STE WILLIAMS

Five years in the clink for super-crook who scammed Google, Facebook out of $120m with fake tech invoices

A Lithuanian hacker will spend the next five years behind bars for masterminding a $120m (£92.05m) scam that involved emailing fake IT equipment invoices to Facebook and Google.

A US district court in New York on Thursday handed Evaldas Rimasauskas the 60-month sentence, along with a bill for $26,479,079 in restitution, after he admitted to one count of wire fraud. He had faced a maximum of 30 years in the cooler.

This came after Rimasauskas pleaded guilty to overseeing the phishing scam that allowed him to collect money transfers from Google and Facebook under the guise of a Taiwanese equipment manufacturer.

The super-fraud pulled off the massive cash scam by creating lookalike domains and email accounts for Quanta, a Far Eastern contract manufacturer that builds, among other things, server components.

Those fake accounts were then used to contact employees at both Facebook and Google between 2013 and 2015 and supply them with phony invoices that each of the tech giants thought were for real purchases (they were, mind you, likely doing business with the real Quanta while this was going on.)

Rimasauskas then directed his victims to make wire payments into overseas accounts he controlled.
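The pattern described above (a lookalike of a real supplier's domain, used to send invoices and redirect wire payments) is something an accounts-payable mail pipeline can screen for before a human ever sees the message. The following is an added example written for this page; it is not code from The Register, from Quanta, or from either victim, and the vendor allowlist, the `vendor.example` domain and the sample messages are all constructed. It flags three lookalike tricks: homoglyph substitutions, the real brand label reused inside an unlisted domain, and domains within a small edit distance of a listed one.

```python
"""Triage of supplier-invoice e-mails by sender domain.

Added example, not code from the article or from any company named in it.
vendor.example, the allowlist and the sample messages are constructed.
"""
import re

# Domains the accounts-payable team has actually onboarded (constructed).
KNOWN_VENDOR_DOMAINS = {"vendor.example", "billing.vendor.example"}

# Lookalike tricks seen in BEC: digit-for-letter swaps and two-letter
# combinations that render like a single letter in many fonts.
_DIGIT_SWAPS = str.maketrans("01357", "olest")
_PAIR_SWAPS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so 'vend0r.exarnple' compares equal to 'vendor.example'."""
    d = domain.lower().strip().rstrip(".")
    for pair, single in _PAIR_SWAPS:
        d = d.replace(pair, single)
    return d.translate(_DIGIT_SWAPS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """The label just left of the public suffix, e.g. 'vendor' in 'billing.vendor.example'."""
    return domain.split(".")[-2]


def classify_sender(address: str) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike', 'unknown' or 'reject'."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        return ("reject", "malformed address")
    domain = m.group(1).lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("trusted", "domain on allowlist")
    norm = normalize(domain)
    labels = set(re.split(r"[.-]", domain))
    for known in sorted(KNOWN_VENDOR_DOMAINS):
        if norm == normalize(known):
            return ("lookalike", f"homoglyph variant of {known}")
        if brand_label(known) in labels:
            return ("lookalike", f"reuses brand label of {known} in an unlisted domain")
        dist = levenshtein(norm, normalize(known))
        if dist <= 2:
            return ("lookalike", f"edit distance {dist} from {known}")
    return ("unknown", "not a known vendor; route to manual verification")


# Constructed sample of an invoice mailbox: sender address and subject only.
SAMPLE_MESSAGES = [
    ("ap@vendor.example", "Invoice 2041 for server components"),
    ("ap@vend0r.example", "Updated remittance details for invoice 2041"),
    ("ap@vendor-payments.example", "Urgent: wire transfer for overdue invoice"),
    ("ap@other-supplier.example", "Quote request"),
]


def triage(messages):
    """Attach a verdict to each (sender, subject) pair."""
    return [(sender, classify_sender(sender)[0]) for sender, _subject in messages]


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:10s} {sender}")
```

Two design points matter in practice. The exact allowlist check runs before any normalisation, because the homoglyph collapse (`rn` to `m`, digits to letters) also rewrites legitimate domains and would otherwise produce false positives. And a `lookalike` or `unknown` verdict should gate a process step, not just a label: any message that changes where money is sent gets confirmed with the supplier through a contact channel that was set up out of band, never through details supplied in the e-mail itself.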

While these sorts of business email compromise attacks are hardly new concepts, it is rare to see one succeed against two companies of this size and net such a large payout for the attacker. When all was said and done, it was estimated that the two tech giants filled Rimasauskas’ coffers to the tune of just over $120m.


He was indicted on the charge just before Christmas of 2016, got picked up by Lithuanian police in March of 2017, made his initial US court appearance in August of that year, and finally agreed to take the guilty plea on one count of wire fraud in March of 2019.

Now, almost exactly three years after his indictment was filed under seal, Rimasauskas has been given the five-year prison term. Following his release, he will also face deportation to Lithuania.

“Evaldas Rimasauskas devised an audacious scheme to fleece U.S. companies out of more than $120m, and then funneled those funds to bank accounts around the globe,” boasted US attorney Geoffrey Berman, prosecutor in the case.

“Rimasauskas carried out his high-tech theft from halfway across the globe, but he got sentenced to prison right here in Manhattan federal court.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/20/facebook_google_hacker_five_years/

It’s cool for Brit snoops to break the law, says secretive spy court. Just hold on while we pull off some legal jujitsu to let MI5 off the hook…

It’s perfectly legal for British spies to break the law, Britain’s secretive spy court has ruled – making a mockery of other laws intended to keep eavesdropping agencies and others under effective control.

Sweeping away campaign group Privacy International’s legal objections, judges Lord Justice Singh, Lord Boyd and Sir Richard McLaughlin ruled: “It is clear from the words of the policy itself (in particular para. (9)) that it does not confer any immunity from criminal prosecution on anyone.”

Privacy International and four other campaign groups including the Pat Finucane Centre and Reprieve had sued over a government policy allowing MI5 spies to break the law. In a 3-2 majority verdict, the Investigatory Powers Tribunal (IPT) gave this spying activity the green light.

In an exercise of legal clever-clogsing intended to let spies pretend to the gullible that they haven’t got official top cover for breaking the law with impunity, as they now unquestionably do, the Investigatory Powers Tribunal ruled that MI5 has the “power” to break the law but not to award itself “immunity”.

The difference was not explained fully, though the judges hinted that, in theory, legal arguments to stop a prosecution of a law-breaking British spy would be based on the “public interest”.

PI noted in a statement bemoaning the judgment that this was the first time the IPT had ever published a ruling that included dissent from the five tribunal members. The two dissenters were Charles Flint QC and Professor Graham Zellick QC.

Ilia Siatitsa, a legal officer from Privacy International, said: “Today, the Investigatory Powers Tribunal decided that MI5 can secretly give informants permission to commit grave crimes in the UK, including violence. But two of its five members produced powerful dissenting opinions, seeking to uphold basic rule of law standards.”

“As one of them put it, it is wrong to ‘open the door to… powers of which we have no notice or notion, creating uncertainty and a potential for abuse’. We think the bare majority of the IPT got it seriously wrong. We will seek permission to appeal to protect the public from this abusive secretive power.”

The judgment also referred to the Spycatcher case, where lifelong MI5 scientist Peter Wright – who had been cheated out of 15 years of pension contributions – wrote a warts-and-all memoir of life in the Security Service between the late 1940s and the late 1970s after retiring to the safety of Australia.

An enraged British establishment sued in the late 1980s to stop the publication of Wright’s memoirs, which contained all kinds of names and detail about analogue and early digital spy tactics, political intrigues of the 1960s and 70s (among other things, writing “Cecil King, one of our agents”) and the explosive claim that the head of MI5 had been a Russian double-agent. The attempt to block publication failed.


Sir John Donaldson, one of the judges in the Spycatcher case, said: “It would be a sad day for democracy and the rule of law if the Service were ever to be considered to be above or exempt from the law of the land. And it is not. At any time any member of the Service who breaks the law is liable to be prosecuted. But there is a need for some discretion and common sense.”

Long after Wright’s death, the officially sanctioned history of MI5 published in 2009 described him as one of “the most damaging conspiracy theorists in the history of the Security Service”.

The Investigatory Powers Tribunal is largely seen as a technical exercise in public accountability rather than a practical one. Last year it admitted that Peeping Toms from all three UK spy agencies had been breaking the law for 15 years before declaring it wouldn’t do a thing about it.

Nonetheless, not all of the legal establishment agrees: the Supreme Court brought it back within the pale with a ruling that its decisions are subject to appeal, despite laws establishing the IPT having been explicitly written to ensure they couldn’t be. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/20/investigatory_powers_tribunal/

New Orleans to Boost Cyber Insurance to $10M Post-Ransomware

Mayor LaToya Cantrell anticipates the recent cyberattack to exceed its current $3 million cyber insurance policy.

The city of New Orleans is planning to increase its cyber insurance policy to $10 million following a Dec. 13 ransomware attack that will likely exceed its current $3 million policy, Mayor LaToya Cantrell confirmed this week. She did not give an estimate of the attack’s cost.

City employees first detected suspicious activity early that Friday morning, IT director Kimberly LaGrue told news station 4WWL. Officials say they did not receive a ransom request and all data can be recovered. They did not mention a time frame; however, officials took roughly 4,000 computers offline and are in the process of cleaning them up and investigating them. New Orleans’ Fire Department, Police Department, and Emergency Medical Services are running.

The New Orleans attack reportedly started with a phishing email. It’s believed the Ryuk strain of ransomware was used in this attack, Bleeping Computer reports, citing files uploaded to VirusTotal. The day after the incident, memory dumps of suspicious files were uploaded containing several references to both Ryuk and the city of New Orleans.

This attack arrived in the midst of a ransomware crisis for the United States, where 11 new school districts have been targeted since October, and municipalities including New Orleans and Pensacola are recovering from attacks. A total of 72 US school districts or educational institutions have suffered ransomware campaigns. Up to 1,040 schools may have been hit.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “5 Pieces of GDPR Advice for Teams Without Privacy Compliance Staff.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/new-orleans-to-boost-cyber-insurance-to-$10m-post-ransomware/d/d-id/1336687?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Research Team Demonstrates Perfect Secrecy Implementation

The technique is notable because it can be implemented using low-cost, standard hardware components.

A team of researchers has published a paper showing “perfect secrecy cryptography” on a chip. The technique, the researchers say, is resistant to even quantum computer exploitation because it uses correlated chaotic wavepackets, which are mixed in inexpensive silicon chips.

The research paper, published in the journal Nature, says the second law of thermodynamics and the exponential sensitivity of chaos unconditionally protect this scheme.

“Perfect secrecy” is the term for a concept patented by Gilbert Vernam in 1919 and proved by Claude Shannon to be unbreakable (when properly implemented). The three main properties of perfect secrecy are that a message is encrypted by a bitwise XOR operation using a random key that is as long as the text to be transmitted, that the key is never reused in whole or in part, and that it is kept secret.
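The three properties above are easy to state and easy to get wrong, so here is an added example (written for this page, not code from the Nature paper or from Dark Reading) that implements a one-time pad and shows what breaks when the second property is violated. The `OneTimePad` class hands out each byte of key material at most once and refuses to encrypt once the pad is spent; `key_reuse_leak` shows that when one key is used for two messages, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the key drops out and the messages become related to each other. Using `secrets.token_bytes` as the key source is an assumption of the demo; a real pad needs a true random source shared secretly in advance.

```python
"""One-time pad (Vernam) encryption and the key-reuse failure.

Added example, not from the article or the paper it summarises; the sample
messages are constructed and secrets.token_bytes stands in for a true random
pad shared ahead of time.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Holds a pad of random key material and hands out each byte at most once.

    Both parties construct an instance over the same pad; the sender's copy
    tracks how much has been consumed, which is what enforces 'never reused'.
    """

    def __init__(self, pad: bytes):
        self.pad = pad
        self._used = 0  # index of the first unused key byte

    @classmethod
    def generate(cls, size: int) -> "OneTimePad":
        """Fresh pad of `size` bytes (demo assumption: OS CSPRNG as the source)."""
        return cls(secrets.token_bytes(size))

    def remaining(self) -> int:
        return len(self.pad) - self._used

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError(f"pad exhausted: need {n} bytes, {self.remaining()} left")
        chunk = self.pad[self._used:self._used + n]
        self._used += n  # these bytes can never be handed out again
        return chunk

    def encrypt(self, plaintext: bytes) -> tuple:
        """Return (offset, ciphertext); the offset tells the receiver which pad bytes were used."""
        offset = self._used
        return offset, xor_bytes(plaintext, self._take(len(plaintext)))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Decryption is the same XOR with the same pad slice."""
        key = self.pad[offset:offset + len(ciphertext)]
        if len(key) != len(ciphertext):
            raise ValueError("ciphertext runs past the end of the pad")
        return xor_bytes(ciphertext, key)


def pad_refuses_overrun(pad: OneTimePad, n: int) -> bool:
    """True if the pad correctly refuses to encrypt n bytes it no longer has."""
    try:
        pad.encrypt(bytes(n))
    except ValueError:
        return True
    return False


def key_reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """What an eavesdropper can compute when one key encrypts two messages.

    c1 XOR c2 == (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2: the key cancels, and
    knowing either plaintext then reveals the other.  Perfect secrecy is gone.
    """
    c1 = xor_bytes(m1, key)
    c2 = xor_bytes(m2, key)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    sender = OneTimePad.generate(64)
    receiver = OneTimePad(sender.pad)
    offset, ct = sender.encrypt(b"invoice 2041 approved")
    print(receiver.decrypt(offset, ct), sender.remaining(), "pad bytes left")
    print(key_reuse_leak(b"pay 1000", b"pay 9999", bytes(range(8))))
```

The point the code makes is that the key-length and no-reuse rules are not bookkeeping niceties: a pad that is even partially reused leaks the XOR of the plaintexts, which is why practical schemes either ship pads physically or, as in the paper summarised above, try to generate shared randomness on the fly.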

Read more here.


Article source: https://www.darkreading.com/application-security/research-team-demonstrates-perfect-secrecy-implementation/d/d-id/1336688?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

F5 Pays $1 Billion for Shape

The acquisition adds fraud detection and prevention to the application delivery company’s tool collection.

F5 has announced the acquisition of Shape, a company with products and services in the antifraud and abuse category. According to the companies, F5 will pay approximately $1 billion for the privately held Shape.

In a blog post to employees, F5 CEO François Locoh-Donou wrote that Shape is currently mitigating more than 1 billion application attacks a day. The acquisition, he said, will help F5 compete in its next targeted areas of growth: cloud, software, and AI/machine learning.

Shape Security is F5’s second major acquisition of 2019, coming after the May purchase of Web application server company NGINX.

Read more here.


Article source: https://www.darkreading.com/application-security/f5-pays-$1-billion-for-shape/d/d-id/1336689?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hello ‘123456,’ my old friend, I’ve come to talk with you again

Hear me, Ebenezer Everybody! Tonight you shall be visited by three spirits. The ghosts of the passwords you’ve used on your email account, your online bank account, your Twitter account, your Instagram account, your… OK, scratch that, you’ll be visited by at least 100 truly terrible password ghosts.

Their breath is foul, because some of us have reused them until they’ve begun to compost – an odor that attracts swarms of hackers who’ll use them to try to get into not just one breached account, but ALL of your accounts while they’re at it.

They’re spirits, because wow, these things are old. Seriously, are we seeing you again, “123456?”

Yes, we are.

Once again, it’s end-of-the-year, worst-passwords listicle time, and once again, “123456” reigns supreme as the king of bad passwords on SplashData’s annual worst password list.

Just like it did last year. And in every year since 2013, when it knocked “password” from its number one spot.

Last year, SplashData evaluated more than five million leaked passwords to see how often they showed up. Since 2011, it’s been publishing the list based on millions of passwords leaked in data breaches. SplashData didn’t actually say how many breached passwords they analyzed for this year’s list, which it published in two sets of 50: here’s the worst 1-49, and here’s the worst 50-100.

Last year, tired of nagging users about using these clunkers, I instead took websites to task. Users are clearly never going to stop using “123456,” “123456789,” “qwerty” or “password” – 2019’s top four most commonly breached passwords – so how about if websites and services simply stop allowing users to choose passwords that are on the list of worst passwords?

Sites and services could do even more, we suggested – they could, say, disallow creation of any of the 10,000 worst passwords. Or maybe use rate limiting, which gives even the weakest password a serious upgrade. Limiting the number of times a user can try a wrong password means that attacks take a long time. Attackers have to be far more circumspect about how many guesses they make: as we noted, all you have to do is ask the FBI about how inconvenient, or impossible, it can make the task of forcing your way in past an unknown login.
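The two server-side measures suggested above, refusing passwords from a known-bad list and rate limiting failed logins, fit in a few dozen lines. The code below is an added example for this page, not code from Naked Security or SplashData: the blocklist holds only the entries the article names (a real deployment loads a far longer list, such as the 10,000 worst passwords the text mentions), the limits of five failures, a five-minute window and a fifteen-minute lockout are illustrative, and the account names are constructed. The limiter takes an injectable clock so the lockout can be exercised without waiting.

```python
"""Worst-password blocklist and failed-login rate limiting.

Added example, not code from the article or from SplashData.  The blocklist
is the constructed subset named in the article; limits are illustrative.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Entries quoted in the article.  A real list is thousands of entries long.
WORST_PASSWORDS = {"123456", "123456789", "qwerty", "password", "banana", "whatever", "cookie"}
_TRIVIAL_SUFFIX = "0123456789!@#$%^&*.?-_"


def password_allowed(candidate: str, blocklist=WORST_PASSWORDS, min_length: int = 8) -> Tuple[bool, str]:
    """Reject a new password if it is short, on the list, or a listed word plus a trivial suffix."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    norm = candidate.strip().lower()
    if norm in blocklist:
        return False, "appears on the worst-passwords list"
    stem = norm.rstrip(_TRIVIAL_SUFFIX)  # 'Banana2019!' -> 'banana'
    if stem in blocklist:
        return False, f"blocklisted word '{stem}' with a trivial suffix"
    return True, "ok"


def guess_budget_per_day(max_failures: int, lockout_seconds: float) -> int:
    """Upper bound on wrong guesses against one account in 24 hours under this policy."""
    return int(max_failures * (86400 // lockout_seconds))


class LoginRateLimiter:
    """Sliding-window limiter keyed by account.

    After `max_failures` failed attempts within `window` seconds the account is
    locked for `lockout` seconds; while locked, even a correct password is
    refused, so the lock itself never becomes a password oracle.
    """

    def __init__(self, max_failures: int = 5, window: float = 300.0, lockout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def retry_after(self, account: str) -> float:
        """Seconds the caller must wait before an attempt is accepted (0 means allowed)."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account: str, password_ok: bool) -> bool:
        """Record one login attempt; True only if it was accepted and the password was right."""
        now = self.clock()
        if self.retry_after(account) > 0:
            return False  # refused before the credential is even considered
        if password_ok:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return True
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
        return False


if __name__ == "__main__":
    for pw in ("123456", "whatever", "Banana2019!", "correct horse battery staple"):
        print(f"{pw!r:35s} -> {password_allowed(pw)}")
    print("guesses/day at 5 failures per 15-minute lockout:", guess_budget_per_day(5, 900))
```

With the default policy an attacker gets at most 480 wrong guesses per account per day, which is why the article says rate limiting gives even a weak password a serious upgrade; the blocklist then removes exactly the guesses that would have been tried first. A per-source-IP limit alongside the per-account one is the usual next step, since distributed guessing across many accounts is not caught by this version.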

Clearly, there’s still work to be done. Bad passwords are still being cooked up, and reused, though they don’t have to be. If you’d like a short, easy way to pick a proper password, you can watch our video:


And if a website gives you the option to turn on two-factor authentication (2FA or MFA), by all means, turn it on. It will protect you even if you use something like a) “banana” (#97 on this year’s listicle), b) “whatever” (#58), or c) “cookie” (#95).

Maybe SplashData is tired of nagging users, too. Maybe that’s why it released the listicle without a lot of verbiage. Instead, it compiled a video full of imagery, including a) a kid dancing with a banana, b) comedian Mindy Kaling slapping her forehead, c) a bunny stealing a baby’s cookie.

Its pure, simple advice:

Don’t catch your passwords on this list …

Our own pure, simple commentary, based on this joyous season’s not-so-joyous password predictability:

Deck the halls with password failure,
fail fail fail fail fail, fail fail, fail, fail!

Here’s hoping the new year brings us all good health, fewer breaches, and passwords that are as unique as snowflakes!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6BuJWYChc5Q/

What’s behind Putin’s old-school operating system?

When it comes to computing, Vladimir Putin is old-school. Reports surfaced this week that the president of Russia is still using Windows XP as his primary operating system.

Photos released by the 67-year-old world leader’s press service showed the operating system, released in 2001, running on computers in his Kremlin office, along with others at Novo-Ogaryovo, his official residence near Moscow.

Microsoft stopped supporting XP along with Office 2003 in April 2014, only issuing emergency patches for the operating system in 2017 and 2019 to prevent worms from spreading. It means that Putin is using an obsolete OS that Microsoft has long advised people to abandon.

Putin is a noted technophobe with a disdain for smartphones who doesn’t like using the internet either. He’s also no dummy, so before you begin facepalming, it’s worth digging into the detail. First off, he’s a former KGB officer well versed in intelligence and information gathering, and he understands what omnichannel communication does to a leader’s attack surface. Also, when you get to that level of authority, you can just have people come and whisper things to you while you gaze thoughtfully into the distance and stroke the hounds.

The other reason is more procedural. Russia wouldn’t officially allow Putin to use a more up-to-date version of Windows for anything meaningful involving state secrets, according to state documents. XP appears to be the last system certified by the country’s Federal Service for Technical and Export Control (FSTEC). FSTEC extended its own certification of Windows XP until December 2016, but with that date long since past it isn’t clear what happened next. The Service admits in those documents that using XP past the expiry date is dangerous. It explained [translated]:

…the termination of the release of updates for certified versions of the Windows XP operating system in combination with the probable discovery of new vulnerabilities in them will lead to the possibility of realizing threats to the security of confidential information processed in these information systems. In addition, it is forecasted an increase in interest in the Windows XP operating system from certain categories of violators.

FSTEC apparently extended its certification for XP to allow for the introduction of another certified operating system. Russia has long planned to move to its own OS, a version of Linux called Astra, which is now gaining traction. In the meantime, the Service has advised governmental Windows XP users to disconnect from the internet and from corporate LANs, which suggests that Putin might be, like, really into Minesweeper right now.

Russia’s government has taken an increasingly adversarial stance to Western technology of late. In November, it banned the sale of smartphones, computers and smart TVs that don’t have Russian software pre-installed. That came shortly after it signed a law enabling it to control access to content – both inside and outside Russia – if it decides that there is an emergency. That’s effectively a parallel internet that would also enable Russia to raise the drawbridge if it decided that it didn’t like the rest of the internet anymore.

In any case, Putin’s isn’t the only example of a modern institution still using Windows XP. British nuclear submarines do as well, but it’s a special custom version. We also don’t know what FSTEC and its partners might have done to tinker with the version that Putin’s using.

We just really hope that he’s using Office 2000, complete with Clippy, the annoying* virtual avatar that kept butting in to offer unwanted assistance. We can just imagine the message: “It looks like you’re trying to destabilise another country’s democratic process using an army of fake social media accounts. Would you like help?”


* Although someone has a soft spot for Clippy…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qLEmcJPcH-g/

Facebook’s location tracking policy still worries US Senators

In November, US Senators Josh Hawley and Chris Coons wrote to Facebook boss Mark Zuckerberg to ask him an important privacy question – does Facebook continue to track the locations of its users even when they’ve told it not to?

This week, in a reply leaked to The Hill, they got their answer: Yes.

The fuss started with a September change to the wording of Facebook’s policy for gathering location data outlined in the blog in Understanding Updates to Your Device’s Location Settings.

Formulated earlier in 2019 in response to changes in the way Android 10 and iOS 13 manage location settings, Facebook’s explanation of how it planned to manage this going forward sounded ambiguous.

On the one hand it stated:

You’re in control of who sees your location on Facebook. You can control whether your device shares precise location information with Facebook via Location Services, a setting on your phone or tablet.

Clear enough, surely, and yet in the next paragraph, it was qualified:

We may still understand your location using things like check-ins, events and information about your internet connection.

Which anyone who’d read this far would probably have been confused by.

Facebook seems to be allowing users to opt-out of location tracking by one route (GPS, say) while reinstating much of the same tracking through other routes (software events, IP addresses, noticing the Wi-Fi networks someone uses or is near).

Senators Hawley and Coons remain unconvinced. Facebook claims its users are in control of their location privacy, but this is only partly true, said Coons:

The American people deserve to know how tech companies use their data, and I will continue working to find solutions to protect Americans’ sensitive information.

No escape

How should Facebook users who’d rather the company didn’t know their location make sense of this apparent stand-off?

One answer is to be realistic about how today’s internet economy works. Companies like Facebook make their money from advertising and one of the things that matters to advertisers is where a user is located.

That is to say, the adverts these platforms think a Facebook user will be interested in depends on which country, city or even street they are in. Not having this data at all would be a big loss.

Luckily for them, as we’ve already mentioned above, there are lots of ways to get this information.

Many assume GPS is the big reveal but, in fact, another route (which also works indoors) is to infer location by noticing someone’s proximity to local, fixed, Wi-Fi networks and cell towers. Facebook is far from the only company which has found itself in hot water over the privacy implications of this.

A year ago, a 43-strong group of European consumer organisations alleged that Google’s location tracking breaches the EU’s General Data Protection Regulation (GDPR).

This can be curtailed to some extent via Android’s Web and App Activity but most users will either not know to do this or not grasp the implications of ignoring the setting, it was alleged.

Only weeks before, Google and Facebook were hit by separate class action lawsuits in California which claimed both companies continued to collect location data even when users thought they’d turned it off.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2grE-GBLP8Y/

Twitter trolls attack epileptics with seizure-inducing images

On or about 15 December 2016, a troll sent a seizure-inducing GIF via Twitter to an epileptic journalist, Kurt Eichenwald.

The alleged troll, John Rayne Rivello, was indicted for aggravated assault for allegedly triggering an epileptic seizure that caused a complete loss of Eichenwald’s bodily functions and mental faculty and impaired the author, mentally and bodily, for several months.

Last week, three years after the attack on Eichenwald, Rivello was scheduled for a court hearing (which was postponed). He’s expected to plead guilty.

And three years later, during National Epilepsy Awareness Month in November, an army of trolls carried on the assaults, taking over the Epilepsy Foundation’s Twitter handle and hashtags to attack anybody who’s following, the foundation said on Monday:

The attacks, which used the Foundation’s Twitter handle and hashtags to post flashing or strobing lights, deliberately targeted the feed during National Epilepsy Awareness Month when the greatest number of people with epilepsy and seizures were likely to be following the feed.

The foundation says it’s filed formal criminal complaints with law enforcement that describe what it says is a series of attacks on its Twitter feed that are similar to the kind launched against Eichenwald. Eichenwald has said that he received dozens of flashing tweets after the initial attack, and that the FBI was informed of them all.

Jacqueline French, M.D., chief medical and innovation officer of the Epilepsy Foundation and professor of Neurology at NYU Langone Health’s Comprehensive Epilepsy Center, says that while not many people are susceptible to these types of seizures, the results can be severe. Some people aren’t even aware that they’re susceptible until it happens, she said:

Flashing lights at certain intensities or certain visual patterns can trigger seizures in those with photosensitive epilepsy. While the population of those with photosensitive epilepsy is small, the impact can be quite serious. Many are not even aware they have photosensitivity until they have a seizure.

The attacks are particularly vile, given the vast reach of Twitter – like a terrorist attack, they’re designed to target as many people as possible. The organization’s director of legal advocacy, Allison Nichol:

These attacks are no different than a person carrying a strobe light into a convention of people with epilepsy and seizures, with the intention of inducing seizures and thereby causing significant harm to the participants. The fact that these attacks came during National Epilepsy Awareness Month only highlights their reprehensible nature.

The foundation told CNET that it counted at least 30 such attacks. It’s not clear how many people were affected.

A Twitter spokesman told CNET that the platform is committed to making Twitter safer by offering the option of preventing media from autoplaying in users’ Timelines and barring GIFs from appearing when someone searches for “seizure” in GIF search.

If Twitter determines accounts are dedicated to causing offline harm, they will be permanently suspended. We’re exploring additional options to help protect the people on Twitter from this type of abuse.

How to turn off autoplay on Twitter

This is a rather tucked-away setting. Here’s how to find it on desktop browsers:

  1. Log in to Twitter
  2. In the left sidebar, select More
  3. Select Settings and Privacy
  4. In the General section, select Data usage
  5. In the Autoplay section, select Never

In the Twitter mobile app:

  1. Tap on the Your profile icon
  2. Select Settings and Privacy
  3. In the General section, select Data usage
  4. In the Autoplay section, select Never

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SluZeVlpPlA/
