"“We have lent a huge amount of money to the U.S. Of course we are concerned about the safety of our assets. To be honest, I am definitely a little worried.”
"
Chinese premier Wen Jiabao 12th March 2009
""We have a financial system that is run by private shareholders, managed by private institutions, and we'd like to do our best to preserve that
system."
Timothy GeithnerUS Secretary of the Treasury, previously President of the Federal Reserve Bank of New York.1/3/2009
The trial opened in Suweon , near Seoul, S. Korea today, of someone calling herself Won Jeong-Hwa . She is suspected of being a spy for North Korea .
According to the chief prosecutor Kim Kyeong Su, Ms Won, thought to be aged 35, was a convicted in North Korea after being caught stealing several tonnes of zinc. She fled to China, was rumbled and returned to the DPRK and agreed to help infiltrate the South as a refugee.
One of her tasks was to find where former secretary of the North Korean Workers' Party Hwang Jang-yop, a key architect of Pyongyang's Juche (self-reliance) theory and the highest-ranking defector in the South in 1997. It appears she failed ... principally because he is in North America.
Apparently she has been in South Korea since 2001 under the tutelage, control, care of "Uncle Kim" (now 63 and also arrested and held - thought to have arrived via cambodia a popular regugee smuggling route) with frequent visits (14 at least) to China to receive orders, money, poisoned needles etc. Her job it appears - after a lengthy debriefing , all defectors are subject to, was as a model defector delivering anti - communist lectures at military bases.
These meetings were used to seduce male military officers and obtain classified military information. Poor Captain Hwang, 26, fell for the honey in the trap and is held in prison.
More will probably become public of what she discovered (although no doubt the trial will go into secret sessions) - she is said to have passed back to the North information about military installations, lists of North Korean defectors and personal data about South Korean military officers.
She is the first female spy to be arrested since Lee Sun-sil, a key figure in North Korea's Communist Party, was apprehended on espionage charges in 1992, and the first defector to violate the National Security Law.
Sexy Ms. Won could face execution
Connections to Spyware attack on Military ? No conection has been established with a recently reported incident when a North Korean spyware e-mail was transmitted to the computer of a colonel at a field army command via China in early August. This e-mail contained a typical program designed automatically to steal stored files if the recipient opens it. Little information is available or if the hack was successful, but their scale could be devastating given that the recipient is in charge of the South Korean military's central nervous system -- Command, Control, Communication, Computer & Information (C4I).
A National Security Council official is said to have lost files stored on his computer after a hacking attack from China earlier this year.
There are claims that an electronic warfare bureau at the North Korean Army's General Staff in accordance with leader Kim Jong-il's instruction in the mid-1980s to prepare for the new battleground. It seems unlikely that efforts started that early but from his first visits to DPRK in 1993, the brightest and the best were being trained and had a fascination for malware - which was then very primitive.
The school was as well kitted out as Google offices are today with pool tables, western music and food and they all spoke excellent (if Oxford accented) English.
The South Korean Defense Ministry believes that the skills of 500 to 600 North Korean hackers are on a par with those of CIA experts. This seems unlikely . In 1999, the department said it traced frequent cyber visitors and found that North Korea topped the list. (i.e 9 years ago - a log, long time in cyberspace)
The Massachusetts Bay Transportation Authority (The T)uses a Charlie Cardfor their touch free payment electronic payment systems. This uses the NXP/Philips' MIFARE standard 1k chips provided by G&D and Schlumberger - Sema and the card is a contactless radio transmitter / receiver. Nearly half a million dollars are collected every weekday by riders on the subway using these cards.
This RFID chip has been hacked by Dutch academics and recent failures of Transport for London's Oyster card may be the result of hackers exploiting the architecture and systems that have been revealed by them.
There is a DEFCON hacker convention due today. DEFCON , founded in 1993, has a website and claims on its website, http://www.defcon.org/ to be the oldest continuously running hacker convention in the world, drawing 3,000 to 5,000 people annually. It began Friday at the Riviera Hotel & Casino in Las Vegasand runs through to today.
They have advertised a presentation by 3 Massachussets Institute of technology students (Zack Anderson, R.J. Ryan, and Alessandro Chiesa) initially on the DEFCON site - "Want free subway rides for life?" T officials then contacted the students and the university, arranging a meeting last week. After the meeting, In which it appears it was stated that the FBI were also inviolved, in an apparent conciliatory gesture, the students changed the first line of the posting to read, "The anatomy of a subway hack." See below for details.
