Anonymous Launches HackerLeaks: WikiLeaks For Stolen Data

A new website called HackerLeaks, reportedly launched last week by members of hacker-activist collective Anonymous, invites users to submit hacked data for analysis and publication.

Similar to the whistleblower website WikiLeaks, HackerLeaks operatives “receive documents through anonymous submission channel, analyze them, and then distribute them to the press,” Forbes's Andy Greenberg reported on Thursday.

The organization’s official mission statement, available on the HackerLeaks website (here), reads,

“In both security as well as overall strategy, HackerLeaks is closely modeled on WikiLeaks. Our first priority is to provide a safe, secure - and anonymous way for hackers to disclose sensitive information. Our team of analysts first carefully screens each submission for any possible trace of the senders identity. Our second commitment is to ensure that each and every leak receives the maximum exposure possible in order to achieve the most profound political impact for the risks taken by those submitting material. To that end, we work with media outlets all over the world.”

Amidst recent Internet security breaches, independent hackers have been utilizing sites such asPastebin to release compromised data. HackerLeaks, on the other hand, claims to provide an added incentive, offering “maximum exposure and political impact” as a result of such "leaks".

“We just wanted to make our own offering, compete in the disclosure marketplace and maybe fill a unique role if we can,” says a HackerLeaks representative who spoke to Greenberg over instant message.

As of this writing, there has been one anonymous submission to HackerLeaks –– a leak containing personal information of Orlando officials. Time will tell whether or not more hackers will utilize HackerLeaks in order to publicize the data that they’ve taken.

Anonymous has reportedly launched a "war" against the city of Orlando to voice disapproval over the arrests of non-profit workers who distribute food to the homeless without obtaining permits from the city. The group claimed that it will target "city web assets," and apparently downed the Orlando Florida Guide soon thereafter.

Homeland Security Vs Anonymous vs Orlando Florida

WASHINGTON -- Businesses facing a growing threat of cyberattacks against their websites will now have more tools to protect themselves and harden their Internet sites against hackers.

The Homeland Security Department will help small companies and nonprofit groups avoid programming problems that allow hackers to get into the businesses' websites.

The government's latest cybersecurity effort follows a series of high-profile hacking attacks against corporate and federal websites, including one that shut down the CIA's site for several hours last week.

The new program was developed with the Mitre Corp. and is an effort to shore up known weaknesses in programming that give hackers a backdoor into websites. The effort began well before the recent website attacks.

It includes a list of top 25 technical software problems that hackers exploit and sets up a way to rank software so that customers can see whether it meets necessary standards.

Right now, when owners of small businesses buy software or hire a firm to build a website, it is difficult to know whether the programs are secure or not, said Alan Paller, director of research at SANS Institute, a computer-security organization.

He said the information, which has been compiled on a special website that the public can view, will tell people what to look for in setting up a secure website and how to judge potential programming errors. It also sets up a scorecard, so that companies looking for a firm to set up a website can check their security score.

The effort is aimed at the more than 1 million computer programmers and other high-tech professionals who write code, build websites and develop software. It lays out known software weaknesses and how to fix them.

++++++++++++++++++++++++++++++++++++++++++++++++

Meanwhile Anonymous Declares War on Orlando Florida

Orlando, Florida: home of Disneyworld, and newest target of hacker group Anonymous.

The Washington Post reports that Anonymous has apparently posted a new release threatening to take down websites belonging or relating to the city of Orlando.

This new effort comes as a response to the arrests of Food Not Bombs non-profit workers who have been distributing food to the homeless without permits. The group's compliance with city ordinances has, in the past, caused tension between workers and the city government. Orlando Mayor Buddy Dyer has allegedly referred to Food Not Bombs members "food terrorists," according to a quote in the Orlando Sentinel.

"This is a declaration of war," read the supposed Anonymous release, which TechCrunch has posted in full. "Henceforth there will be no more cease fires, no more attempts to get you to resolve this issue with human decency. We will now treat you like the human rights abusers that you are."

The release also contained a warning that "Anonymous will now begin a massive campaign against you and your city web assets. Everyday we will launch a new DDoS attack on a different Target."

The authors of the release went on to say that Anonymous planned to take down the Orlando Florida Guide at 10 AM today and leave it down until 6 PM. At the time of this writing, the site is down.

Anonymous is tweeting out its actions at the handle @oporlando2011.

Aimi Eguchi, Of Japan's AKB48 Pop Idols, Has A Secret: She's Not Human

And She only takes up 150 Gigs of Memory!

