Suspicion strong that Aussie teen wiz hacked Metro State website
He calls himself Abdilo. He’s bragged online about hacking into websites on three continents, daring the authorities to catch him.
Now the U.S. Secret Service is trying to find out whether the boastful blogger — said to be a 16-year-old Australian — is behind a massive computer security breach at Metropolitan State University in St. Paul.
Two weeks ago, police raided the Queensland home of the “infamous Australian teen hacker,” as one local news report put it.
The suspect, who has not been publicly identified, has claimed responsibility for a four-month hacking spree that targeted at least one nuclear power organization in Australia, as well as police, government and college websites in his own country, the United States and Britain.
In the process, he attracted the attention of the Minneapolis field office of the Secret Service, which is investigating the Metro State incident. Louis Stephens, special agent in charge, said this week that his agency is working with Australian authorities to determine whether “an Australian teenage hacker utilizing the online alias ‘Abdilo’ is responsible for this and other data breaches.”
Since Metro State discovered that its computers had been hacked in December, it has been scrambling to assess and contain the damage.
This week, after a monthslong investigation, the school announced that the hacker had exposed the personal information of some 160,000 people, including faculty and students, dating back almost 20 years. Some of the data included full or partial Social Security numbers. But so far, there’s no evidence that anyone has used the information for nefarious purposes, says Devinder Malhotra, Metro State’s interim president.
Although he’s heard reports about the teen hacker, he says there’s no proof yet who was behind this “criminal act.”
It was the blogger himself who first blew the whistle. In December, Abdilo wrote a blog post claiming he had hacked into Metro State’s website, among dozens of others. A cyber security firm, which monitors the Web for threats, stumbled across it and notified the university. When the school checked out the claim, it discovered that it had in fact been hacked.
Faisal Kaleem, a computer security expert who teaches at Metro State, said he first learned about the incident from an all-campus e-mail alert in January. Curious, he set out to track down the hacker. He found Abdilo’s profanity-laced blog site, buried deep in the Web’s netherworld, in a matter of minutes.
On the blog, Abdilo wrote that he decided to break into various websites to “see if I got away with it.”
“What most people think is when you attack .edu, .gov and .mil [sites] you get arrested instantly. I decided to test that,” the blogger wrote.
“Here are some of the sites I messed with:”
Yale (“So easy”).
Harvard (“was a challenge but they are dumb”).
Princeton (“LOL easy”).
Why Metro State, a public university in St. Paul? “I broke into you cause i like 22 jump street,” he wrote — an apparent reference to the 2014 film, about undercover cops at a fictional school called Metro City State College.
At one point, Abdilo actually live-streamed one of his hacking sessions, according to an Australian news report in January. The report, on abcnet.au, said Abdilo “was showing off his hacking skills to anyone who wanted to watch.” He demonstrated how he broke into American education websites, the report said, and displayed a video stream as databases “spat out people’s private information.” In an Internet chat with the news site, Abdilo said he wasn’t worried about the police.
Kaleem, who teaches courses on cyber security, said the blogger’s braggadocio reveals that he’s probably not an “elite hacker” — the kind who spy on corporations or governments.
“It looks like he wanted to brag about his skills,” he said.
Technically, though, it wasn’t all that difficult to find the weaknesses in these websites, Kaleem said. “There is a plethora of all these ready-made tools that are available online that you can download for free,” he said. The programs can search a website to see whether it’s vulnerable to attack, and if so, steal information before anyone notices.
That’s essentially what Abdilo did, he said. Metro State has said it has since uncovered the flaw in its computer security and fixed it.
Beyond bragging rights, what might motivate someone like Abdilo?
One possibility, of course, is money. “Just imagine,” said Kaleem, “if he were to sell all this information to the organized crime outlets, that could have been a disaster.”
In Abdilo’s case, that doesn’t seem to be the primary motivation, he noted. Yet the hacker claimed, at one point, that he tried to sell his covert access to an insurance company’s website for $5,000, but that the company “fixed it just before I was about to sell it.”
Young hackers, though, may not be in it for the money, experts agree.
“There’s a certain kind of macabre fantasy to it all,” said Cameron Camp, a cybersecurity expert at ESET North America, a San Diego firm that makes software to protect against “cyber criminals.”
For a bored teenager, he said, it can be an ego boost. “It’s this weird thing where you think, hope, somebody takes notice and says, ‘Hey, that’s the smartest kid we’ve met.’ ”
They may fantasize that someone will hire them for their computer savvy, Camp said, but it rarely works out that way. He compares it to bragging to the police about speeding. “It feels good for a second. But then there’s that other part, where they come get you.”
From all appearances, Abdilo thought he had outsmarted the authorities. But the recent police raid, notes Kaleem, suggests that his assumptions “have been proven to be false.”
Even if this hacker is caught, there’s little doubt that others could take his place.
“There’s a lot of 16-year-olds out there,” said Camp. “There’s less than that number inside the university working to defend it.”
That’s the challenge for any organization, he adds. “The 16-year-old only has to be right once. You have to be right all the time.”
Facebook tracks all site visitors, violating EU law, report says
Facebook tracks everyone who visits its site, including people who don’t have an account, and even continues to track users and non-users who have opted out of targeted ads, researchers at two Belgian universities have found.
After these initial findings, the researchers did a further technical analysis of Facebook’s tracking practices. They focused on tracking techniques that use social plug-ins such as the “Like Button”, which is used on more than 13 million third-party websites, and also tested the advertising tracking opt-out.
“In doing so, a number of remarkable new issues have come to light,” said Brendan Van Alsenoy, legal researcher at the Interdisciplinary Center for Law and ICT of the University of Leuven.
It turns out, for instance, that Facebook places a cookie on the browser of anyone who visits a Web page belonging to the facebook.com domain, even if the visitor is not a Facebook user, the report found. The cookie placed by Facebook is called “datr” which contains a unique identifier and has an expiration date of two years.
Facebook users also get a range of additional cookies which uniquely identify the user.
Once these cookies have been set, Facebook will in principle receive information from them during every subsequent visit to a website containing a Facebook social plug-in. These cookies will give Facebook information like the URL of the Web page that was visited as well as information about the browser and operating system, the report said.
This means that Facebook tracks its users for advertising purposes across non-Facebook websites by default, the report said. Even opting out won’t help. According to the researchers, Facebook will keep tracking you even if you have no account and have opted out of targeted advertising on the European Digital Advertising Alliance website. When someone opts out there, Facebook will place the same unique identifying “datr” cookie, they said.
Facebook sets the tracking cookie on the European opt-out site, but not on the U.S. and Canadian opt-out sites, Van Alsenoy said.
Facebook users are also extensively tracked. Even when a Facebook user deactivates his account, Facebook will still receive cookies that uniquely identify the ex-user, according to the report.
What’s more, if a user opts out from tracking, Facebook will still receive information about visits to external sites containing Facebook social plug-ins. The only thing that changes is that Facebook promises to no longer use this information for targeted advertising, but there is no way the researchers were able to verify that, Van Alsenoy said.
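The tracking pattern the researchers describe (an identifier cookie set on facebook.com, then sent back on every later request that a third-party page’s social plug-in triggers, together with that page’s URL) is the kind of thing a site auditor can check for in captured browser traffic. The Python script below is an added example, not code from the article or from the Leuven researchers. The request records, the hostnames news.example and blog.example and the cookie value are constructed for the example; only the cookie name “datr” and its two-year lifetime come from the report. The logic is general: it will flag any cookie name you pass it, not just “datr”.

```python
"""Audit captured HTTP requests for cross-site identifier cookies.

Added example (not from the article or the researchers). The request list
is a constructed, hypothetical browsing session: a first visit to
facebook.com, two third-party pages that embed a social plug-in, an
ordinary first-party page view and an unrelated static asset.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

TRACKER_COOKIE = "datr"  # identifier cookie named in the report

SAMPLE_REQUESTS = [  # constructed sample data
    {"url": "https://www.facebook.com/", "referer": None, "cookie": None,
     "set_cookie": "datr=EXAMPLE-ID; Max-Age=63072000; Path=/; "
                   "Domain=.facebook.com; Secure"},
    {"url": "https://www.facebook.com/plugins/like.php?href=https://news.example/article",
     "referer": "https://news.example/article", "cookie": "datr=EXAMPLE-ID",
     "set_cookie": None},
    {"url": "https://www.facebook.com/plugins/like.php",
     "referer": "https://blog.example/post", "cookie": "datr=EXAMPLE-ID",
     "set_cookie": None},
    {"url": "https://www.facebook.com/home", "referer": "https://www.facebook.com/",
     "cookie": "datr=EXAMPLE-ID", "set_cookie": None},
    {"url": "https://cdn.example/script.js", "referer": "https://news.example/article",
     "cookie": None, "set_cookie": None},
]


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; an empty or missing header gives {}."""
    cookies = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels). Fine for the sample hosts; a real audit
    should use the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cross_site(request_url, referer):
    """True when the page that triggered the request lives on a different site."""
    if not referer:
        return False
    return (registrable_domain(urlsplit(request_url).hostname)
            != registrable_domain(urlsplit(referer).hostname))


def find_tracked_pages(requests, cookie_name=TRACKER_COOKIE):
    """Return the third-party page URLs whose visit sent `cookie_name` to another site.
    This is exactly the leak the report describes: the page URL (via Referer)
    travels together with a long-lived identifier."""
    hits = []
    for req in requests:
        if (cookie_name in parse_cookie_header(req.get("cookie"))
                and is_cross_site(req["url"], req.get("referer"))):
            hits.append(req["referer"])
    return hits


def cookie_lifetime_days(set_cookie, now=None):
    """Lifetime in days from a Set-Cookie header (Max-Age wins over Expires).
    Returns None for a session cookie, which has neither attribute."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.strip().lower()] = value.strip()
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        expires = parsedate_to_datetime(attrs["expires"])
        return (expires - now).total_seconds() / 86400
    return None


def find_long_lived_cookies(requests, min_days=365):
    """List (name, days) for every cookie set with a lifetime of at least `min_days`."""
    found = []
    for req in requests:
        header = req.get("set_cookie")
        if not header:
            continue
        name = header.split(";", 1)[0].partition("=")[0].strip()
        days = cookie_lifetime_days(header)
        if days is not None and days >= min_days:
            found.append((name, days))
    return found


if __name__ == "__main__":
    print("long-lived cookies:", find_long_lived_cookies(SAMPLE_REQUESTS))
    print("pages reported to the tracker:", find_tracked_pages(SAMPLE_REQUESTS))
```

Run against a real capture, the two functions answer the two questions the report raises: which cookies are persistent identifiers rather than session state, and which pages outside the cookie’s own site were reported back along with that identifier. A request from the tracker’s own site (the fourth sample record) is deliberately not counted, since first-party use of a cookie is not the issue.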
Without consent—and that’s a problem
The problem with these practices is that the cookies are placed without consent, which under EU law is only allowed if there is a strict necessity to do so. Facebook maintains that the “datr” cookie plays a key role in Facebook’s security and site integrity features. However, given that the “datr” cookie is used in the EU when someone tries to opt out of ad targeting, but isn’t used in the U.S. and Canada in similar circumstances, it’s hard to believe that the cookie is strictly necessary for site security, Van Alsenoy said.
People who want an easy way to protect themselves against ad tracking can use browser add-ons such as Privacy Badger, Ghostery and Disconnect, which block tracking, researchers said.
Meanwhile, Facebook slammed the findings. “This report contains factual inaccuracies,” said a Facebook spokeswoman in an emailed statement, adding that the inaccuracies in the report were explained in detail to the Belgian Privacy Commission after the report’s earlier draft was published.
Cookies are also set for non-Facebook users who have visited facebook.com, to help protect Facebook Services and the people who use it from malicious activity, the company said. They can help detect and prevent denial-of-service attacks and the mass creation of fake accounts, it added.
Facebook is confident that its updated policies comply with EU law, the spokeswoman said, adding that it routinely reviews product and policy updates with its EU regulator, the Irish Data Protection Commissioner (DPC).
Facebook will have to deal with other, national privacy authorities though. The Belgian, Dutch and a German privacy authority have all started investigations into Facebook’s policy changes and the three countries in February formed a task force to examine how the policy might violate EU privacy laws.
The researchers’ report will be taken into account by the three authorities, a spokeswoman for the Belgian Privacy Commission said, adding that it was too early to draw any conclusions. The Commission hopes that if it turns out that Facebook has violated the law, it can come to a friendly agreement, but if that turns out to be impossible, Facebook could also be sued as an extreme measure, the spokeswoman said.
Computer Users Face Hard Choice: Pay Ransom or Lose Files
It happened at Jeff Salter’s home health care business last December. The network of nearly 30 computers at Caring Senior Service was infected with ransomware, malicious software that hackers use to try to extort money from people and businesses by preventing them from opening or using documents, pictures, spreadsheets and other files. If computer users don’t pay, there’s no way they can access their files.
Ransomware is one of the fastest-growing forms of hacking, cybersecurity experts say. Anyone from a home computer user to a Fortune 500 company can be infected. It can also attack smartphones. The smaller the users, the more vulnerable they are to losing their files — unless they have a secure backup for their system or go through the complicated process of paying cybercriminals.
Salter thought he was prepared for such an invasion. Most of his files were backed up in a place hackers couldn’t access, and he was able to restore his information. But one machine wasn’t; it contained marketing materials for his San Antonio-based franchise chain with 55 locations. Salter paid a $500 ransom.
“It would have cost us $50,000 to try to spend the time to recreate the stuff,” Salter says. “It would have been pretty devastating if we’d lost all that.”
EVERYONE’S AT RISK
Like many hackers’ tools, ransomware can arrive in emails with links or attachments that, when clicked on, unleash software into files. Attacks can also occur when users visit websites; cybercriminals can attach computer code even to well-known sites operated by tech-savvy companies, says technology consultant Greg Miller of CMIT Solutions of Goshen, New York.
Anyone can be hit: individuals, big and small companies, even government agencies. The Durham, New Hampshire, police department was attacked by ransomware in June when an employee clicked on a legitimate-looking email. The department’s 20 computers were cleared of the ransomware and files were restored from a backup system. The Swansea, Massachusetts, police department, meanwhile, had to pay a $750 ransom after it was attacked.
“We certainly are seeing ransomware as a common threat out there,” says FBI Special Agent Thomas Grasso, who is part of the government’s efforts to fight malicious software including ransomware.
Attacks are generally random, but specific companies and people can be targeted. Many small businesses and individuals are at risk because they lack technology teams and sophisticated software to protect them from hackers, says Keith Jarvis, a vice president at Dell SecureWorks, a security arm of the computer maker. Many don’t have secure backup systems that will allow them to retrieve uninfected files.
Hackers can invade computers at large companies, as seen in attacks at companies like retailer Target Corp. that stole customer information. Big companies’ risks from ransomware are relatively low; they have backups and separate computers for departments like sales or accounting, Jarvis says. An email click in one department could infect one or more computers, but likely wouldn’t spread elsewhere.