpowered him, and left him gagged and blindfolded.


Before the night was out, a third man had broken into the supermarket and made off with an unspecified amount of money from the store’s safe.

More information about the crime can be found on the Belgian police website. If you recognise the men caught on the CCTV footage, or have any additional information then email the police at opsporingbericht@politie.be.

If you use Facebook and want to get an early warning about the latest threats, I strongly recommend you join the Sophos Facebook page where we have a thriving community of over 100,000 people.

Hat-tip: Trend Micro’s Rik Ferguson via The Register.

Jul 31 2011

Facebook killer video scam spreads between social networkers

A new scam has spread quickly across Facebook this weekend, pretending to be a link to a TV news report about an alleged Facebook killer.

Here’s a typical message that has been seen spreading between social networking users:

(BREAKING NEWS) Facebook-Killer
[LINK]
07-29-2011 - News гepoгts of a maп they are calling the 'Facebook Killer' have ƍone ramрant, he has claimed 9 lives in the United States so far that we ᴋnow

Other variants of the scam read:

(CNN) The Facebook-Killer
[LINK]
‎07-29-2011 - News reporтs of a man tһey are calling tһe 'Facebook Killer' have ɡone rampant, he hаs claimed 9 lives in tһe Uniтed Sтaтes so far thαt we know ..
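Look closely at the two messages above: some letters have been swapped for look-alike characters from other alphabets (a Cyrillic г in “гepoгts”, a Cyrillic п in “maп”, a Greek α in “thαt”), a trick that is likely meant to slip past filters matching on the plain ASCII words. The Python below is an added example, not code from the original post or from Sophos; it flags words that mix scripts or splice non-ASCII look-alikes into otherwise ASCII words. The sample message is constructed to mirror the first variant, with the substituted characters written as escapes so the substitutions are visible.

```python
import re
import unicodedata
from typing import List

# Runs of letters in any script; digits, punctuation and '_' split words.
WORD_RE = re.compile(r"[^\W\d_]+")


def script_of(ch: str) -> str:
    """Script prefix of a letter's Unicode name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def has_ascii_base(ch: str) -> bool:
    """True for ASCII letters and for letters that decompose to an ASCII base
    under NFKD (e.g. 'é' -> 'e' + combining acute), so ordinary accented Latin
    text is not treated as a look-alike substitution."""
    return unicodedata.normalize("NFKD", ch)[0].isascii()


def suspicious_words(text: str) -> List[str]:
    """Return words that either mix scripts (Latin + Cyrillic, Latin + Greek, ...)
    or splice a non-ASCII letter with no ASCII base into an otherwise ASCII word
    (e.g. a small-capital K or a turned delta standing in for 'k' or 'g')."""
    hits = []
    for word in WORD_RE.findall(text):
        scripts = {script_of(c) for c in word}
        has_ascii = any(c.isascii() for c in word)
        has_lookalike = any(not c.isascii() and not has_ascii_base(c) for c in word)
        if len(scripts) > 1 or (has_ascii and has_lookalike):
            hits.append(word)
    return hits


def looks_obfuscated(text: str, min_hits: int = 2) -> bool:
    """Heuristic verdict: two or more tampered words in one message is a strong
    signal; a single hit could be a legitimate foreign word or a typo."""
    return len(suspicious_words(text)) >= min_hits


# Constructed sample modelled on the first scam variant quoted above; the
# substituted characters are written as escapes so the trick is visible.
SAMPLE = (
    "(BREAKING NEWS) Facebook-Killer 07-29-2011 - News \u0433epo\u0433ts of a "
    "ma\u043f they are calling the 'Facebook Killer' have \u018done ram\u0440ant, "
    "he has claimed 9 lives in the United States so far that we \u1d0bnow"
)

if __name__ == "__main__":
    for w in suspicious_words(SAMPLE):
        # Show each flagged word with the code points of its non-ASCII letters.
        odd = ", ".join(
            f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in w if not c.isascii()
        )
        print(f"{w!r}: {odd}")
    print("obfuscated:", looks_obfuscated(SAMPLE))
```

Running the script lists five tampered words in the sample. Two caveats: letters with no NFKD decomposition such as ß will trigger the second rule in words like “straße”, so tune the heuristic for the locales you expect, and a production filter should map characters through the Unicode confusables data (UTS #39) rather than rely on this rule of thumb alone.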

Clicking on one of the links will take you, not to a genuine TV news report from the likes of CNN, but to a fake YouTube webpage instead, where you are tricked into sharing the link further with your online friends.


For those who haven’t learned the scammers’ trick yet, “Jaa” is Finnish for “Share”. If you click the button, you’re sharing the link with your friends *before* you have even seen the supposed video.

What’s particularly interesting to me is that the webpage appears to work out where in the world I am, using a GEO-IP lookup on my address, and tailors the story accordingly: in my case it presents a video claiming the serial killer is in the British city of Salisbury.

Furthermore, if you look down the page you’ll see supposed comments left by other viewers of the video including one which says:

This is UNREAL! I live in Salisbury

Again, however, this is a trick by the scammers. If you look at the webpage’s code you will see that it substitutes the name of the city into the comments as well.


But imagine that you came to this page without your skeptical hat on. What would happen if you did click twice to “prove” that you were over 13 years old, and share the link with your friends?

Well, you would be taken to what is commonly termed a survey scam. These are surveys, or competitions, which trick you into handing over your personal information and either earn the scammers commission or require you to sign up for an expensive premium rate service.


Don’t be tricked into clicking on such links and sharing them with your online friends – you’re only making life more profitable for scammers who earn a crust from creating new spam campaigns on social networks.

If you got hit by this scam, make sure you have removed the entries from your news feed (to stop them being shared amongst your friends), marking them as spam if you like, and check your profile does not have any unwanted “Likes” under your “Likes and interests”.

If you use Facebook and want to get an early warning about the latest attacks, I strongly recommend you join the Sophos Facebook page where we have a thriving community of over 100,000 people.

Jul 31 2011

Facebook to start paying security bug bounties

Just over two years ago, a triumvirate of security researchers – Charlie Miller, Alex Sotirov, and Dino Dai Zovi – announced what they hoped would become an internet meme: “No more free bugs.”

Their argument was that non-aligned security researchers who find security-related bugs ought to be paid for disclosing them to the relevant vendor. No money, no report.

You can also argue that vendors, especially of web-based services, who offer to pay a reasonable fee for bugs – and why limit bug-finding just to security flaws? – are more likely to attract the goodwill and bug-hunting skills of independent researchers and observant home users. By doing so, they will therefore end up with better-quality products and services than those vendors who don’t.

(Computer science luminary, high priest of the analysis of algorithms, pipe-organ buff, funky Biblical scholar and all-round Good Guy, Donald Knuth – you’ve either heard of him or are about to go and read up about him – famously pays a bounty for any and all errors, no matter how small, found in his publications.

Spelling mistakes, factual errors, historical inaccuracies, incorrect index entries: all qualify for a reward of at least $2.56. That’s 100 hexadecimal cents.)

Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that “to show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”

There’s been general approval of this step, though a few observers have claimed that Facebook’s bounty is a bit on the cheap side. Google, say the Facebook detractors, offers US$3133.70 for bugs, and Mozilla US$3000, compared to Facebook’s typical starting bounty of US$500.

In fact, the detractors are wrong. Google’s offer to start paying for web application bugs explicitly opens the bidding, just like Facebook, at US$500.

Google’s Chromium bug bounty also started at US$500, a figure Google says it copied from Mozilla. The higher figures are for more serious bugs – something Facebook also says it will pay extra for.

So Facebook has definitely taken a step in the right direction here, and its “budget price” for bugs matches what other industry giants are offering. Nice one, Facebook.

Are there any downsides?

The bad news is that Facebook is only interested in security reports to do with explicit web coding flaws, such as XSS (cross-site scripting) bugs or code injection faults. Bugs or shortcomings in the company’s general attitude to security don’t count.

Sadly, that means you can’t grab yourself a quick $1500 by simply sending in Naked Security’s Three Simple Steps To Better Facebook Security from our open letter earlier in the year. If you missed them back then, they were:

* Privacy by default.
* Vetted application developers.
* HTTPS for everything.

In fact, Facebook won’t pay for bugs in third-party applications at all, even though those applications carry an implicit endorsement by knitting themselves into the fabric of Facebook itself, and even though Facebook still doesn’t have a decent application vetting process.

That’s a pity.

So too is the verbiage in Facebook’s Responsible Disclosure Policy. You might expect that this would merely limit bug payouts to people who give Facebook time to fix the bugs before they announce them to the world.

It does, but also adds the following:

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

To me, this wording comes across as pretty scary stuff. Facebook, if you want to draw attention to the threat of lawsuits and of calling the cops, why not stick to doing so against the huge number of scammers who already plague your social network?

Please don’t write what sounds eerily close to a threat to the very security researchers you want to get working on your behalf!