HackrNews

The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the amount of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

About 1,500 unclassified e-mail users at the Pentagon had their service disrupted yesterday when a hacker infiltrated the e-mail system, forcing the accounts to be taken offline.

In a briefing today with reporters in Washington at the Pentagon, Secretary of Defense Robert M. Gates confirmed the incident and said that the users were disconnected from the system after the intrusion was discovered.

“The reality is that the Defense Department is constantly under attack,” Gates said during the briefing. “Elements of the [Office of the Secretary of Defense] unclassified e-mail system were taken offline yesterday afternoon, due to a detected penetration. A variety of precautionary measures are being taken. We expect the system to be online again very soon.”

The funny thing is the Secretary of Defense himself doesn’t even use e-mail…so I doubt he even noticed what had happened.

Hopefully the government will sharpen up it’s ideas.

Gates said that he was not sure why the 1,500 users were removed temporarily from the system. “Well, I don’t know the answer to that, and they’re still investigating it.”

Gates said he doesn’t use e-mail, so he didn’t know if his account was affected.

“I don’t do e-mail,” he said. “I’m a very low-tech person.”

A spokesman at the Department of Defense late this afternoon said he had no additional information about the incident.

Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly professional.

The tool, which RSA calls the “Universal Man-in-the-Middle Phishing Kit,” is available on underground online marketplaces for about $1,000, Jens Hinrichsen, RSA’s product marketing manager for fraud auction, said in an interview Wednesday.

“Unlike other phishing kits which have been in existence for quite some time, this kit is unique because with a very simple user interface you can choose whatever site you’d like to spoof,” Hinrichsen said. “The arms race continues; we on the security side have to continue to escalate resources and invest in technology.”

Phishing scams are a prevalent online threat that typically use fraudulent Web pages and spammed e-mail messages to trick people into giving up personal information such as user credentials or credit card data.

Using the new kit, a fraudster only has to enter variables such as which site should be spoofed and where the fraudulent page will be hosted. The tool then produces a dynamic Web page in the PHP (hypertext preprocessor) scripting language. The fraudster hosts this page somewhere on the Web, typically on a compromised Web server or a free Web host, and lures people to it with spammed e-mail messages or other links.

Unlike traditional phishing Web sites that have static Web pages designed to look like a real online bank or other trusted site, the dynamic page created by the phishing kit actually pulls in the current Web site of the target organization and displays it. However, any data entered is captured by the miscreants, Hinrichsen said.

“Once you enter your credentials, it would be intercepted by that server where the PHP file is hosted,” he said. At the same time, the victim is actually logged in to the legitimate site and may never know he’s been phished.

Shrewd phishers monitor the log-in process to validate that the data they capture is legitimate, Hinrichsen said. An incorrect username and password combination would be discarded. Also, the man-in-the-middle-style attack lets the miscreants continue to eavesdrop on the victim’s interactions with the legitimate Web site, according to RSA.

The most popular phishing targets are banks and online payment services such as PayPal. Auctioneer eBay is also a common target. Fraudsters run phishing scams to collect personal information that can be used for identity fraud.

Phishing protection is becoming common. The latest versions of Firefox and Internet Explorer include phishing shields. Also, security firms such as Symantec and McAfee sell antiphishing software.

Protection technologies typically rely on a list of known bad Web sites and display a warning when a user surfs to one of those. This means, however, that a brand-new fraudulent site won’t be detected. In general, people should be cautious when following links to any site that requires a log in. It is better to type in the address or use a bookmark.