
Thursday, February 7, 2013

Fed Website Hacked - Banker's Info Accessed

Story first appeared on USA Today -

More than 4,000 bank executives had their personal information published on the Internet by hackers who accessed the data on an internal Federal Reserve website, according to a Reuters report.

The Federal Reserve says no critical functions were affected by the breach, which the activist group Anonymous is taking credit for.

"Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system," a spokeswoman for the U.S. central bank told Reuters. All of the bankers affected by the breach had been contacted, Reuters said.

The information posted by Anonymous included mailing addresses, business and personal phone numbers and e-mail addresses.

Anonymous is a ragtag group of activist hackers who've launched scores of attacks on government and business sites.

The Fed did not identify the hacked website. But Reuters said bankers were told that the site was a contact database for use during natural disasters.

Wednesday afternoon, Fed spokeswoman Lisa Oliva said the hackers had exploited a "temporary vulnerability." She says the exposure has been fixed, the executives have been informed of the breach and it is no longer an issue.

Anonymous has been involved in an increasing number of hack attacks on business and government websites in retaliation for the seizure of Megaupload, a popular Internet service that allowed users to transfer large files of movies and music. The FBI has charged several people connected with Megaupload with copyright infringement and running an international criminal enterprise.

Tuesday, May 1, 2012

Skype Investigating Anonymous IP Hackers

Story first appeared on Slash Gear.

Skype has said today that it is investigating a method that can discover a user’s last known IP address when using the VOIP service. Information on how to unearth IP addresses was posted to Pastebin several days ago, which involved downloading a modified version of Skype 5.5 and enabling debug log file creation in the Windows registry settings.

The method describes how to resolve a user’s IP address without them being on your contact list. With the patched version of Skype, you need only follow the instructions to add a Skype contact, but click on their general information instead of adding them. The debug log file will then contain the public IP address of the user, which could lead to the discovery of their whereabouts thanks to WHOIS services.

Skype put out a statement via email saying that it was looking into the issue, which is apparently faced by all peer-to-peer software companies, and that Skype is committed to the safety of its customers and to developing applicable security solutions.

It’s not the first time that Skype has acknowledged the issue: a research paper published in October showed how the IP address could be resolved and linked to BitTorrent usage.


For more national and worldwide related business news, visit the Peak News Room blog.
For local and Michigan business related news, visit the Michigan Business News blog.
For healthcare and medical related news, visit the Healthcare and Medical blog.
For law related news, visit the Nation of Law blog.
For real estate and home related news, visit the Commercial and Residential Real Estate blog.
For technology and electronics related news, visit the Electronics America blog.
For organic SEO and web optimization related news, visit the SEO Done Right blog.

Thursday, April 19, 2012

Cyber Security Not Getting Better

Story first appeared on eSecurityPlanet.com.

For years, security solution vendors have been in an arms race with hackers. As the rate of discovery of new vulnerabilities continued to grow, attackers have enjoyed an ever-expanding menu of security flaws to exploit. But last year, something happened: The number of new vulnerability reports actually declined.

According to HP's new Top Cyber Security Risks Report for 2011, there was a 19.5 percent decrease in the number of new publicly reported vulnerabilities over the course of last year.

But don't start celebrating just yet, because attack volume still continues to increase. Attack data from HP TippingPoint shows approximately 475 million attacks in 2010 vs. 531 million in 2011 -- an 11 percent increase.

So while the number of publicly reported vulnerabilities is down, the overall security risks have not actually declined. That's according to the security product marketing manager at HP DVLabs, who told eSecurity Planet that a deeper analysis of the new vulnerabilities that were disclosed in 2011 shows that the proportion of high-severity vulnerabilities has actually increased. In 2011, high-severity vulnerabilities (those with a CVSS score of between 8 and 10) jumped by 24 percent. CVSS (Common Vulnerability Scoring System) vulnerabilities with an 8 to 10 score are items that are exploitable remotely and represent high immediate risk.

HP also found that many attackers are still going after old (unpatched) vulnerabilities. Many attackers now use exploit toolkits such as Blackhole, which are packaged to include exploits for known vulnerabilities. That is another reason attackers have less need to find new vulnerabilities: the old ones are still effective against so many systems.

Exploits for these old vulnerabilities should be well detected by now, yet they still succeed. One of the things that makes them so successful is the use of obfuscation techniques that disguise known exploit code from detection.

Unpatched systems and a lack of user awareness are two further key factors behind the high frequency of attacks against known vulnerabilities. Attack data also showed that the frequency of SQL injection attacks increased during the year, even though that is a well-known attack vector.

HP's report did not include granularity on which specific databases were the most attacked. The HP DVLabs manager added that HP TippingPoint's database protections are database agnostic.

Looking to the future, it is expected that the exploit toolkits will be a trend that will continue in 2012. The toolkits are also expected to add more recent vulnerabilities as users slowly patch their systems and older vulnerabilities become less exploitable. It is also a possibility that IT management companies will come to the forefront of network security. One firm to consider in this is Houston IT Services company Percento Technologies.

Java exploits have been generally very reliable for attackers due to a low patch rate. For example, one recent exploit took advantage of a Java vulnerability for which a patch was available at the end of 2011 -- yet Blackhole included the exploit in its toolkit even after the patch was made available. The Java vulnerabilities tend to have approximately an 80 percent success rate for infection. In contrast, with other technologies, the older vulnerability success rate is only approximately 13 percent.

Java is at the root of the recent Apple Mac OS X Flashback malware and has also been identified by multiple vendors as being the most vulnerable browser plug-in.



Monday, February 6, 2012

Hackers Access Law Enforcement Data

First appeared in Associated Press

Saboteurs have hacked into the websites of several law enforcement agencies worldwide in attacks attributed to the collective called Anonymous, including in Boston and in Salt Lake City, where police say personal information of confidential informants and tipsters was accessed.

The Utah hackers gained access this week to sensitive data, including citizen complaints about drug crimes that contained phone numbers, addresses and other personal information, police said.

“We’re still knee deep in trying to get a feel for the extent of the problem,” Salt Lake City police Detective Dennis McGowan said.

The group claimed responsibility for an attack on the website of a Virginia law firm representing a U.S. Marine convicted in a deadly 2005 attack in Haditha, Iraq.

The attacks come after Anonymous published a recording of a phone call between the FBI and Scotland Yard early Wednesday, gloating in a Twitter message that “the FBI might be curious how we’re able to continuously read their internal comms for some time now.”

In Greece, the Justice Ministry took down its site Friday after a video by activists claiming to be Greek and Cypriot members of Anonymous was displayed for at least two hours.

In Boston, a message posted on the police website Friday said, “Anonymous hacks Boston Police website in retaliation for police brutality at OWS,” apparently a reference to the Occupy Wall Street movement. A police spokesman would not confirm Anonymous was responsible.

In a message posted on the Boston police department’s website, the group said the site had been attacked several months ago and that hundreds of passwords were released in retaliation for what they called brutality against Occupy Boston.

In October, Boston police acknowledged that various websites used by members of the police department - including the website belonging to the police patrolmen’s association - had been hacked and possibly compromised. The department said it had asked all department personnel to change their passwords on the police department’s network.

Boston’s Occupy movement set up camp in the city’s financial district for two months this fall. The first hack came about 10 days after Boston police arrested 141 Occupy Boston demonstrators Oct. 11.

Police dismantled the camp Dec. 10, citing public health and safety concerns.

“They clearly ignored our warnings,” the message on the department’s website said Friday.

“So you get your kicks beating protesters? That’s OK; we get kicks defacing … your websites - again.”

“It is unfortunate that someone would go to this extent to compromise BPDNews.com, a helpful and informative public safety resource utilized daily by community members seeking up-to-date news and information about important safety matters,” police said in a statement.

The Salt Lake City website was down Friday as the investigation continued, and police said criminal charges are being considered.

Investors Don’t Know Companies Were Hacked

First appeared in Reuters

At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.

Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.

But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.

Defense contractor Lockheed Martin Corp, for example, said last May that it had fended off a "significant and tenacious" cyber attack on its networks. But Lockheed's most recent 10-Q quarterly filing, like its filing for the period that included the attack, does not even list hacking as a generic risk, let alone state that it has been targeted.

A Reuters review of more than 2,000 filings since the SEC guidance found some companies, including Internet infrastructure company VeriSign Inc and credit card and debit card transaction processor VeriFone Systems Inc, revealed significant new information about hacking incidents.

Yet the vast majority of companies addressing the issue only used new boilerplate language to describe a general risk. Some hacking victims did not even do that.


"It's completely confusing to me why companies aren't reporting cyber risks" if only to avoid SEC enforcement or private lawsuits, said Jacob Olcott, former counsel for the Senate Commerce committee. The chair of that committee, John D. Rockefeller, urged the SEC to act last year.


Stewart Baker, a corporate attorney and former assistant secretary of the Department of Homeland Security, said the SEC guidance was detailed enough that companies that know they have been hacked will "have to work pretty hard not to disclose something about the scope and risk of the intrusion."

Otherwise, "this is an opportunity for enforcement that practically hands the case to the SEC on a platter," Baker said.

Lockheed spokesman Chris Williams said hacking was covered under the company's most recent annual securities filing, which has as one of many risk factors "security threats, including threats to our information technology infrastructure, attempts to gain access to our proprietary or classified information, threats to physical security of our facilities and employees, and terrorist acts."

Williams said the May attack had "no material effect on our business."

Mantech International Corp, CACI International Inc and other defense and technology firms that have been reported by security researchers as hacking victims were likewise silent in their most recent filings. Neither Mantech nor CACI responded to interview requests.

"It's common knowledge" that most large defense contractors have been penetrated, said Olcott.

Sikorsky Aircraft, mindful of a strict New Hampshire law warning individuals at risk of identity theft, wrote to that state's attorney general in August that hackers had gotten into its system and could have accessed Social Security numbers of 55 employees who lived in the state.

Sikorsky said the employee data likely was not the hackers' target, which suggests that they might have been after designs or other trade secrets. But Sikorsky parent United Technologies Corp did not mention the May intrusion in subsequent SEC filings.

"Like other companies, our businesses are subject to (information technology) security attacks at times. We monitor systems and cooperate closely with the government when appropriate," said United Technologies spokesman John Moran.

DEARTH OF CONFESSIONS

Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama's initial cybersecurity policy review and helped push the SEC to enact a disclosure policy, said she was "surprised" at the dearth of new confessions.

"The SEC division of corporate finance has an obligation to ask these companies why they didn't disclose," she said. "We need to have transparency on the state of the situation, and we need to have a national conversation regarding the near-term impact of economic espionage and the long-term health of the nation."

The SEC declined to comment. The agency's guidance officially clarifies previous policy instead of establishing a new rule, a process that takes longer and requires a vote of the commissioners. A person close to the agency said it expects fuller disclosures in annual 10-K filings that will begin appearing in volume this month.

Cybersecurity has been an increasing concern in Washington, and Obama asked during his State of the Union speech for action on legislative proposals. Security experts believe hackers are frequently targeting valuable digital information including strategic plans, blueprints and secret formulas.

But security experts in and out of government have complained for years that most companies don't disclose even very successful hacking attacks, because they never find out about them or simply don't want to spook investors, customers or business partners.

The U.S. National Counterintelligence Executive, in a landmark November report that openly accused China of sponsoring military and economic cyber espionage, said that it is hard for companies to estimate the impact of losses that might not be apparent for years.

One Pentagon contractor that did go into some detail recently about the threat was Northrop Grumman Corp, which warned: "Cybersecurity attacks in particular are evolving and include, but are not limited to, malicious software, attempts to gain unauthorized access to data, and other electronic security breaches that could lead to disruptions in mission critical systems, unauthorized release of confidential or otherwise protected information and corruption of data. These events could damage our reputation and lead to financial losses from remedial actions, loss of business or potential liability."

A few technology companies gave even more specific warnings, including Juniper Networks Inc, which makes gear for routing Internet traffic, and chip-maker Intel Corp. Intel had been one of the few to disclose a successful breach in the past, along with Google Inc, which has complained of attacks originating in China.

In a November filing, Intel repeated that hackers had gotten inside and warned that "the theft or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an incident could adversely affect our competitive position and reduce marketplace acceptance of our products."

Some companies asserted that they had not been hacked, or at least averred that they had not been subject to a "material" or "catastrophic" intrusion.

Others confessed to breaches for the first time, including VeriSign and VeriFone Systems, which said it had experienced "security breaches or fraudulent activities related to unauthorized access to sensitive customer information."

The company did not respond to requests for elaboration. Point-of-sale terminals including VeriFone's models are popular targets for criminal hackers, who can tamper with them in order to record passwords and card numbers.

VeriFone has been reported as a supplier of machines to Michaels Stores Inc, a retail chain of hobbyist stores that had to replace more than 7,000 terminals last year after discovering tampering in 20 states.

Two other companies said they disclosed breaches because of the SEC guidance. Tumi Holdings, the luggage maker that is pursuing an initial public offering, said in a stock prospectus that security systems in some of its retail stores had been compromised in the past.

In an interview, Tumi Chief Financial Officer Michael Mardy said there had been no theft of a database or other massive breach. Instead, he said there had been occasions where store employees had conspired with outsiders on a small scale, for example by giving refunds to people who had not made purchases.

"We felt it was necessary to list as a risk factor because it actually is a risk factor," Mardy said.

University of Phoenix parent Apollo Group Inc, which in the past had noted attempted breaches, for the first time said some attempts had succeeded.

"We are facing an increasing number of threats to our computer systems of unauthorized access, computer hackers, computer viruses, malicious code, organized cyber attacks and other system disruptions and security breaches, and from time to time we experience such disruptions and breaches," it wrote in a 10-Q.

Apollo spokesman Rick Castellano declined to say how extensive the breaches had been. "Cybersecurity is an area of growing concern for all companies," Castellano said. "We devote significant resources to manage any potential threat."

Monday, January 16, 2012

Zappos Was Hacked, 24 Million Customers Affected

First appeared in Forbes

Twenty-four million Zappos customers are getting an unpleasant Sunday-evening surprise.

The Amazon-owned e-commerce firm has revealed that it was the target of a cyber-attack that gained access to its internal network, including the accounts of 24 million of its users. Though the company says that no complete credit card numbers were revealed in the breach, the intruders may have accessed customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords. Zappos says it’s taken the precaution of resetting the passwords of all its customers and directing them to set a new password upon visiting the site.

“We were recently the victim of a cyber-attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky,” the chief executive wrote to Zappos employees in an email posted to the site, declining to offer more information about the breach. “We are cooperating with law enforcement to undergo an exhaustive investigation.”

Even after choosing a new Zappos password, users should be careful to also change their passwords on any site where they’ve used a similar or identical password, in case Zappos’ intruders are able to decrypt the scrambled passwords they’ve stolen. Zappos is also warning affected customers to watch out for phishing emails that will use their stolen email addresses to spoof official Zappos emails and ask for account credentials or financial details.

The chief executive wrote in his all-hands email that every employee at Zappos’ Henderson, Nevada headquarters will be assisting in the customer response to the breach, and that the company will only be responding to emails rather than phone calls in its effort to answer the massive number of queries that it expects to receive. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” he wrote in the email. “I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”

Zappos customers can change their passwords.

Monday, February 22, 2010

People's Republic of Hacking


The Wall Street Journal

'Panda' Exploit Offers Rare Inside Look at China's Cybercrime Networks


WUHAN, China—Some of today's biggest cybersecurity worries trace their roots to this central Chinese city, where a hacker with a junior high school education slapped cartoon pandas onto millions of computers to hide a destructive spy program.

The Panda Burns Incense computer worm, created by 27-year-old Li Jun, wreaked havoc for months in China in 2006 and 2007, eventually landing Mr. Li in jail. Jumping one computer to another by tricking users into opening what appeared to be a friendly email message, the Panda funneled passwords, financial information and online cash balances from game Web sites to Mr. Li's cohorts—leaving a panda as its calling card.

When Google Inc. last month alleged that it and more than 20 other companies were breached in a cyberattack it traced to China, the attack, dubbed Aurora, appeared orders of magnitude more complex than the Panda attack. Unlike the Panda attack, which left a calling card and spread quickly and randomly, the perpetrators of Aurora targeted specific employees within the companies they attacked and went to great lengths to cover their tracks.

There is no evidence thus far that the Google hack has any connection to the Panda's pandemonium. What is clear is that Mr. Li learned his craft and launched his attack within a hacker network in China that remains an active and growing threat to global computer users.

The identity, motivation and methods of Chinese hackers are rarely traceable. But based on interviews with security experts, forensic reports from independent tech firms, and the hackers themselves, the Panda case offers a rare window into how the underground world of Chinese hacking operates.

Mr. Li's Panda attack became known as "the first case of organized cybercrime in China, using a computer virus," according to U.S. technology security firm Symantec Corp. Once a computer was infected, the desktop icon of every executable file, such as Microsoft Corp.'s Word, would change into a picture of a panda. Clicking the panda would prompt the computer to immediately download software from the Internet that in turn allowed Mr. Li's computers to siphon off financial information stored deep inside it.

Cyber experts say hacker forums are very likely fertile recruiting grounds for the Chinese government, which is increasingly anxious about its own cybersecurity. In fact, one person formerly involved in spreading the Panda virus says he was later hired to work with Chinese police to break into accounts of Internet users. That couldn't be independently verified.

China rejects as nonsense that it is a hacker haven. "The government has never supported or been involved in cyber attacks, and it will never do so," Peng Bo, an official with the State Council Information Office's Internet Bureau, told state media in mid-February. "In fact, China is the country worst hit by worldwide hackers."

Investigators probing the Google matter still don't know where it began but have been examining whether computers at China's Shanghai Jiaotong University and Lanxiang Vocational School in Shandong Province were involved in the attacks, according to a person briefed on the matter. The New York Times reported Thursday that the attacks have been traced to computers at the two schools.

Mr. Li was released from prison in December after serving three years of a four-year term for destruction of property related to hacking. He declined a formal interview, but in a series of brief phone calls, online chats and email messages, he said he is looking for a "fresh start," perhaps as a cybersecurity specialist, a so-called "white hat." Since his release from jail, Mr. Li has spent only a few days at his parents' red-tiled three-floor house outside Wuhan. Instead, he has crisscrossed the country with his Acer laptop to visit others involved in the Panda attack. Mr. Li says he's interested in working with former co-conspirators on legitimate businesses.

Mr. Li's hacking career began in May 1999, a month before his 17th birthday, when U.S. warplanes bombed China's embassy in Belgrade. Angered by the strike, Mr. Li, who was hanging out at cybercafes in Wuhan, stopped playing computer games to become a hacker.

Mr. Li took lessons from a childhood acquaintance named Lei Lei. He learned how to control thousands of computers as zombie-slaves, or "chickens" in Chinese slang, to attack Websites, Mr. Lei said in an interview. While students in Beijing pelted the U.S. Embassy with rocks, the two skinny teenagers, from the second floor of a dimly lit Wuhan cybercafe called the "Network Club," waged their own "U.S. hacker war," disrupting 20 or 30 U.S. Websites, according to Mr. Lei. "We were too young at the time, doing wild things," Mr. Li said by email.

Over the next few years, the two hacked as teammates, stealing money from Internet users, Mr. Lei recalls. They downloaded simple attack programs found on the Internet to break into gaming accounts to steal and then sell virtual-money credits used by players. To advance in their games, players buy special weapons and other items, which are tradeable for cash.

Mr. Lei, 27, spent a year in the same jail as Mr. Li in Hubei province on similar charges for the Panda attack and was released in 2008. Today he works for his father's manufacturing firm in Wuhan and plans to open an Internet security business. A fan of American hip-hop music, he still flouts authority, steering his luxury Toyota the wrong way down Wuhan streets during an interview to avoid traffic.

The two hackers say they sharpened their skills as part of an online hacker alliance that took its name from a Qing Dynasty insurgency group, the Small Swords Society. Mr. Li adopted the online moniker WHboy, for Wuhan.

In general, Chinese hackers don't fit the Hollywood stereotype of geeky loner-geniuses in American basements or steely smooth Russian mobsters who design and execute hits, reaping all the benefits, cybersecurity experts say. On the contrary, China's hacker community is a widely dispersed, fragmented chain of digital craftsmen. In Chinese, hackers are known as "heike," or black guests.

"As for Chinese hackers, their overall technological skill isn't as good as American or Russian hackers," Mr. Li said in an email, answering questions from the Wall Street Journal. "However, China has the biggest population of hackers in the world." Noting his own communication with foreign hackers, he added, "I often downloaded hacker software from their sites to compare them with programs I wrote or other Chinese hackers wrote."

In China's hacking community, each person does a specific job and, rather than working for a big score, gets paid piecemeal by selling his work, cybersecurity experts say. The programmer of malicious programs usually assembles his program, as Mr. Li did, with lines of computer code he bought elsewhere. The operation works like an assembly line: The programmer then makes customers of others who pay to undertake the broader attack, spreading the malicious software, triggering it and sharing the payoff.

"The chain business is uniquely Chinese," says a Chinese security expert for a major U.S. technology company in Shanghai. Hacker conspiracies in China are structured like multi-level sales networks and even pyramid schemes, he said, not tight-knit criminal gangs that write "technically clean" code designed from the ground up.

Like most Chinese hackers, Mr. Li says he was nurtured inside the informal but active network of online chat rooms where technology break-ins are plotted. According to hackers and Internet security people, such forums are little more than criminal training schools and hardware stores, a cyber underworld where the locks on technological secrets that power online games, bank Websites and Apple Inc.'s iPhone undergo brutal stress tests from the world's largest Internet population.

To sidestep laws against selling malicious software, programmers euphemistically advertise their hacks as "training" and "tutoring," hackers say. Would-be distributors tout themselves as "mail senders," while "script kiddies," keen to build an underworld reputation, will buy hacker tools and pull the trigger.

Anyone along the chain can tweak a virus, for instance, so it attacks another target or trolls for different data. The bounty, benignly called "envelopes," is for sale too: source code to mimic existing Websites sells for 50 yuan, about $7, and data from their users goes for 500 yuan. Forum owners and participants mask their identities. The chief barrier to participation is the Chinese language.

Hacker "crowd sourcing"—when large numbers of people contribute to writing code and executing it—reduces the risks individuals face and leaves the network intact if someone does get caught or a forum is shut, Internet security experts say.

By October 2006, looking to filch from several types of online accounts at once, Mr. Li turned to these forums, hoping to steal enough money to buy a Land Rover, he recalled in an email sent to the Wall Street Journal.

Using a Dell computer in a rented apartment in central Wuhan, Mr. Li designed his panda worm, now formally known as W32.Fujacks, to deliver a package of software to Internet users that would steal virtual-money credits and other items from 10 different sources like online game sites. The software exploited poorly protected firewalls to infect virtually any computer connected to the Internet.

Mr. Li fished these hacker forums for usable lines of code, settling on script for a worm called Nimaya. For feedback, in the hacker equivalent of a professional peer review, he dropped samples of his own work into bulletin boards like delphibbs.com, according to Mr. Lei. Hacking "can't have made such fast progress and be here today without innovation, sharing and exchanging of technologies," Mr. Li said by email.

Weeks later, Mr. Li branded his tens of thousands of lines of code with an icon lifted from the QQ chat service: a black-and-white panda gripping three incense sticks. He offered the tool that siphoned money out of sites for sale, initially tapping 10 distributors, whom he charged about $120 each.

With "astonishing frequency," according to Symantec, the panda replicated itself by the millions. For some recipients, it was a reminder of a bug dubbed "ILOVEYOU" that had spread from the Philippines six years earlier. But the panda added a malicious feature: hackers could deploy its "backdoor" to grab virtual money from popular online games, including those run by Tencent Inc. A spokeswoman for Tencent said many companies were affected and declined to comment on the Panda case.

Mr. Lei recalls the two spent every waking moment trying to resell their virtual trove. They fenced it at 10% discounts to face value to online buyers, "like on eBay," Mr. Lei said. How much the scam brought in isn't known, but Mr. Lei says they could earn $1,200 some days. They partied and Mr. Li bought a $2,000 computer, but otherwise Mr. Lei says they didn't spend their winnings much.

Soon Chinese Internet users, including government agencies, were decrying the "poisonous panda." Modified or copycat versions of the panda started doing other kinds of damage: turning screens blue, slowing computer speeds, crashing systems and erasing programs.

By early 2007, the two realized the Panda was "out of control" and set plans to flee to western China. By then, police had tracked the Panda to the $72-per-month apartment in Wuhan rented by Messrs. Li and Lei. Only Mr. Li was home when they swooped in on Feb. 3.

Mr. Li appeared in court handcuffed with a newly shaved head and was convicted of destroying property and stealing $18,000.

Mr. Lei was caught later. Police arrested others in Zhejiang, Yunnan and Shandong provinces for their involvement in the Panda attack, some of whom were jailed as well. Many others were never identified, including people who spurred the Panda's spread and profited from it.

As Mr. Li began his four-year sentence, state media pictured him behind bars in a yellow jumper using a prison computer to exterminate his panda virus. (It didn't work. Last November, McAfee Inc., the Internet security firm, warned fresh strains of the panda bug were spreading.)

In December, Mr. Li was released early for good behavior. His first call was to Mr. Lei.

To his fast-expanding 17,000 following on a Twitter-like service, Mr. Li issued a cryptic message about what he planned for the future: "Bread will come. Milk will come. Everything can be restarted all over again."

Hack Attacks and Technical Snafus at Facebook and Twitter

NEW YORK (AP) - Facebook users have been complaining about problems at the social media site.

Users in the U.S. and other countries reported problems beginning Saturday morning. Some could not log in, and the site was unusually slow and glitchy for others. Users in London, Bangkok and Mexico City reported problems. Many used Twitter to complain.

Facebook spokesman Matt Hicks said it was a "small percentage of users" who had problems accessing Facebook, their friends' profiles or specific site features because of an isolated server problem.

At 6 p.m. Saturday, Facebook said it had restored access to the users who were having access problems.

Facebook, which has more than 100 million users, has occasionally experienced such hiccups. Twitter has had bigger problems. Last August, hackers shut down the short messaging service for several hours. Facebook also experienced problems, though it was never shut down completely.

Wednesday, April 8, 2009

U.S. Electrical Grid Compromised by Cyber-spies
Story from the Wall Street Journal

WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."

Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.

But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.

Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel.

Last year, a senior Central Intelligence Agency official, Tom Donohue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.

The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.

The sophistication of the U.S. intrusions -- which extend beyond electric to other key infrastructure systems -- suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don't appear to have yet mounted attacks, these officials say.

It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Russian and Chinese officials have denied any wrongdoing. "These are pure speculations," said Yevgeniy Khorishko, a spokesman at the Russian Embassy. "Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world."

A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government "resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network" and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that "some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China."

Utilities are reluctant to speak about the dangers. "Much of what we've done, we can't talk about," said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.

In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks.

Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.

Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.

The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.

The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission.

The NERC set standards last year requiring companies to designate "critical cyber assets." Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.
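The segmentation requirement in the last sentence above, administrative networks separated by firewalls from the networks that control electricity flow, can be written down as a policy and checked against observed traffic rather than trusted from the rule set alone. The following is an added example, not code from the article, from NERC or from any utility: it parses constructed flow records in an assumed format, applies an assumed policy (administrative hosts may reach the control network only over SSH to a single bastion, the control network never initiates connections outward, and nothing outside either network reaches the control zone) and reports the records that violate it. The address ranges, the bastion address, the log format and the sample records are all assumptions made for illustration.

```python
"""Audit flow records against an assumed admin/control network segmentation policy.

Added example for illustration only. Network ranges, the jump host, the record
format and the sample records are assumptions, not data from any real utility.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network layout.
ADMIN_NET = ipaddress.ip_network("10.10.0.0/16")    # corporate / administrative network
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")  # network that controls electricity flow
JUMP_HOST = ipaddress.ip_address("10.20.0.5")       # assumed hardened bastion inside the control zone

# Assumed policy the firewall between the two networks is supposed to enforce:
#   admin -> control : only TCP/22 to the jump host
#   control -> admin : never initiated from the control side
#   other -> control : never (no Internet-reachable path into the control zone)
ALLOWED_ADMIN_TO_CONTROL = {("tcp", JUMP_HOST, 22)}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the assumed format '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    _ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unrecognised flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port))


def zone(addr: ipaddress.IPv4Address) -> str:
    """Map an address to the zone it belongs to."""
    if addr in ADMIN_NET:
        return "admin"
    if addr in CONTROL_NET:
        return "control"
    return "other"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None when the flow is permitted by the policy."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not this firewall's concern
    if dst_zone == "control":
        if src_zone == "admin":
            if (flow.proto, flow.dst, flow.dport) in ALLOWED_ADMIN_TO_CONTROL:
                return None
            return "admin network reaching control network without the jump host"
        return "address outside both networks reaching control network"
    if src_zone == "control":
        return "control network initiating a connection to the %s zone" % dst_zone
    return None  # admin <-> other (e.g. Internet egress) is outside this policy


def audit(lines) -> List[Tuple[str, str]]:
    """Run every record through the policy; return (record, reason) for each violation."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        reason = check_flow(parse_flow(line))
        if reason is not None:
            violations.append((line, reason))
    return violations


# Constructed sample records (not real traffic). Port 502 is Modbus/TCP, common on control networks.
SAMPLE_FLOWS = [
    "2009-04-07T10:00:01 tcp 10.10.3.4:51000 -> 10.20.0.5:22",      # admin -> jump host: allowed
    "2009-04-07T10:00:02 tcp 10.10.3.4:51001 -> 10.20.7.9:502",     # admin -> PLC directly: violation
    "2009-04-07T10:00:03 tcp 10.20.7.9:40000 -> 10.10.9.9:445",     # control -> admin: violation
    "2009-04-07T10:00:04 tcp 198.51.100.7:3333 -> 10.20.0.5:22",    # Internet -> jump host: violation
    "2009-04-07T10:00:05 udp 10.20.7.9:40001 -> 10.20.7.10:502",    # control -> control: allowed
    "2009-04-07T10:00:06 tcp 10.10.3.4:51002 -> 203.0.113.10:443",  # admin -> Internet: not covered
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {reason}\n    {record}")
```

Run stand-alone it reports the three violating records. In practice the input would be firewall or NetFlow exports from the boundary between the two networks, and the same policy should be compared against the firewall's configured rule set; a separation that exists only in a diagram, or a rule set that drifts from the written policy, is exactly what an audit of observed traffic catches.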