Spy Firm Videos Show How to Hack WiFi, Skype and Email


What better way to sell your wares than to produce a marketing video showing exactly how your product works? Even if that product is spyware, marketed to oppressive regimes.

WikiLeaks, as part of its Spy Files trove of documents, released on Thursday a series of videos from Gamma International, a UK-based firm that markets the FinFisher spyware. The videos show how the company’s product can be used to sniff WiFi networks from a hotel lobby, hack computers and cell phones, or intercept Skype communications and siphon encryption passwords.

Additionally, Gamma, which was found to have marketed its tools to Hosni Mubarak’s regime before Egyptian protestors toppled him, asserts in one of its videos that it has the ability to send a “fake iTunes update” to targets to infect their computers with the company’s surveillance software – though Apple has reportedly fixed the bug it exploited.

Four Romanians Indicted for Hacking Subway, Other Retailers

Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday.

The hackers compromised the credit-card data of more than 80,000 customers and used the data to make millions of dollars of unauthorized purchases, according to the indictment (.pdf).

From 2008 until May 2011, the hackers allegedly hacked into more than 200 point-of-sale (POS) systems in order to install a keystroke logger and other sniffing software that would steal customer credit, debit and gift-card numbers. They also placed backdoors on the systems to provide ongoing access.

The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs.

POS systems generally consist of a card scanner at a checkout register where customers scan their cards and type in a PIN or provide a signature, as well as a computer system for transferring the data to a card processor for verification and approval.

The indictment doesn’t identify the POS system used by Subway, but the sandwich chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.

Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23, were charged in the District of New Hampshire with four counts, including conspiracy to commit computer fraud, wire fraud and access device fraud. The indictment refers to two unindicted co-conspirators who used the online nicknames “tonymontanamiami” and “marcos_grande69.”

Oprea was arrested last week in Romania and is in custody there. Dolan and Butu were arrested upon entering the U.S. last August. Radu remains at large.

The indictment doesn’t name the other victims outside of Subway or the remote desktop software application the hackers targeted, but the case shares similarities with what happened to seven U.S. restaurants that sued the maker of a POS system in 2009 for failing to secure the product from a Romanian hacker who breached their systems.

The restaurants, located in Louisiana and Mississippi, filed a class-action suit against Georgia-based Radiant Systems, maker of the Aloha POS system. The plaintiffs say the point-of-sale system Radiant sold them was not compliant with payment-card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.

The suit alleged that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed — a violation of industry security standards.

Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant’s Aloha POS system.

According to plaintiffs, Computer World allegedly installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and that the PCAnywhere remote login and password that technicians used to access the POS systems were the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was “administrator” and the password was “computer.”

A hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others, according to the plaintiffs. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania.

It’s not known if the Subway breaches and the breaches involving the Radiant systems at other restaurants were done by the same intruders.

Government Opposes Bradley Manning Defense Witness Requests

The government is seeking to block Bradley Manning’s attorney’s attempt to call nearly 50 defense witnesses at a pre-trial hearing next week over the private’s alleged leaking of hundreds of thousands of U.S. government documents to WikiLeaks.

The government opposed all witnesses requested by the defense, except ones that the government is also calling as witnesses, according to a new filing from the defense team. That works out to 38 of the 48 witnesses Manning’s defense attorney David E. Coombs asked permission to call to the stand when the Article 32 hearing commences Dec. 16 in Maryland.

The government’s filing is not publicly available, but according to the defense response to the government’s opposition (.pdf), the government appears to be opposed to the calling of military mental health experts who worked with Manning, as well as other witnesses who can testify to Manning’s deteriorating emotional health before and during the time the alleged leaks occurred. Those witnesses would also be able to testify, the defense hopes, to the failure of the Army to address these issues at the time. The defense’s focus on witnesses who will testify to Manning’s mental health is likely an effort to mitigate any punishment Manning will face if convicted.

But the government seems to indicate that written testimony from these people will be adequate.

“In its response to the defense witness request, the government states that the defense’s proffered testimony regarding the total breakdown in command and control within the S-2 Section and the multiple failures by the unit to take basic steps in response to clear mental health issues being suffered by PFC Manning is somehow ‘not relevant to the Article 32 investigation and will only serve to distract from the relevant issues,’” Coombs writes in his response.

“Simply reading the sworn statements of some of these witnesses and hearing from a few others will not allow either party or the Investigating Officer to explore the relevant information,” Coombs continues. “The listed witnesses need to be questioned personally and individually about what they saw, heard, and experienced if there is to be a thorough and impartial investigation.”

The government also appears to be opposed to the testimony of case agents who worked directly on the investigation. According to the defense filing, more than 22 agents from the Pentagon’s Criminal Investigative Division worked on the case.

“If the defense does not have the opportunity to question the case agents about evidence they developed, witnesses they interviewed, leads they pursued, leads they elected not to pursue, and other relevant matters, the defense will also be denied an important function that the Article 32 investigation is designed to accomplish,” Coombs writes in his response, noting that the agents who worked on the case are likely spread throughout the U.S. and overseas, and that the Article 32 hearing will be the “only realistic mechanism available to the defense to personally question the case agents involved in the investigation.”

The defense is also seeking witnesses who could testify to the classification level of the information that Manning allegedly leaked, but the government apparently indicated that such witnesses were not available for testimony due to the importance of their positions.

“The government seems to argue that in matters of justice, if you have too important of a position, you should not be bothered,” Coombs writes. “Military justice should not be controlled by the importance of your duty position.”

Not surprisingly, the government opposed the calling of President Barack Obama and Secretary of State Hillary Clinton. Obama is being sought to testify on what possible undue influence his statements about Manning’s guilt might have on the military court. Clinton is being sought to testify about the level of harm that the data leaks caused to national security.

Coombs writes that if witnesses cannot be present because they are deemed “too important,” he will seek to take depositions from them, if the case goes forward.

Microsoft Releases December Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Microsoft Office, and Internet Explorer as part of the Microsoft Security Bulletin Summary for December 2011. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which update should be applied.

Additional information regarding the vulnerability identified in Microsoft Security Bulletin MS11-091 can be found in US-CERT Vulnerability Note VU#361441.