On Q Professional Investigations

Identity surveillance schemes are thriving in developing countries but could “come back to bite” the West if allowed to continue as they are, a leading privacy group has warned.

Speaking at a London conference held by European security group EEMA on Wednesday, Privacy International executive director Gus Hosein told attendees that identity schemes “from the 1990s and 2000s” are “alive and well” in countries like Kenya and Pakistan.

He argued that such systems are problematic because they contain security holes and introduce dependencies on foreign suppliers, as well as social inequality.

More worryingly, they could be used to shape global standards in time if lawmakers decide “if they’re doing it there let’s do it here”, said Hosein.

He said that Western providers had created dependencies in countries like the Democratic Republic of the Congo (DRC), where data from a $200m biometric voting system was required to be stored only in the supplier’s European HQ.

Pakistan’s ID system suffers the same potential privacy risks and dependency, with data stored in a Canadian data center, he added.

“Can we deploy an identity solution which doesn’t create these dependencies? I haven’t seen a convincing system yet,” Hosein commented. “We have to pay attention to these issues or we’ll be taking lessons from the developing world and bringing them home.”

The ideas behind the UK’s abandoned national ID card scheme travelled to India but its attempt to implement a similar program was foiled by a Supreme Court ruling there, which said the system would introduce discrimination, Hosein explained. It then ended up in Rwanda.

SIM registration is another worrisome policy, spreading from African and Mediterranean countries to south-east Asia, introducing inequality, discrimination and social exclusion, he argued.

Hosein also cautioned that whether privacy breaches of such systems are intentionally caused by hacking attacks or accidental, “security is not easy to do”.

Read More

Washington DC July 16 2014 Business travelers have yet another security concern when they are on the road, particularly if they are frequent flyers at their hotels’ business centers.

According to new information reported on Krebs On Security, the U.S. Secret Service is warning business travellers that cyber criminals have been compromising hotel business center PCs with keystroke-logging malware. These programs allow thieves to steal personal and financial data from guests.

According to a non-public advisory for businesses released by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, suspects have already been taken into custody regarding data thefts at several hotels in the Dallas/Forth Worth Area.

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

This is the second entry into the news of a hotel breach. For six months, cyber-attackers breached the credit card payment system at The Houstonian Hotel. During the attack, hackers were able to access account information about an undisclosed number of customers, reports Bank Information Security.

“We have faced very similar breaches in the EU as well,” says Andrew Komarov, a point-of-sale malware expert and CEO of cybersecurity firm IntelCrawler. “There is a pretty big trend of hotels’ receptions’ POS terminals being compromised. Besides payment data, the bad actors can obtain sensitive PII [personally identifiable information] there as well about a hotel’s visitors.”

View Source

Citing a flood of lawsuits from applicants who were denied concealed carry permits because of objections from local law enforcement that were shrouded in secrecy, the Illinois State Police announced Monday that it will require a state review board to give more information about why applications are rejected.

The amendments direct the board to notify an applicant if their application is likely to be denied, giving them an opportunity to refute the objection.

The new rules, filed Thursday as emergency amendments and distributed publicly on Monday, are already in effect, according to the state police.

Under the previous system, the seven-member Concealed Carry Licensing Review Board met behind closed doors to consider objections raised by local officials, including an individual’s arrest record or other run-ins with police that did not result in criminal convictions. If the board sustained an objection, the applicant was notified by mail that their application had been denied, without any explanation as to why. Applicants were told that their only recourse was to take the matter to court, and more than 200 denied applicants sued.

The new rules were put in place less than a week after a Tribune report detailed the issue. State police spokeswoman Monique Bond said the board and the attorney general’s office “have been working on these rules for some time.”

Under the new rules, the board is required to notify an applicant if there is a credible objection to his or her application, give the basis of the objection and identify the agency that brought it. The applicant will have 10 days to respond.

