Sunday, March 20, 2016

This will definitely be a topic in my Spring Computer Security class. Conversion (turning your stolen money into laundered cash) is the hardest part of any theft.
Bangladesh Heist Exposes Philippine Dirty Money Secrets
The $81 million stolen from the Bangladesh central bank's American accounts last month was immediately sent via electronic transfer to the Philippines' RCBC bank, with the thieves deliberately targeting their laundering location.
The Philippines has some of the world's strictest bank secrecy laws to protect account holders, while its casinos are exempt from rules altogether aimed at preventing money laundering.
Still, if the thieves were to get away with their audacious heist, the money had to be moved quickly through the banking system and into the casinos.
And it did.
Authorities took four days to order a recall of the money.
But by then it had vanished – leaving in its place a tale of death threats, bribes, shady business figures and a bank manager who could be the villain or a victim.
A final roadblock has emerged at the casinos, with the money apparently vanishing in mountains of gambling chips and mysterious middlemen.
"Our money trail ended at the casinos," Julia Abad, deputy director of the anti-money laundering council, told senators Tuesday.
On February 5, the same day Bangladesh Bank was hacked, the money was sent electronically to four accounts in Deguito's RCBC branch in the financial capital of Makati, according to testimony to the Senate inquiry.
Those accounts appeared to have been set up solely for that purpose because they were done using aliases, the Senate inquiry heard.
After that, the bulk of the money was transferred into accounts of a local ethnic Chinese businessmen, William Go, who has since protested his innocence. He said his signature was forged to set up the accounts.
From there, the money was briefly held by Philrem, a foreign exchange brokerage.
Philrem President Salud Bautista told the Senate inquiry $30 million went to a man named Weikang Xu.
He was described as a casino junket operator but senators have said they know little more about him other than he is of Chinese origin.
Senator Osmena said the case was likely just the tip of the iceberg.
"This could have happened hundreds of times already," he said.
"We discovered this one only because someone complained. But normally, if a drug dealer from Burma (Myanmar) or China would send money here, no one would complain."

Eric Mugendi reports:
Unknown individuals have made four attempts to illegally transfer US$24 million (UGX81 billion) from the Bank of Uganda to accounts located outside the country.
Officials within the Government of Uganda are believed to have shared passwords with tech-savvy individuals who then logged in to the financial management system and targeted the accounts of the Defence, Energy and Agriculture ministries and the Uganda National Roads Authority (UNRA).
Read more on TechCabal.

Where does responsibility begin and end?

Not our hack, not our data breach: Greenshades

Although media reports this month have been talking about a hack of payroll services provider Greenshades that has resulted in clients’ employees discovering that their identity info has been used for fraudulent returns, Greenshades want you to know that they haven’t had a breach of their system.
Earlier this week, Karen Berkowitz reported that District 113 employees in Chicago had also been reporting fraudulent tax returns filed with their identity information. The District uses Greenshades as its payroll services provider.
“We have identified potentially suspicious activity relating to Greenshades’ tax portal,” Herrick said, in a statement read Monday at a school board meeting attended by angry and distraught employees.
Herrick said the school district has used Jacksonville, Fla.-based Greenshades to process employees’ W-2 tax forms for more than 10 years. The forms detail earnings and withholdings. The school district also recently used the firm to distribute 1095 tax forms.
The district does not yet know how many employees have been affected. As a precaution, employees’ access to the Greenshades tax portal has been blocked while the district continues its investigation.
But the owner of Greenshades told Berkowitz that this was not a “data breach” or “hack,” because the criminals used valid login credentials:
“For this particular client (District 113), the credentials that were required were the SSN and DOB,” Kane said, referring to the employee’s social security number and date of birth. “Those credentials were chosen by the client.”
“What happened from our perspective is that we detected IP addresses from (geographic) areas that seemed suspicious, trying to make multiple log-ins, and we shut them down,” Kane said.
Well, that, indeed would be an incident of a different color.
In a statement on their blog on March 16, Greenshades writes:
The IRS is reporting an increase in fraudulent tax filings nationwide, and Greenshades is likewise seeing a marked increase in reports of fraudulent login attempts to some client GreenEmployee portals. There is no indication that any of the information used in these fraudulent login attempts is a result of a technical breach of the Greenshades network. Instead, it appears criminals with personal information obtained from other sources are attempting to log into some GreenEmployee portals.
Greenshades is taking various steps to help maintain the security of client and employee information. This includes proactively monitoring attempts to access the Greenshades network from suspicious IP addresses and requiring that all clients adhere with Greenshades’ recommended log in settings. In the past, Greenshades has allowed the employer to establish its own credentials for log in.