Only 15 seconds in the limelight and she’d already created an overnight buzz. She was the newest member of the very popular all-girl Japanese idol group AKB 48. Upon seeing the new face appear on a candy commercial, the band’s faithful took to the message boards: Who is Aimi Eguchi?

This past Sunday, Ezaki Glico, the candy company which aired the commercial,confirmed what many of AKB 48’s fans had come to suspect: Aimi Eguchi wasn’t real. The new group member, it turns out, was a computer-generated composite of the real band members. Her pretty face was actually made up of the “best features” of six other members: her eyes, nose, mouth, hair/body, face outline and eyebrows were not flesh-and-blood, but cut-and-paste.

Not everyone was so quick to catch on, however, and Aimi had already formed a fan base of her own. “The video shocked fans of Eguchi,” reports ChannelNews Asia, “who were convinced that her features were more the result of good genes than the skillful use of computer graphics.

But why the suspicion in the first place? A quick search and fans found Aimi’s AKB 48 profile, discovered she was sixteen years old, that she competed in track and field, and that she was from Saitama, a prefecture on the island of Honshu. They would have also discovered that Aimi had debuted in a photoshoot for Shueisha’s Weekly Playboy magazine.

Conspiracy theorists who gave it more thought, however, would have found it a suspicious coincidence that the letters of the new member’s name could be derived from the name of the candy company, the theme song in the commercial, and the name of the candy being advertised. They would have also found it suspicious that Aimi’s birthday, February 11, was coincidentally the date Ezaki Glico was founded, and that the company’s slogan “Hitotsubu 300 meter,” sounded all too much like Aimi’s favorite sport (I guess). Not to mention Aimi bore a striking resemblance to six other members.

A lot of work was invested in creating Aimi Eguchi. In addition to the commercial–which still has fans completely fooled–they released a video in which Aimi makes a statement. Take a look at this video showing how she was composited off of the LIVE band members. It’s a damn good job.

 

LulzSec and Anonymous team up

LulzSec and Anonymous team up, plan digital destruction

Though it looked for a moment as if LulzSec and Anonymous might be getting ready for a hacker war against each other, the two groups have instead decided to band together against their real enemies: Governments. 


Over the weekend, LulzSec, a relatively new group of Internet pranksters, announced it would join Anonymous – a much more established, if still loosely affiliated, organization of hackers – to wage war on government sites, under the auspices of an initiative called "Operation Anti-Security."

"We encourage any vessel, large or small, to open fire on any government or agency that crosses their path," reads a LulzSec statement. "We fully endorse the flaunting of the word 'AntiSec' on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships."

Another tweet published to the official LulzSec Twitter page, informed the world that "anarchy is now." So this should be interesting. Two groups of hackers, intent on unleashing chaos, all in the name of the public good. For fans of chaos – and dystopian graphic novels such as "V for Vendetta" – this will no doubt be greeted as grand news indeed. For government employees, well, not so much. 

"Top priority is to steal and leak any classified government information, including email spools and documentation," LulzSec have announced. "Prime targets are banks and other high-ranking establishments. If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood." Because regular cannonfire would obviously not suffice.

LulzSec – short for Lulz Security – already has a string of successful hacks under its belt, including the recent breach of the US Senate site, which LulzSec spokespeople said was done, "just for kicks." Before that, there was "Sownage" – an ongoing war against Sony – and attacks on the Websites of PBS and Fox. (In the latter case, LulzSec exposed a database of "X-Factor" contestants.)

Follow up To Sega Hacked Article. 1.3 Mil

Sega says 1.3 million users affected by cyber attack

TOKYO | Sun Jun 19, 2011 6:28am EDT

(Reuters) - Japanese video game developer Sega Corp said on Sunday that information belonging to 1.3 million customers has been stolen from its database, the latest in a rash of global cyber attacks against video game companies.

Names, birth dates, e-mail addresses and encrypted passwords of users of Sega Pass online network members had been compromised, Sega said in a statement, though payment data such as credit card numbers was safe. Sega Pass had been shut down.

"We are deeply sorry for causing trouble to our customers. We want to work on strengthening security," said Yoko Nagasawa, a Sega spokeswoman, adding it is unclear when the firm would restart Sega Pass.

The attack against Sega, a division of Sega Sammy Holdings that makes game software such as Sonic the Hedgehog as well as slot machines, follows other recent significant breaches including Citigroup, which said over 360,000 accounts were hit in May, and the International Monetary Fund.

The drama surrounding the recent round of video game breaches paled compared to what PlayStation maker Sony Corp experienced following two high-profile attacks that surfaced in April.