Read More

J. Keith Mularski’s world has expanded greatly since he stopped selling discount furniture to join the FBI in 1998. Especially since he transferred from Washington, D.C., in 2005 to fill a vacancy in the Pittsburgh field office’s cyber squad — which he now heads.

Since then, Supervisory Special Agent Mularski has been recognized as a foremost expert on cyber crime. His profile has risen even more since the Justice Department used Mularski’s sleuthing to bring two indictments with worldwide ramifications.

In May, five Chinese Army intelligence officers were charged with stealing trade secrets from major manufacturers including U.S. Steel, Alcoa and Westinghouse.

In June, a Russian man was charged with leading a ring that infected hundreds of thousands of computers with identity-thieving software, then using the stolen information to drain $100 million from bank accounts worldwide.

Mularski, 44, said in April during an oral history interview for the National Law Enforcement Museum that he became a furniture salesman out of college because jobs were hard to come by then. He spent about five years in the business before joining the FBI.

“I was in private industry beforehand. But I’ve kind of always liked computers,” Mularski told The Associated Press during a recent interview.

All 56 FBI field offices have cyber squads. Mularski chose Pittsburgh largely because of family considerations — he grew up in suburban White Oak, the son of a steelworker.

“It kind of looked like cyber was the wave of the future,” Mularski said. “The majority of all my computer training was just on-the-job training at the bureau.”

It has proved remarkably effective.

Even before the Chinese and Russian cases made worldwide headlines, Mularski was making cyber waves.

He made his reputation infiltrating Dark Market in 2006. The worldwide Internet forum allowed crooks to buy and sell stolen identity and credit card information.

Mularski infiltrated the network by pretending to be a notorious Polish computer hacker using the screen name “Master Splyntr” — a takeoff on the cartoon rat who guides the Teenage Mutant Ninja Turtles.

Mularski was inspired while watching the cartoon character with his young son: “He’s a rat that lives underground. It was perfect,” he said.

Mularski befriended the criminal mastermind behind the site and persuaded him to let Mularski move the operation onto new computer servers. The servers happened to belong to the FBI, which led to more than 60 arrests worldwide.

Misha Glenny, a British journalist who specializes in cyber crime, wrote a book about the case called “Dark Market, How Hackers Became the New Mafia.”

“Keith Mularski is not without technical ability, but his real talent lies in convincing experienced cyber criminals that he is one of them and not a law enforcement officer,” Glenny told the AP.

His aw-shucks demeanor also makes him an ideal team player.

“He has an understanding of the whole grid, and then he develops relationships, whether it’s with victims, the private sector, and our international partners,” said David Hickton, the U.S. attorney in Pittsburgh.

Those partnerships are important because the United States doesn’t have extradition treaties to bring the Chinese and Russian suspects here for prosecution. Those defendants could be arrested if they travel into areas that cooperate with the U.S., but Hickton and Mularski said that’s not the only purpose served by those indictments.

“The best result is to be able to get cuffs on a guy,” Mularski said. “But you have to measure how you can impact each (criminal) organization.”

In the Russian case, Mularski got a federal judge in Pittsburgh to allow the Justice Department to monitor some 350,000 computers infected with malicious software, so the thievery could be stopped.

The Chinese indictment, meanwhile, was a “put up” to the Chinese government’s rumblings that the U.S. government should “shut up” about ongoing cyberspying allegations unless they could be proved, Mularski said.

Some cases produce a more tangible result.

Read More

WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use.

In response to questions about the matter, a senior Department of Homeland Security official confirmed that the attack had occurred but said that “at this time,” neither the personnel agency nor Homeland Security had “identified any loss of personally identifiable information.” The official said an emergency response team was assigned “to assess and mitigate any risks identified.”

One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government. Its disclosure comes as a delegation of senior American officials, led by Secretary of State John Kerry, are in Beijing for the annual Strategic and Economic Dialogue, the leading forum for discussion between the United States and China on their commercial relationships and their wary efforts to work together on economic and defense issues.

