College Student Sentenced for Hacking passwords to rig Campus Election

Matthew Weaver, a former Cal State San Marcos student was sentenced one year of prison for stealing almost 750 students password and using 630 of those accounts to cast the ballots.


22 years old Mr. Weaver was a third year business student when he planned to win election as president of the school's student council.

A month before the election Weaver bought three keyloggers.Authorities reports that Weaver installed keyloggers on 19 school computers to steal the passwords.

It has also been reported that he had done a bit of research with computer queries such as “how to rig an election” and “jail time for keylogger.” (utsandiego news reports)

According to a report, Weaver had planned the plot in early 2012. Authorities have found a PowerPoint presentation on his computer about the stipends for the president.

The plot unveiled when in March 2012, the last day of the four voting period, when computer analysts found anomalous activity on one of the college lab computers and they also received an email from a student complaining that the system didn't allow her to vote.

It was then that the technicians called campus police, who found Weaver at the school computer. He had keyloggers with him and was arrested.

After getting caught, Weaver with one of his friend created fake facebook ids for different students and indirectly mentioned a plot against him.
“He’s on fire for this crime, and then he pours gasoline on it to try to cover it up,” the judge reportedly said during Monday’s sentencing hearing.

The school held another election and cleaned security breach at a cost of more than $40,000, which the schools want back.

Meanwhile Mr. Weaver pleaded guilty to three federal charges, including wire fraud and unauthorized access to a computer and is under one year prison sentence.

Twitter bumps Two Step Log-in after Hacks

Twitter Site Upgraded

After a series of high-profile and embarrassing hacks, Twitter has rolled out a new, two-step login to help users prevent unwanted intrusions.

The "two-factor" verification system, which will be optional, asks users to register a phone number, e-mail account and six-digit code that would have to be entered, via text message, each time they log in to the site.

"Every day, a growing number of people log in to Twitter," Jim O'Leary, of the site's security team, said in a blog post. "Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web."

The move comes in the wake of repeated hacks to prominent Twitter accounts in recent months.

Last month, The Associated Press's Twitter account was compromised by someone who falsely tweeted that there had been a bombing at the White House.

It was the latest in a laundry list of media organizations hacked in recent months. Among them: The New York Times, Wall Street Journal, Washington Post, Bloomberg News, CBS, "60 Minutes" and "48 Hours."

In 2011, Fox News saw its Twitter account compromised and used to send a fake message that President Obama had been assassinated.

In February, Burger King and Jeep were similarly hacked. And earlier this year, Twitter itself was hacked. User names and e-mail addresses for about 250,000 users were exposed.

In many cases, account hacking happens when the target has an easy-to-guess password, accesses the account via public Wi-Fi, or forgets to log out after using an account on a publicly shared computer. Accounts can obviously also be accessed when a user who hasn't logged out loses his or her phone or has it stolen.

But high-profile victims are often targeted by phishing, where hackers send deceptive e-mails that encourage victims to enter personal information.

Privacy advocates have long called on Twitter to beef up its security. Many security experts applauded the move Thursday, at least partially.

"Right now Twitter's 2FA (two-factor authentication) is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the (hacker group) Syrian Electronic Army in the past," Graham Cluley, of Sophos Security, wrote on his blog.

But he said it's unlikely that many of the media outlets and other high-profile organizations that have been hardest hit will take advantage of the new tools.

"Sadly, I don't think it's going to help them at all," he wrote. "Media organizations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts. 2FA isn't going to help these companies, because they can't all access the same phone at the same time."

For those users, he recommends a system like Facebook, on which multiple users can access the same account, to varying degrees of authority, with their own unique accounts and passwords.

Twitter's O'Leary noted that the security upgrade isn't a cure-all.

"Of course, even with this new security option turned on, it's still important for you to use a strong password and follow the rest of our advice for keeping your account secure," he wrote.

Story of Hacking $14 million from a bank

stealing $14 million from a bank

It can be easier than most people think. The alleged thieves who made headlines last week for their $45 million bank heist used a similar type of attack that "created" money out of nowhere.

Bhalla talked CNNMoney through his caper. Here, in four easy steps, is how he made himself into a millionaire.

Step one, get access. Bhalla had one big advantage on actual thieves: His client gave him access to the bank's internal network. For real-world crooks, there are some surprisingly easy ways to get in.

It's possible, Bhalla said, to gain access in some places simply by logging on to the bank's wireless network -- an amenity more and more banks are providing as a service to customers. Once you're on the bank's Wi-Fi, the internal and external networks are frequently not segregated enough. It can be possible to fool the bank's other computers into thinking that your computer is a bank computer, a process known as "arp spoofing."

Another on-ramp: Someone posing as a janitor could insert a thumb drive into a teller's system and reboot it using a new operating system, which would enable them to access the hard drive of the teller's system. From there, user names and passwords are often readable.

Because he could simply log straight into his client's network, Bhalla and his assistants skipped the "get physical access" step and dove straight into finding the money.

Step two, start exploring. Bhalla used "sniffer" software, available online for free, to map out which of the bank's systems were connected to each other.

Then he "flooded" switches -- small boxes that direct data traffic -- to overwhelm the bank's internal network with data. That kind of attack turns the switch into a "hub" that broadcasts data out indiscriminately.

The machines that the tellers use quickly became Bhalla's prime target. Again, the sniffer software was deployed to look for login information and passwords in the data flood. Eventually, one hit. He was inside a teller's machine.

Gallery: Scenes from a $45 million bank heist

Step three, move up the ranks. Amazingly, the information being sent between the tellers' computers and the branch's main database was not encrypted. This meant passwords and bank account numbers were all out in the open.

Step four, cash in. Rather than steal money from depositors' accounts, Bhalla just invented a new account for himself.

"We went into the database where the accounts are and set up an account with $14 million," Bhalla explained. "We just created $14 million out of thin air."

If he wanted to, he could have walked into any bank branch, transferred the money to an offshore account, and never have had to work again.

Instead, he went to an ATM to print out a record of his ill-gotten wealth.

"The bank executives were extremely surprised," Bhalla said. "Their faces were shocked."

The bank promptly deleted Bhalla's bounty, he said, and took steps to shore up its network.

In the heist that came to light last week, federal officials say the thieves hacked into networks at firms that process transactions for pre-paid debt cards and manipulated accounts to create high spending limits. From there, it was just a matter of making physical debt cards for those accounts and going around to ATMs to withdraw the cash.

"They just updated the database with that debit-card information," Bhalla said. "That's how simple it was."

In many cyber bank heists, including the recent $45 million scam, it's hard to pin down who is ultimately liable for any losses.

It's typically not individual customers. U.S. law protects consumer checking and savings accounts from losses stemming from fraud. Business accounts, though, have fewer protections.

Bhalla said some financial institutions have insurance to cover the losses -- but he noted that insurance companies are reluctant to issue policies with high coverage limits because the risks in this area area still poorly understood.

In the end, he said the losses are likely borne by a combination of the company, insurance firms and governments.