Those breaches led to the theft of account data for more than 100 million customers, making it the largest ever hacking of data outside the financial services industry.

Sega Europe, a division of Sega that runs the Sega Pass network, immediately notified Sega and the network customers after it found out about the breach on Thursday, Nagasawa said.

Lulz Security, a group of hackers that has launched cyber attacks against other video game companies including Nintendo, has unexpectedly offered to track down and punish the hackers who broke into Sega's database.

(Reporting by Yoko Kubota; Editing by Nick Macfie)

Sega Hacked! @LulzSec Tweets Sega support

@LulzSecThe Lulz Boat

@Sega - contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.

Sega Pass Hacked, User Information Compromised

Another video game company has been hacked. This time, it's Sega.

The company's Sega Pass system, which distributes free content like demos to users, was taken offline on Thursday. According to the email sent to users, reprinted by PlayStation Lifestyle, "unauthorized" entry was discovered on the database. No payment information has been compromised.

Sony wrote that some users' email addresses, dates of birth and encrypted passwords were taken. Payment details are safe, however, as Sega uses external payment providers. Sega advised that users should change passwords for other sites they may have used the same login information for, and to beware emails asking for personal information.

"We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach," Sega wrote. "We have launched an investigation into the extent of the breach of our public systems."

While some have speculated that LulzSec, which claimed responsibility for hacks of Sony and theCIA's website, is responsible for this latest attack, the group denied involvement. "@Sega - contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down," it wrote on its Twitter.

U.S. Government In Cyber Fight But Can't Keep Up

By Phil Stewart, Diane Bartz, Jim Wolf and Jeff Mason

WASHINGTON (Reuters) - The Pentagon is about to roll out an expanded effort to safeguard its contractors from hackers and is building a virtual firing range in cyberspace to test new technologies, according to officials familiar with the plans, as a recent wave of cyber attacks boosts concerns about U.S. vulnerability to digital warfare.

The twin efforts show how President Barack Obama's administration is racing on multiple fronts to plug the holes in U.S. cyber defenses.

Notwithstanding the military's efforts, however, the overall gap appears to be widening, as adversaries and criminals move faster than government and corporations, and technologies such as mobile applications for smart phones proliferate more rapidly than policymakers can respond, officials and analysts said.

A Reuters examination of American cyber readiness produced the following findings:

* Spin-offs of the malicious code dubbed "agent.btz" used to attack the military's U.S. Central Command in 2008 are still roiling U.S. networks today. People inside and outside the U.S. government strongly suspect Russia was behind the attack, which was the most significant known breach of military networks.

* There are serious questions about the security of "cloud computing," even as the U.S. government prepares to embrace that technology in a big way for its cost savings.

* The U.S. electrical grid and other critical nodes are still vulnerable to cyber attack, 13 years after then-President Bill Clinton declared that protecting critical infrastructure was a national priority.

* While some progress has been made in coordinating among government agencies with different missions, and across the public-private sector gap, much remains to be done.

* Government officials say one of the things they fear most is a so-called "zero-day attack," exploiting a vulnerability unknown to the software developer until the strike hits.

That's the technique that was used by the Stuxnet worm that snarled Iran's enriched uranium-producing centrifuges last summer, and which many experts say may have been created by the United States or Israel. A mere 12 months later, would-be hackers can readily find digital tool kits for building Stuxnet-like weapons on the Internet, according to a private-sector expert who requested anonymity.

"We're much better off (technologically) than we were a few years ago, but we have not kept pace with opponents," said Jim Lewis, a cyber expert with the Center for Strategic and International Studies think tank. "The network is so deeply flawed that it can't be secured."

"IT'S LIKE AN INSECT INFESTATION"

In recent months hackers have broken into the SecurID tokens used by millions of people, targeting data from defense contractors Lockheed Martin, L3 and almost certainly others; launched a sophisticated strike on the International Monetary Fund; and breached digital barriers to grab account information from Sony, Google, Citigroup and a long list of others.

The latest high-profile victims were the public websites of the CIA and the U.S. Senate - whose committees are drafting legislation to improve coordination of cyber defenses.

Terabytes of data are flying out the door, and billions of dollars are lost in remediation costs and reputational harm, government and private security experts said in interviews. The head of the U.S. military's Cyber Command, General Keith Alexander, has estimated that Pentagon computer systems are probed by would-be assailants 250,000 times each hour.

Cyber intrusions are now a fact of life, and a widely accepted cost of doing business.

"We don't treat it as if it's here today, gone tomorrow," said Jay Opperman, Comcast Corp.'s senior director of security and privacy. "It's like an insect infestation. Once you've got it, you never get rid of it."

