Hacker Arrested for Blackmailing German Children’s Social Networking Site: 1 M Children Affected
by futurecrimes on Oct 30, 2009 • 11:44 am
While hacking is by no means a new phenomenon, the volume of data criminals are able to obtain as a result of such attacks is increasing exponentially. Those who live their lives online and provide a constant stream of personal data to social networking companies such as Facebook, Myspace and Twitter are placing their trust in these firms to protect their personal information. Even though nearly all social media companies have implemented, to one extent or another, privacy policies and settings for their users, such steps only protect against voluntary disclosure of information. That is to say, establishing privacy settings to only allow friends and family in your network to see your activities is a useful tool to prevent the social networking site itself from disclosing your data to uninvited parties.
While much has been written and said about the limited nature of privacy protection in Web 2.0 services, it is important to note that all of these policies only protect you against people who follow the law and the terms of service of the social networking firm with whom you have shared your data. As illustrated below, however, they do nothing to prevent hackers from obtaining unauthorized access to your personal data–all your personal data.
This case underscores the need to carefully weigh the risk versus gain in opting to share personal data in social networking sites. Of course it goes without saying that poor site security, insecure software, wide propagation of malware and the common use of social engineering are also a big part of the problem. While the great benefit and convenience of Web 2.0 services can prove almost addicting, it may be time for a more rational and reasoned approach to the massive push to use these services. At a minimum, users should understand the risks in participating in such activities.
Up to 1 Million German School Children Affected by Data Security Breach
by Markus Goebel, October 21, 2009
and other German social networks.
The man had used crawler software to harvest detailed user information (residence, date of birth, relationship status, hobbies, favourite music, favourite movie, …) not only from the group’s networks for adult people, StudiVZ and MeinVZ, but also from Germany’s biggest social network for pupils, SchülerVZ. The 20-year-old man asked for €80,000. Kind of a pathetic amount, don’t you think?
If the company had refused to pay, he threatened to sell the information to gangs in Eastern Europe. The true number of the stolen records remains unclear. But in a blog post from May he had already bragged how his bot could copy 48,000 profiles in just four hours and even posted a video on YouTube.
The case developed very fast since last weekend, as you can see in the post at the StudiVZ company blog which is full of strike-throughs and updates. What started as a white hat attack on SchülerVZ, a network with 5m members from 12 to 21 years, turned into a crime story.
On Friday the whistleblower blog Netzpolitik.org received data of more than 1m minors from another anonymous source that only wanted to point at a security hole in SchülerVZ. He had no intention of selling the records and had also used crawler software to obtain these data. No hacker skills were necessary, although IP number checks and the website’s Captchas should have prevented the harvest.
The Netzpolitik.org post about this leak drew out the other hacker, known only as Mathias L., who obviously had less noble intentions. He bragged in his now defunct blog that his bot “sVZ Crawler”, based on PHP, JS, Ajax and different shell scripts, was better and that he could download much more detailed user information. As proof, he uploaded some of the data to a Hacker and Cracker internet forum where at least 17 other users downloaded it.
On Sunday he paid a visit to the social networks’ office in Berlin upon invitation by VZ-Netzwerke, and was welcomed by the waiting police. He has already admitted the attempted extortion, the public prosecutor’s office declared on Tuesday.