Much easier and cheaper. No need for a getaway car (you can do it from any country that does not have an extradition treaty with your target country). No need for a fence to launder the cash.
When mobsters meet hackers: the new and improved bank heist
The unprecedented heist of $81 million from the U.S. account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionize burgling banks.
Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage. [Is 'reputational' a real word? Bob]
… There’s no evidence that old-fashioned bank robberies are in decline. But there are increasing instances of the cyber variety of the crime.
Last year, researchers at Russian security software maker Kaspersky Lab publicized the activities of the prolific Carbanak gang, which it says hacked into banks, then ordered fraudulent money transfers and also forced ATMs to spit out cash. Kaspersky estimates the group hit as many as 100 banks, with losses averaging from $2.5 million to $10 million per heist.
(Related)
This is far too complicated for a Hollywood movie plot. (So why haven't they grabbed the money already?)
Philippines Can Recover Big Chunk of Stolen Bangladesh Millions: MP
Almost half of the $81 million that hackers stole from Bangladesh and funneled into Philippine casinos can still be recovered, a senior Filipino lawmaker investigating the audacious cyber heist said Thursday.
As much as $34 million remained in two casinos and a foreign exchange brokerage, senator Ralph Recto said, citing testimonies from a marathon hearing on Tuesday.
… A casino junket operator, Kim Wong, testified in the Senate on Tuesday that two high-rollers from Beijing and Macau shifted the $81 million to dollar accounts in Manila's Rizal Commercial Banking Corp (RCBC).
Wong said he did not know that the money was stolen from Bangladesh and that he merely helped the two men – who are also his casino clients – open bank accounts.
He offered to return $4.3 million of the money, which he said remained in his account in Solaire, one of the Philippine capital's gleaming billion-dollar casinos.
But by Recto's own calculations, far more can be recovered, including $17 million that Wong claimed was still with exchange brokerage Philrem, $10 million from a destitute casino in the north, $5.5 million that Wong picked up from the house of Philrem's owner and a further $2.3 million in the Solaire casino account of the Macau man who allegedly brought the $81 million to the Philippines.
Where we stand. (For my Computer Security students)
BakerHostetler has released its second annual data security incident response report, which is based on 300 cases they advised on last year. The report provides some statistics on causes of incidents, which industries were most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.
Key findings from the report include:
- Cause of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
- No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
- Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
- 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
- Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average amount of time from incident to discovery for all industries was 69 days, with healthcare taking nearly twice as long as other industries. Average amount of time from discovery to containment was 7 days.
- Notification – the average amount of time from discovery to notification – was 40 days.
- Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
- Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%. [I don't recall seeing that number before. Bob]
- Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.
Note that the average time from discovery to notification was 40 days. For HIPAA-covered entities, that may not be a problem, but some states now have notification requirements where a 40-day gap would be problematic.
SOURCE: BakerHostetler
I'm so glad the government decided to drop the “Total Information Awareness” program. I'm sure it only looks like they are creating several smaller projects that cumulatively do exactly the same thing.
From EPIC:
In comments to DHS, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on individuals outside the federal agency. EPIC urged DHS to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases.
I suppose this is one way to avoid all those pesky Fifth Amendment issues. This is probably as good a place as any to ask what would happen if the decrypted files documented activity (online or geographic) that showed the suspect was otherwise occupied when the crime(s) took place? (I know I can manufacture 'instant alibis' as needed.)
J. M. Porup reports:
At a court hearing earlier this month, the UK’s National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused “millions of dollars in damage,” decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government’s favor could set a worrisome precedent for journalists and whistleblowers.
Arrested in 2013 for the alleged intrusions but subsequently released, Love was re-arrested in 2015 and is currently fighting extradition to the United States. He has so far refused to comply with a Section 49 RIPA notice to decrypt the devices, a refusal that carries potential jail time. However, British authorities have not charged Love with any crime, leading him to counter-sue in civil court for the return of his devices.
Read more on Ars Technica.
I think Love’s lawyer, Ekeland, is exactly right in what he told Ars and that any evidence the UK would obtain would be handed on a silver platter to the U.S. for our government’s prosecution of Love.
Perspective.
Why Do the Feds Usually Try to Unlock Phones? It’s Drugs, Not Terrorism
… On Tuesday the ACLU released the results of a series of FOIA requests it filed along with the Stanford Center for Internet and Society to the US Justice Department, seeking information about any cases in which the feds had used the All Writs Act to ask that Apple or Google assist in accessing data on locked phones or tablets. It found that since 2008, there have been at least 63 of those cases across the country, showing that Apple’s standoff with the FBI was about more than “one iPhone,” as FBI director Jim Comey had argued. And in the two-thirds of those cases in which the ACLU could determine the crime being investigated, the group tells WIRED that 41 percent were related to drugs, far more than any other category of crime.
… The ACLU’s numbers contrast slightly with statistics released by the Manhattan District Attorney’s office in March, which showed that of 205 locked iPhones the Manhattan DA’s lab had attempted and failed to access without Apple’s assistance, 25 percent were related to drug cases. It lumped larceny, cybercrime, forgery, and ID theft into another category of cases that accounted for 35 percent of the locked iPhones.
… In fact, federal law enforcement has been so focused on drug cases for the last 30 years that they’ve often been the first domestic cases used to pioneer new surveillance techniques, from thermal imaging cameras to GPS tracking to drones. Even the NSA’s bulk metadata collection that scandalized the public when it was revealed by NSA leaker Edward Snowden was first used by the Drug Enforcement Administration. And in 2014 the FBI went so far as to subpoena security researchers at Carnegie Mellon for a technique that could crack the anonymity software Tor’s protections for hidden websites, which was then used to take down the Silk Road 2 drug market and dozens of other dark web sites.