The private-sector expert who requested anonymity said a top official at a major Internet service provider told him that he knew his network had been infiltrated by elite hackers. He could digitally kick them out - but that would risk provoking a debilitating counter-attack.

"THE THING ... THAT KEEPS ME UP AT NIGHT"

The idea behind the soon-to-be-announced Pentagon program for defense contractors is to boost information-sharing with the Defense Department on cyber threats. It also aims to speed reporting of attacks on firms that make up what the Pentagon calls the Defense Industrial Base.

The DIB, as it is sometimes known, provides the Defense Department some $400 billion a year in arms, supplies and other services. The new program is voluntary and builds on a smaller pilot, reflecting the persistent challenge of regulating private firms that traditionally shield proprietary data and often downplay cyber setbacks.

Ultimately, the new program may lead to agreement to put at least some Pentagon contractors behind military-grade network perimeter defenses, such as those that protect the Pentagon's own classified networks.

On another front, the Pentagon's far-out research arm, the Defense Advanced Research Projects Agency, is expected to launch by mid-2012 the National Cyber Range, a kind of replica of the Internet costing an estimated $130 million that would be used to test cutting-edge cyber defense technologies and help train cyber warriors.

The Obama administration has made cyber security a national priority, and tried to fashion an "all-government response" that imposes order on the competing domains and priorities of the Pentagon, FBI, Department of Homeland Security, the super-secret National Security Agency and the private sector.

"We're far better prepared than we've ever been before," said White House cybersecurity coordinator Howard Schmidt.

"Notwithstanding all the threats that we see out there, the things that are making news on a regular basis about a company that's been intruded upon ... (look at) how much the system still runs," Schmidt told Reuters in an interview.

The key, Schmidt said, is resiliency, "to make sure that we're better prepared, to make sure that the disruptions when they do occur are minimum - we're able to recover from them."

Still, he said major worries remain. "The thing that I worry about that keeps me up at night is the unknown vulnerability that may exist out there."

Some officials are even less sanguine.

The Pentagon's computer systems are widely considered to be better protected than other U.S. government agencies', and far safer than the private sector's. Still, a U.S. defense official told Reuters he would give the Pentagon just a "C+" grade overall for its cyber defenses. "We're not impervious to attack by any stretch, but nor are we 'open kimono'," the official said. He added: "And we're getting better."

WHAT IS 'CYBER'?

Experts say that one of the toughest challenges of cyber defense is, oddly, definitions. What constitutes "cyber"? Computers and digital networks, certainly. But how about digitized pictures or video streams from a pilotless Predator drone flying over Pakistan?

Who is responsible for protecting what? Where does national security begin and privacy end?

"The other big problem is lack of policy," said one former U.S. official. "(We) lack policy because we lack consensus. We lack consensus because we haven't had an informed debate. We lack an informed debate because we don't have a common pool of data. And we don't have a common pool of data because we don't share it."

Nowhere is the problem more acute than in thinking about cyber warfare. What constitutes an act of war in cyberspace? And how do you determine who it was that fired the shot?

U.S. military officials, eager to talk about how the Pentagon has boosted computer defenses, clam up when the topic turns to offensive capabilities.

The Pentagon has put together a classified list of its cyber capabilities so policymakers know their options - just as it does for more conventional weapons.

Offensive actions against foreign systems would require White House authorization. But the Pentagon does not need special approval to do the kind of cyber surveillance work that can identify vulnerabilities in foreign networks, a U.S. official told Reuters, speaking on condition of anonymity.

That includes leaving hidden digital "beacons" inside adversaries' networks that could be used to pinpoint future targets. The beacons can phone home to tell U.S. military computers that they are still operational, the official said.

While the United States is trying to apply conventional military logic to the cyber realm, there is no global consensus about the rules of cyber war. A Pentagon report due out toward the end of the month is not expected to articulate case-by-case possibilities of when a cyber war could turn into a real one.

INTO THE CLOUD

Even as such policy debates rage, the technological landscape is being remade, seemingly by the month, posing new challenges - and opportunities. Tens of thousands of mobile applications for smartphones and tablet computers represent new vectors for hacks and attacks.

"The quick answer is we haven't been doing enough and we're semi-late to the game" on protecting mobile applications, said Rear Admiral Mike Brown, a senior Department of Homeland Security cyber security official.

U.S. government agencies are working with major commercial vendors "to start looking together at how to address the issues of mobile vulnerabilities," Brown said at a symposium sponsored by Symantec Corp.

