Tag Archives: www.scamsfakes.com

US appeals court: Anti-hacking law applies to password sharing case

The 9th Circuit Court of Appeals ruling expands the scope of the already-broad Computer Fraud and Abuse Act.


A US appeals court on Tuesday ruled that the Computer Fraud and Abuse Act, a broad anti-hacking law passed in 2005, applies to a case in which a former executive gained access to his former employer’s confidential client data through a password that was voluntarily shared with him.

In a two-to-one ruling, a three-judge panel on the 9th Circuit Court of Appeals upheld the conviction of David Nosal, who used the information from his former employer — Korn/Ferry International — to start a new firm. He gained access to the data after his former secretary shared her password with him.

The ruling expands the already-sweeping scope of the CFAA, which imposes criminal penalties on anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The Nosal case focused specifically on the question of whether he acted “without authorization”. The panel concluded that “‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission”.

The court panel also upheld Nosal’s conviction for trade secret theft under the Economic Espionage Act.

In his dissent, the court summary of the ruling notes, Judge Stephen Reinhardt “wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.

The practice of sharing passwords isn’t uncommon, according to a SailPoint survey released earlier this year. It polled 1,000 office workers across six nations and found nearly one in three are willing to share passwords with their co-workers.

The CFAA — opposed by the Electronic Frontier Foundation for its scope — was also used to convict former Reuters editor Matthew Keys of helping Anonymous to deface the LA Times in 2010. Keys, who denied the charges against him, was sentenced to two years in prison.

UPDATE: This article was corrected to note that Keys was sentenced to two years in prison; he is not serving two years in prison.

Henry Sapiecha

Cybercrime kingpins are winning the online security arms race

Cybercrime is getting larger and more team driven. It’s time to cast away the idea of the lone-wolf attacker.

[Image: hooded figure at a computer. Caption: Online attackers do not look like this anymore.]

The cliché of the hacker-in-a-hoodie lone wolf is out of date. Cybercrime gangs are now almost as sophisticated as the big businesses they are trying to steal from, leading to a new security arms race that companies are losing.

The increasing threat from organized cyber-criminals and state-sponsored cyber espionage means companies need to forget about the idea of a lone hacker, think through the credible threats to their systems, and deal with them in order to disrupt their attackers’ business models.

“It’s time to think differently about cyber risk, ditching the talk of hackers, and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources — intent on fraud, extortion, or theft of hard-won intellectual property,” said Paul Taylor, UK head of cyber security at KPMG.

According to research by KPMG and BT, 97 percent of companies surveyed said they had been the victims of digital attacks, but only 22 percent were fully prepared to deal with future attacks.

Executives said they were hampered by regulation (49 percent), legacy IT systems (46 percent) and a lack of the right skills and people (45 percent).

“The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. The 21st century cyber criminal is a ruthless and efficient entrepreneur,” said Mark Hughes, CEO of BT’s security division.

“We’re up against quite sophisticated organized criminality. Well structured, real businesses, very efficient, very effective,” said David Ferbrache, technical director of cyber security at KPMG.

According to Ferbrache, the last two years have seen some shifts in the patterns of organized cyber criminality, with fraudsters targeting top executives and trying to trick them into making bogus transfers that can cost companies millions.

“CEO frauds now have become a massive issue across many of our clients,” he said.


“Organized crime is spending more time looking at targeting information available on social media. The phishing lures are much better crafted and tailored now, and they can pretend to be senior officers of the company when they know the chief executive is overseas at a conference,” Ferbrache warned.

According to the research, over 90 percent of companies said staff could be open to blackmail and bribery — but less than half have a strategy in place to deal with the threat.

“When you start moving into the big cash-outs, the longer-term operations — that’s the point you see insiders coming into the picture, because you want information on the fraud control measures. Sometimes the way the systems are configured helps the operation along,” said Ferbrache.

IT staff, as well as those with knowledge of finance, could be targeted: “Systems administrators, privileged users — anybody with access credentials, anybody able to initiate financial transactions, anyone who might have an understanding of the fraud control systems and the way they are configured too — they’re all useful,” he warned.

“We have traditionally thought of insiders and outsiders as two separate categories as you move up the tiers in organized crime. That’s not the case. It blurs.”

Crime groups tend to have a loose, federated business model. At the heart of each gang is the kingpin with the idea and the targets, but the organization around them is a loose collection of different skills. That might include people developing exploits for vulnerabilities, or selling attack services such as DDoS by the hour. Others will be experts in recruiting money mules to launder the cash, or people who specialize in selling stolen information on the black market.

“The way you have to look at these organised crime groups is that most are running a portfolio of operations,” said Ferbrache.


How do hackers get the three security numbers from the back of your credit card? CVV shops


Stolen card info, particularly from non-chip cards, is great for making phoney cards for use in stores. But how do crooks spend stolen money online?

A longtime reader recently asked: How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The short answer: if not via phishing, probably by installing a web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

Kenneth Labelle, a regional director at insurer Burns-Wilcox.com, wrote:

“So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because it’s not on [the card data]. So how in the world are they committing card not present fraud when they don’t have the CVV number? I don’t understand how that is possible with the CVV code being used in online transactions.”

First off, “dumps” — or credit and debit card accounts that are stolen from hacked point of sale systems via skimmers or malware on cash register systems — retail for about $US20 ($25.80) apiece on average in the cybercrime underground. Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell, or to extract cash at ATMs.

However, when cyber crooks wish to defraud online stores, they don’t use dumps. That’s mainly because online merchants typically require the CVV, and criminal dumps sellers don’t bundle CVVs with their dumps.