Computer intrusions have been a major source of discussion and disagreement between the two countries, and the Chinese can point to evidence, revealed by Edward J. Snowden, that the National Security Agency went deep into the computer systems of Huawei, a major maker of computer network equipment, and ran many programs to intercept the conversations of Chinese leaders and the military.

American officials say the attack on the Office of Personnel Management was notable because while hackers try to breach United States government servers nearly every day, they rarely succeed. One of the last attacks the government acknowledged occurred last year at the Department of Energy. In that case, hackers successfully made off with employee and contractors’ personal data. The agency was forced to reveal the attack because state disclosure laws force entities to report breaches in cases where personally identifiable information is compromised. Government agencies do not have to disclose breaches in which sensitive government secrets, but no personally identifiable information, has been stolen.

Read More

CHICAGO (WLS) — The ABC7 I-Team investigates a new law enforcement technology trend sweeping through the Chicago area. Local departments are gearing up with new tools designed to help fight crime in real time.

From cameras to wearable computers, new gadgets are not just helping you update your Facebook feed- they’re becoming vital tools for law enforcement.

New police gear is popping up across the Chicago area, from body-worn cameras at the Lake County Jail to new Taser cams carried by state police troopers. But is enough being done to look out for your privacy?

Chief Deputy Mike Walker’s traffic stops just got a brand new step. As he approaches a speeder, he flips a switch on his chest to turn on his new body-worn camera.

“We use them on all of the calls that we go to,” said Chief Deputy Walker, Dewitt County Sheriff’s Department.

Dash cams have been law enforcement tools for years, but now, police officers are being outfitted with wearable technology. The first step for many departments statewide lately has been body-worn cameras that catch in real time what’s really happening at a crime scene or on a hectic call.

“They don’t have to rely on what they’ve written down or their memory, they’ve got it on video,” said Chief Deputy Walker.

A tiny camera called the VievU, even helped Central Illinois’ Dewitt County Corrections officers catch an inmate who was faking shoulder problems.

“Well shortly after he went and had seen the nurse, one of our correctional officers observed him doing pushups in the cell so she turned on her VievU camera and got the video of that,” said Chief Deputy Walker.

Read More

Doris Teno, of Rockford, admits panicking when she recently took a call from someone claiming to be with the Treasury Department who complained that she and her husband hadn’t properly filed their taxes for 2010.

He told her she had to pay him $1,000 or the U.S. marshal would arrive at her house to arrest her and seize her properties.

“He threatened me, since I wasn’t cooperating,” she recalled. “And then he said he’d arrest my husband too.”

Teno was one of thousands nationwide targeted by scammers who pose in calls or emails as Treasury or Internal Revenue Service officials threatening arrest, deportation or loss of property, authorities say.

The thieves seek personal identification information, money orders or prepaid credit or debit cards in order to void the phony arrest warrants, according to Thomas Bruton, clerk of the U.S. District Court for the Northern District of Illinois.

The Better Business Bureau of Chicago and Northern Illinois estimated that victims have lost a combined $1 million.

The scammers claim to have arrest warrants for offenses ranging from missed jury duty to bank fraud and money laundering. The bogus warrants display logos of unspecified district courts and false case numbers.

The Better Business Bureau said wrongdoers leave voice mail messages warning victims to immediately contact the IRS or face legal consequences. Other voice mails have threatened arrest by deputy marshals for failure to pay taxes in full.

Read More

If you’re a Comcast cable customer, your home’s private Wi-Fi router is being turned into a public hotspot.

It’s been one year since Comcast (CMCSA) started its monster project to blanket residential and commercial areas with continuous Wi-Fi coverage. Imagine waves of wireless Internet emitting from every home, business and public waiting area.

Comcast has been swapping out customers’ old routers with new ones capable of doubling as public hotspots. So far, the company has turned 3 million home devices into public ones. By year’s end it plans to activate that feature on the other 5 million already installed.

Anyone with an Xfinity account can register their devices (laptop, tablet, phone) and the public network will always keep them registered — at a friend’s home, coffee shop or bus stop. No more asking for your cousin’s Wi-Fi network password.

But what about privacy? It seems like Comcast did this the right way.t’s potentially creepy and annoying. But the upside is Internet everywhere.

Outsiders never get access to your private, password-protected home network. Each box has two separate antennae, Comcast explained. That means criminals can’t jump from the public channel into your network and spy on you.

And don’t expect every passing stranger to get access. The Wi-Fi signal is no stronger than it is now, so anyone camped in your front yard will have a difficult time tapping into the public network. This system was meant for guests at home, not on the street.

As for strangers tapping your router for illegal activity: Comcast said you’ll be guilt-free if the FBI comes knocking. Anyone hooking up to the “Xfinity Wi-Fi” public network must sign in with their own traceable, Comcast customer credentials.

Still, no system is foolproof, and this could be unnecessary exposure to potential harm. Craig Young, a computer security researcher at Tripwire, has tested the top 50 routers on the market right now. He found that two-thirds of them have serious weaknesses. If a hacker finds one in this Comcast box, all bets are off.

“If you’re opening up another access point, it increases the likelihood that someone can tamper with your router,” he said.

Read More

But this time he’s wearing Google Glass — and he’s after your iPad PIN.

Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google’s face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn’t even need to be able to read the screen — meaning glare is not an antidote.

The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode.

They tested the algorithm on passwords entered on an Apple (AAPL, Tech30) iPad, Google’s (GOOGL, Tech30) Nexus 7 tablet, and an iPhone 5.

Why should you be worried?

“We could get your bank account password,” researcher Xinwen Fu said.

The software can be applied to video taken on a variety of devices: Fu and his team experimented with Google Glass, cell phone video, a webcam and a camcorder. The software worked on camcorder video taken at a distance of over 140 feet.

Of course, pointing a camcorder in a stranger’s face might yield some suspicion. The rise of wearable technology is what makes this approach actually viable. For example, a smartwatch could stealthily record a target typing on his phone at a coffee shop without drawing much attention.

Fu says Google Glass is a game-changer for this kind of vulnerability.

“The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video … they see your finger, the password is stolen,” Fu said.

Google says that it designed Glass with privacy in mind, and it gives clear signals when it is being used to capture video.

“Unfortunately, stealing passwords by watching people as they type them into ATMs and laptops is nothing new,” said Google spokesman Chris Dale. “The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.”

Read More

KNOXVILLE (WATE) - A new Tennessee law that went into effect Tuesday will allow anyone who witnesses a child locked inside a hot car to break out the window and get the child to safety.

To show just how fast your car can heat up we decided to track the heat ourselves. We placed a thermometer in the back seat of a car at 4:00 pm. Tuesday afternoon. When we put the thermometer in the car, it read 91 degrees.

After 90 minutes in the back seat, the temperature rose to 108 degrees.

Authorities say the inside of a car can heat up and become deadly for a child in as little as 20 minutes.

It’s a parent’s worst nightmare forgetting your child in the backseat. Kristie Cavaliero and her husband never imagined it could happen to them but it did one morning when they changed their routine.

“In May of 2011, we lost our one year old daughter Sophia Ray when her father forgot to drop her off at day care one morning,” said Cavaliero.

Three hours had passed when they realized the mistake.

“It’s literally a perpetual nightmare, because you live everyday knowing that one of your children is missing at the dinner table,” said Cavaliero.

Cavaliero is now involved with KidsandCars.org a nonprofit child safety organization dedicated to preventing injuries and death to children in or around cars. The organization is in support of Tennessee’s new law allowing people to break into a car to rescue a trapped child.

“In the past people have been hesitant to take action when they do see a child left unattended in a car,” said Cavaliero.

Read More