Posts tagged ‘fbi’

TorrentFreak: MPAA ‘Softens’ Movie Theater Anti-Piracy Policy, Drops Bounty

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

recillegalThe MPAA sees illegally recorded movies as one of the biggest piracy threats and goes to extremes to stop it.

During pre-release screenings and premieres, for example, employees are often equipped with night-vision goggles and other spy tech to closely monitor movie goers.

In some cases members of the public have been instructed to hand over all recording-capable devices including phones and Google glasses.

Through these measures the MPAA hopes to prevent pirates from camcording movies or recording audio in theaters. The underlying policy is drafted in cooperation with the National Association of Theatre Owners (NATO), and a few days ago the most recent version was released.

At first sight not much has changed. The MPAA still recommends theater owners to keep an eye on suspect movie goers while prohibiting the use of any recording devices including phones.

“Preventative measures should include asking patrons to silence and put away their phones and requiring they turn off and stow all other devices capable of recording, including wearable technology capable of recording.

“If individuals fail or refuse to put any recording device away, managers—per your theater’s policy — can ask them to leave,” the recommendation reads.

There are several subtle changed throughout the document though, especially regarding the involvement of police. Previously, theater employees were encouraged to detain suspect visitors and hand them over to the authorities.

This is explicitly stated in the following snippet taken from the 2014 version of the best practices.

“Theater managers should immediately alert law enforcement authorities whenever they have clear indications that prohibited activity is taking place—the proper authorities will determine what laws may have been violated and what enforcement action should be taken.”

In the new document, however, it’s no longer a requirement to call the police. Instead, this is now optional.

“Theater managers have the option to immediately alert law enforcement authorities whenever they have clear indications that prohibited activity is taking place or managers can the stop the activity without law enforcement assistance.”

Similar changes were made throughout the document. Even reporting incidents to the MPAA no longer appears to be mandatory, which it still was according to last year’s text.

“After your theater manager has contacted the police, your theater manager should immediately call the MPAA 24/7 Anti-Camcording Hot Line to report the incident.”

The language above has now been changed to a less urgent option of simply reporting incidents, should a theater manager deem it appropriate.

“Your theater manager can also call the MPAA 24/7 Anti-Camcording Hot Line to report the incident.”

Aside from the softer tone there’s another significant change to the best practices. The $500 “reward” movie theater employees could get for catching pirates is no longer mentioned.

The old Take Action Award mention

In fact, the entire “take action award” program appears to have been discontinued. The NATO page where it was listed now returns a 404 error and the details on FightFilmTheft have been removed as well.

This stands in stark contrast to the UK where the rewards for a similar program were doubled just a few weeks ago, with officials describing it as a great success.

The question that remains unanswered is why the MPAA and NATO have implemented these changes. Could it be that there were too many false positives being reported to the police, or is there an image problem perhaps?

In recent years several questionable police referrals resulted in a media backlash. A 19-year-old girl was arrested for recording a 20 second clip from the movie “Transformers,” which she wanted to show to her brother, for example.

And just last year the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed his wearing of Google Glass was a sign that he was engaged in camcorder piracy.

Meanwhile, reports of real pirates being apprehended in a similar fashion have been notable by their absence.

Best Practices to Prevent Film Theft

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

TorrentFreak: Megaupload Programmer Already Freed From U.S. Prison

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Acting on a lead from the entertainment industry, in January 2012 the U.S. Government shut down Megaupload.

To date, much of their efforts have been focused on extraditing Kim Dotcom and his former colleagues from New Zealand to the United States but earlier this year it became apparent that they’d already snared an important piece of the puzzle.

Operating under key mega figure Matthias Ortmann, Andrus Nomm was a Megaupload programmer who reportedly earned a little over $3200 per month.

In common with his former colleagues, Nomm was cited in the Megaupload indictment, meaning that the FBI wanted the Estonian in the United States to face criminal charges. With few funds at his disposal to put a Dotcom-like fight, Nomm flew from the Netherlands and handed himself over to U.S. authorities after three years.

In February the 36-year-old was arrested and carried through with a deal he’d promised to cut with U.S. authorities. Just days later the Department of Justice announced that Nomm had pleaded guilty to criminal copyright infringement, and he was sentenced to 366 days in prison.

Dotcom slammed the development.

“An innocent coder pleads guilty after 3 years of DOJ abuse, with no end in sight, in order to move on with his life,” Dotcom said. “I have nothing but compassion and understanding for Andrus Nomm and I hope he will soon be reunited with his son.”

This week it appears Dotcom’s wishes came true. According to NZHerald, after serving just nine months in prison, Nomm’s name appeared on a list of prisoners due to be released this week.

However, the Estonian’s release will be bitter-sweet since according to the same report Nomm’s evidence is already being used against Dotcom and as recently as his just-concluded extradition hearing.

The details will not be made public until have Judge Nevin Dawson hands down his decision but it’s believed that Nomm has stated on the record that Dotcom and his former colleagues knowingly profited from copyright infringement.

Nevertheless, Dotcom still feels that Nomm pleaded guilty to a crime he didn’t commit.

“One year in jail was his way out. I don’t blame him. I can understand why Andrus did it. But it doesn’t change the fact that he is innocent,” Dotcom told the Herald.

Underlining his point, Dotcom points to a video recorded by Nomm just three months after the raid and uploaded to YouTube after Nomm signed the plea deal.

“Andrus made it clear in his documentary interview that he had done nothing wrong,” Dotcom said.

Although three years in limbo and a year in jail will have had a considerable impact on Nomm’s life, his deal with the U.S. now means that he can get on with his life. The same cannot be said of Dotcom and his former colleagues.

Nomm plead guilty to two counts of conspiracy to commit copyright infringement, charges that Dotcom and his former colleagues continue to deny. The U.S. also dropped the money laundering and racketeering charges against the Estonian – the same is unlikely to happen in Dotcom’s case. However, Nomm still has a “money judgment” of US$175m to contend with, a not inconsiderable amount that he will presumably never pay.

The conviction of Nomm is a considerable feather in the cap of U.S. authorities who indicate that Nomm has given them much more evidence than has been revealed thus far. Only time will tell how valuable that will prove.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Krebs on Security: Paris Terror Attacks Stoke Encryption Debate

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

U.S. state and federal law enforcement officials appear poised to tap into public concern over the terror attacks in France last week to garner support for proposals that would fundamentally weaken the security of encryption technology used by U.S. corporations and citizens. Here’s a closer look at what’s going on, and why readers should be tuned in and asking questions.

encryptedeyeDespite early and widely repeated media reports that the terrorists who killed at least 128 people in Paris used strong encryption to disguise their communications, the evidence of this has failed to materialize. An initial report on Nov. 14 from Forbes titled “Why the Paris ISIS Terrorists Used PlayStation4 to Plan Attacks” was later backpedalled to “How Paris ISIS Terrorists May Have Used PlayStation 4 to Discuss and Plan.” Turns out there was actually nothing to indicate the attackers used gaming consoles to hide their communications; only that they could do that if they wanted to.

Politico ran a piece on Sunday that quoted a Belgian government official saying French authorities had confiscated at least one PlayStation 4 gaming console from one of the attacker’s belongings (hat tip to

“It’s unclear if the suspects in the attacks used PlayStation as a means of communication,” the Politico story explained. “But the sophistication of the attacks raises questions about the ability of law enforcement to detect plots as extremists use new and different forms of technology to elude investigators.”

Also on Sunday, The New York Times published a story that included this bit:

“The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”

After heavy criticism of the story on Twitter, The Times later removed the story from the site (it is archived here). That paragraph was softened into the following text, which was included in a different Times story later in the day: “European officials said they believed the Paris attackers had used some kind of encrypted communication, but offered no evidence.” To its credit, the Times today published a more detailed look at the encryption debate.

The media may be unwittingly playing into the hands of folks that former NBC reporter Bob Sullivan lovingly calls the “anti-encryption opportunists,” i.e., those who support weakening data encryption standards to make it easier for law enforcement officials to lawfully monitor people suspected of terrorist activity.

The directors of the FBI , Central Intelligence Agency and National Security Agency have repeated warned Congress and the technology community that they’re facing a yawning intelligence gap from smart phone and internet communication technologies that use encryption which investigators cannot crack — even after being granted the authority to do so by the U.S. courts.

For its part, the Obama administration has reportedly backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices.

“While the administration said it would continue to try to persuade companies like Apple and Google to assist in criminal and national security investigations, it determined that the government should not force them to breach the security of their products,” wrote Nicole Perlroth and David Sanger for The New York Times in October. “In essence, investigators will have to hope they find other ways to get what they need, from data stored in the cloud in unencrypted form or transmitted over phone lines, which are covered by a law that affects telecommunications providers but not the technology giants.”

