Security
Titanic Takeover Tuesday: LulzSec's busy day of hacking escapades
- Tuesday, 14 June 2011 15:22
Lulz Security, the hacking group apparently motivated by nothing more than their desire to laugh at the mayhem they cause, has had a busy day in an event they called Titanic Takeover Tuesday. Taking a break from their dumps of user data and server break-ins, today saw the group perform a bunch of distributed denial of service attacks against a range of targets.
First up—and still only intermittently available at the time of writing—was gaming magazine The Escapist, with no apparent reason for the attack. LulzSec boasted that taking down the site required just 0.4 percent of its DDoS capacity.
Next in line were the login servers for the game EVE Online. The effect of this attack was to bring down the EVE Online website at the same time, though LulzSec insists that this was not the actual target. In response to the DDoS, CCP Games, makers of EVE, have taken all their systems offline, for fear that they might be hacked. The company has also issued a statement to assure customers that their personal information remains secure.
The third target—and the only one for which the group has offered a rationale beyond "lulz"—is an IT security company named Finfisher. Their site was taken down, briefly, because "apparently they sell monitoring software to the government or some shit like that."
Gamers were once more in the crosshairs with the fourth target; more login servers, this time for Minecraft. Just as with EVE Online, going after the login servers also took out the game's website.
The pattern was repeated for the fifth target; login servers for the game League of Legends were knocked offline, a move which also brought down the game's website.
The result of all this? Lots of enraged gamers complaining about the downtime, and hence, many lulz for Lulz Security. Going after gaming targets hasn't made the group universally popular; posters on 4chan's /b/ forum, who might normally be sympathetic to lulz-motivated shenanigans, attempted to hunt LulzSec down. LulzSec dismissed the "/b/tards" as "damn furries," saying that they were the cream of the /b/ crop from 2005, distancing themselves from the /b/tards of today.
32 Anons arrested in Turkey after government website attacks
- Monday, 13 June 2011 14:05
Turkish police have detained 32 people, five of them under 18, on suspicion of involvement in Anonymous-led distributed denial of service attacks against Turkish government websites. Sites taken down include Turkey's Telecommunications Presidency and the Ministry of Labor.
The DDoS attacks were a response to plans by Turkey's Information and Communications Technologies Authority (BTK) to implement a Web censoring system starting August 22. The country is already no stranger to such censorship, and in the past has demanded ISPs block access to sites such as YouTube, often for prolonged periods, due to real or perceived breaches of Turkish law. Anonymous believes that the filters will allow the government to go further, and record and monitor the activity of citizens, allowing the intervention and disruption of political protest and dissent.
The arrests were made in 12 cities around Turkey. Of the 32 arrested, 13 were claimed by Turkish police to be planning an attack on the site of the Supreme Election Board (YSK), to coincide with the publication of the results of yesterday's election. The response of the Turkish authorities seems remarkably swift, with arrests coming just days after the original attacks. This may be a result of Anonymous' widespread use of the LOIC denial of service tool, which offers no anonymity or identity masking; the only protection it offers is sheer weight of numbers, and the hope that if thousands of people are attacking a site then law enforcement agencies won't single out any individuals.
These latest arrests come just days after Spanish authorities arrested three Anonymous hacktivists in response to attacks on banking and government websites. AnonOps responded almost immediately with a DDoS attack on the site of the National Police, taking it offline for an hour yesterday.
Foreign government allegedly behind cyberattack on IMF
- Sunday, 12 June 2011 15:00
The International Monetary Fund suffered a "major breach" earlier this year that allowed hackers to access a "large quantity" of data, staff and board members were told by e-mail last week. The organization has made no public statement, but sources speaking to the New York Times said that the breach lasted several months, with a source "familiar with the attack" telling Bloomberg that the attack was the work of an unspecified foreign government.
Staff were told that suspicious file transfers were detected two weeks ago, and that these were linked to a compromised desktop computer within the IMF. They were also reassured that there was no evidence that personal data was taken or that they would be victims of fraud.
The hacks predate the arrest of IMF Managing Director Dominique Strauss-Kahn on charges of sexual assault. The IMF holds detailed financial data about foreign economies, as well as documentation of negotiations and discussions with those countries, much of which is private and sensitive, and it's this information that was the most likely target. Other financial institutions such as the French Ministry of Finances and Canadian Finance Department and Treasury Board have also been the victims of data-theft hacks this year.
Perhaps indicative of the hacktivist group's growing reputation, the internal memo said that the intrusion was not connected to Anonymous. The IMF uses RSA SecurID tokens, and though they are due to be replaced after RSA was attacked and critical SecurID was compromised, the memo said that there is no indication that the SecurID compromise played a role. As a precautionary measure, the World Bank shut down its network connections to the IMF.
In a statement, the IMF said that it was "fully functional" and was currently investigating the incident, and the IMF has been joined in this investigation by the FBI.
Spain arrests 3 Anons for Sony, bank hacks; AnonOps vows revenge
- Friday, 10 June 2011 13:22
Three people suspected of being involved in attacks against websites belonging to Sony, Spanish banks BBVA and Bankia, Italian energy company Enel, and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia, and New Zealand have been arrested in Spain. All three were claimed to be the leadership of hacktivist organization Anonymous in Spain.
The individuals are accused of performing and organizing large distributed denial of service (DDoS) attacks that took their victims' Web servers offline. The detainees were also claimed to have attacked the websites of Spain's Central Electoral Board on May 18, and later the sites of the Catalan police and the UGT trade union.
The arrests were made after investigation work by the Brigada de Investigación Tecnológica (BIT), the cybercrime division of Spain's civilian police force. With these arrests, Spain joins the UK, US, and Netherlands in having taken police action against Anonymous members. During the investigation, more than 2,000,000 lines of IRC logs were examined to track down the people involved.
The three were arrested in Almeria, Barcelona, and Valencia. One of those arrested was said to have set up an IRC server in their home, and this server was used by all three to coordinate their various hack attacks. Those attacks were DDoS attacks, performed using Anonymous' preferred LOIC tool; LOIC has an automatic mode that uses IRC for command and control. Also found were malware creation tools and WiFi cracking software; two of the people arrested apparently had no Internet connection themselves, instead depending on the WiFi connections of others.
Though Sony was one of the organizations victimized by the hacktivists, the official statement issued by the police did not indicate any suspicion of involvement in the hacks that forced Sony to take PlayStation Network offline for weeks, nor the subsequent hacks made on Sony Web properties by LulzSec. Rather, the three hackers appear to have been involved with the denial of service attacks of early April. Vocal Anonymous faction AnonOps has long denied that Anonymous had any involvement with the broader, more serious attack against PlayStation Network.
When news of the arrests became public, AnonOps was swift to issue a warning to the Spanish authorities: Expect us.
Citigroup latest bank to disclose hack: 200k accounts compromised
- Thursday, 09 June 2011 09:59
Citigroup has announced that personal information belonging to some of its credit card customers had been compromised by hackers. In total, about 1 percent of Citi's 21 million customers had their data taken.
The system breached was Citi Account Online, which contains names, addresses, account numbers, and similar information. Citi claimed that more sensitive data—such as dates of birth, social security numbers, and the CVV card security codes—was held elsewhere, and has not been compromised.
Citi also says that only credit card customers were affected; however, the Financial Times, which first reported the story, said that it had been contacted by debit card customers whose cards had been compromised.
The company said that the hacking was detected in early May by routine account monitoring, but offered no information on how the information was taken or by whom it might have been taken. Nor did Citi state whether the information had been used to perform fraudulent transactions.
Citi says that it is in the process of contacting customers about the problem. The FT reports that some cardholders discovered the issue when trying to make purchases, only to find the transactions refused and their cards blocked. Industry guidelines require the bank to inform its regulator of data breaches as soon as they are detected, but do not require it to inform customers if it is believed that doing so would jeopardize law enforcement investigations.
Though theft of credit card data is not unusual, taking it directly from a bank is rare. More often, hackers go after retailers, who have to physically handle cards and often store card details in their customer databases, or card-holders directly, using keyboard loggers embedded into malware.
Bank systems are assumed to be more robust and better-protected against attacks. This data breach shows that that confidence may be misplaced.
RSA finally comes clean: SecurID is compromised
- Monday, 06 June 2011 20:49
RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.
SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.
Lulz Security takes on Nintendo, FBI, Sony; FBI fights back?
- Monday, 06 June 2011 17:02
Lulz Security, the hacking group that broke into a number of Sony servers and then denied any moral responsibility for repercussions of that hack, is at it again. The group discovered a security issue on one of Nintendo's Web servers, published the user database of an FBI information sharing program, and for good measure, published the source code to another Sony Web property.
The Nintendo hack was minor; LulzSec found a configuration issue and exploited it to retrieve an Apache configuration file, which it duly published. The group said that the issue has since been fixed while expressing its love for the company, and said that it would never harm Nintendo, or one-time Nintendo rival Sega.
NATO: Anonymous will be "infiltrated" and "persecuted"
- Monday, 06 June 2011 15:07
The North Atlantic Treaty Organization contains the combined military might of 28 member countries, including Germany, the United Kingdom, and France. All three of those nations, and the United States, possess huge armies, nuclear weapons, and are committed to Article Five of NATO's charter:
Sony hacked yet again, plaintext passwords, e-mails, DOB posted
- Thursday, 02 June 2011 19:06
I've lost count of how many times Sony's online properties have been hacked now—I just don't have that many fingers—but it's happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised by a group calling itself Lulz Security, or LulzSec for short. This is the same group that earlier in the week hacked PBS's servers in retaliation for a documentary felt to be critical of Wikileaks; they also hacked sonymusic.co.jp last week.
Just as was the case with the sonymusic.gr hack and LulzSec's sonymusic.co.jp hack, the latest hack was performed using SQL injection: a rudimentary technique that depends on improper handling of Web site URLs. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven Web site—but what makes this hack even worse is the data that has been compromised.
The hackers retrieved account information from the database. They claim there are more than a million accounts in total; their BitTorrented dump just contained a sample. The database contained information about a variety of different account types, apparently related to different promotions and features operated by the company. Different sets of accounts, but with one major feature in common: they included plaintext passwords. Anyone who can read the database can read the passwords. And given that password reuse is rampant—many, many people use the same passwords for Web sites as they do their e-mail or online banking—many of those who have had their Sony accounts compromised now risk having their e-mail accounts attacked.
Some accounts also included names, phone numbers and full postal addresses.
At some point, one has to imagine that Sony will realize that it's a major target for hackers and it will wise up, and fix its multitudinous broken Web applications. Until then, Lulz Security's "Lulz Boat" will continue to find rich plunder wherever it sails.
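The two failures described above, request values treated as SQL and passwords stored in the clear, are shown here beside their standard fixes. This is an added example, not code from the article or from any Sony system; the `accounts` schema, the function names and the sample addresses and passwords are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; deliberately slow to resist offline guessing

def make_db():
    # Hypothetical schema: no plaintext password column exists at all.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, email, password):
    salt = os.urandom(16)  # per-account salt, so equal passwords hash differently
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def lookup_unsafe(db, email):
    # Vulnerable pattern: the request value is pasted into the SQL text,
    # so a quote character in it changes the structure of the query.
    return db.execute("SELECT email FROM accounts WHERE email = '%s'" % email).fetchall()

def lookup_safe(db, email):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    return db.execute("SELECT email FROM accounts WHERE email = ?", (email,)).fetchall()

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

def demo():
    db = make_db()
    register(db, "alice@example.test", "correct horse")   # constructed sample accounts
    register(db, "bob@example.test", "battery staple")
    hostile = "nobody' OR '1'='1"                          # constructed request value
    return {
        "unsafe_rows": len(lookup_unsafe(db, hostile)),
        "safe_rows": len(lookup_safe(db, hostile)),
        "login_ok": verify(db, "alice@example.test", "correct horse"),
        "login_bad": verify(db, "alice@example.test", "wrong guess"),
    }

if __name__ == "__main__":
    print(demo())
```

With the string-built query the constructed value returns every row in the table; with the bound parameter it matches nothing, and a reader of the database sees only salts and hashes.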