Meanwhile, the U.S. federal government is planning to move in a big way into "cloud computing," in which off-site providers offer network and storage resources accessible remotely from a variety of computing platforms.

Potential cost savings are significant. Handled correctly, computing clouds could offer added security, specialists say. But there are also risks.

A study released in April by CA Technologies and the Michigan-based Ponemon Institute contained alarming findings. Based on a survey of 103 U.S. and 24 European cloud computing providers, it found that a majority did not view security of their services as a competitive advantage, and believed that security was their customers' responsibility, not theirs.

Most did not have dedicated security personnel on staff.

Deputy Defense Secretary William Lynn met Google executives in California in mid-February to discuss cloud computing. On May 19, Lynn instructed the Pentagon's Defense Science Board to study the benefits and risks of cloud computing, "paying particular attention to attacks on communications that would destroy or delay delivery of services and information for time-critical uses."

Lynn told Reuters that "cloud computing has the potential to offer greater capability at equal or lesser costs." He added: "I want to make sure we are taking full advantage of these advanced technologies."

The Pentagon is preparing a cloud computing strategy, which it expects to complete by the end of the summer, a U.S. defense official told Reuters.

"We're trying to get to the place where warfighters or any of us can get to our information from anywhere on the planet, with any device," the official said.

Schmidt, the White House coordinator, said as many as 170 security controls are being built into government cloud computing projects from the start. "It's not deploying something and securing it later. We're setting the requirements at the outset."

"I'M NOT CONFIDENT THAT WE WOULD KNOW..."

So how safe are the computer networks of the United States, which perhaps more than any nation relies on them for banking, electric power and other basics of modern civilization?

In May 1998, then-President Clinton signed Presidential Decision Directive 63, calling for a "reliable, interconnected, and secure" network by 2003, and establishing a national coordinator for protecting critical infrastructure.

The Department of Homeland Security now has lead responsibility for protecting the power grid. Yet, as with almost everything involving cyber, it's not quite that simple.

If there were a cyber attack on the power grid today, "I'm not confident that we would know what parts of the government should respond," said one former U.S. official, who asked not to be identified. "Who jumps in there? DHS, DoD, Cyber Command, NSA, the intelligence community?"

"So nothing's really happened." said former Pentagon general counsel Judith Miller, talking about grid vulnerability at a cyber event in Washington this month.

"This is a discussion we had in the 1990s. We're having it right now. Nothing really has changed, although perhaps the ability of attackers, whether they're nation states or just kids, has grown apace," she said.

A central conundrum is that the Pentagon's National Security Agency, which specializes in electronic eavesdropping, has personnel with the best cyber skills, but has been until recently mostly shut out of protecting domestic networks. That's due to the highly classified nature of the NSA's work, and fears that it will stray into domestic spying.

Another complicating factor: the 1878 Posse Comitatus Act, which generally bars federal military personnel from acting in a law-enforcement capacity within the United States, except where expressly authorized by Congress.

"NSA has a long history in cyber security, on both the offensive and the defensive sides. It has great resources and expertise. But it makes privacy advocates nervous," said Stewart Baker, a former DHS official now at the law firm Steptoe and Johnson LLP.

Last October, the Defense Department and Homeland Security - responsible for protecting civilian U.S. government networks - signed a memorandum to cooperate, with the NSA sharing technology and the agencies swapping personnel.

The effort has gotten mixed reviews. Schmidt said that early reports of inter-agency tension have dissipated, and Representative James Langevin, a member of the House intelligence committee, said DHS is improving. "I don't think that they're there yet but we're moving in the right direction," he said.

However other experts, who would not be quoted for the record, said the gap between the two agencies remains wide.

Even if the NSA, DHS and other agencies worked together seamlessly, the problem remains of coaxing industries in critical infrastructure to accept more government regulation.

"There's absolutely no question that the power companies and indeed state regulators have been unenthusiastic about a federal role," Baker said. He added this warning: "The regulation that would pass after a disaster is a lot worse than they would get right now."

And then there's the Stuxnet-like "zero day" attack, exploiting a flaw no one knew existed, perhaps tucked into some off-the-shelf software like that purchased daily by federal agencies.

"Our largest fear ... is the zero day attack," said Sherrill Nicely, the CIA's deputy chief information officer. "It's very, very, very difficult to protect oneself from an attack that you did not know was coming or the vulnerability that you did not know existed."

(Additional reporting by Jeremy Pelofsky and Warren Strobel; Writing by Warren Strobel; Editing by Kristin Roberts and Claudia Parsons)

Copyright 2011 Thomson Reuters. Click for Restrictions