Growing no. of teen hackers (or wannabes)

The number of teenagers dabbling in high-tech crime is on the rise. "Computer security professionals say many Net forums are populated by teenagers swapping credit card numbers, phishing kits and hacking tips," the BBC reports. Kids as young as 11 and 12 are being found in these forums using credit card numbers to pay for packaged exploits, computer security experts say, some of whom seem to view searching for videogame cheats as a kind of "gateway" activity (I'd say only for those who've never been told the difference between legal and illegal). In any case, these hacker wannabes' age and low skill level make them relatively easy to catch and arrest, the BBC sources' say, and they need to know that nobody wants to be in the position of trying to get into college with a criminal record! The BBC says some are going for thrills, some for a certain kind of fame or validation (even making videos of their exploits and posting them on YouTube), some for money, and others some combination of all the above.

Common social-networking hack

We get a lot of questions in the ConnectSafely forum about people finding their profiles compromised in various ways. One way this can be done concerns social networkers' passwords - if they've either given their passwords to friends or their passwords have been stolen. A researcher colleague of mine in Portugal, Daniel Cardoso, sent me a heads-up about the latter. Here, a post in EthicalHacker.com explains that there is free downloadable software on the Net that allows malicious hackers to steal users' passwords. Cain & Abel is "a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols." In Slashdot, which Daniel linked me to, a young security expert posted: "If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's, running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything. Kids these days [note that he's talking about his peers] are just not educated enough on good security practices, or show a lack of common sense with this stuff." Parents, make sure your kids practice good computer security - choose hard-to-guess passwords, don't share them with friends, change them fairly often, and choose different ones for different sites and services. IT News in Australia reports that "criminal hackers now view social networking sites as their best target for attacks." It goes on to describe another vulnerability besides passwords, and IT Pro in the UK reports on a Facebook vulnerability involving users' private photos.

Teen 'cybercrime kingpin' arrested

The 18-year-old New Zealander's screenname is "AKILL," and he is the alleged head "of an international cyber crime network accused of infiltrating 1.3 million computers" and stealing $20+ million from victims' bank accounts, the Associated Press reports. "Working with the FBI and police in the Netherlands, New Zealand police raided" his house in Hamilton and took him and several computers in custody. His arrest was part of an international crackdown on criminal hackers who hack or social-engineer their way into large numbers of computers, install malicious software, and take control of the machines, turning them into "zombies." The zombie computers become part of large networks (or "botnets") of computers that can launch denial-of-service attacks on large Web commercial Web sites, extort, manipulate stocks, etc. "Eight people have been indicted, pleaded guilty or have been convicted since the investigation started in June."

Hacking ethics

A Sydney Morning Herald commentator looks at the ethical questions around 17-year-old George Hotz's iPhone hack. There's no question it's a great story: "In a quest for a car that will win all the girls, some no-name kid in the US devotes his last summer before college to unlocking the seemingly impenetrable iPhone. Corporate giants Apple and AT&T watch helplessly as this kid kills their monopoly with a soldering iron and a pile of energy drinks, then pours the know-how out over the Internet." Here's my post on the news story. This is great material for a discussion with any hackers in your house or classroom involving questions like, "Could you have done this hack?" "Would you have, should he have?" "Why/why not?" "Even if it was legal, should it have been?" There are no black 'n' white answers, but this is the kind of discussion that develops the "filter" between kids' ears, the kind that can handle any and all change and growth the user-driven Internet throws at our youth and us.

Teen hackers mostly good

A lot of teens do some hacking, and - though their intentions aren't malicious, their hacks are illegal, USATODAY reports. Covering a report by psychologist Shirley McGuire at the American Psychological Association conference, the article says "a large minority of teenagers commit computer crimes such as hacking and software piracy, but it's done mostly out of curiosity and a hunger for excitement rather than wanting to cause trouble." McGuire found in a survey of some 4,800 San Diego-area high school students that 38% had copied software without permission; 18% went into someone's computer or Web site without permission, 16% have taken material from it; and 13% changed a computer system, file program or Web site without permission."

Hacks in social sites

What I mean is, hackers (not malicious ones) have something to say about social-networking sites. Thousands of them gathered at two conferences in Las Vegas this past week, the Associated Press reports. Here's the important part: Hackers are seeing intruders in social-networking sites who "commandeer personal Web pages and possibly inject malicious code." They look for flaws in sites' code that allows them to "inject" their own malicious code into pages. This is " a particular problem for social networking sites, where it's difficult to police the content of the millions of posts each day," according to the AP. The intruders often add links to Web pages in other sites that steal the computer "cookie" information from the computer of the social networker who clicks on the link. Particularly vulnerable are people who use older versions of Firefox, one of the AP's sources said. The source said Facebook and MySpace patch flaws they find, but there are probably hundreds of flaws like this and it's tough to keep up with what's on tens of millions of pages. So the take-away is: Everybody needs to keep their browsers up-to-date and be careful about what links they click on in profiles and blogs!

Facebook & ID theft

This is something for social networkers to be on the alert about: computer security and social engineering on social-networking sites (social engineering is what phishers and identity thieves use to trick people into making themselves and their devices vulnerable to hacks and ID theft). The latest warning signal concerns Facebook, which recently announced it's becoming a social-networking platform for all kinds of online services and widgets. "While thousands of applications being developed by third parties for Facebook users are enriching the social network's functionality, the Facebook Platform provides a perfect channel for distributing malicious software," CNET reports. To be fair, experts quoted in the article are talking more about the potential than actual attacks. And, "while Facebook third-party developers do not necessarily have access to Facebook members' personal details, whether users agree to install an application is ultimately a caveat emptor scenario" - meaning read the fine print before you agree to install stuff, people!