Hackers Spoil Their $1 Billion Bank Heist With a Typo
Article courtesy of Wired.com
After last month’s maelstrom of news around Apple’s fight with the FBI, this week felt like the eye of the storm, with a return to the business-as-usual news of data breaches and zero-days. But in the midst of that relative calm, the government shot back with its response to Apple’s legal argument against cracking the San Bernardino shooter’s iPhone on the FBI’s behalf. Ransomware hit Apple’s operating system for the first time. In a moment inspiring near-universal schadenfreude, ISIS suffered a data breach that identified tens of thousands of its recruits. And a researcher found thousands of industrial vehicles with their telematics units left online and accessible to hackers.
And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Hacker Typo Prevents $1 Billion Bank Heist
Where is autocorrect when you need it? A spelling mistake was the only thing standing between a group of hackers and the $1 billion they tried to steal from Bangladesh Bank. After the hackers misspelled “foundation” as “fandation” in a wire transfer request, it prompted bank authorities to investigate the veracity of the transfer order. The hackers initiated a series of money transfer requests after stealing credentials the bank uses to authorize electronic transfers. They used the credentials to send about three dozen money transfer requests to the Federal Reserve Bank of New York, asking it to transfer funds from the Bangladesh Bank’s account to entities in the Philippines and Sri Lanka, including a non-governmental organization called Shalika Foundation. It was the latter’s name they misspelled. But don’t be too quick to nominate the hackers for a Darwin award. They had already correctly spelled the words in three other transfer requests before making their mistake. Those orders allowed them to steal $80 million before the typo in the fourth transfer put a halt to their heist.
Edward Snowden Agrees: The Government Doesn’t Need Apple to Crack Into iPhones
In a story published last week, WIRED pointed out alternate means the government can use to crack into iPhones without Apple’s help. This week Edward Snowden suggested the same during an interview when he said that the FBI’s claim in court documents that only Apple can unlock its phones is “bullshit.” Unfortunately, the interview ended before Snowden could elaborate, but he later sent out a tweet pointing to an ACLU post discussing another possible method.
NSA Surveillance Data Not Just for NSA Anymore
The slope of government surveillance got a little slippery this week when the Guardian revealed that the Foreign Intelligence Surveillance Court had quietly approved changes to rules governing the use of bulk data collected from US tech companies through its so-called PRISM program. The FBI is allowed to directly access the NSA’s massive collection—which can include international email, texts and phone calls—for criminal investigations. The move essentially eliminates any barrier that previously existed between foreign counterterrorism investigations and domestic criminal investigations. The American Civil Liberties Union summed it up this way:
“FBI agents don’t need to have any “national security” related reason to plug your name, email address, phone number, or other “selector” into the NSA’s gargantuan data trove. They can simply poke around in your private information in the course of totally routine investigations. And if they find something that suggests, say, involvement in illegal drug activity, they can send that information to local or state police. That means information the NSA collects for purposes of so-called “national security” will be used by police to lock up ordinary Americans for routine crimes.”
It’s not the first time NSA data has doubled as domestic law enforcement data. Previous news reports had found that the government was sharing NSA-collected data with the Drug Enforcement Agency. But since the government didn’t want to reveal where the data came from, the DEA was required to conduct what’s known as “parallel construction” where it takes evidence the NSA obtained through classified national security programs and recreates it using domestic law enforcement means in order to hide the original source of the evidence from defense attorneys and the courts.
Hackers hit KKK.com, a web site of the Ku Klux Klan, on Thursday as part of a larger attack against the web host and security firm Staminus. The hackers, who call themselves FTA, posted more than 15 gigabytes of data stolen from the company on a Tor hidden service, along with a message boasting about their KKK takedown. “Yes, that’s right, Staminus was hosting the KKK… An organization legally recognized in some regions as a terrorist collective,” the hackers wrote. “Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is unforgiveable, and consequently they had to be punished.”
If anyone needs proof that “bug bounty” rewards for benevolent hackers are worth every dime, look no further than the $15,000 bounty Facebook paid out this week. Indian hacker Anand Prakash found a vulnerability in the stripped-down mobile version of Facebook’s password reset page that allowed him to try thousands of the six-digit codes sent to users who forget their passwords. That would have allowed him to brute-force his way into any of Facebook’s 1.1 billion accounts. Facebook rushed out a fix within hours of hearing about the flaw.
Hack a former US president, and it’s no surprise that you’ll probably face a US prosecutor. Romanian authorities this week agreed to extradite hacker Marcel-Lehel Lazar, a.k.a. Guccifer, to the US to face criminal charges. Lazar is accused of hacking the email account of George W. Bush—revealing some highly personal self-portrait paintings—as well as the emails of Clinton aide Sidney Blumenthal and Colin Powell. Lazar was arrested in early 2014, and has already been sentenced to seven years in Romanian prison for hacking targets in his home country. Later in 2014, he was indicted by a US grand jury in absentia, and now faces additional charges including wire fraud, computer hacking, cyberstalking, and obstruction of justice.
Feds Seek 5-Year Prison Term for Matthew Keys
A former Reuters employee is facing five years in prison if prosecutors have their way. Matthew Keys was an online social media editor for the Reuters news agency when he was indicted in 2013 for providing a username and password to members of Anonymous to gain access to the server of his former employer, the Tribune Company. Prosecutors said he encouraged the hackers to use the credentials to “go fuck some shit up.” Someone subsequently used the credentials to hack into the web site of the Los Angeles Times, which is owned by the Tribune Company, and change the headline of a story. Keys was convicted last year on conspiracy and the transmission of data to damage a computer. The government is asking the court to sentence him to five years in prison, which Keys’ attorneys say is wildly disproportionate to his actions and their impact, according to Politico.