Monday, June 19, 2006

PayPal Flaw and Computer Hacking Course

PayPal Flaw
Online transaction outfit PayPal has found a phony URL on its own site that was being used by fraudsters to steal credit card numbers and other personal information belonging to PayPal users.

The scam involved tricking users into accessing a URL hosted on the real PayPal web site. This URL used SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate was presented to confirm that the site does indeed belong to PayPal. But the content on the page had been modified by the fraudsters via a cross-site scripting technique (XSS).

When a victim visits the page, they are presented with a message that has been “injected” into the genuine PayPal site that says, “Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.” After a short pause, the victim is then redirected to an external server located in Korea, which presents a fake PayPal Member Login page.

If the victim logs in via the fake login page, their PayPal username and password are transmitted to the fraudsters, and they are then presented with another page asking them to enter further details to remove limits on access to their account. The information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN.

The server currently running the scam is hosted in Korea and is accessed via a hex-encoded IP address. PayPal has now addressed this vulnerability. A company spokesman said PayPal is working with the Internet Service Provider that hosts the malicious site to get it shut down, and does not yet know how many people may have fallen victim to the scam.
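The point of the PayPal story is that a valid certificate says nothing about page content: once attacker-controlled input is reflected unescaped into a page, the "injected" notice and the redirect ride on PayPal's own TLS session. The following is an added illustration, not PayPal's code or anything from the original report. It shows the vulnerable reflection pattern beside the hardened one (HTML output encoding), and a small normaliser that decodes hex- or decimal-written IP-literal redirect targets (like the hex-encoded address the article mentions) into dotted-quad form so proxy logs and block-lists can match them. The injected parameter, the template, and the IP addresses are constructed sample values.

```python
import html
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: an attacker-controlled query parameter that a page reflects.
# (Hypothetical payload for the demo; 0xC0A80001 is a private address, 192.168.0.1.)
INJECTED_PARAM = '<script>window.location="http://0xC0A80001/login"</script>'

# Constructed page template that interpolates a "notice" string into the body.
PAGE_TEMPLATE = "<html><body><p>{notice}</p></body></html>"


def render_notice_unsafe(notice: str) -> str:
    """Vulnerable pattern: untrusted text dropped straight into HTML.
    Any markup in `notice` becomes live markup in the page (reflected XSS)."""
    return PAGE_TEMPLATE.format(notice=notice)


def render_notice_safe(notice: str) -> str:
    """Hardened pattern: HTML-escape before interpolation, so the same input
    is displayed as literal text instead of being parsed as a script element."""
    return PAGE_TEMPLATE.format(notice=html.escape(notice, quote=True))


def contains_script_element(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def normalize_host(url: str) -> Optional[str]:
    """Return the host of `url` with IPv4 literals canonicalised to dotted-quad.

    Browsers accept hex (0xC0A80001) and plain decimal (3232235521) host
    literals; log searches and block-lists usually do not, so decode them.
    Non-IP hostnames are returned lowercased and unchanged."""
    host = urlsplit(url).hostname  # urlsplit lowercases the host for us
    if host is None:
        return None
    try:
        if host.startswith("0x"):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host, 10)))
        return str(ipaddress.IPv4Address(host))  # already dotted-quad
    except ValueError:  # AddressValueError is a subclass of ValueError
        return host


def redirect_target_is_suspicious(url: str, allowed_suffixes=("paypal.com",)) -> bool:
    """Defender-side check for a redirect destination: flag any target whose
    normalised host is an IP literal or is not under an allowed domain suffix.
    `allowed_suffixes` is a hypothetical allow-list for this demo."""
    host = normalize_host(url)
    if host is None:
        return True
    try:
        ipaddress.IPv4Address(host)
        return True  # bare IP literal (hex, decimal or dotted) -> suspicious
    except ValueError:
        pass
    return not any(host == s or host.endswith("." + s) for s in allowed_suffixes)


if __name__ == "__main__":
    print("unsafe render has <script>:", contains_script_element(render_notice_unsafe(INJECTED_PARAM)))
    print("safe render has <script>:  ", contains_script_element(render_notice_safe(INJECTED_PARAM)))
    for target in ("http://0xC0A80001/login", "http://3232235521/", "https://www.paypal.com/"):
        print(target, "->", normalize_host(target), "suspicious:", redirect_target_is_suspicious(target))
```

The escaping side is the actual fix for the class of bug described; the redirect check is the kind of rule a web proxy or egress filter can apply once obfuscated hosts have been normalised, which is why the normaliser runs first.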

Abertay Computer Hacking Course
Dundee’s Abertay University has become the first in the country to offer a degree in computer hacking. The university has been quick to point out that the BSc (Hons) in Ethical Hacking and Countermeasures is not designed to train the next generation of hi-tech criminals, but to help organisations fight computer crime.

Students will learn how to overcome the most sophisticated IT security systems, with a view to advising companies on how best to protect their systems and their customers.

Nevertheless, the university accepts the skills being taught on the four-year course would be invaluable to criminals and terrorists.

“That is a concern that has been expressed,” said an Abertay spokesman. “However, the students will be thoroughly vetted to make sure we are not recruiting any known criminals.

“In addition, they will not be introduced to hacking skills from day one, but gradually over the length of the course.

“There will be two years or so during which we can keep a very close eye on them to see what type of people they are.”

After graduation, the students are unlikely to have to look too hard for a job, the spokesman went on.

“We have done some research which shows there is a rapidly growing marketplace in what the industry calls penetration testing, and is more usually known as ethical hacking,” he explained.

“There are cases where companies and organisations are required to have this as a condition for insurance.

“As a result, there is a very high demand and the right people can command salaries of £45,000 upwards.”

The course is being led by tutor Colin McLean, the only academic in the country with an ethical hacking qualification.

Explaining the need for hacking skills to be passed on, he said, “These days there’s such a large reliance on computers for most aspects of a company’s work, and legislation means reasonable steps have to be taken to make sure data is secure.

“Specialist companies are employed to go in and test computers for any kind of security flaw and we are looking to prepare undergraduates for jobs in that area.”

Mr McLean said the stringent selection process would play the most important part in preventing hacking skills being taught to students prepared to use them illegally.

Despite the high cost of computer-based crime (up to £270,000 an hour), many companies fail to tell the police about it because they do not want adverse publicity, according to a report today.

Cyber crime is one of the fastest growing problems for businesses, but many firms are not aware of how badly they could be hit, risk consultants Protiviti said.

The company said there had been a 66% increase in the number of computer-related crime cases it had dealt with in the first three months of the year compared with the same period in 2005.

Firms were often not aware of the scale of the problem because they could not visualise the crime, or were less afraid of criminals they could not see, it was suggested.

Sean Holohan of Protiviti said, “Through greater connectivity and technological advances, e-crime is growing at a rapid rate and will continue to do so for the foreseeable future.

“However, the factors behind this also make it easier to identify the electronic ‘fingerprints’ of the criminals.”

Computer crimes included fraudulently misstating accounts by abusing spreadsheets and other finance-related electronic information, defrauding company payroll systems by creating fictitious staff to steal money from the company, and creating false certifications and other official documents.
