The logistics clearly make this an “organized crime” operation. Note that the seven arrested took only a small fraction ($2.8 million) of the total. This will be one for the books… and Hollywood spinoffs. Jessica Dye and Jim Finkle of Reuters report:
The government
charged eight people with using data obtained by hacking into two
credit card processors in a worldwide scheme that netted some $45
million within hours, a crime prosecutors described as one of the
biggest bank heists in history.
The individuals
formed the New York-based cell of a global cybercriminal organization
that stole MasterCard
debit card data from two Middle Eastern banks, the Justice Department
said. The information was used to make more than 40,500 withdrawals
at automated teller machines in 27 countries, prosecutors said.
Read more on CNBC.
Here’s the press
release from the U.S. Attorney’s Office, Eastern District New
York.
[From the CNBC article:
Prosecutors said the attacks, known as
"unlimited operations," occurred in two
separate incidents, in December 2012 and February 2013.
… In the New York area, the ring
withdrew nearly $400,000 in less than three hours at more than 140
ATMs, the prosecutors said. On another occasion, about $2.4 million
was collected in nearly 3,000 ATM withdrawals over 10 hours, they
said.
[From the US Attorney's
press release:
Over the course of approximately 10
hours, casher cells in 24 countries executed approximately
36,000 transactions worldwide and withdrew about $40 million
from ATMs. From 3 p.m. on February 19 through 1:26 a.m. on February
20, the defendants and their co-conspirators withdrew approximately
$2.4 million in nearly 3,000 ATM withdrawals in the New York City
area.
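The figures above (tens of thousands of withdrawals in a few hours, spread across two dozen countries) are exactly the kind of velocity pattern a card issuer or processor can screen for independently of any per-card withdrawal limit. The following is an added example, not code from the article or from any of the banks involved: a sliding-window check over a constructed authorization log that flags a card when, within one hour, it exceeds a withdrawal count, a cumulative amount, or a number of distinct countries. The thresholds and the sample rows are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ATM withdrawal authorizations (not data from the case):
# (timestamp, card_id, amount_usd, country_of_atm)
SAMPLE_LOG = [
    ("2013-02-19 15:00", "card-A", 500.0, "US"),
    ("2013-02-19 15:03", "card-A", 500.0, "US"),
    ("2013-02-19 15:05", "card-A", 800.0, "JP"),
    ("2013-02-19 15:06", "card-A", 800.0, "GB"),
    ("2013-02-19 15:10", "card-A", 700.0, "US"),
    ("2013-02-19 15:12", "card-A", 600.0, "US"),
    ("2013-02-19 09:00", "card-B", 200.0, "US"),   # ordinary use, hours apart
    ("2013-02-19 18:30", "card-B", 100.0, "US"),
    ("2013-02-20 07:45", "card-C", 300.0, "US"),   # two countries five minutes apart
    ("2013-02-20 07:50", "card-C", 300.0, "CA"),
]


def parse_log(rows):
    """Turn the string timestamps into datetimes so windows can be compared."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), card, amt, country)
            for ts, card, amt, country in rows]


def flag_cashout_cards(rows, window=timedelta(hours=1), max_count=4,
                       max_amount=2000.0, max_countries=1):
    """Per-card sliding-window velocity check.

    Returns {card_id: sorted list of reasons} for every card that, within any
    `window`, exceeds `max_count` withdrawals, `max_amount` total dollars, or
    `max_countries` distinct ATM countries. Thresholds are illustrative.
    """
    by_card = defaultdict(list)
    for ts, card, amt, country in parse_log(rows):
        by_card[card].append((ts, amt, country))

    flagged = {}
    for card, txns in by_card.items():
        txns.sort()                      # chronological order per card
        reasons = set()
        start = 0
        for end in range(len(txns)):
            # advance the window start until it spans at most `window`
            while txns[end][0] - txns[start][0] > window:
                start += 1
            win = txns[start:end + 1]
            if len(win) > max_count:
                reasons.add("count")
            if sum(a for _, a, _ in win) > max_amount:
                reasons.add("amount")
            if len({c for _, _, c in win}) > max_countries:
                reasons.add("geo")
        if reasons:
            flagged[card] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for card, why in flag_cashout_cards(SAMPLE_LOG).items():
        print(card, "flagged:", ", ".join(why))
```

The geographic rule is the cheapest of the three to act on: a single card authorized in two countries minutes apart is physically impossible for a cardholder, so it needs no tuning against normal spending patterns, whereas count and amount thresholds have to be calibrated per product.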
Interesting (if small) breach. Looks like they ignored almost every “Best Practice”. They didn't detect the breach and, once told about it, it sounds like a very poor response.
Rachel La Corte reports:
The Washington
state Administrative Office of the Courts was hacked
in February, and up to 160,000 Social Security numbers and
1 million driver license numbers may have been accessed during the
data breach of its public website.
Officials with the
courts announced Thursday that so far, it has been confirmed that 94
Social Security numbers were obtained. Initially, authorities didn’t
think confidential information was taken, but following an
investigation by the Multi-State Information Sharing and Analysis
Center, the broader breach was confirmed in April,
said courts spokeswoman Wendy Ferrell.
Read more on KOMO
News. Somewhat surprisingly (to me, anyway):
Ferrell said that
there is no active law enforcement investigation at
this time, but people who believe they are at risk should
take precautions to monitor credit.
Why is there no active law enforcement
investigation of a hack involving the state?
(Related) How they did it.
Rachel La Corte has more on the hack
reported earlier today on this blog:
The breach
happened due to vulnerability in an Adobe Systems Inc. software
program, ColdFusion, that has since been patched, court officials
said. The hack happened sometime after September but
wasn’t caught until February, they said.
[...]
Mike Keeling, the
courts’ information technology operations and maintenance manager,
said officials were alerted to the breach by a
business on the East Coast that had a similar intrusion.
“They
recognized our information in their breach log,” Keeling
said, which led them to install the patch provided by Adobe and start
an investigation.
[...]
Keeling
acknowledged that confidential information should have been kept in a
different area, “and now they are.”
“I can say
nothing more than it was an oversight on our part,” he said.
Read more on Yakima
Herald.
Perhaps my Ethical Hackers would do
this faster? (For a modest fee, of course)
Apple
deluged by police demands to decrypt iPhones
Apple receives so many police demands
to decrypt
seized iPhones that it has created a "waiting list" to
handle the deluge of requests, CNET has learned.
Court documents show that federal
agents were so stymied by the encrypted iPhone
4S of a Kentucky man accused of distributing crack cocaine that
they turned to Apple for decryption help last year.
An agent at the ATF, the federal Bureau
of Alcohol, Tobacco, Firearms and Explosives, "contacted Apple
to obtain assistance in unlocking the device," U.S. District
Judge Karen
Caldwell wrote in a recent opinion. But, she wrote, the ATF was
"placed on a waiting list by the company."
A search warrant affidavit prepared by
ATF agent Rob Maynard says that, for nearly three months last summer,
he "attempted to locate a local, state, or federal law
enforcement agency with the forensic capabilities to unlock" an
iPhone 4S. But after each police agency responded by saying they
"did not have the forensic capability," Maynard resorted to
asking Cupertino.
Because the waiting list had grown so
long, there would be at least a 7-week delay, Maynard says he was
told by Joann
Chang, a legal specialist in Apple's litigation group. It's
unclear how long the process took, but it appears to have been at
least four months.
… It's not clear whether that means
Apple has created a backdoor for police -- which has been the topic
of speculation in the past -- whether the company has custom
hardware that's faster at decryption, or whether it simply is more
skilled at using the same procedures available to the government.
Apple declined to discuss its law enforcement policies when contacted
this week by CNET.
“We are determined to give our secret
police the ability to create complete dossiers on every citizen. How
else can we control them?”
David Kravets reports:
The immigration
reform measure the Senate began debating yesterday would create a
national biometric database of virtually every adult in the U.S., in
what privacy groups fear could be the first step to a
ubiquitous national identification system.
Buried in the more
than 800
pages of the bipartisan legislation (.pdf) is language mandating
the creation of the innocuously-named “photo tool,” a massive
federal database administered by the Department of Homeland Security
and containing names, ages, Social Security numbers and photographs
of everyone in the country with a driver’s license or other
state-issued photo ID.
Read more on Threat
Level.
[From the article:
Employers would be obliged to look up
every new hire in the database to verify that they match their photo.
[After all, job applicants are guilty until proven
innocent, right? Bob]
… “It’s like a national ID
system without the card.”
Interesting. Is that a “We'll never
make that mistake again” or a “Let's let the anger die down for a
while?” Or perhaps they have a better way? In-store drones?
Angela Martin of CBS-DFW follows up on
a story mentioned previously on this blog:
Nordstrom is no
longer collecting information from the smart phones of its customers.
Since September,
sensors staged throughout the stores were able to track signals from
smart phones as they attempted to connect to Wi-Fi service. The
company said it was using the data to measure foot traffic within
different departments of its stores at different times of the day.
Nordstrom
spokesperson Tara Darrow confirmed the company
stopped using sensors the day after CBS 11 aired a story about the
practice. [Yep. A definite “We didn't think we'd get caught!”
Bob] After the story, customers contacted the company to
ask questions and share feedback, according to Darrow.
Read more on CBSDFW.
Shining the light on surveillance
practices – by government or businesses – sometimes helps. In
this case, it seems to have brought the “experiment” to a quicker
halt and gave the business some feedback from customers who were
unhappy with what the store was doing.
(Related)
Nordstrom may no longer be using Euclid
to track smartphones, but other retailers are. And Ryan Grenoble
reports that opting out may not be easy
for some shoppers:
On its privacy
page, Euclid assures skeptics it
does not collect sensitive data, such as “who you are, whom you
call or the websites you visit.” The anonymous data on individual
shoppers that the company does collect is bundled with data from
other individuals, resulting in an aggregate report of anonymous
information.
Euclid
has an opt-out option for shoppers who would rather not be
tracked as they wander the aisles of participating retailers, though
the process requires the user to look up his smartphone’s MAC
address, a unique code that identifies the device to a network.
(However, the MAC address is usually buried deep in the phone’s
settings, and digging it out may be a daunting task for some users.)
After a shopper opts out, his information is wiped
from Euclid’s database along with Euclid’s record of the
phone’s MAC address.
Read more on Huffington
Post.
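The opt-out described above hinges on the MAC address, so a retail analytics pipeline has to normalize the address the shopper types in, suppress that device before anything is stored, and avoid keeping raw MACs at all. The following is an added example, not Euclid's code or any retailer's: it keys each sighting with an HMAC under a secret (a placeholder here), drops opted-out devices before aggregation, and shows how a later opt-out purges a device from stored records. The observations and the opt-out list are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of Wi-Fi probe sightings, one per observation: (mac, store_zone).
# Not real data; the same device appears with two address formats on purpose.
OBSERVATIONS = [
    ("AA:BB:CC:11:22:33", "shoes"),
    ("aa-bb-cc-11-22-33", "shoes"),      # same device, different separator/case
    ("AA:BB:CC:11:22:33", "cosmetics"),
    ("DE:AD:BE:EF:00:01", "shoes"),      # this device has opted out
    ("DE:AD:BE:EF:00:02", "cosmetics"),
    ("DE:AD:BE:EF:00:02", "cosmetics"),
]
OPT_OUT_MACS = {"de:ad:be:ef:00:01"}

# Placeholder secret (assumption): held by the analytics back end, never by the sensors.
PSEUDONYM_KEY = b"constructed-placeholder-key-rotate-me"


def normalize_mac(mac):
    """Canonical form 'aa:bb:cc:dd:ee:ff' from any of the common separators and cases."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pseudonymize(mac, key):
    """Keyed hash of the MAC. An unkeyed hash could be reversed by enumerating the
    48-bit address space; with a secret key that table cannot be built."""
    return hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()[:16]


def build_zone_report(observations, opt_out, key):
    """Distinct devices per zone, computed on pseudonyms only, with opted-out
    devices discarded before they reach storage."""
    opted = {normalize_mac(m) for m in opt_out}
    devices_by_zone = defaultdict(set)
    for mac, zone in observations:
        norm = normalize_mac(mac)
        if norm in opted:
            continue
        devices_by_zone[zone].add(pseudonymize(norm, key))
    return {zone: len(ids) for zone, ids in sorted(devices_by_zone.items())}


def purge_device(stored_pseudonyms, mac, key):
    """Honor an opt-out received after data was stored: the MAC the shopper
    submits is re-keyed and every matching record is removed."""
    target = pseudonymize(mac, key)
    return [p for p in stored_pseudonyms if p != target]


if __name__ == "__main__":
    print(build_zone_report(OBSERVATIONS, OPT_OUT_MACS, PSEUDONYM_KEY))
```

Because the purge needs the same key that produced the stored pseudonyms, rotating the key also has to rotate or re-key the opt-out list; otherwise an opt-out submitted after rotation would no longer match the old records.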
I think I'll forget this article...
May 09, 2013
On
The "Right to Be Forgotten": Challenges and Suggested
Changes to the Data Protection Regulation
- "Since January 2012, the European Union institutions have been debating draft legislation to reform European rules on data protection (commonly referred to as the Data Protection Regulation (DPR)). Article 17 of the proposed DPR presents the concept of a "Right to Be Forgotten". Article 17 would allow a user to request that an online service provider delete all data – including data that has been made public – it has about that user. While CDT is sympathetic to the concerns that underlie Article 17, we have recommended that it be redrafted and narrowed substantially. As laid out in the Commission’s proposal it would significantly limit users’ free expression rights and impose unreasonable burdens on online platforms and ISPs, likely leading to fewer platforms for user speech. Private companies are ill-equipped to take responsibility for decisions that balance the right to privacy with the right to free expression. [Are they being asked to make a decision? Bob] Such questions are ultimately for courts to decide, interpreting carefully drawn legislative mandates in light of relevant human rights jurisprudence. Moreover, we believe that the measures to protect journalistic and artistic expression – namely, those granted by Article 80 of the DPR – are too narrowly drafted and do not satisfy international human rights obligations regarding free expression."
As goes California? I imagine the
social networks will fight to avoid loss of their most easily
influenced age group.
Philip Janquart reports:
A bill intended to
give parents the right to pull their children’s personal
information off social networking sites has passed the California
Senate.
After a 23-10
vote, SB501,
or the Social Networking Privacy Act, now moves to the Assembly, the
lower house of the California Legislature.
Read more on Courthouse
News.
“It’s for the children” arguments
are often problematic. Should a parent really be allowed to demand
removal of a 17 year-old’s information? What if the 17 year-old is
politically advocating for changes in law and gives out his/her
details because s/he wants to be contacted by others with similar
views?
Think of this as a “Get out of jail,
free” card.
Karen Gullo reports:
Delta Air Lines
Inc. won dismissal of claims it violated California’s Internet
privacy law because its mobile-phone application didn’t notify
users that personal information, such as their locations, was being
collected.
California
Attorney General Kamala Harris sued Atlanta-based Delta in December
alleging its “Fly Delta” app didn’t have a clearly posted
privacy policy. Judge Marla Miller in state court in San Francisco
agreed today with the airline that the federal
Airline Deregulation Act bars states from imposing regulations on
airlines related to price, routes or services.
Read more on Bloomberg
News.
“It's a bird! It's a plane! It's
SuperDrone!” Except where prohibited by law...
Jackie Johnson reports:
Photos, video and
audio recordings captured without permission on private property with
the use of a drone would be against the law under legislation being
introduced at the state Capitol.
Lawmakers from
both sides of the political aisle in Wisconsin want to ensure
remote-controlled [How about autonomous drones? Bob]
flying devices do not threaten individual privacy rights.
Read more on Wisconsin
Radio Network.
(Related) Is the era of the drone
already at an end? (reads more like a hypothetical case to me)
Scott Bomboy writes:
A United Nations
report about “killer robots” is a new spin on the rising concern
about drones—and the legal problems caused by self-guided machines
could be closer than you think.
The U.N. Human
Rights Commission plans to address part of the issue later this month
in Geneva. Christof Heyns, a South African professor of human rights
law, released an extensive U.N.
report on the topic in April that has ominous overtones.
[...]
Like many military
technologies, these robots are also making their way into the
civilian world. FEMA’s website lists government-approved robots
including the SNEAKY,
a small surveillance robot that literally sneaks around gathering
evidence. SNEAKY can do border inspections, gather audio and video
evidence, sniff bags, and issue voice instructions.
Read more on Constitution
Daily.
This could be very interesting, if it
ever actually happens.
May 09, 2013
Executive
Order -- Making Open and Machine Readable the New Default for
Government Information
"To promote continued job growth,
Government efficiency, and the social good that can be gained from
opening Government data to the public, the default state of new and
modernized Government information resources shall be
open and machine readable. Government information shall
be managed as an asset throughout its life cycle to promote
interoperability and openness, and, wherever possible and legally
permissible, to ensure that data are released to the public in ways
that make the data easy to find, accessible, and usable. In making
this the new default state, executive departments and agencies
(agencies) shall ensure that they safeguard individual privacy,
confidentiality, and national security."
We knew this was coming...
Google announced
on Thursday the launch of a pilot program designed to offer paid
channels on YouTube with subscription fees starting at $0.99 per
month. The program kicked off with a small group of partners
including the producers of Sesame Street, Big Star Movies, DHX Kids
TV, National Geographic Kids, Primezone Sports, and TYTPlus.
According to Google, there are over 1
million channels generating quality professional content and revenue
on YouTube, making paid channels a natural way for content producers
to increase their revenue beyond advertising sponsorship.
The paid
channels work similarly to any online subscription service.
Fun and games for my Ethical Hackers?
Gianna,
14, discovers iPad 2 heart risk
Gianna Chien is somewhat different from
all the other researchers reporting on their work to more than 8000
doctors at the Heart Rhythm Society meeting in Denver,
Colorado.
Chien is 14, and her study – which
found that Apple's iPad 2 can, in some cases, interfere with
life-saving heart devices because of the magnets inside – is based
on a science-fair project that didn't even win her first place.
… If a person falls asleep with the
iPad 2 on the chest, the magnets in the cover can "accidentally
turn off" the heart device, said Chien, a high school freshman
in Stockton, California, whose father is a doctor. "I
definitely think people should be aware. That's why I'm presenting
the study."
Defibrillators, as a safety precaution,
are designed to be turned off by magnets. The iPad 2 uses 30 magnets
to hold the iPad 2's cover in place, Chien said. While the iPad 2
magnets aren't powerful enough to cause problems when a person is
holding the tablet out in front of the chest, it can be risky to rest
it against the body, she found.