(Related) If they keep sharing this tool, it will eventually leak to my Ethical Hackers.
FBI agrees to help Arkansas prosecutors open iPhone after hack of San Bernardino device
… Cody Hiland, prosecuting attorney for Arkansas' 20th Judicial District, said that the FBI's Little Rock field office had agreed to help his office gain access to a pair of locked devices owned by two of the suspects in the slayings of Robert and Patricia Cogdell. [So the tool has been distributed to all the field offices? Bob]
It was not immediately clear whether the FBI planned to use the same method it used to access data on Syed Rizwan Farook's phone. [Maybe there was never a “third party tool?” Bob]
I can recall discussing “virtual companies” as far back as the early 1990s. Nice to see that the politicians are about to start thinking about the same things… They might start understanding them in a few decades.
Digital disruption on the Potomac
The way the world conducts business and how we live our daily lives is fundamentally changing. Some have termed this change a "digital disruption wave." Consider the following passage from Tom Goodwin — variations of which have gone viral on social media — that encapsulates this phenomenon:
Uber, the world's largest taxi company, owns no vehicles. Facebook, the world's most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world's largest accommodation provider, owns no real estate.
How does this private-sector digital disruption potentially translate to federal government sectors like health, security, education, transportation, agriculture, energy, etc.? There are recent initiatives (among others) that comprise government's transition to digital citizen services: Open Data, Smart Cities and the Opportunity Project.
Typical government response: The OPM is unmanageable – let's build another agency and put the OPM in charge! Bigger government, higher taxes to pay for it, another slot for political supporters – how could any politician resist?
Following OPM Personnel Data Hack New Agency To Process Federal Security Clearances
by Sabrina I. Pacifici on Mar 30, 2016
Federal News Radio – “The Office of Management and Budget and Office of Personnel Management are standing up a new agency to assume responsibility of the federal security clearance process. The National Background Investigations Bureau (NBIB) will have a specific, presidentially appointed director and member of the Performance Accountability Council, who will report to OPM. The new agency will absorb the Federal Investigative Services (FIS), the organization that currently conducts about 95 percent of federal background checks.”
Has Microsoft made a bunch of money because the NFL uses their Surface tablets? Have a lot of colleges and high schools purchased Surface tablets? Perhaps Microsoft thought football fans would want to see what the coaches see?
Baseball’s Latest Recruit Is an iPad
There will be a new player in Major League Baseball dugouts this season: the iPad. Apple Inc. and MLB signed a multi-year agreement to equip every team with iPad Pro tablets to help coaching staffs make better use of data.
Teams will be able to sift through performance stats from current and past seasons, weigh potential pitcher-hitter matchups, look at “spray charts” showing where a player is likely to hit a ball, even cue up videos of plays from previous games.
… The data available on the iPads will be proprietary to each team, rather than drawing from a league-wide database.
At launch, the Dugout app’s data will be preloaded before each game. In the future, the MLB would like to have data that is closer to real time. Testing began in games during the postseason last year.
… Though Microsoft’s investment with the NFL started off badly—with glitchy devices and broadcasters calling Surface tablets “iPads” during games—the exposure has been valuable overall, said Matt Powell, an analyst with the NPD Group Inc. research firm. “Everyone knows that being the ‘official whatever-type-of-product of a league’ is something companies pay for,” Mr. Powell said. “When you see athletes and coaches actually using a product and technology in games, it’s a whole other level,” he said.
… The NFL mandates that Surface tablets must be visible on every sideline during games; MLB is making iPad use optional. But the commissioner thinks that most teams will use the tablets in both dugouts and pitching bullpens during games and training.
(Related) Can technology change this? (The article also gives you some idea how many statistics MLB gathers)
A Baseball Mystery: The Home Run Is Back, And No One Knows Why
My students will enjoy this.
Microsoft unveils Desktop App Converter, a developer tool for bringing existing Win32 apps to the Windows Store
Microsoft today unveiled the Desktop App Converter, which lets developers bring existing Windows applications to the Windows Universal Platform (UWP). The company is hoping to bring the 16 million existing Win32/.Net applications to the Windows Store.
UWP allows developers to build a single app that changes based on your device and screen size. One app can work on your Windows 10 computer, Windows 10 tablet, Windows 10 Mobile smartphone, Xbox One console, and eventually HoloLens headset.
… The best part is that this works for games as well.
My students should be able to do this too. If every technology student in the US does their own App, will the FBI give up?
I don’t know if there’s been any real security audit of this app, but I do love seeing teens focused on developing privacy tools. Gary Haber reports:
A high school student with a cellphone can get into a lot of trouble.
A hastily sent Facebook post or Twitter message can last forever and come back to bite someone when they’re applying for college or a job. Then there are the prying eyes of parents who can see what their children post online.
As a high school student, privacy is something Nick Pitoniak takes seriously.
Pitoniak, a senior at York Suburban High School who lives in Spring Garden Township, developed a cellphone app called Mutter Mail, which he says lets users send messages back and forth without leaving any trace. The messages disappear within 30 seconds, Pitoniak said.
Read more on WUSA.
For the next time I teach Statistics.
The 8-Bit Game That Makes Statistics Addictive
… Guess the Correlation is the brainchild of Omar Wagih, a graduate student at the European Bioinformatics Institute, and nefarious devourer of the thing I once called “my free time.” On paper, it sounds incredibly boring. In practice, it is inexplicably addictive. Try it.
A project for my geeky students or maybe all of them?
Google Cardboard