STE WILLIAMS

Feds widen probe into lottery IT boss who rooted game for profit

Federal investigators have confirmed that they are widening a probe into fraud by the former IT security director of the Multi-State Lottery Association (MSLA).

In July, Eddie Tipton, 52, was found guilty of installing a rootkit in the MSLA’s random-number generating computer that allowed him to predict the digits for future winning tickets. He also tampered with security cameras to cover up his time at the keyboard, the court heard.

Tipton was sentenced to ten years in prison after CCTV caught him buying a $16.5m winning ticket in the Iowa state lottery. He is free on bail while appealing his conviction.

Meanwhile, investigators claim that three other state lotteries in Colorado, Wisconsin, and Oklahoma also report paying out prizes worth $8m to people associated with Tipton.

“It would be pretty naive to believe they are the only four,” former investigator Thomas Miller told AP. “If you find one cockroach, you have to assume there are 100 more you haven’t found.”

The MSLA provides the technology for 37 US states and territories and the investigation team has asked every local lottery board to check their records to see if Tipton can be linked to any more big wins. He has already been charged with criminal conduct and money laundering in three more states.

“There’s just absolutely no evidence whatsoever that he did anything to alter the proper operations of the computers that were used to pick those numbers, absolutely no evidence. It’s just all speculation,” said Tipton’s attorney Dean Stowers.

Tipton was convicted after investigators released camera footage of a behoodied man buying the winning Iowa ticket and some hot dogs from a convenience store near the MSLA office. At Tipton’s trial, his brother, Tommy Tipton, said that the footage didn’t show his sibling, remarking: “Eddie’s not a hot dog guy.”

Now Tommy Tipton is also in investigators’ sights after he was named as the beneficiary of a $537,000 cash payout from a winning lottery ticket in Colorado in 2005. T. Tipton, who was elected as a justice of the peace in Flatonia, Texas, denies any wrongdoing, and resigned his post after charges were brought against him.

Meanwhile, in Oklahoma, cops are investigating a $1.2m Hot Lotto jackpot that paid out in 2011. The winner was the owner of a Texas construction company that police claim was an associate of Eddie Tipton.

“This is kind of an eye-opener,” said Oklahoma Lottery director Rollo Redburn. “It reaffirms the fact that we’ve got to be constantly vigilant against people trying to defraud the system.”

The authorities in Wisconsin are also looking into the winner of a $2m Megabucks prize that was claimed in 2008 by a law firm acting on behalf of Robert Rhodes, a close friend of Tipton’s. Rhodes was also linked to the attempt to cash in the $16.5m Iowa lottery ticket, and is fighting extradition to the state. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/24/feds_widen_investigation_into_lottery_it_boss_who_rooted_game_for_profit/

Secret shaggers, rejoice! Now you can blame that Hyatt credit card bill on hackers

Hyatt Hotels Corporation says it “recently identified malware on computers that operate the payment processing systems for Hyatt-managed locations.”

The hotelier says “As soon as we discovered the activity, we launched an investigation and engaged leading third-party cyber security experts.”

The chain’s asking customers to keep an eye on their credit card bills, on the off-chance that the folks responsible for the malware injection have gone on a room-booking spree.

And that’s about all the chain is saying, but it has erected a site called “Protecting our customers” on which it pledges to keep customers updated on the situation.

All of which provides cover for those among you who may have checked into a hotel for reasons you’d rather not explain to loved ones. Which, in a post-Ashley-Madison world might be rather less often than in the past. Or rather more. We just wouldn’t know. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/24/secret_shaggers_rejoice_now_you_can_blame_that_hyatt_credit_card_bill_on_hackers/

Riddle of cash-for-malware offer in new Raspberry Pi computers

The Raspberry Pi Foundation was offered cash to smuggle malware onto its bargain-basement credit-card-size computers, we’re told.

Liz Upton, the Foundation’s director of communications, today revealed an email from a “business officer” called Linda, who promised a “price per install” for a suspicious executable file. “Amazing. This person seems to be very sincerely offering us money to install malware on your machines,” said Liz.