The T is sueing the named students claiming their plan to unmask potential security flaws in the CharlieCard and Charlie- Ticket systems at a Las Vegas computer conference would cause "significant damage to the transit system."
The T was granted a 10 day injunction yesterday in the US District Court in Boston by Judge Douglas Woodlock at 8 am Saturday that barring the 3 named students from presenting their methods and findings at the DEFCON hacker convention today. He ordered them not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."
The MBTA allege in documents presented to the court that the trio claimed to have circumvented the security protocols of the electronic ticketing system. The suit alleges the students publicly offered "free subway rides for life" to people over the Internet, and planned to show others how to duplicate their methods at a DEFCON presentation.
The lawsuit was also spreading their flak by naming MIT as a defendant, saying the school failed to "instruct and guide the MIT undergraduates to responsibly disclose information concerning perceived security flaws."
A computer security researcher, Eric Johanson, defended the students in a statement filed in court by and on behalf of MIT, saying none of the information they were planning to disclose was new.
Johanson also said that computer security researchers need to openly discuss the flaws they find in real-world systems so better ones can be built.
He added that "prohibition of open discussion of security vulnerabilities greatly harms the ability of researchers to function and has a chilling effect not only on publication, but on whether some important research is done in the first place, greatly stifling scientific advancement."
The T is seeking , as yet unspecified financial damages , plus an extended injunction to prevent the trio from releasing their findings until it can plug any possible security holes - if there are any.
The T is not sure there is a security problem (Oh yes there is !!) , but the 10-day injunction will provide time to find out. Lydia Rivera, a T spokeswoman says "The injunction is allowing us to review the research that they have and see if there is any validity to their findings, and take corrective action, if any is even necessary."
The injunction was a bit late as every person registering for Defcon (several thousand) received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and US$990 worth of hardware to read and clone the RFID-based CharlieCards. This apparently enables cloning of cards with a value up to US$655.36.
The distribution of the CD's commenced on Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from www.web.mit.edu/zacka/www/subway/ by Saturday morning.)
The Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems
Zack AndersonStudent, MIT RJ RyanStudent, MIT Alessandro ChiesaStudent, MIT
In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card, we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We survey 'human factors' that lead to weaknesses in the system, and we present a novel new method of hacking WiFi: WARCARTING. We will release several open source tools we wrote in the process of researching these attacks. With live demos, we will demonstrate how we broke these systems.
Zack Anderson is studying electrical engineering and computer science at MIT. He is an avid hardware and software hacker, and has built several systems such as an autonomous vehicle for the DARPA Grand Challenge. Zack is especially interested in the security of embedded systems and wireless communications. He has experience building and breaking CDMA cellular systems and RFID. Zack has worked for a security/intelligence firm, and has multiple patents pending. He enjoys building systems as much as he enjoys breaking them.
R J Ryan is researcher at MIT. His longtime passion for security has resulted in a number of hacks and projects, including a steganographic cryptography protocol. RJ works on a number of technical projects ranging from computer security to operating systems, distributed computation, compilers, and computer graphics. He enjoys learning how things work, and how to make things work for him.
Alessandro Chiesa is a Junior at MIT double majoring in Theoretical Mathematics and in Electrical Engineering and Computer Science. Born and raised in Varese,Italy, he came to MIT with interests in computational algebraic geometry, machine learning, cryptography, and systems security. He has authored papers such as "Generalizing Regev's Cryptosystem", which proposes a new cryptosystem based on shortest vector problems in cyclotomic fields. He is currently working with Oracle's Database Security group.
These guys are not crooks.
Public Transport systems relying on the Mifare chip had better get their act together - fast. This is their wake - up call. Anyone listening at TfL ?
MIT students R.J. Ryan, Alessandro Chiesa and EFF attorney Marcia Hofmann talk about the injunction.
Craig Murray's website archive can be reached at http://www.craigmurray.org.uk/ testing is underway and the gems of wisdom will Alisher Usmanov usher forth as soon as ....
Chris Floyd and Rich Kastelein, of Empire Burlesque are hosting but have been subect to a hack attack (Some pictures are still missing, but they are working on that.)
The trial opened in Suweon , near Seoul, S. Korea today, of someone calling herself Won Jeong-Hwa . She is suspected of being a spy for North Korea .
These meetings were used to seduce male military officers and obtain classified military information. Poor Captain Hwang, 26, fell for the honey in the trap and is held in prison.