But this hasn’t stopped proponents of weakening encryption from identifying opportunities to advance their cause. In a memo obtained in August by The Washington PostRobert Litt, a lawyer in the Office of the Director of National Intelligence, wrote that the public support for weakening encryption “could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

To that apparent end, law enforcement officials from Manhattan and the City of London are expected on Wednesday to release a “white paper on smartphone encryption,” during an annual financial crimes and cybersecurity symposium at The Federal Reserve Bank of New York. A media notice (PDF) about the event was sent out by Manhattan District Attorney Cyrus R. Vance Jr., one of the speakers at the event and a vocal proponent of building special access for law enforcement into encrypted communications. Here’s Vance in a recent New York Times op-ed on the need for the expanded surveillance powers.

Critics say any plans designed to build in secret “backdoors” that allow court-ordered access to encrypted communications ultimately would backfire once those backdoors were discovered by crooks and nation states. In her column titled “After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption,”’s Kim Zetter examines security holes in the arguments for weakening encryption.

The aforementioned Bob Sullivan reminds us that weakening domestic encryption laws would simply ensure that the criminals we wish to monitor use non-US encryption technology:

“For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.”

“There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.”

“Meanwhile, creation of backdoors would make us all less safe.  Would you trust governments to store and protect such a master key?  Managing defense of such a universal secret-killer is the stuff of movie plots.  No, the master key would most likely get out, or the backdoor would be hacked.  That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind out backs.”

“In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.”

Where do you come down on this debate, dear readers? Are you taking advantage of the kinds of technologies and services — like Signal, Telegram and Wickr — that use encryption the government says it can’t crack? Sound off in the comments below.

Schneier on Security: Did Carnegie Mellon Attack Tor for the FBI?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s pretty strong evidence that the team of researchers from Carnegie Mellon University who canceled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI.

Details are in this Vice story and this Wired story (and these”>two follow-on Vice stories). And here’s the reaction from the Tor Project.

Nicholas Weaver guessed this back in January.

The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.

Does anyone still trust CERT to behave in the Internet’s best interests? Did the FBI Pay a University to Attack Tor Users? (Tor blog)

This post was syndicated from: and was written by: jake. Original post: at

The Tor blog is carrying a post from interim executive director Roger Dingledine that accuses Carnegie Mellon University (CMU) of accepting $1 million from the FBI to de-anonymize Tor users.
There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board. We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.” Cryptographer Matthew Green has also weighed in (among others, including Forbes and Ars Technica): “If CMU really did conduct Tor de-anonymization research for the benefit of the FBI, the people they identified were allegedly not doing the nicest things. It’s hard to feel particularly sympathetic.

Except for one small detail: there’s no reason to believe that the defendants were the only people affected.”

Krebs on Security: Ransomware Now Gunning for Your Web Sites

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

One of the more common and destructive computer crimes to emerge over the past few years involves ransomware — malicious code that quietly scrambles all of the infected user’s documents and files with very strong encryption.  A ransom, to be paid in Bitcon, is demanded in exchange for a key to unlock the files. Well, now it appears fraudsters are developing ransomware that does the same but for Web sites — essentially holding the site’s files, pages and images for ransom.

Image: Kaspersky Lab

Image: Kaspersky Lab

This latest criminal innovation, innocuously dubbed “Linux.Encoder.1” by Russian antivirus and security firm Dr.Web, targets sites powered by the Linux operating system. The file currently has almost zero detection when scrutinized by antivirus products at Google’s, a free tool for scanning suspicious files against dozens of popular antivirus products.

Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the “home” directories on the system, as well backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.

The ransomware problem is costly, hugely disruptive, and growing. In June, the FBI said said it received 992 CryptoWall-related complaints in the preceding year, with losses totaling more than $18 million. And that’s just from those victims who reported the crimes to the U.S. government; a huge percentage of cybercrimes never get reported at all.


On Nov. 4, the Linux Website ramsomware infected a server used professional Web site designer Daniel Macadar. The ransom message was inside a plain text file called “instructions to decrypt” that was included in every file directory with encrypted files:

“To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD),” the warning read. “Without this key, you will never be able to get your original files back.”

Macadar said the malware struck a development Web server of his that also hosted Web sites for a couple of longtime friends. Macadar was behind on backing up the site and the server, and the attack had rendered those sites unusable. He said he had little choice but to pay the ransom. But it took him some time before he was able to figure out how to open and fund a Bitcoin account.

“I didn’t have any Bitcoins at that point, and I was never planning to do anything with Bitcoin in my life,” he said.

According to Macadar, the instructions worked as described, and about three hours later his server was fully decrypted. However, not everything worked the way it should have.

“There’s a  decryption script that puts the data back, but somehow it ate some characters in a few files, adding like a comma or an extra space or something to the files,” he said.

Macadar said he hired Thomas Raef — 0wner of Web site security service — to help secure his server after the attack, and to figure out how the attackers got in. Raef told me his customer’s site was infected via an unpatched vulnerability in Magento, a shopping cart software that many Web sites use to handle ecommerce payments.

CheckPoint detailed this vulnerability back in April 2015 and Magento issued a fix yet many smaller ecommerce sites fall behind on critical updates for third-party applications like shopping cart software. Also, there are likely other exploits published recently that can expose a Linux host and any associated Web services to attackers and to site-based ransomware.


This new Linux Encoder malware is just one of several recent innovations in ransomware. As described by Romanian security firm Bitdefender, the latest version of the CryptoWall crimeware package (yes, it is actually named CryptoWall 4.0) displays a redesigned ransom message that also now encrypts the names of files along with each file’s data! Each encrypted file has a name made up of random numbers and letters.

Traditional ransomware attacks also are getting more expensive, at least for new threats that currently are focusing on European (not American) banks. According to security education firm KnowBe4, a new ransomware attack targeting Windows computers starts as a “normal” ransomware infection, encrypting both local and network files and throwing up a ransom note for 2.5 Bitcoin (currently almost USD $1,000). Here’s the kicker: In the ransom note that pops up on the victim’s screen, the attackers claim that if they are not paid, they will publish the files on the Internet.



Well,  that’s one way of getting your files back. This is the reality that dawns on countless people for the first time each day: Fail to securely back up your files — whether on your computer or Web site — and the bad guys may eventually back them up for you! ‘

Oh, the backup won’t be secure, and you probably won’t be able to remove the information from the Internet if they follow through with such threats.

The tools for securely backing up computers, Web sites, data, and even entire hard drives have never been more affordable and ubiquitous. So there is zero excuse for not developing and sticking with a good backup strategy, whether you’re a home user or a Web site administrator.

PC World last year published a decent guide for Windows users who wish to take advantage of the the OS’s built-in backup capabilities. I’ve personally used Acronis and Macrium products, and find both do a good job making it easy to back up your rig. The main thing is to get into a habit of doing regular backups.

There are good guides all over the Internet showing users how to securely back up Linux systems (here’s one). Others tutorials are more OS-specific. For example, here’s a sensible backup approach for Debian servers. I’d like to hear from readers about their backup strategies — what works — particularly from those who maintain Linux-based Web servers like Apache and Nginx.

It’s worth noting that the malware requires the compromised user account on the Linux system to be an administrator; operating Web servers and Web services as administrator is generally considered poor security form, and threats like this one just reinforce why.

Also, most ransomware will search for other network or file shares that are attached or networked to the infected machine. If it can access those files, it will attempt to encrypt them as well. It’s a good idea to either leave your backup medium disconnected from the system unless and until you are backing up or restoring files.

For his part, Macadar said he is rebuilding the compromised server and now backing up his server in two places at once — using local, on-site backup drives as well as remote (web-based) backup services.

TorrentFreak: YTS Reaches MPAA Deal But Dotcom Faces Decades in Jail?

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After reporting on thousands of file-sharing related stories around the globe for almost ten years, the folks here at TF have a ‘feel’ for how certain scenarios play out. With that in mind, something doesn’t feel right with the ongoing drama involving YTS / YIFY.

When sites as big as YTS get taken down by the MPAA, RIAA, or their partners around the world, these organizations usually order their PR departments to repeatedly bash the big button marked “CONGRATULATIONS TO US”. Yet for weeks following the YTS shut down there was complete silence.

Details of the multi-million dollar lawsuit supposedly filed in New Zealand are nowhere to be found either. And if one was expecting the usual “Shut down by ICE/FBI/DELTA FORCE” banner to appear on instead of the usual YIFY movie rips, then there’s only disappointment there too.

Ok, the MPAA have this week admitted they’re behind the shutdown, but the way it’s being handled is extremely puzzling. The announcement from MPAA chief Chris Dodd was muted to say the least and the somewhat compulsory gloating at having taken down one of the world’s most important piracy sites is almost non-existent.

This is odd for a number of reasons, not least when one considers the nature and scale of the operation. YIFY / YTS released as many as five thousand copies of mainstream movies onto the Internet. Between them they were shared dozens of millions of times, at least. Over the past decade those kinds of numbers – and a lot less – have seen people jailed for up to five years in the United States and elsewhere.

Yet according to credible sources the operator of YTS – a 21-year-old who for unknown reasons isn’t even being named – has already settled his beef with the MPAA. This, despite running a site that has been repeatedly listed as a worldwide notorious market in the USTR’s Special 301 Report.

Of course, the operator of YTS isn’t in the United States, he’s in New Zealand, but geographical boundaries are rarely an issue for Hollywood. Take the drama surrounding Kim Dotcom and his former site Megaupload, for example.

Like the operator of YTS, Dotcom also lives in New Zealand. Importantly, it’s never been claimed that Dotcom uploaded anything illegal to the Internet (let alone thousands of movies) yet he was subjected to a commando-like raid on his home by dozens of armed police. He’s also facing extradition to the United States where he faces decades in jail.

Now, think of the flamboyant Dotcom what you will. Then feel relieved for the admin of YTS, who by many accounts is a thoroughly nice guy and has somehow managed to save his own skin, despite providing much of the content for global phenomenon Popcorn Time.

But then try to get a handle on how differently these two people are being treated after allegedly committing roughly the same offenses in exactly the same country. One case is still dragging on after almost four years, with tens of millions spent on lawyers and no end in sight. The other was a done deal inside four weeks.

Earlier this week TorrentFreak spoke with Kim Dotcom who told us he’d been following the YTS story in the media. Intrigued, we wanted to know – how does it feel to be raked over the coals for close to four years, have all your property seized, face extradition and decades in jail, while someone just up the road can walk away relatively unscathed from what would’ve been a slam-dunk case for the MPAA?

“It’s a double standard isn’t it?” Dotcom told TF.

“I think our case has chilled law enforcement and Hollywood against pursuing the criminal route in cases such as this. Quick civil settlements seem to be the new way to go.”

Dotcom may well be right and the fact that New Zealand already has a massive headache because of his case may well have been a factor in the decision not to make a huge example of the YTS operator. At the moment no one is talking though, and it’s entirely possible that no one ever will.

That makes a case like this all the more unsettling. Are we witnessing Hollywood’s ability to switch on a massive overseas law enforcement response in one case and then reel in the United States government in another? It’s worth saying again – YTS was a ‘notorious market’ in the eyes of the USTR yet apparently that be dealt with privately these days.

But with all that being said, it is quite possible that the U.S. government has learned lessons from its heavy-handed actions in 2012 and doesn’t want to repeat them again, least of all in New Zealand, a country whose judges must be growing tired of the Dotcom debacle.

“As the DOJ admitted the Megaupload case is a test case. The test isn’t going well for them,” Dotcom concludes.

And for that the guy behind YTS must be thanking his lucky stars.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Schneier on Security: The Rise of Political Doxing

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week, CIA director John O. Brennan became the latest victim of what’s become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive.

It’s called doxing­ — sometimes doxxing­ — from the word “documents.” It emerged in the 1990s as a hacker revenge tactic, and has since been as a tool to harass and intimidate people on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying “I know a lot about you­ — like where you live and work.” Victims of doxing talk about the fear that this tactic instills. It’s very effective, by which I mean that it’s horrible.

Brennan’s doxing was slightly different. Here, the attacker had a more political motive. He wasn’t out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press. This doxing was a political act, and we’re seeing this kind of thing more and more.

Last year, the government of North Korea allegedly did this to Sony. Hackers the FBI believes were working for North Korea broke into the company’s networks, stole a huge amount of corporate data, and published it. This included unreleased movies, financial information, company plans, and personal e-mails. The reputational damage to the company was enormous; the company estimated the cost at $41 million.

In July, hackers stole and published sensitive documents from the cyberweapons arms manufacturer Hacking Team. That same month, different hackers did the same thing to the infidelity website Ashley Madison. In 2014, hackers broke into the iCloud accounts of over 100 celebrities and published personal photographs, most containing some nudity. In 2013, Edward Snowden doxed the NSA.

These aren’t the first instances of politically motivated doxing, but there’s a clear trend. As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we’re going to see a lot more of it.

On the Internet, attack is easier than defense. We’re living in a world where a sufficiently skilled and motivated attacker will circumvent network security. Even worse, most Internet security assumes it needs to defend against an opportunistic attacker who will attack the weakest network in order to get­ — for example­ — a pile of credit card numbers. The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new. And it’s even harder to defend against.

What this means is that we’re going to see more political doxing in the future, against both people and institutions. It’s going to be a factor in elections. It’s going to be a factor in anti-corporate activism. More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

Of course they won’t all be doxed, but some of them will. Some of them will be doxed directly, like Brennan. Some of them will be inadvertent victims of a doxing attack aimed at a company where their information is stored, like those celebrities with iPhone accounts and every customer of Ashley Madison. Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

In the end, doxing is a tactic that the powerless can effectively use against the powerful. It can be used for whistleblowing. It can be used as a vehicle for social change. And it can be used to embarrass, harass, and intimidate. Its popularity will rise and fall on this effectiveness, especially in a world where prosecuting the doxers is so difficult.

There’s no good solution for this right now. We all have the right to privacy, and we should be free from doxing. But we’re not, and those of us who are in the public eye have no choice but to rethink our online data shadows.

This essay previously appeared on Vice Motherboard.

Darknet - The Darkside: FBI Recommends Crypto Ransomware Victims Just Pay

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Crypto ransomware is a type of malware that holds you ransom by encrypting your files and has been around for a while, but the FBI recently said at a cyber security summit that they advise companies that fall victim just to pay. Such malware tends to use pretty strong encryption algorithms like RSA-2048, which you […]

The post FBI Recommends…

Read the full post at

Krebs on Security: Cybersecurity Information (Over)Sharing Act?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.

Up for consideration by the full Senate this week is the Cybersecurity Information Sharing Act (CISA), a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime. The Wall Street Journal and The Washington Post each recently published editorials in support of the bill.

“The idea behind the legislation is simple: Let private businesses share information with each other, and with the government, to better fight an escalating and constantly evolving cyber threat,” the WSJ said in an editorial published today (paywall). “This shared data might be the footprint of hackers that the government has seen but private companies haven’t. Or it might include more advanced technology that private companies have developed as a defense.”

“Since hackers can strike fast, real-time cooperation is essential,” the WSJ continued. “A crucial provision would shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another. Democrats had long resisted this legal safe harbor at the behest of plaintiffs lawyers who view corporate victims of cyber attack as another source of plunder.”

The Post’s editorial dismisses “alarmist claims [that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”:

“The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security,” the Post concluded. “Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are “advancing in scope and complexity.”

But critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.

CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”

CDT warns that CISA risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity. Moreover, CDT says, CISA will likely introduce unintended consequences:

“It trumps all law in authorizing companies to share user Internet communications and data that qualify as ‘cyber threat indicators,’ [and] does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.”


On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer. We read constantly about breaches at major corporations in which the attackers were found to have been inside of the victim’s network for months or years on end before the organization discovered that it was breached (or, more likely, they were notified by law enforcement officials or third-party security firms).

If only there were an easier way, we are told, for companies to share so-called “indicators of compromise” — Internet addresses or malicious software samples known to be favored by specific cybercriminal groups, for example — such breaches and the resulting leakage of consumer data and corporate secrets could be detected and stanched far more quickly.

In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today. While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth. And this yawning gap in awareness and understanding is evident by the sheer number of breaches announced each week.

Far too many organizations have trouble seeing the value of investing in cybersecurity until it is too late. Even then, breached entities will often seek out shiny new technologies or products that they perceive will help detect and prevent the next breach, while overlooking the value of investing in talented cybersecurity professionals to help them make sense of what all this technology is already trying to tell them about the integrity and health of their network and computing devices.

One of the more stunning examples of this comes from a depressingly static finding in the annual data breach reports published by Verizon Enterprise, a company that helps victims of cybercrime respond to and clean up after major data breaches. Every year, Verizon produces an in-depth report that tries to pull lessons out of dozens of incidents it has responded to in the previous year. It also polls dozens of law enforcement agencies worldwide for their takeaways from investigating cybercrime incidents.

The depressingly static stat is that in a great many of these breaches, the information that could have tipped companies off to a breach much sooner was already collected by the breached organization’s various cybersecurity tools; the trouble was, the organization lacked the human resources needed to make sense of all this information.

We all want the enormous benefits that technology and the Internet can bring, but all too often we are unwilling to face just how dependent we have become on technology. We embrace and extoll these benefits, but we routinely fail to appreciate how these tools can be used against us. We want the benefits of it all, but we’re reluctant to put in the difficult and very often unsexy work required to make sure we can continue to make those benefits work for us.

The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches. Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.

Having read through the proposed CISA bill and its myriad amendments, I’m left with an impression perhaps best voiced in a letter sent earlier this week to the bill’s sponsors by nearly two-dozen academics. The coalition of professors charged that CISA is an example of the classic “let’s do something law” from a Congress that is under intense pressure to respond to a seemingly never-ending parade of breaches across the public and private sectors.

Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”

“CISA creates new law in the wrong places,” the letter concluded. “For example, as the attached letter indicates, security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction.”

Further reading: Independent national security journalist Marcy Wheeler’s take at

Errata Security: Ethics of killing Hitler

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The NYTimes asks us: if we could go back in time and kill Hitler as a baby, would we do it? There’s actually several questions here: emotional, moral, and ethical. Consider a rephrasing of the question to focus on the emotional question: could you kill a baby, even if you knew it would grow up and become Hitler?

But it’s the ethical question that comes up the most often, and it has real-world use. It’s pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA’s mass surveillance of Americans?

I point this out because my ethical response is “yes, and go to jail”. The added “and go to jail” makes it a rare response — lots of people are willing to kill Hitler if they don’t suffer any repercussions.

For me, the hypothetical question is “If you went back in time and killed Hitler, would you go to jail for murder?“. My answer is “yes”. I’d still do my best to lessen the punishment. I’d hire the best lawyer to defend me. It’s just that I would put judgement of my crime or heroism in the hands of others. I would pay the consequences, whatever they were.

Another way of looking at the question is: “If you had a time machine, is killing Hitler the best option?“. Maybe if you sent a hot chick back in time to get Hitler laid as a teenager, he wouldn’t be so angry at the world. Maybe if you went back in time and purchased his crappy paintings, or hired him as an architect, you could steer his life onto another path. Seriously, the time stream is full of butterflies that simply need to flap their wings in order to divert Hitler from genocide.

I point this out because it’s “murder” that is the question, and Hitler is only window dressing.

There is a cybersecurity bill, “CISA”, in front of congress right now that will be voted on next week. But “cybersecurity” is only the window dressing. The tech industry and cybersecurity experts oppose it. Its only supporters are the intelligence community, like the FBI and NSA. It’s really a disguised surveillance bill. Just like people seem uninterested in stopping Hitler through some means other than murder, government is uninterested in stopping hackers through some other means than mass surveillance and a police state.

Anyway, those are my two answers to the “kill Hitler” question. If I had a time machine, my first choice wouldn’t be “murder”. If I did choose “murder”, I’d expect to go to jail for it.

Schneier on Security: Police Want Genetic Data from Corporate Repositories

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Both the FBI and local law enforcement are trying to get the genetic data stored at companies like 23andMe.

No surprise, really.

As NYU law professor Erin Murphy told the New Orleans Advocate regarding the Usry case, gathering DNA information is “a series of totally reasonable steps by law enforcement.” If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.

Schneier on Security: Obama Administration Not Pursuing a Backdoor to Commercial Encryption

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Obama Administration is not pursuing a law that would force computer and communications manufacturers to add backdoors to their products for law enforcement. Sensibly, they concluded that criminals, terrorists, and foreign spies would use that backdoor as well.

Score one for the pro-security side in the Second Crypto War.

It’s certainly not over. The FBI hasn’t given up on an encryption backdoor (or other backdoor access to plaintext) since the early 1990s, and it’s not going to give up now. I expect there will be more pressure on companies, both overt and covert, more insinuations that strong security is somehow responsible for crime and terrorism, and more behind-closed-doors negotiations.

Schneier on Security: Automatic Face Recognition and Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

ID checks were a common response to the terrorist attacks of 9/11, but they’ll soon be obsolete. You won’t have to show your ID, because you’ll be identified automatically. A security camera will capture your face, and it’ll be matched with your name and a whole lot of other information besides. Welcome to the world of automatic facial recognition. Those who have access to databases of identified photos will have the power to identify us. Yes, it’ll enable some amazing personalized services; but it’ll also enable whole new levels of surveillance. The underlying technologies are being developed today, and there are currently no rules limiting their use.

Walk into a store, and the salesclerks will know your name. The store’s cameras and computers will have figured out your identity, and looked you up in both their store database and a commercial marketing database they’ve subscribed to. They’ll know your name, salary, interests, what sort of sales pitches you’re most vulnerable to, and how profitable a customer you are. Maybe they’ll have read a profile based on your tweets and know what sort of mood you’re in. Maybe they’ll know your political affiliation or sexual identity, both predictable by your social media activity. And they’re going to engage with you accordingly, perhaps by making sure you’re well taken care of or possibly by trying to make you so uncomfortable that you’ll leave.

Walk by a policeman, and she will know your name, address, criminal record, and with whom you routinely are seen. The potential for discrimination is enormous, especially in low-income communities where people are routinely harassed for things like unpaid parking tickets and other minor violations. And in a country where people are arrested for their political views, the use of this technology quickly turns into a nightmare scenario.

The critical technology here is computer face recognition. Traditionally it has been pretty poor, but it’s slowly improving. A computer is now as good as a person. Already Google’s algorithms can accurately match child and adult photos of the same person, and Facebook has an algorithm that works by recognizing hair style, body shape, and body language ­- and works even when it can’t see faces. And while we humans are pretty much as good at this as we’re ever going to get, computers will continue to improve. Over the next years, they’ll continue to get more accurate, making better matches using even worse photos.

Matching photos with names also requires a database of identified photos, and we have plenty of those too. Driver’s license databases are a gold mine: all shot face forward, in good focus and even light, with accurate identity information attached to each photo. The enormous photo collections of social media and photo archiving sites are another. They contain photos of us from all sorts of angles and in all sorts of lighting conditions, and we helpfully do the identifying step for the companies by tagging ourselves and our friends. Maybe this data will appear on handheld screens. Maybe it’ll be automatically displayed on computer-enhanced glasses. Imagine salesclerks ­- or politicians ­- being able to scan a room and instantly see wealthy customers highlighted in green, or policemen seeing people with criminal records highlighted in red.

Science fiction writers have been exploring this future in both books and movies for decades. Ads followed people from billboard to billboard in the movie Minority Report. In John Scalzi’s recent novel Lock In, characters scan each other like the salesclerks I described above.

This is no longer fiction. High-tech billboards can target ads based on the gender of who’s standing in front of them. In 2011, researchers at Carnegie Mellon pointed a camera at a public area on campus and were able to match live video footage with a public database of tagged photos in real time. Already government and commercial authorities have set up facial recognition systems to identify and monitor people at sporting events, music festivals, and even churches. The Dubai police are working on integrating facial recognition into Google Glass, and more US local police forces are using the technology.

Facebook, Google, Twitter, and other companies with large databases of tagged photos know how valuable their archives are. They see all kinds of services powered by their technologies ­ services they can sell to businesses like the stores you walk into and the governments you might interact with.

Other companies will spring up whose business models depend on capturing our images in public and selling them to whoever has use for them. If you think this is farfetched, consider a related technology that’s already far down that path: license-plate capture.

Today in the US there’s a massive but invisible industry that records the movements of cars around the country. Cameras mounted on cars and tow trucks capture license places along with date/time/location information, and companies use that data to find cars that are scheduled for repossession. One company, Vigilant Solutions, claims to collect 70 million scans in the US every month. The companies that engage in this business routinely share that data with the police, giving the police a steady stream of surveillance information on innocent people that they could not legally collect on their own. And the companies are already looking for other profit streams, selling that surveillance data to anyone else who thinks they have a need for it.

This could easily happen with face recognition. Finding bail jumpers could even be the initial driving force, just as finding cars to repossess was for license plate capture.

Already the FBI has a database of 52 million faces, and describes its integration of facial recognition software with that database as “fully operational.” In 2014, FBI Director James Comey told Congress that the database would not include photos of ordinary citizens, although the FBI’s own documents indicate otherwise. And just last month, we learned that the FBI is looking to buy a system that will collect facial images of anyone an officer stops on the street.

In 2013, Facebook had a quarter of a trillion user photos in its database. There’s currently a class-action lawsuit in Illinois alleging that the company has over a billion “face templates” of people, collected without their knowledge or consent.

Last year, the US Department of Commerce tried to prevail upon industry representatives and privacy organizations to write a voluntary code of conduct for companies using facial recognition technologies. After 16 months of negotiations, all of the consumer-focused privacy organizations pulled out of the process because industry representatives were unable to agree on any limitations on something as basic as nonconsensual facial recognition.

When we talk about surveillance, we tend to concentrate on the problems of data collection: CCTV cameras, tagged photos, purchasing habits, our writings on sites like Facebook and Twitter. We think much less about data analysis. But effective and pervasive surveillance is just as much about analysis. It’s sustained by a combination of cheap and ubiquitous cameras, tagged photo databases, commercial databases of our actions that reveal our habits and personalities, and ­- most of all ­- fast and accurate face recognition software.

Don’t expect to have access to this technology for yourself anytime soon. This is not facial recognition for all. It’s just for those who can either demand or pay for access to the required technologies ­- most importantly, the tagged photo databases. And while we can easily imagine how this might be misused in a totalitarian country, there are dangers in free societies as well. Without meaningful regulation, we’re moving into a world where governments and corporations will be able to identify people both in real time and backwards in time, remotely and in secret, without consent or recourse.

Despite protests from industry, we need to regulate this budding industry. We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used. The technologies aren’t going away, and we can’t uninvent these capabilities. But we can ensure that they’re used ethically and responsibly, and not just as a mechanism to increase police and corporate power over us.

This essay previously appeared on

EDITED TO ADD: Two articles that say much the same thing.

Krebs on Security: Scottrade Breach Hits 4.6 Million Customers

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Welcome to Day 2 of Cybersecurity (Breach) Awareness Month! Today’s awareness lesson is brought to you by retail brokerage firm Scottrade Inc., which just disclosed a breach involving contact information and possibly Social Security numbers on 4.6 million customers.

scottradeIn an email sent today to customers, St. Louis-based Scottrade said it recently heard from federal law enforcement officials about crimes involving the theft of information from Scottrade and other financial services companies.

“Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system,” the email notice reads. “Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.”

The notice said that although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, “it appears that contact information was the focus of the incident.” The company said the unauthorized access appears to have occurred over a period between late 2013 and early 2014.

Asked about the context of the notification from federal law enforcement officials, Scottrade spokesperson Shea Leordeanu said the company couldn’t comment on the incident much more than the information included in its Web site notice about the attack. But she did say that Scottrade learned about the data theft from the FBI, and that the company is working with agents from FBI field offices in Atlanta and New York. FBI officials could not be immediately reached for comment.

It may well be that the intruders were after Scottrade user data to facilitate stock scams, and that a spike in spam email for affected Scottrade customers will be the main fallout from this break-in.

In July 2015, prosecutors in Manhattan filed charges against five people — including some suspected of having played a role in the 2014 breach at JPMorgan Chase that exposed the contact information on more than 80 million consumers. The authorities in that investigation said they suspect that group sought to use email addresses stolen in the JPMorgan hacking to further stock manipulation schemes involving spam emails to pump up the price of otherwise worthless penny stocks.

Scottrade said despite the fact that it doesn’t believe Social Security numbers were stolen, the company is offering a year’s worth of free credit monitoring services to affected customers. Readers who are concerned about protecting their credit files from identity thieves should read How I Learned to Stop Worrying and Embrace the Security Freeze.

AWS Security Blog: Learn About the Rest of the Security and Compliance Track Sessions Being Offered at re:Invent 2015

This post was syndicated from: AWS Security Blog and was written by: Craig Liebendorfer. Original post: at AWS Security Blog

Previously, I mentioned that the re:Invent 2015 Security & Compliance track sessions had been announced, and I also discussed the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.

Today, I will highlight the remainder of the sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent 2015, you can add these sessions to your schedule now. If you won’t be attending re:Invent in person this year, keep in mind that all sessions will be available on YouTube (video) and SlideShare (slide decks) after the conference.


SEC314: Full Configuration Visibility and Control with AWS Config

With AWS Config, you can discover what is being used on AWS, understand how resources are configured and how their configurations changed over time—all without disrupting end-user productivity on AWS. You can use this visibility to assess continuous compliance with best practices, and integrate with IT service management, configuration management, and other ITIL tools. In this session, AWS Senior Product Manager Prashant Prahlad will discuss:

  • Mechanisms to aggregate this deep visibility to gain insights into your overall security and operational posture.
  • Ways to leverage notifications from the service to stay informed, trigger workflows, or graph your infrastructure.
  • Integrating AWS Config with ticketing and workflow tools to help you maintain compliance with internal practices or industry guidelines.
  • Aggregating this data with other configuration management tools to move toward a single source of truth solution for configuration management.

This session is best suited for administrators and developers with a focus on audit, security, and compliance.

SEC318: AWS CloudTrail Deep Dive

Ever wondered how can you find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn from AWS Senior Product Manager Sivakanth Mundru how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.

We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications, when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files.

SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR

Do you want to analyze AWS CloudTrail events within minutes of them arriving in your Amazon S3 bucket? Would you like to learn how to run expressive queries over your CloudTrail logs? AWS Senior Security Engineer Will Kruse will demonstrate Apache Spark and Apache Spark Streaming as two tools to analyze recent and historical security logs for your accounts. To do so, we will use Amazon Elastic MapReduce (EMR), your logs stored in S3, and Amazon SNS to generate alerts. With these tools at your fingertips, you will be the first to know about security events that require your attention, and you will be able to quickly identify and evaluate the relevant security log entries.


SEC306: Defending Against DDoS Attacks

In this session, AWS Operations Manager Jeff Lyon and AWS Software Development Manager Andrew Kiggins will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:

  • DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
  • What AWS does to protect our services from these attacks.
  • How this all relates to the AWS Shared Responsibility Model.

Incident Response

SEC308: Wrangling Security Events in the Cloud

Have you prepared your AWS environment for detecting and managing security-related events? Do you have all the incident response training and tools you need to rapidly respond to, recover from, and determine the root cause of security events in the cloud? Even if you have a team of incident response rock stars with an arsenal of automated data acquisition and computer forensics capabilities, there is likely a thing or two you will learn from several step-by-step demonstrations of wrangling various potential security events within an AWS environment, from detection to response to recovery to investigating root cause. At a minimum, show up to find out who to call and what to expect when you need assistance with applying your existing, already awesome incident response runbook to your AWS environment. Presenters are AWS Principal Security Engineer Don “Beetle” Bailey and AWS Senior Security Consultant Josh Du Lac.

SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)

Using Security Incident Response Simulations (SIRS—also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, AWS Senior Technical Program Manager Jonathan Miller and AWS Global Security Architect Armando Leite will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

Key Management

SEC301: Strategies for Protecting Data Using Encryption in AWS

Protecting sensitive data in the cloud typically requires encryption. Managing the keys used for encryption can be challenging as your sensitive data passes between services and applications. AWS offers several options for using encryption and managing keys to help simplify the protection of your data at rest. In this session, AWS Principal Product Manager Ken Beer and Adobe Systems Principal Scientist Frank Wiebe will help you understand which features are available and how to use them, with emphasis on AWS Key Management Service and AWS CloudHSM. Adobe Systems Incorporated will present their experience using AWS encryption services to solve data security needs.

SEC401: Encryption Key Storage with AWS KMS at Okta

One of the biggest challenges in writing code that manages encrypted data is developing a secure model for obtaining keys and rotating them when an administrator leaves. AWS Key Management Service (KMS) changes the equation by offering key management as a service, enabling a number of security improvements over conventional key storage methods. Okta Senior Software Architect Jon Todd will show how Okta uses the KMS API to secure a multi-region system serving thousands of customers. This talk is oriented toward developers looking to secure their applications and simplify key management.

Overall Security

SEC201: AWS Security State of the Union

Security must be at the forefront for any online business. At AWS, security is priority number one. AWS Vice President and Chief Information Security Officer Stephen Schmidt will share his insights into cloud security and how AWS meets customers’ demanding security and compliance requirements—and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in the government, space exploration, research, and financial services organizations, will share an industry perspective that’s unique and invaluable for today’s IT decision makers.

SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud

Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.

In this session, Sumo Logic VP of Security/CISO Joan Pepin will cover:

  • Key market drivers and advantages for leveraging cloud architectures.
  • Foundational design principles to guide strategy for securely leveraging the cloud.
  • The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
  • Real-world customer insights from organizations who have successfully adopted the "Defense in Depth" approach.

Session sponsored by Sumo Logic.

SEC203: Journey to Securing Time Inc’s Move to the Cloud

Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy. 

Who should attend: InfoSec and IT management. Session sponsored by Alert Logic.

SEC303: Architecting for End-to-End Security in the Enterprise

This session will tell the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, AWS Principal Consultant Hart Rossman and AWS Principal Security Solutions Architect Bill Shinn will share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads

CSC Director of Global Cloud Portfolio Kyle Falkenhagen will demonstrate enterprise policy, governance, and security products to deploy and manage enterprise and industry applications AWS.  CSC will demonstrate automated provisioning and management of big data platforms and industry specific enterprise applications with automatically provisioned secure network connectivity from the datacenter to AWS over layer 2 routed AT&T Netbond (provides AWS DirectConnect access) connection.  CSC will also demonstrate how applications blueprinted on CSC’s Agility Platform can be re-hosted on AWS in minutes or re-instantiated across multiple AWS regions. CSC will also demonstrate how CSC can provide agile and consumption-based endpoint security for workloads in any cloud or virtual infrastructure, providing enterprise management and 24×7 monitoring of workload compliance, vulnerabilities, and potential threats.

Session sponsored by CSC.

SEC402: Enterprise Cloud Security via DevSecOps 2.0

Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we’ve learned quite a bit more about running sensitive workloads in AWS.

We’ve evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit DevSecOps Leader Shannon Lietz and AWS Senior Security Consultant Matt Bretan to learn about second-year lessons and see how DevSecOps is evolving. We’ve built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.

Security Architecture

SEC205: Learn How to Hackproof Your Cloud Using Native AWS Tools

The cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, autoscaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats. And AWS provides powerful tools that enable users to confidently overcome these challenges.

In this session, CloudCheckr Founder and CTO Aaron Newman will discuss leveraging native AWS tools as he covers topics including:

  • Minimizing attack vectors and surface area.
  • Conducting perimeter assessments of your virtual private clouds (VPCs).
  • Identifying internal vs. external threats.
  • Monitoring threats.
  • Reevaluating intrusion detection, activity monitoring, and vulnerability assessment in AWS.

Session sponsored by CloudCheckr.

Enjoy re:Invent!

– Craig

Krebs on Security: With Stolen Cards, Fraudsters Shop to Drop

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.

Many retailers long ago stopped allowing direct shipments of consumer goods from the United States to Russia and Eastern Europe, citing the high rate of fraudulent transactions for goods destined to those areas. As a result, fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators essentially split the profits from merchandise ordered with stolen credit and debit cards.

Source: Drops for Stuff research paper.

Source: Drops for Stuff research paper.

Much of the insight in this story comes from a study released last week called “Drops for Stuff: An Analysis of Reshipping Mule Scams,” which has multiple contributors (including this author). To better understand reshipping scheme, it helps to have a quick primer on the terminology thieves use to describe different actors in the scam.

The “operator” of the reshipping service specializes in recruiting “reshipping mules” or “drops” — essentially unwitting consumers in the United States who are enlisted through work-at-home job scams and promised up to $2,500 per month salary just for receiving and reshipping packages.

In practice, virtually all drops are cut loose after approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, the operator must be constantly recruiting new drops.

The operator sells access to his stable of drops to card thieves, also known as “stuffers.” The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive the packages, the stuffers provide them with prepaid shipping labels that the mules will use to ship the packages to the stuffers themselves. After they receive the packaged relayed by the drops, the stuffers then sell the products on the local black market.

The shipping service operator will either take a percentage cut (up to 50 percent) where stuffers pay a portion of the product’s retail value to the site operator as the reshipping fee. On the other hand, those operations that target lower-priced products (clothing, e.g.) may simply charge a flat-rate fee of $50 to $70 per package. Depending on the sophistication of the reshipping service, stuffers can either buy shipping labels directly from the service — generally at a volume discount — or provide their own [for a discussion of ancillary criminal services that resell stolen USPS labels purchased wholesale, check out this story from 2014].

The researchers found that reshipping sites typically guarantee a certain level of customer satisfaction for successful package delivery, with some important caveats. If a drop who is not marked
as problematic embezzles the package, reshipping sites offer free shipping for the next package or pay up to 15% of the item’s value as compensation to stuffers (e.g., as compensation for “burning” the
credit card or the already-paid reshipping label).

However, in cases where the authorities identify the drop and intercept the package, the reshipping
sites provide no compensation — it calls these incidents “acts of God” over which it has no control.

“For a premium, stuffers can rent private drops that no other stuffers will have access to,” the researchers wrote. “Such private drops are presumably more reliable and are shielded from interference by other stuffers and, in turn, have a reduced risk to be discovered (hence, lower risk of losing packages).”


One of the key benefits of cashing out stolen cards using a reshipping service is that many luxury consumer goods that are typically bought with stolen cards — gaming consoles, iPads, iPhones and other Apple devices, for instance — can be sold in Russia for a 30 percent to 5o percent markup on top of the original purchase price, allowing the thieves to increase their return on each stolen card.

shopFor example, an Apple MacBook selling for 1,000 US dollars in the United States typically retails for for about 1,400 US dollars in Russia because a variety of customs duties, taxes and other fees increase their price.

It’s not hard to see how this can become a very lucrative form of fraud for everyone involved (except the drops). According to the researchers, the average damage from a reshipping scheme per cardholder is $1, 156.93. In this case, the stuffer buys a card off the black market for $10, turns around and purchases more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The study examined the inner workings of seven different reshipping services over a period of five years, from 2010 to 2015, and involved data shared by the FBI and the U.S. Postal Investigative Service. The analysis showed that at least 85 percent of packages being reshipped via these schemes were being sent to Moscow or to the immediate surrounding areas of Moscow.

The researchers wrote that “although it is often impossible to apprehend criminals who are abroad, the patterns of reshipping destinations can help to intercept the international shipping packages beforethey leave the country, e.g., at an USPS International Service Center. Focusing inspection efforts on the packages destined to the stuffers’ prime destination cities can increase the success of intercepting items from reshipping scams.”

The research team wrote that disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service  can earn a yearly revenue of over 7.3 million US dollars, most of which is profit.

A copy of the full paper is available here (PDF).

Krebs on Security: Bidding for Breaches, Redefining Targeted Attacks

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.

A good example of this until recently could be found at a secretive online forum called “Enigma,” a now-defunct community that was built as kind of eBay for data breach targets. Vetted users on Enigma were either bidders or buyers — posting requests for data from or access to specific corporate targets, or answering such requests with a bid to provide the requested data. The forum, operating on the open Web for months until recently, was apparently scuttled when the forum administrators (rightly) feared that the community had been infiltrated by spies.

The screen shot below shows several bids on Enigma from March through June 2015, requesting data and services related to HSBC UK, Citibank, Air Berlin and Bank of America:

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

One particularly active member, shown in the screen shot above and the one below using the nickname “Demander,” posts on Jan. 10, 2015 that he is looking for credentials from Cisco and that the request is urgent (it’s unclear from the posting whether he’s looking for access to Cisco Corp. or simply to a specific Cisco router). Demander also was searching for services related to Bank of America ATMs and unspecified data or services from Wells Fargo.

More bids on Enigma forum for services.

More bids on Enigma forum for services, data, and access to major corporations.

Much of the information about Enigma comes from Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies. The employees at Jolles’ firm are all former members of Shin Bet, a.k.a. the Israel Security Agency/General Security Service — Israel’s counterespionage and counterterrorism agency, and similar to the British MI5 or the American FBI. The firm’s namesake comes from its founder, Yuval Diskin, who headed Shin Bet from 2005 to 2011.

“On Enigma, members post a bid and call on people to attack certain targets or that they are looking for certain databases for which they are willing to pay,” Jolles said. “And people are answering it and offering their merchandise.”

Those bids can take many forms, Jolles said, from requests to commit a specific cyberattack to bids for access to certain Web servers or internal corporate networks.

“I even saw bids regarding names of people who could serve as insiders,” she said. “Lists of people who might be susceptible to being recruited or extorted.”

Many experts believe the breach that exposed tens of millions user accounts at — an infidelity site that promises to hook up cheating spouses — originated from or was at least assisted by an insider at the company. Interestingly, on June 25, 2015 — three weeks before news of the breach broke — a member on a related secret data-trading forum called the “Gentlemen’s Club” solicits “data and service” related to AshleyMadison, saying “Don’t waste time if you don’t know what I’m talking about. Big job opportunity.”

On June 26, 2015, a forum member named "Diablo" requests data and services related to

On June 26, 2015, a “Gentlemen’s Club” forum member named “Diablo” requests data and services related to

Cybercrime forums like Enigma vet new users and require non-refundable deposits of virtual currency (such as Bitcoin). More importantly, they have strict rules: If the forum administrators notice you’re not trading with others on the forum, you’ll soon be expelled from the community. This policy means that users who are not actively involved in illicit activities — such as buying or selling access to hacked resources — aren’t allowed to remain on the board for long.


In some respects, the above-mentioned forums — as exclusive as they appear to be — are a logical extension of cybercrime forum activity that has been maturing for more than a decade.

As I wrote in my book, Spam Nation: The Inside Story of Organized Cyber Crime — From Global Epidemic to Your Front Door, “crime forums almost universally help lower the barriers to entry for would-be cybercriminals. Crime forums offer crooks with disparate skills a place to market and test their services and wares, and in turn to buy ill-gotten goods and services from others.”

globeauthThe interesting twist with forums like Enigma is that they focus on connecting miscreants seeking specific information or access with those who can be hired to execute a hack or supply the sought-after information from a corpus of already-compromised data. Based on her interaction with other buyers and sellers on these forums, Jolles said a great many of the requests for services seem to be people hiring others to conduct spear-phishing attacks — those that target certain key individuals within companies and organizations.

“What strikes me the most about these forums is the obvious use of spear-phishing attacks, the raw demand for people who know how to map targets for phishing, and the fact that so many people are apparently willing to pay for it,” Jolles said. “It surprises me how much people are willing to pay for good fraudsters and good social engineering experts who are hooking the the bait for phishing.”

Jolles believes Enigma and similar bid-and-ask forums are helping to blur international and geographic boundaries between attackers responsible for stealing the data and those who seek to use it for illicit means.

“We have seen an attack be committed by an Eastern European gang, for example, and the [stolen] database will eventually get to China,” Jolles said. “In this data-trading arena, the boundaries are getting warped within it. I can be a state-level buyer, while the attackers will be eastern European criminals.”


Jolles said she began digging deeper into these forums in a bid to answer the question of what happens to what she calls the “missing databases.” Avivah Litan, a fraud analyst with Gartner Inc., wrote about Jolles’ research in July 2015, and explained it this way:

“Where has all the stolen data gone and how is it being used? 

We have all been bombarded by weekly, if not daily reports of breaches and theft of sensitive personal information at organizations such as Anthem, JP Morgan Chase and OPM. Yet, despite the ongoing onslaught of reported breaches (and we have to assume that only the sloppy hackers get caught and that the reported breaches are just a fraction of the total breach pie) – we have not seen widespread identity theft or personal damage inflicted from these breaches.

Have any of you heard of direct negative impacts from these thefts amongst your friends, family, or acquaintances? I certainly have not.

Jolles said a good example of a cybercriminal actor who helps to blur the typical geographic lines in cybercrime is a mysterious mass-purchaser of stolen data known to many on Enigma and other such forums by a number of nicknames, including “King,” but most commonly “The Samurai.”

“According to what I can understand so far, this was a nickname was given to him and not one he picked himself,” Jolles said. “He is looking for any kind of large volumes of stolen data. Of course, I am getting my information from people who are actually trading with him, not me trading with him directly. But they all say he will buy it and pay immediately, and that he is from China.”

What other clues are there that The Samurai could be affiliated with a state-sponsored actor? Jolles said this actor pays immediately for good, verifiable databases, and generally doesn’t haggle over the price.

“People think he’s Chinese, that he’s government because the way he pays,” Jolles said. “He pays immediately and he’s not negotiating.”

The Samurai may be just some guy in a trailer park in the middle of America, or an identity adopted by a group of individuals, for all I know. Alternatively, he could be something of a modern-day Keyser Söze, a sort of virtual boogeyman who gains mythical status among investigators and criminals alike.

Nevertheless, new forums like The Gentlemen’s Club and Enigma are notable because they’re changing the face of targeted attacks, building crucial bridges between far-flung opportunistic hackers, hired guns and those wishing to harness those resources.

TorrentFreak: Kim Dotcom Denied Fresh Bid to Delay U.S. Extradition Hearing

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Monday morning, Kim Dotcom arrived at court dressed in his trademark black attire. After ten delays the hearing to determine whether the Megaupload founder will be extradited to the United States on copyright infringement charges got underway.

Almost immediately the case became bogged down in legal argument, with the defense insisting that various submissions should be heard before the extradition hearing gathered full steam. Due to Dotcom’s funds being seized by the FBI, unfair restrictions had been placed on the ability to mount a defense, they argued.

Christine Gordon QC, countering for the Crown, said that the claims of Dotcom’s team were “speculative” and would only serve to delay proceedings by several weeks. Any applications should be part of the main hearing or included at trial in the United States, Gordon argued.

This morning Judge Nevin Dawson handed down his decision and it represents an early setback for Dotcom and his former Megaupload colleagues.

“The interlocutory applications now before the Court are such that they would best be heard and considered by the Court during the eligibility hearing as they are largely contextual in nature,” Judge Dawson begins.

“The Court would be better placed to rule on these applications, having had the benefit of hearing the evidence of the eligibility hearing.”

Judge Dawson said that all matters would be fully heard and both parties would have a right of appeal in the event they were dissatisfied with the outcome.

“If [Dotcom et al] are successful in their applications that might lead to an adjournment or conclusion of the hearing. The respondents would suffer no prejudice if either of these outcomes should come about. All parties ultimately have their rights of appeal,” Judge Dawson concludes.

The eligibility hearing will now go ahead on Thursday morning.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

TorrentFreak: FBI Seizes Domains Of Two Pre-Release Music Sites

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

sharebeastAs efforts to hinder file-sharing sites gather pace around the world, in Europe in particular, criminal actions in the U.S. remain relatively rare.

Home to the very Hollywood studios and major recording labels pressing for tough measures elsewhere, the United States has taken somewhat of a backseat, with only sporadic criminal actions to report in the past few years.

This past Friday, however, U.S. authorities say they took action against a pair of sites involved in music piracy. According to the RIAA, and were responsible for the distribution of “a massive library” of popular albums and tracks. Notably, the sites are blamed for offering “thousands of songs” that hadn’t yet enjoyed their official release.

On Friday, U.S. Department of Justice (DOJ) seizure notices appeared on both sites, suggesting that the authorities concluded that immediate domain seizures were required to bring ongoing copyright infringement to an end.


According to the RIAA, ShareBeast was the largest illegal file-sharing site operating in the United States and recent IP addresses do suggest that at some point the file-hosting site was hosted in Illinois.

However, when compared to other household file-sharing names the site’s traffic stats were pretty modest. In fact, as can be seen from the chart below, the site had been on a serious decline for some months already.


Nevertheless, the RIAA says that it reported more than 100,000 infringing files to the service for takedown. That sounds like a reasonable assessment since the music industry group filed a similar number of complaints (118,000) with Google over the past couple of years. When all rightsholders are taken into consideration, complaints about ShareBeast averaged around 36,000 URLs per week.

In traffic terms, alleged sister site AlbumJams has never been significant. It reached the dizzy heights of 45,000th most popular site in January but almost completely dropped off the radar in May. According to Alexa it is now the 8,545,925th most popular site in the world.

“This is a huge win for the music community and legitimate music services. Sharebeast operated with flagrant disregard for the rights of artists and labels while undermining the legal marketplace,” commented RIAA Chairman & CEO Cary Sherman.

“Millions of users accessed songs from Sharebeast each month without one penny of compensation going to countless artists, songwriters, labels and others who created the music.”

The RIAA thanked the FBI and Department of Justice for its “strong stand” against Sharebeast but stopped short of commenting on what has happened to the site’s alleged operator. There has been no official statement concerning any arrests or any indication that the site was run from within the United States.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Schneier on Security: FBI and Apple’s Encryption

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The New York Times is reporting that Apple encryption is hampering an FBI investigation:

In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones.

Apple’s response: Its iMessage system was encrypted and the company could not comply.

Government officials had warned for months that this type of standoff was inevitable as technology companies like Apple and Google embraced tougher encryption. The case, coming after several others in which similar requests were rebuffed, prompted some senior Justice Department and F.B.I. officials to advocate taking Apple to court, several current and former law enforcement officials said.

While that prospect has been shelved for now, the Justice Department is engaged in a court dispute with another tech company, Microsoft.

Several people have asked me in e-mail if this is the case I was referrring to here:

There’s a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly — and they’re losing. This might explain Apple CEO Tim Cook’s somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

It’s not. The rumor I am hearing is not about access to a particular user and his communications. It is about general access to iOS data and communications. And it’s in the FISA court, which means that it’s not a domestic criminal matter.

To reiterate: this is a rumor. I have no confirmation. But I know three reporters that are poking around, looking for the story.

Krebs on Security: Arrests Tied to Citadel, Dridex Malware

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. The arrests involved a Russian national and a Moldovan man, both of whom were traveling or residing outside of their native countries and are now facing extradition to the United States.

cuffedLast week, a 30-year-old from Moldova who was wanted by U.S. authorities was arrested in Paphos — a coastal vacation spot in Cyprus where the accused was reportedly staying with his wife. A story in the Cyprus Mail has few other details about the arrest, other than to say authorities believe the man was responsible for more than $3.5 million in bank fraud using a PC.

Sources close to the investigation say the man is a key figure in an organized crime gang responsible for developing and using a powerful banking Trojan known as “Dridex” (a.k.a. Cridex, Bugat). The Dridex gang is thought to have spun off from the “Business Club,” an Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide.

In June 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Business Club’s key asset: The Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs and was used in countless cyberheists. Dridex would first emerge in July 2014, a month after the Gameover Zeus botnet was dismantled.

Separately, the press in Norway writes about a 27-year-old Russian man identified only as “Mark” who was reportedly arrested in the Norwegian town of Fredrikstad at the request of the FBI. The story notes that American authorities believe Mark is the software developer behind Citadel, a malware-as-a-service product that played a key role in countless cyberheists against American and European small businesses.

For example, Citadel was thought to have been the very same malware used to steal usernames and passwords from a Pennsylvania heating and air conditioning vendor; those same stolen credentials were reportedly leveraged in the breach that resulted in the theft of nearly 40 million credit cards from Target Corp. in November and December of 2013.

The Norwegian newspaper VG writes that Mark has been held under house arrest for the past 11 months, while the FBI tries to work out his extradition to the United States. His detention is being fought by Russia, which is naturally opposed to the treatment he may receive in the United States and says the evidence against Mark is scant.

According to VG, the U.S. Justice Department believes Mark is none other than “Aquabox,” the nickname chosen by the proprietor of the Citadel malware, which was created based off of the source code for the ZeuS Trojan malware. Citadel was sold and marketed as a service that let buyers and users interact with the developer and one another, to solicit feedback on how to fix bugs in the malware program, and to request new features in the malware going forward.

For a full translation of the original Citadel sales pitch as penned by Aquabox in 2011, see this link (PDF). For a full translated version of the VG story on Mark, see this PDF (thanks to KrebsOnSecurity reader Jeevan Sivagnanasuntharam for helping with the translation). VG notes that Mark continues to maintain his innocence. [Side note: The Citadel malware has for years had in its code a dig directed at the author of this blog: Included in the guts of the Trojan is the text string, “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Needless to say, the second part of that statement is true, but Citadel was not coded by this Brian Krebs.]

A text string inside of the Citadel trojan. Source: AhnLab

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica carries an interesting piece about Deniss Calovskis, a Latvian man who was arrested in February and extradited to the United States for his role in creating the Gozi virus, another powerful malware family that has been used in countless cyberheists. The 30-year-old Calovskis long maintained his innocence, but ultimately acknowledged his role in a guilty plea entered in a federal court in Manhattan last week.

In August 2013, Calovskis denied being associated with Gozi, and told Latvian a television news station that he was “like a hostage in this situation. I don’t know about the Gozi virus. I haven’t helped any schemers to get money and I haven’t received any,” he told reporters. According to Reuters, Calovskis changed his tune last week.

“I knew what I was doing was against the law,” he reportedly told the court.

Finally, Finnish authorities are holding a Russian man named Maxim Senakh who is accused of committing malware crimes in the United States. Russian news agency RT says the Russian Foreign Ministry has denounced Senakh’s detention as an “illegal practice” and a “witchhunt.” He was reportedly detained on Aug. 8, 2015.

The various media stories in the European press about Senakh’s arrest say he is wanted for cyber crimes allegedly committed against a victim in Minnesota, but beyond that there are few details about the reason behind his arrest. U.S. authorities are currently seeking his extradition to the United States.

Krebs on Security: FBI: $1.2B Lost to Business Email Scams

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.


In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of $179 million in so-called business e-mail compromise (BEC) scams, also known as “CEO fraud.” The latest figures show a marked 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than $1.2 billion, the FBI said.

“The scam has been reported in all 50 states and in 79 countries,” the FBI’s alert notes. “Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “” the thieves might register “” (substituting the letter “L” for the numeral 1) or “,” and send messages from that domain.

Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.

They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit” and “president.”

On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.

Business Email Compromise (BEC) scams are more versatile and adaptive than more traditional malware-based scams.

Business Email Compromise (BEC) scams are more versatile and adaptive than more traditional malware-based scams.

In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from In all cases, however, the “reply-to” address is the spoofed domain (e.g., ensuring that any replies are sent to the fraudster.

The FBI’s numbers would seem to indicate that the average loss per victim is around $100,000. That may be so, but some of the BEC swindles I’ve written about thus far have involved much higher amounts. Earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a BEC scam.

In February, con artists made off with $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

In March 2015, I posted the story Spoofing the Boss Turns Thieves a Tidy Profit, which recounted the nightmarish experience of an Ohio manufacturing firm that came within a whisker of losing $315,000 after an employee received an email she thought was from her boss asking her to wire the money to China to pay for some raw materials.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

Consumers are not immune from these types of scams. According to a related advisory posted the FBI today, in the three months between April 1, 2015 and June 30, 2015, the agency received 21 complaints from consumers who suffered losses of nearly $700,000 after having their inboxes hijacked or spoofed by thieves. The FBI said it identified approximately $14 million in attempted losses associated with open FBI investigations into such crimes against consumers.

Schneier on Security: No-Fly List Uses Predictive Assessments

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The US government has admitted that it uses predictive assessments to put people on the no-fly list:

In a little-noticed filing before an Oregon federal judge, the US Justice Department and the FBI conceded that stopping US and other citizens from travelling on airplanes is a matter of “predictive assessments about potential threats,” the government asserted in May.

“By its very nature, identifying individuals who ‘may be a threat to civil aviation or national security’ is a predictive judgment intended to prevent future acts of terrorism in an uncertain context,” Justice Department officials Benjamin C Mizer and Anthony J Coppolino told the court on 28 May.

“Judgments concerning such potential threats to aviation and national security call upon the unique prerogatives of the Executive in assessing such threats.”

It is believed to be the government’s most direct acknowledgement to date that people are not allowed to fly because of what the government believes they might do and not what they have already done.

When you have a secret process that can judge and penalize people without due process or oversight, this is the kind of thing that happens.

Krebs on Security: Cyberheist Victim Trades Smokes for Cash

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Earlier this month, KrebsOnSecurity featured the exclusive story of a Russian organized cybercrime gang that stole more than $100 million from small to mid-sized businesses with the help of phantom corporations on the border with China. Today, we’ll look at the stranger-than-fiction true tale of an American firm that lost $197,000 in a remarkably similar 2013 cyberheist, only to later recover most of the money after allegedly plying Chinese authorities with a carton of cigarettes and a hefty bounty for their trouble.

wirefraudThe victim company — an export/import firm based in the northeastern United States — first reached out to this author in 2014 via a U.S. based lawyer who has successfully extracted settlements from banks on the premise that they haven’t done enough to protect their customers from cyberheists. The victim company’s owner — we’ll call him John — agreed to speak about the incident on condition of anonymity, citing pending litigation with the bank.

On Christmas Eve 2013, the accountant at John’s company logged on to the bank’s portal to make a deposit. After submitting her username and password, she was redirected to a Web page that said the bank’s site was experiencing technical difficulties and that she need to provide a one-time token to validate her request.

Unbeknownst to the accountant at the time, cybercrooks had infected her machine with a powerful password-stealing Trojan horse program and had complete control over her Web browser. Shortly after she supplied the token, the crooks used her hijacked browser session to initiate a fraudulent $197,000 wire transfer to a company in Harbin, a city on the Chinese border with Russia.

The next business day when John’s company went to reverse the wire, the bank said the money was already gone.

“My account rep at the bank said we shouldn’t expect to get that money back, and that they weren’t responsible for this transaction,” John said. “I told them that I didn’t understand because the bank had branches in China, why couldn’t they do anything? The bank rep said that, technically, the crime wasn’t committed against us, it was committed against you.”


In April 2011, the FBI issued an alert warning that cyber thieves had stolen approximately $20 million in the year prior from small to mid-sized U.S. companies through a series of fraudulent wire transfers sent to Chinese economic and trade companies located on or near the country’s border with Russia.

heil2In that alert, the FBI warned that the intended recipients of the fraudulent, high-dollar wires were companies based in the Heilongjiang province of China, and that these firms were registered in port cities located near the Russia-China border. Harbin, where John’s $197,000 was sent, is the capital and largest city of the Heilonjiang province.

Undeterred, John’s associate had a cousin in China who was a lawyer and who offered his assistance. John said that initially the Harbin police were reluctant to help, insisting they first needed an official report from the FBI about the incident to corroborate John’s story.

In the end, he said, the Chinese authorities ended up settling for a police report from the local cops in his hometown. But according to John, what really sealed the deal was that the Chinese lawyer friend met the Harbin police officers with a gift-wrapped carton of smokes and the promise of a percentage of the recovered funds if they caught the guy responsible and were able to recover the money.

Two days later, the Harbin police reportedly located the business that had received the money, and soon discovered that the very same day this business had just received another international wire transfer for 900,000 Euros.

“They said the money that was stolen from us came in on a Tuesday and was out a day later,” John said. “They wanted to know whether we’d pay expenses for the two police guys to fly to Beijing to complete the investigation, so we wired $1,500 to take care of that, and they froze the account of the guy who got our money.”

In the end, John’s associate flew with her husband from the United States to Beijing and then on to Harbin to meet the attorney, and from there the two of them arranged to meet the cops from Harbin.

“They took her to the bank, where she opened up a new account,” John said. “Then they brought her to a hotel room, and three people came into that hotel room and online they made the transfer [of the amount that the cops had agreed would be their cut].”

Getting the leftover $166,000 back into the United States would entail another ordeal: John said his handlers were unable to initiate a direct wire back to the United States of such a sum unless his company already had a business located in the region. Fortunately, John’s firm was able to leverage a longtime business partner in Singapore who did have a substantial business presence inside China and who agreed to receive the money and forward it on to John’s company, free of charge.

I like John’s story because I have written over 100 pieces involving companies that have lost six-figures or more from cyberheists, and very few of them have ever gotten their money back. Extra-legal remedies to recoup the losses from cybercrime are generally few, unless your organization has the money, willpower and tenacity to pursue your funds to the ends of the earth. Unfortunately, this does not describe most victim businesses in the United States.

U.S. consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

Do you run your own business and bank online but are unwilling to place all of your trust in your bank’s security? That’s a sound conclusion. If you’re wondering what you can do to protect your accounts, consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.