The name of the company Linda claimed to represent was redacted, so we are unable to check the veracity of the offer. Plus the email, dated Wednesday, does contain a number of odd details – like writing exe. rather than .exe, and using “u” in place of “you.” Some of the language also points to someone whose first language is not English.

It’s fair to say Linda’s approach wasn’t exactly professional. However, the offer seems genuine, and it shines a light on the murky world of paid-for malware distribution.

There are countless examples of software nasties being installed on systems via unrelated applications – toolbars and spyware bundled with legit-looking apps, mainly. Sometimes the developer directly plants the dodgy code, but more often than not the malware comes from a third-party willing to pay for access to PCs and devices.

While some malware is relatively benign and easy to remove, others severely compromise computers – allowing them to hold files to ransom, snoop on passwords, hide within operating systems, and so on. Some ad-injecting software nasties even come bundled with new PCs, right, Lenovo?

More than five million Raspberry Pis have been sold to date, which is quite an install base. The Foundation declined Linda’s offer, and described her company as “evildoers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/23/raspberry_pi_flags_malware_offer/

‘Showbiz hacker touted stolen celebs’ X-rated vids, scripts, songs’

A Bahamian bloke is accused of stealing scripts and raunchy videos from celebrities – and selling them to an undercover agent.

Alonzo Knowles, 23, allegedly bragged he had infiltrated the email inboxes of people in the worlds of showbiz and sports – either by tricking them into handing over their account passwords in phishing emails, or by sending them malware that infected their PCs and snooped on their logins.

Ironically, the phishing emails were dressed as security alerts warning the victims their accounts had been hacked, and that if they sent over their passwords, someone in tech support would put everything right, we’re told.

Knowles did not always target celebrities directly, it is claimed, but instead noted which friends they were photographed with in gossip magazines, and went after those pals instead. Once in their accounts, it’s alleged, he rifled through their inboxes to get the celebs’ contact details.

Once Knowles broke into the stars’ messages, he swiped copies of upcoming TV and movie scripts, 30 unreleased tracks from a “very popular A-list celebrity,” and sexually explicit private photos and videos, it is claimed.

We’re told an executive producer tipped off US Homeland Security of the hack after hearing that Knowles, of Freeport, Bahamas, was touting copies of the scripts.

In a Facetime video call with an undercover g-man, Knowles boasted he had laid his hands on celebrities’ private sexy snaps and videos, their social security numbers, scans of passports, and other material that could be used for blackmail or identity theft, it is claimed. The alleged hacker showed off an X-rated private video of a radio host as proof of his skills.

On December 21, in a followup meeting in New York City with the agent, Knowles tried to flog about a dozen movie and television scripts, and the social security numbers of three athletes and a film actress, for $80,000, it is claimed.

Minutes later, Knowles was collared by Homeland Security investigators, and charged with one count of criminal copyright infringement and one count of identity theft.

“This case has all of the elements of the kind of blockbuster script the defendant, Alonzo Knowles, is alleged to have stolen: hacks into celebrities’ private emails, identity theft, and attempts to sell victims’ information to the highest bidder,” Manhattan US attorney Preet Bharara said on Tuesday.

“Unfortunately, these circumstances are all too real.”

Knowles faces up to ten years behind bars if found guilty. No date has been set as yet for his trial. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/23/hollywood_hacker/

Security Vendors Report Uptick in Whaling, Phishing Scams

Expect to see an increase in attempts by cyber crooks to trick businesses and individuals into parting with their money, say Mimecast, Kaspersky Labs.

One of the biggest online security threats to individuals and businesses this holiday season is not from sophisticated new malware tools but decidedly low-tech phishing and whaling campaigns.

Separate alerts from security vendors Kaspersky Labs and Mimecast this week warned about an increase in both forms of criminal activity in recent weeks and urged users to take precautions to mitigate their risk of becoming the next victims.

Mimecast said it has noticed a recent uptick in the number of whaling, or spear-phishing campaigns directed at business executives at mostly large corporations. The goal behind these campaigns is to trick financial staff into making fraudulent wire transfers to bank accounts controlled by threat actors, the company said.

The campaigns typically involve emails that purport to be from the CEO, chief financial officer or other senior executive to an individual within the firm with the authority to make wire transfers on behalf of the organization. Often, the messages contain language that conveys a sense of urgency to get the recipient to act quickly in response to the email.

“Cyber-attackers have gained sophistication, capability and bravado over the recent years resulting in some complex and well-executed attacks,” Mimecast said in its advisory. “But some of the most successful threat activity remains relatively basic and uses simple social engineering to dupe targets,” it said.

Whaling campaigns often involve considerable research beforehand by threat actors who scour social media sites such as Facebook, Twitter, and LinkedIn to gather information about key executives at large organizations. Employees who have excessive information on their social media sites provide a particularly rich source of information to spear-phishers, Mimecast said.

The information gathered from these sites and other sources is then used to craft highly convincing emails. “Whaling is simple for hackers too, because they do not need to use malware or any technical expertise to exploit your organization,” Mimecast cautioned.  “As a result the barriers to entry for this type of cyber-crime are painfully low.”

The FBI, which calls such campaigns Business Email Compromise (BEC), earlier this year noted that as many as 7,000 US businesses have been victimized by such scams over the past two years, resulting in some $740 million in losses.

Employee awareness and education is key to protecting against the threat, Mimecast said. Key executives and staff members from within the finance department need to be made aware of the scams and they need to be tested on a regular basis using simulated whaling attacks, the Mimecast advisory said.

Reviewing the finance team’s processes for initiating wire transfers and implementing an additional layer of authentication for wire transfers can help as well, the company said.

Meanwhile, Kaspersky Labs in its alert Wednesday warned about an increase in phishing scams during the holiday season. People who buy online often get email notifications, shipment tracking alerts and other notices from the services that deliver their purchases, Kaspersky said.

Phishers often take advantage of this to send messages to victims that appear to originate from DHL and Fedex and try to get them to follow or click on malicious links and attachments, Kaspersky Labs security researcher Andrey Kostin wrote in the blog post.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/security-vendors-report-uptick-in-whaling-phishing-scams/d/d-id/1323692?_mc=RSS_DR_EDT

Grindr being used to target and rob gay men

Thieves are using the popular gay dating app Grindr to target and rob men.

Detectives in the south London town of Croydon have issued a warning after two separate men were robbed after arranging to meet a man via the dating app.

Both robberies happened last week.

Both victims were robbed at knife-point by a gang of four men at the agreed meeting spot.

Croydon Police Detective Constable Sheree Yates said that the victims were “very shaken” but fortunately escaped without serious injury.

He said that police are eager to track down the suspects and are appealing to anyone who has any information to contact them.

In the UK, victims of such crimes can report incidents to police on 101 (999 in an emergency) or by contacting Crimestoppers anonymously at 0800 555 111.

A spokesperson for Grindr told the BBC that the company’s always encouraged users to use the platform like any social interaction: with a “measure of caution” and “an awareness of their own safety.”

From the Grindr spokesperson:

There are many ways to verify and take steps to protect yourself, from meeting in more public spaces to getting phone numbers and speaking beforehand. We take these matters very seriously and cooperate with local law enforcement at all turns where we can.

That advice is part of this list of safety tips for using a dating app that London police had to offer:

  • If you decide to meet in person, let someone know where you are going and when you’re likely to return.
  • Always meet in a public place with lots of people around.
  • Plan your journey to and from the date in advance. If using a cab, always pre-book.
  • Drink responsibly and never leave your drink unattended.
  • Ensure your mobile phone is fully charged and working.
  • If at any time you feel uncomfortable, leave the date. You’re not obliged to stay.
  • Don’t share personal details such as your home address until you can trust the person you are communicating with.

Here’s another tip from us: If you want to be extra cautious – and don’t mind giving up a little privacy for the sake of security – consider enabling a mobile phone app such as Find My iPhone or Android Device Manager.

Those apps allow your location to be tracked. Just remember to turn it off again if you don’t want your mother or your best buddy to know where you are at all times.

Of course, this isn’t a Grindr-specific problem. Everybody who uses online dating apps and sites should be cautious when meeting strangers.

A few months ago, the City of London, together with Action Fraud, launched a new initiative dubbed “Urban Fraud Myths” that aimed to separate cybercrime and fraud facts from fiction.

It kicked off with a look at online dating, a crime that swindled 3,543 Brits out of £33.65 million ($51 million) in the previous year.

One of the key myths:

I can always trust the people I meet on online dating sites as they will have been vetted before being allowed to join.

But the reality is that most dating sites allow people to sign up without being vetted, the organizations said, which should make us all wary of trusting strangers we meet online:

Always be cautious about the people you meet online, especially if they start asking for money to help a family member, to visit you or pay medical bills etc. Never send money or give credit card or online account details to anyone you don’t know and trust.

That’s good advice, and we have even more tips here for staying safe when you use online dating sites.

Predators can be extremely convincing. Be careful!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gXe_EkEKLdE/

Advent tip #23: Check that Java is turned off in your browser

You’ve heard of Java.

It’s a computer programming language that can be used to develop applications that aren’t tied to a single sort of computer.

Java programs have two main ways of running:

  • As full-blown applications, installed permanently onto your computer in the same way that you might install Word on Windows or Keynote on a Mac.
  • As web applets, delivered in a web page to run inside your browser, under stricter security controls than full-blown Java applications.

A few years ago, Java applets were a happy hunting ground for cybercrooks: finding an exploitable bug in the applet subsystem was as good as finding a bug in the browser itself.

At the same time, fewer and fewer websites actually relied on Java, so the only people who really benefitted from it being turned on in your browser were the crooks.

That’s the problem with software that you only rarely need, but which is continually exposed to outside threats: it’s easy to ignore it, and let it get out of date, only to receive a rude shock when it’s used to attack your computer.

That’s why we’ve been recommending for years that you turn Java off in your browser.

Even Oracle, the owners of Java, agree these days, and have provided a “switch” for centralised control of browser-based Java.

Why not do us all a favour, including yourself, and use your Java Control Panel to check that it really is turned off?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kPRcvZwdsI8/

How’s this for a gift? Try our new free Sophos Home on your PCs and Macs this Christmas

Many of you are your family’s IT Manager. You’re the help desk when something goes wrong, and you’re the saviour who can fix it all.

And you’re the one who ends up dealing with that 11pm phone call from your Auntie Linda on Christmas Eve saying she’s staring at a blue screen with lots of funny numbers and letters.

If that’s you, then you might be interested to know about our new free tool – Sophos Home.

It’s Sophos’s known and trusted business-grade product, but for home users.

You probably know that Sophos has been offering free Mac antivirus for a while, but this is the first product that protects both Macs and PCs in your home. If you’re already a Sophos Antivirus for Mac user then you can switch to Sophos Home now!

What’s really useful is that it’s cloud managed, so you can look after security for your whole family, from anywhere, with an easy-to-use web console. Yes, even Auntie Linda’s.

It’s the first totally free home security product – free from annoying pop-ups, free from ads, free from complicated security settings. And, of course, it’s free from costing anything!

If this all sounds interesting, and you’re one of those people that likes to be in there first, trying out new stuff, then this is for you.

We’d also love to know what you think of it. If you fill in our feedback form after you’ve played around with it, we’ll put you in the draw to win one of ten $20 gift cards to use on the Sophos Store – you can use it on laptop stickers, T-shirts, lunchboxes, slap bands, or many other products.

To be in with a chance of winning a gift card, please include your email address when you fill in the form. Or if you just want to let us know what you think of the product, then just leave that field blank.

Let us know what you think!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/97efDJDwq2U/