Instead, online fraudsters turn to “CVV shops,” shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2 and postcode. These CVV bundles are far cheaper than dumps — typically between $US2–$US5 apiece — in part because they are useful mainly just for online transactions, but probably also because overall they are more complicated to “cash out,” or make money from.

The vast majority of the time, this CVV data has been stolen by web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking trojan does on an infected PC, except it’s designed to steal data from web server applications.

PC trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the web session and sent to whatever site the victim is visiting.

Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.

These attacks drive home one immutable point about malware’s role in subverting secure connections: whether resident on a web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these website attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

KrebsOnSecurity


Clinton Private Account Targeted in Russia-Linked Email Scam

This portion of an email from Hillary Rodham Clinton's private email account when she was secretary of state and released by the State Department on Sept. 30, 2015, shows an email Clinton received early in the morning on Aug. 3, 2011. The newly released emails show Russia-linked hackers tried at least five times to pry into Clinton's private email account while she was secretary of state. It is unclear if she clicked on any attachment and exposed her account. Clinton received the infected emails, disguised as speeding tickets, over four hours early the morning of Aug. 3, 2011. The emails instructed recipients to print the attached tickets, which would have allowed hackers to take control of their computers. Security researchers who analyzed the malicious software have said that infected computers would transmit information from victims to at least three server computers overseas, including one in Russia. (AP Photo/Jon Elswick)


Russia-linked hackers tried at least five times to trick Hillary Rodham Clinton into infecting her computer systems while she was secretary of state, newly released emails show. It is unclear whether she was fooled into clicking any attachments to expose her account.

Clinton received the virus-riddled emails, disguised as speeding tickets from New York, over four hours early on the morning of Aug. 3, 2011. The emails instructed recipients to print the attached tickets – and opening them would have allowed hackers to take over control of a victim’s computer.

Security researchers who analyzed the malicious software in September 2011 said that infected computers would transmit information from victims to at least three server computers overseas, including one in Russia. That doesn’t necessarily mean Russian intelligence or citizens were responsible.

Nick Merrill, a spokesman for Clinton’s Democratic presidential campaign, said: “We have no evidence to suggest she replied to this email or that she opened the attachment. As we have said before, there is no evidence that the system was ever breached. All these emails show is that, like millions of other Americans, she received spam.”

Practically every Internet user is inundated with spam or virus-riddled messages daily. But these messages show hackers had Clinton’s email address, which was not public, and sent her a fake traffic ticket from New York state, where she lives. Most commercial antivirus software at the time would have detected the software and blocked it.

The phishing attempts highlight the risk of Clinton’s unsecure email being pried open by foreign intelligence agencies, even if others also received the virus concealed as a speeding ticket from Chatham, New York. The email misspelled the name of the city, came from a supposed New York City government account and contained a “Ticket.zip” file that would have been a red flag.

Clinton has faced increasing questions over whether her unusual email setup amounted to a proper form of secrecy protection and records retention. The emails themselves – many redacted heavily before public release – have provided no shocking disclosures thus far and Clinton has insisted the server was secure.

During Clinton’s tenure, the State Department and other U.S. government agencies faced their own series of hacking attacks. U.S. counterterrorism officials have linked them to China and Russia. But the government has a large staff of information technology experts, whereas Clinton has yet to provide any information on who maintained her server and how well it was secured.

Republican presidential candidate Marco Rubio told Fox News Channel on Wednesday, “The exposure of sensitive information to foreign intelligence agencies by communicating in an insecure manner is incompetent, it is malpractice, it’s inexcusable.”

The emails released Wednesday also show a Clinton confidant urging her boss and others in June 2011 not to “telegraph” how often senior officials at the State Department relied on their private email accounts to do government business because it could inspire hackers to steal information. The discussion never mentioned Clinton’s own usage of a private email account and server.

The exchange begins with policy chief Anne-Marie Slaughter lamenting that the State Department’s technology is “so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively.” She said more funds were needed and that an opinion piece might make the point to legislators.

Clinton said the idea “makes good sense,” but her chief of staff, Cheryl Mills, disagreed: “As someone who attempted to be hacked (yes I was one), I am not sure we want to telegraph how much folks do or don’t do off state mail b/c it may encourage others who are out there.”

The hacking attempts were included in the 6,300 pages the State Department released, covering a period when U.S. forces killed Osama bin Laden and the Arab Spring rocked American diplomacy.

New York State police warned as early as July 2011 about emails containing warnings of traffic tickets that actually contained computer viruses.

Clinton received five copies between 1:44 am and 5:26 am on Aug. 3, 2011. They appeared to come from “New York State — Department of Motor Vehicles,” warning that a car registered to Clinton was caught speeding “over 55 zone” on July 5. Clinton had no public events in Washington that day, following the July 4 holiday. The email instructed the recipient to “print out the enclosed ticker and send it to town court, Chatam Hall, PO Box 117.”

The former first lady and New York senator had maintained that nothing was classified in her correspondence, but the intelligence community has identified messages containing “top secret” information. Clinton had insisted that all of her work emails were being reviewed by the State Department, but Pentagon officials recently discovered a new chain of messages between Clinton and then-Gen. David Petraeus dating to her first days in office that she did not send to the State Department.

As part of Wednesday’s release, officials upgraded the classification level of portions of 215 emails, State Department spokesman John Kirby said. Almost all were “confidential,” the lowest level of classification. Three emails were declared “secret,” a mid-tier level for information that could still cause serious damage to national security, if made public.

“The information we upgraded today was not marked classified at the time the emails were sent,” Kirby stressed.

Source: Associated Press