Would it have been proper to install the “bug” on the neighbor's property?
I frequently mutter to myself when I read stories out of the U.K. about councils snooping on recycling bins or dog poop, but in New Zealand, it’s barking dogs. The editors of Stuff explain that an Avonside resident found bugging equipment on her property after a neighbor complained about her dogs barking months earlier.
The Christchurch City Council has admitted placing bugging equipment without consent inside the Bennetts’ property, in an attempt to get a lead on their barking dogs, and has now apologised. The Bennetts – who hold “responsible dog owner” status with the council – have accepted the apology and are waiting to hear from their lawyer about whether to take legal action against the council for the breach of privacy.
So the council got busted, and apologized. But they intend to keep monitoring – with the homeowner’s consent, it seems. The council says they’ll ignore any sounds or speech picked up. *cough*
So….would you permit that bugging device on your property or tell them they are free to monitor noise from the street, but not from your private property?
Read the editorial from Stuff here.

The FTC is saying that governments can't control technology. Isn't that the opposite of the FBI's argument?
Gigabites: Muni Broadband Takes a Backseat
Score one for the incumbent ISPs. The state of Tennessee has killed a bill that would have allowed municipal utility companies to expand their broadband service offerings to new regions, pushing off further debate until next year.
That's not the whole story, however. More than a year ago, the Federal Communications Commission (FCC) passed a ruling saying that Tennessee and North Carolina specifically are not allowed to prohibit muni broadband expansion. That might have prevented Tennessee from killing this year's bill, but the FCC is now locked in a court battle with both states, which are suing the agency for allegedly overstepping its authority. The oral arguments for the case against the FCC were heard this week in the United States Court of Appeals for the Sixth Circuit, though it's not yet clear when the court plans to rule on the lawsuit. (See FCC Clears Way for Muni Network Expansion.)
And to add one further wrinkle, lawmakers in Tennessee were treated to an invitation this week by ISP incumbent Charter Communications Inc. to record their own PSAs as part of Charter's public affairs programming. Representative Kevin Brooks thought the timing was suspect, seeing as how the state House had just done Charter a favor, blocking the path of municipal competitors like Chattanooga's municipally owned (and Gigabit darling) EPB Fiber Optics.

At least my students will find this interesting. (What happened to the friend's wife?)
Hulk Hogan verdict raises crucial privacy issues in the digital age
It's hard to think of a case with details more spectacular: A videotape featuring wrestling star Hulk Hogan having sex in a canopy bed with the young wife of a good friend — a guy whose legal name is Bubba the Love Sponge Clem.
… "People are thinking a little bit more about the concept of what is newsworthy, because what's changed is the concept of who a public figure is," said Mary Anne Franks, a professor at the University of Miami School of Law and the legislative and tech policy director of the nonprofit Cyber Civil Rights Initiative, which advocates for privacy issues.
"Society can be contemptuous toward a celebrity because they're a celebrity, and people think that a celebrity can deal with this," Franks said. "But nowadays you can be turned into a public figure because of a sex tape that is released of you." [Does it have to be a sex tape? Bob]
… But the Hulk Hogan verdict has emboldened privacy advocates, who say that 1st Amendment rights don't trump an individual's right to privacy — no matter how famous the person. Unlike other celebrity-versus-media legal battles, the issue here was privacy, not whether published material was defamatory or false.
… After a photo or a video appears on the Internet, the Web's cut-and-paste powers of regeneration make it virtually impossible to take down — even if an individual is armed with a pile of injunctions.
It's an issue that isn't just affecting celebrities, but private citizens too, who have to contend with the phenomenon of revenge porn.
"The term we prefer is 'nonconsensual pornography,'" Franks said. "It's not about the motives of the person who posted it. It's sexually explicit material distributed without consent."
… Whether the amount or the verdict will stick on appeal remains to be seen. But at a moment in which questions of privacy are in the ether — from NSA surveillance to the FBI's battle with Apple over its iPhone source code — attitudes about what might appear to be a silly celebrity sex tape may be shifting.

(Related) And there seems to be plenty of cases to argue about.
Antonio Giansante Garcia, a 39 year old computer professional, pled guilty today to providing accessibility of nude and sexually explicit photos to his ex-girlfriend’s employer, supervisors and fellow workers. The goal of such actions was to embarrass the victim before her professional associates.

(Related) A different take on the same issue. Fire the victim!
Seanna Adcox of AP reports that Leigh Anne Arthur, the Union County, South Carolina teacher whose nude photos on her cell phone were disseminated by a student to others, has now sued her former employee. No, she doesn’t want her job back after being forced to resign. She wants her dignity back, she says.
The case made headlines because there were conflicting reports about whether students were routinely allowed to use her cellphone and whether the nude photos had been in a separate, and secured file in her phone. [Should that make a difference? Bob] The student who accessed the photos and disseminated them was arrested and is no longer attending that school.
Read more of the AP’s report on NewsTimes.

Perspective. “Tip me, or I'll go all Terminator on you!”
Domino’s Pizza delivery robots on trial run in New Zealand

(Related) Coincidence or proof that the technology is ready?
Future of fast food? Carl’s Jr. CEO contemplates restaurants where diners ‘never see a person’

No comments: