DDoS Attacks Move to Server Scripts | Network World
By Daniel Miessler on May 3rd, 2012: Tagged as Information Security
Internet criminals are sidestepping the need to launch DDoS attacks from large networks of malware-compromised bot PCs by using simpler server ‘booter shells’, mitigation firm Prolexic has warned.
‘Booter shells’ or plain ‘booters’ are simple PHP, .ASP or Perl script template files planted on compromised servers to direct Get/Post commanded HTTP floods to overload target servers.
As Prolexic explains in its advisory, the approach has several advantages over conventional botnet DDoS attacks, starting with technical simplicity. Even non-technical users can place them on hosted or compromised servers, building a bot from individual servers with up to 1,000 times the capacity of a single PC.
20 of the Best IT Security Lessons Ever Learned | The State of Security
By Daniel Miessler on May 3rd, 2012: Tagged as Information Security
What follows is a list of the best advice from security gurus, network administrators, and those responsible for securing company information. The lessons were passed down to them from real-world experience, a supervisor, an industry colleague, or in one case, a complete stranger.
Tip #1: Security must enable business, not prevent it
“I don’t know anything about what you do, for all I know, you are doing your job perfectly, but you have disabled my ability to do my job,” said a company executive to Stewart Allen, now an Information Security Consultant at Metrolinx.
Great list.
Documenting Chinese Commercial Espionage | Heritage.org
By Daniel Miessler on April 20th, 2012: Tagged as Information Security
This adds up to a disturbing conclusion: China’s manufacturing rise has been illegally aided. Many advances are certainly due to the PRC’s own strengths; others stem from voluntary cooperation by foreign partners. But it is all too easy to find examples of Chinese theft that correspond well to spurts in manufacturing capability in advanced electronics, energy, autos, etc.
A Disturbing Trend
2001: Two people funded by state-owned Datang Telecom indicted for stealing secrets from Lucent.[1]
2002: Two people funded by Hangzhou city government indicted for stealing secrets from four firms.[2]
2003: PetroChina employee arrested for attempting to steal seismic imaging software from Silicon Valley firm (later pled guilty).[3]
2004: Canada’s Nortel discovers that China-based hackers have compromised its entire network.[4]
2005: Chinese national working at U.S. unit of Dutch firm AkzoNobel begins stealing material needed to replicate advanced industrial coating.[5]
2006: Two people indicted for stealing proprietary information from auto parts maker Metaldyne and seeking to pass it to Chinese firms.[6]
2007: Chinese national employed by Dow begins transferring trade secrets to Chinese government-controlled institutes.[7]
2008: Former DuPont employee picked by state-owned Pangang to make titanium dioxide, supposedly using DuPont production method (later pled guilty to espionage).[8]
2009: Ford Motor employee arrested for stealing trade secrets—later found guilty—supposedly on behalf of Beijing Auto.[9]
2010: Dozens of multinationals disclosed as targeted in China-based hacking of Google.[10]
2011: American Superconductor sues top Chinese turbine maker Sinovel for stealing software used to drive wind turbines.[11]
2012: NSA director acknowledges that China-based hackers compromised a company that provides computer security services to defense firms such as Lockheed Martin.[12]
[1] News release, “New Indictment Expands Charges Against Former Lucent Scientists Accused of Passing Trade Secrets to Chinese Company,” U.S. Department of Justice, April 11, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/lucentSupIndict.htm (accessed April 9, 2012).
[2] News release, “Pair from Cupertino and San Jose, California, Indicted for Economic Espionage and Theft of Trade Secrets From Silicon Valley Companies,” December 4, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/yeIndict.htm (accessed April 9, 2012).
[3] Rachel Konrad, “Chinese Man Sentenced to 2 Years for Silicon Valley Fraud,” Associated Press, December 18, 2004, at http://www.usatoday.com/tech/news/computersecurity/2004-12-18-corp-spy_x.htm (accessed April 9, 2012).
[4] CBC News, “Nortel hit by suspected Chinese cyberattacks for a decade,” February 14, 2012, at http://www.cbc.ca/news/world/story/2012/02/14/nortel-chinese-hackers.html (accessed April 9, 2012).
[5] Ann Woolner et al., “The Great Brain Robbery,” Businessweek, March 15, 2012, at http://mobile.businessweek.com/articles/2012-03-14/the-great-brain-robbery (accessed April 9, 2012).
[6] David J. Lynch, “FBI Goes on Offensive Against China’s Tech Spies,” USA Today, July 25, 2007, at http://www.usatoday.com/money/world/2007-07-23-china-spy-2_N.htm (accessed April 9, 2012).
[7] News release, “Chinese National Pleads Guilty to Economic Espionage and Theft of Trade Secrets,” October 18, 2011, at http://www.justice.gov/opa/pr/2011/October/11-crm-1372.html (accessed April 9, 2012).
[8] Karen Gullo, “Former DuPont Worker Pleads Guilty in Economic Espionage Case,” Businessweek, March 2, 2012, at http://www.businessweek.com/news/2012-03-02/former-dupont-worker-pleads-guilty-in-economic-espionage-case (accessed April 9, 2012).
[9] China Daily, “Ford Engineers Yuxiang Dong China Steal Secrets Jailed for 70 Months,” April 14, 2011, at http://www.china-daily.org/China-News/Ford-engineers-Yuxiang-Dong-China-steal-secrets-jailed-for-70-months/ (accessed April 9, 2012).
[10] Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, January 14, 2010, at http://www.wired.com/threatlevel/2010/01/operation-aurora/ (accessed April 9, 2012).
[11] Ed Crooks and Leslie Hook, “American Superconductor Sues Chinese Group,” Financial Times, September 15, 2011, at http://www.ft.com/intl/cms/s/0/df685246-df17-11e0-9af3-00144feabdc0.html#axzz1qvfY4yzA (accessed April 9, 2012).
[12] Jason Mick, “NSA: China Is Destroying U.S. Economy Via Security Hacks,” DailyTech.com, March 28, 2012, at http://www.dailytech.com/NSA+China+is+Destroying+US+Economy+Via+Security+Hacks/article24328.htm (accessed April 9, 2012).
How to Address Chinese Infosec Espionage
By Daniel Miessler on April 5th, 2012: Tagged as Information Security
It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.”
Idea: any U.S. position that deals with sensitive IP should require that you can get a government clearance. And in order to get such a clearance you’d have to NOT be a threat for sharing information with any country that is known to be ACTIVELY and AGGRESSIVELY pursuing U.S. secrets via hire-and-steal tactics.
Problem addressed.
Racism? No. This is country and government based–not race. Japan? Fine. Korea? Fine. It’s China that’s the threat here, and if that were to stop then this would be lifted.
Until then, sorry. The people that lose their job opportunities as a result then become victims of the Chinese government–not ours. They’re playing dirty, and we must stop letting our politically correct tendencies hamstring us while our enemy watches with smiles on their faces.
Up To 1.5M Credit Card Numbers May Have Been Stolen In Visa, MasterCard Security Breach | TechCrunch
By Daniel Miessler on April 5th, 2012: Tagged as Information Security
On Friday, we heard the news that payments processor Global Payments was hit with a massive security breach involving MasterCard and Visa cardholders. At the time it was unclear the reach of the security issue, which was being investigated by the U.S. Secret Service. Tonight, Global Payments reports that those cards affected in the breach processing system were confined to North America and up to 1.5 million card numbers may have been exported. Visa had originally pegged that number at around 50,000 cards stolen.
Study Finds Weaknesses in Single Sign-on Systems | Network World
By Daniel Miessler on April 4th, 2012: Tagged as Information Security
In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account.
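The check the flawed sites skipped, as an added example that is not from the article or the researchers: a relying party should use an attribute only if its field is listed in `openid.signed`. Field names follow OpenID 2.0 key-value form; the `ax` alias, the required set, the function names and the sample responses are constructed assumptions, and verification of the signature itself is assumed to have happened already.

```python
# Added example (not from the article): attribute checks at a relying party.
# Assumes the signature over the fields named in openid.signed was already verified.

REQUIRED = {"firstname", "lastname", "email"}  # assumed set this site requested
PREFIX = "openid.ax.value."                    # the "ax" alias is an assumption

def naive_accept(resp, required=REQUIRED):
    """Flawed: only checks that each attribute is present in the response."""
    return all(PREFIX + name in resp for name in required)

def signed_attributes(resp):
    """Return {name: value} for attributes whose field is listed in openid.signed."""
    signed = {f for f in resp.get("openid.signed", "").split(",") if f}
    return {
        key[len(PREFIX):]: value
        for key, value in resp.items()
        if key.startswith(PREFIX) and key[len("openid."):] in signed
    }

def strict_accept(resp, required=REQUIRED):
    """Return (ok, missing): ok only if every required attribute is signed."""
    missing = sorted(required - set(signed_attributes(resp)))
    return (not missing, missing)

# Constructed sample responses (values are illustrative only).
HONEST = {
    "openid.mode": "id_res",
    "openid.claimed_id": "https://idp.example/u/alice",
    "openid.signed": "mode,claimed_id,ax.value.firstname,"
                     "ax.value.lastname,ax.value.email",
    "openid.ax.value.firstname": "Alice",
    "openid.ax.value.lastname": "Example",
    "openid.ax.value.email": "alice@example.com",
}
# Email is present in the response but no longer covered by the signature.
UNSIGNED_EMAIL = dict(HONEST)
UNSIGNED_EMAIL["openid.signed"] = "mode,claimed_id,ax.value.firstname,ax.value.lastname"
UNSIGNED_EMAIL["openid.ax.value.email"] = "someone-else@example.com"

if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("unsigned email", UNSIGNED_EMAIL)):
        print(label, naive_accept(resp), strict_accept(resp))
```

The presence-only check accepts both responses; the signature-coverage check rejects the second and reports `email` as the attribute it cannot trust.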
Imperva Co-founder Tells Anonymous to Hack Chinese Government | Cbronline
By Daniel Miessler on April 4th, 2012: Tagged as Information Security
Amichai Shulman, co-founder and CTO of security firm Imperva, has told CBR that if Anonymous really wants to fight for freedom of speech it should attack the Chinese government.
In an interview with CBR back in February Shulman told us that even though most Anonymous activity is said to be driven by a cause, such as internet freedom and expression, some activity by the group makes him question if that is the real motivation behind Anonymous attacks.
“If you’re looking for freedom of speech go and hack the Chinese government or the Syrian government,” said Shulman.
Interesting approach.
Hacktivists and Havij | Dark Reading
By Daniel Miessler on March 31st, 2012: Tagged as Information Security
Favored by hacktivists and financially motivated attackers alike, Havij automates bad guys’ SQL injection attacks by automatically detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting.