An $80 Million Cyber Crime in 1999 Foreshadowed Modern Threats

Two decades ago, computer viruses—and public awareness of the tricks used to unleash them—were still relatively new notions to many Americans.

One attack would change that in a significant way.

In late March 1999, a programmer named David Lee Smith hijacked an America Online (AOL) account and used it to post a file on an Internet newsgroup named “alt.sex.” The posting promised dozens of free passwords to fee-based websites with adult content. When users took the bait, downloading the document and then opening it with Microsoft Word, a virus was unleashed on their computers.

On March 26, it began spreading like wildfire across the Internet.

The Melissa virus, reportedly named by Smith for a stripper in Florida, started by taking over victims’ Microsoft Word program. It then used a macro to hijack their Microsoft Outlook email system and send messages to the first 50 addresses in their mailing lists. Those messages, in turn, tempted recipients to open a virus-laden attachment by giving it such names as “sexxxy.jpg” or “naked wife” or by deceitfully asserting, “Here is the document you requested … don’t show anyone else ;-) .” With the help of some devious social engineering, the virus operated like a sinister, automated chain letter.

The virus was not intended to steal money or information, but it wreaked plenty of havoc nonetheless. Email servers at more than 300 corporations and government agencies worldwide became overloaded, and some had to be shut down entirely, including at Microsoft. Approximately one million email accounts were disrupted, and Internet traffic in some locations slowed to a crawl.

Within a few days, cybersecurity experts had mostly contained the spread of the virus and restored the functionality of their networks, although it took some time to remove the infections entirely. Along with its investigative role, the FBI sent out warnings about the virus and its effects, helping to alert the public and reduce the destructive impacts of the attack. Still, the collective damage was enormous: an estimated $80 million for the cleanup and repair of affected computer systems.

Finding the culprit didn’t take long, thanks to a tip from a representative of AOL and nearly seamless cooperation between the FBI, New Jersey law enforcement, and other partners. Authorities traced the electronic fingerprints of the virus to Smith, who was arrested in northeastern New Jersey on April 1, 1999. Smith pleaded guilty in December 1999, and in May 2002, he was sentenced to 20 months in federal prison and fined $5,000. He also agreed to cooperate with federal and state authorities.

The Melissa virus, considered the fastest spreading infection at the time, was a rude awakening to the dark side of the web for many Americans. Awareness of the danger of opening unsolicited email attachments began to grow, along with the reality of online viruses and the damage they can do.

Read More

Facebook shuts down 1 million accounts per day but can’t stop all ‘threats

Menlo Park California Aug 26 2017Facebook turns off more than 1 million accounts a day as it struggles to keep spam, fraud and hate speech off its platform, its chief security officer says.

Still, the sheer number of interactions among its 2 billion global users means it can’t catch all “threat actors,” and it sometimes removes text posts and videos that it later finds didn’t break Facebook rules, says Alex Stamos.

“When you’re dealing with millions and millions of interactions, you can’t create these rules and enforce them without (getting some) false positives,” Stamos said during an onstage discussion at an event in San Francisco on Wednesday evening.

Stamos blames the pure technical challenges in enforcing the company’s rules — rather than the rules themselves — for the threatening and unsafe behavior that sometimes finds its way on to the site.

Facebook has faced critics who say its rules for removing content are too arbitrary and make it difficult to know what types of activity it will and won’t allow.

Political leaders in Europe this year have accused it of being too lax in allowing terrorists to use Facebook to recruit and plan attacks, while a U.S. Senate committee last year demanded to know its policies for removing fake news stories, after accusations it was arbitrarily removing posts by political conservatives.

Free speech advocates have also criticized its work.

“The work of (Facebook) take-down teams is not transparent,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, which advocates for free speech online.

“The rules are not enforced across the board. They reflect biases,” says Galperin, who shared the stage with Stamos at a public event that was part of Enigma Interviews, a series of cybersecurity discussions sponsored by the Advanced Computing Systems Association, better known as USENIX.

Stamos pushed back during the discussion, saying “it’s not just a bunch of white guys” who make decisions about what posts to remove.

Read More

Justices Adopt New Privacy Rules for Cellphone Tracking

The Supreme Court says police generally need a search warrant if they want to track criminal suspects’ movements by collecting information about where they’ve used their cellphones.

The justices’ 5-4 decision Friday is a victory for privacy in the digital age. Police collection of cellphone tower information has become an important tool in criminal investigations.

The outcome marks a big change in how police can obtain phone records. Authorities can go to the phone company and obtain information about the numbers dialed from a home telephone without presenting a warrant.

Chief Justice John Roberts wrote the majority opinion, joined by the court’s four liberals.

Roberts said the court’s decision is limited to cellphone tracking information and does not affect other business records, including those held by banks.

He also wrote that police still can respond to an emergency and obtain records without a warrant.

Justices Anthony Kennedy, Samuel Alito, Clarence Thomas and Neil Gorsuch dissented. Kennedy wrote that the court’s “new and uncharted course will inhibit law enforcement” and “keep defendants and judges guessing for years to come.”

The court ruled in the case of Timothy Carpenter, who was sentenced to 116 years in prison for his role in a string of robberies of Radio Shack and T-Mobile stores in Michigan and Ohio. Cell tower records that investigators got without a warrant bolstered the case against Carpenter.

Investigators obtained the cell tower records with a court order that requires a lower standard than the “probable cause” needed to obtain a warrant. “Probable cause” requires strong evidence that a person has committed a crime.

Read More

Apple Closing iPhone Security Gap Used by Law Enforcement

Apple is closing a security gap that allowed outsiders to pry personal information from locked iPhones without a password, a change that will thwart law enforcement agencies that have been exploiting the vulnerability to collect evidence in criminal investigations.

The loophole will be shut down in a forthcoming update to Apple’s iOS software, which powers iPhones.

Once fixed, iPhones will no longer be vulnerable to intrusion via the Lightning port used both to transfer data and to charge iPhones. The port will still function after the update, but will shut off data an hour after a phone is locked if the correct password isn’t entered.

The current flaw has provided a point of entry for authorities across the U.S. since the FBI paid an unidentified third party in 2016 to unlock an iPhone used by a killer in the San Bernardino, California, mass shooting a few months earlier. The FBI sought outside help after Apple rebuffed the agency’s efforts to make the company create a security backdoor into iPhone technology.

Apple’s refusal to cooperate with the FBI at the time became a political hot potato pitting the rights of its customers against the broader interests of public safety. While waging his successful 2016 campaign, President Donald Trump ripped Apple for denying FBI access to the San Bernardino killer’s locked iPhone.

In a Wednesday statement, Apple framed its decision to tighten iPhone security even further as part of its crusade to protect the highly personal information that its customers store on their phones.

CEO Tim Cook has hailed privacy as a “fundamental” right of people and skewered both Facebook and one of Apple’s biggest rivals, Google, for vacuuming up vast amounts of personal information about users of their free services to sell advertising based on their interests. During Apple’s 2016 battle with the FBI, he called the FBI’s effort to make the company alter its software a “dangerous precedent” in an open letter.

Read More

Cyber attackers target state of Indiana, 144 universities

Nine Iranians were accused Friday of orchestrating years of cyberattacks on U.S. government agencies, the state of Indiana and hundreds of universities and businesses here and abroad in one of the largest state-sponsored hacking cases ever charged by the Justice Department.

A series of federal indictments and financial sanctions against Iranian individuals were announced by Deputy US Attorney General Rod Rosenstein, charging cyber activity against the United States. Federal prosecutors say the Iranians and an Iranian hacker network called the Mabna Institute illegally accessed Indiana state government computers and the computer systems of 144 U.S. universities.

Rosenstein and Justice Dept. officials would not name the 144 universities targeted by hackers in Iran, but numerous Midwestern universities are popular U.S. college destinations for Iranian students, including University of Illinois. At U of I, Iranian enrollment has jumped in recent years.

Federal agents said the hackers gained access to university databases and college library systems by using stolen login credentials belonging to university professors.

A spokesperson for U of I told the I-Team that as far as she knows, Illinois’ flagship university was not among those hacked.

American government officials said they’ve determined that the nine Iranians, in cooperation with the Islamic Revolutionary Guard Corps, were behind the hacking effort.

Investigators found 320 universities around the world were attacked along with several U.S. government entities, including the Department of Labor, United Nations, and the Federal Energy Regulatory Commission, they said. The Iranians allegedly targeted more than 100,000 email accounts of professors around the world. About half of the 8000 compromised accounts belonged to professors at U.S. universities.

Read More

Equifax says 143m Americans’ social security numbers exposed in hack

Credit monitoring company Equifax says a breach exposed the social security numbers and other data of about 143 million Americans.

After discovering the breach, but before notifying the public, three Equifax senior executives sold shares in the company worth almost $1.8m. Since the public announcement, the company’s share price has tumbled.

The Atlanta-based company said Thursday that “criminals” exploited a US website application to access files between mid-May and July of this year.

It said consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers were exposed. Credit card numbers for about 209,000 US consumers were also accessed.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said the company’s chairman and CEO Richard Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

The company said hackers also accessed some “limited personal information” from British and Canadian residents.

Equifax said it doesn’t believe that any consumers from other countries were affected.

Such sensitive information can be enough for crooks to hijack people’s identities, potentially wreaking havoc on the victims’ lives.

Financial institutions, landlords and other businesses draw on data from credit monitoring companies like Equifax to verify people’s identity and ensure they are suitable for leases and loans. This breach has given cybercriminals a treasure trove of data to assume the identities of those affected and carry out fraudulent transactions in their name.

“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”

Ryan Kalember, from cybersecurity company Proofpoint said: “This has really called into question the entire model of how we authenticate ourselves to financial institutions. The fact that we still use things like mother’s maiden name, social security number and date of birth is ridiculous.”

The breach could also undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.

Equifax discovered the hack 29 July, but waited until Thursday to warn consumers. In the interim, as first reported by Bloomberg, chief financial officer John Gamble sold shares worth $946,374 and president of US information solutions Joseph Loughran exercised options to sell stock worth $584,099. President of workforce solutions Rodolfo Ploder also sold stock worth $250,458.

Ines Gutzmer, head of corporate communications for Equifax, said: “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

Read More

A Look at Romanian ‘Hackerville’ Reveals Human Element of Cybercrime

“Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Cybercrime if often thought of as something that only happens within the generalized, invisible space of the internet. It is seen as virtual rather than physical, and those who commit cybercrime are thought of as anonymous individuals whose activities are all within the confines of the web. Run an image search for “hacker” or “cybercriminal” and you will see plenty of pictures of people with their faces hidden by hoods or masks, sitting alone in a dark room in front of a computer. But what if, instead of a hooded loner, the universal image of cybercrime was that of a group of neighbors in an impoverished part of the world, gathered together at a local cafe?

The latter is a new picture of cybercrime that researchers Jonathan Lusthaus and Federico Varese hope to make more people aware of in their recent paper “Offline and Local: The Hidden Face of Cybercrime.” The co-authors, working on the Human Cybercriminal Project out of the sociology department of the University of Oxford, traveled to Romania in 2014 and 2015 to study the oft-ignored real-world aspect of cybercrime in an area known to be a hub for one specific form of this crime—cyber fraud.

“Hackerville”

The town of Râmnicu Vâlcea, which has a population of around 100,000, has faced some economic setbacks in the last decade, including the loss of a major employer, a chemical plant; in addition, the average monthly salary in Romania as a whole (in 2014) was only €398 compared to €1,489 across the European Union. However, upon arriving in town, Lusthaus and Varese found themselves surrounded by luxury cars, “trendy” eateries, and shopping malls stocked with designer clothes and electronics. Though Râmnicu Vâlcea is poor “on paper,” the town seemed to be thriving, and interviews with Romanian law enforcement agents, prosecutors, cybersecurity professionals, a journalist, a hacker, and a former cybercriminal would soon give the researchers a clue as to why that might be.

“It was rumored that some 1,000 people (in Râmnicu Vâlcea) are involved almost full-time in internet fraud,” Varese told me, explaining why the town sometimes nicknamed “Hackerville” became a key target of their research (although the authors point out, in their paper, that the more accurate term would be “Fraudville,” as scams are focused more on the sale of fake goods than hacking or the spread of malware).

Varese said major findings from their interviews in Râmnicu Vâlcea as well as the Romanian cities of Bucharest and Alexandria were that cybercriminals knew each other and interacted with each other at local meeting spots offline, such as bars and cafes; that they operated in an organized fashion with different people filling different roles; that many in the town were aware of the organized crime but either didn’t say anything or sought to become involved themselves; and that there have been several cases throughout the years of corrupt officials, including police officers, who accepted bribes from the fraudsters and allowed them to perpetuate their schemes without interference.

“These are almost gangs,” Varese said. “They are not the individual, lonely, geeky guy in his bedroom that does the activities, but it’s a more organized operation that involves some people with technical skills and some people who are just basically thugs.”

The paper describes a culture of local complacency, often under threat of violence by a network of seasoned cybercriminals. This picture is far from that of the anonymous, faceless hacker many have come to envision, and instead reveals how internet crime can become embedded in specific populations.

“Most people think of cybercrime as being a global, international sort of liquid problem that could be anywhere and could come at you from anywhere,” Varese said. “In fact, the attacks—the cybercrime attacks or the cyber fraud—really come from very few places disproportionately. So cybercrime is not randomly distributed in the world. It’s located in hubs.”

Cultural and Human Factors

I asked Varese two major questions—why Romania and why cybercrime, as opposed to other forms of profitable crime? He responded that a look at the country’s history reveals why, instead of weapons or drugs, criminals in Romania might turn instead to their computers.

“Romania is a very special place. Mainly because, during the dictatorship of Nicolae Ceaușescu—that was the communist dictator that ruled Romania from the 60s to the 90s—he emphasized the importance of technical education, and especially IT,” Varese explained. “There was a very good technical basis among people. When the internet arrived, a lot of Romanians built up their own micro-networks. And so it turns out that when the regime fell, Romania turned out to be a country which was very, very well-connected.”

The high level of technical education, combined with a high level of poverty and a high level of corruption—as shown in the paper, which points out that Romania’s score on Transparency International’s 2016 Corruption Perceptions Index is only 48 out of possible 100—created a perfect storm for a culture of cybercrime to grown, Varese said.

But Romania is not the only place where cybercrime is highly concentrated and where online activities are strongly tied to offline factors. Varese identifies Vietnam in Asia, Nigeria in Africa and Brazil in the Americas as three other cybercrime hubs. Varese and his coauthor also plan to take their future research to Eastern Europe, where “corruption and the technical and economic of legacy of communism” have created “a highly conducive environment for cybercrime,” their paper states.

Varese hopes this sociological research will help authorities recognize and manage the human element of cybercrime that is often ignored in the fight against online threats.”

Read More

This $18 key can protect you from hackers

By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.

For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.

YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.

You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.

Security researchers say Yubikey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust.

Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.

Facebook added support for the security key in January.

“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.

It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.

“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”

Read More

Ancestry.com Helps Family of Dead Boy Find Man Posing as Him

“A Pennsylvania man who assumed the identity of a baby who died in Texas in 1972 has been arrested on charges of Social Security fraud and aggravated identity theft after the baby’s aunt discovered the ruse on Ancestry.com.

Jon Vincent, 44, was arrested in Lansdale, near Philadelphia, on Monday, but had also lived near Pittsburgh and York, Pennsylvania since 2003 — after first obtaining a Social Security card in the name Nathan Laskoski in 1996, federal prosecutors said. Vincent remained jailed Wednesday, when a federal magistrate ordered him to appear for arraignment May 2.

The real Nathan Laskoski died in December 1972, two months after he was born near Dallas. Vincent stole the dead child’s identity after escaping from a Texas halfway house in March 1996, and used the dead baby’s identity to start another life, prosecutors said. The Texas conviction was for indecency with a child, though the precise sentence Vincent was serving wasn’t immediately clear, said Michele Mucellin, a spokeswoman for the U.S. Attorney’s Office in Philadelphia.

Vincent lived in also lived in Mississippi and Tennessee under his assumed name, holding jobs, getting drivers’ licenses and even getting married and divorced as Laskoski before the scheme unraveled late last year, according to online court records.

That’s when Laskoski’s aunt did a search on Ancestry.com, a genealogy website.

In researching her family tree, Nathan Laskoski’s name came up as a “green” leaf on the website, which led to public records suggesting he was alive. The aunt told Laskoski’s mother, who did more research and learned that someone had obtained a Social Security card under her son’s name in Texas, as well as finding public marriage and divorce records, Laskoski’s mother filed an identity theft complaint with the Social Security Administration.

An investigator from the SSA’s Office of Inspector General took it from there in January, court records show.

Read More

Miami Student Sentenced for Cyberstalking on Facebook and Instagram

“A Miami student was sentenced yesterday for cyberstalking on Facebook and Instagram.

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and George L. Piro, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, made the announcement.

Kassandra Cruz, 23, of Miami, Florida, was sentenced by U.S. District Judge Frederico A. Moreno to 22 months in prison, followed by three years of supervised release, a $100 special assessment, and $2,178.32 in restitution, stemming from her conviction on one count of cyberstalking, in violation of Title 18, United States Code, Section 2261(A)(2)(B).

According to court documents, beginning in June 2015, victim “S.B.” received a “friend” request from Cruz on her Instagram and Facebook accounts. In an effort to gain “S.B.’s” friendship, Cruz created a false persona on her Instagram account wherein she portrayed herself as a male who was an active duty U.S. Marine. Under that ruse, “S.B.” accepted the friend request.

From late June 2015 until September 2015, Cruz, posing as Giovanni, “liked” and commented on pictures “S.B.” posted on both her Instagram and Facebook accounts. However, when “S.B.” noticed that Cruz had begun “following” and “liking” all of her friends pages and posts, she became suspicious and “blocked” and “unfollowed” Cruz from her social media accounts.

As a result, Cruz threatened that “S.B.” would face repercussions at her job and with her family if she did not comply, and specifically threatened to expose “S.B.’s” past via social media. The threats to “S.B.” persisted from Cruz on social media and later via text messaging, and Cruz ultimately demanded on multiple occasions $100,000 in exchange for no further contact, adding that she “knew where “S.B.’s family lived and they should watch their backs because someone would be heading to…to deal with them.” In total, “S.B.” received over 900 unwanted calls and text messages since the beginning of 2016, and the extortionate and threatening messages continued until late April 2016. Ultimately, Cruz was arrested and taken into custody during a pre-arranged meeting in Miami.

Mr. Ferrer commended the investigative efforts of the FBI. This case is being prosecuted by Assistant U.S. Attorneys Jodi L. Anton and Francis Viamontes.

View Source