Op-Ed: Doing “God’s Work” from the “Dark Side”

“Prosecutors like to say they are “doing God’s work” by representing the interests of victims. An ex-prosecutor I interviewed for my book, Making a Case for Innocence, used those words when I asked her why some prosecutors are willing to lie or hide evidence to get a conviction, and why some prosecutors seem more focused on winning cases than getting to the truth.

“At the end of the day, we want justice,” she said.

A vague answer, at best.

Still, it might explain the tunnel vision I see infecting some prosecutors: Too many of them seem so driven in their mission to “put the bad guys away,” that they become overconfident in their rightness and are tempted to bend the rules—all to ensure a “mission accomplished.”

I admit, it rubs me the wrong way when a government employee suggests that justice is only served by a conviction. Putting “bad guys” away is all well and fine, but some prosecutors seem to forget that not everyone sitting at the defendant’s table is a “bad guy.”

To a degree, it’s a problem of philosophy: Many prosecutors are in the business of pursuing guilt, so they see it everywhere. To a hammer, everything looks like a nail. And many police departments view themselves more as law enforcers than as society’s protectors, or as crime preventers.

Meanwhile, many criminal defense attorneys and investigators feel as strongly as prosecutors do that they are doing “God’s work.” By protecting the rights of people charged with crimes, they counterbalance the power of prosecutors and police, and thus, make our system fairer for all.

We don’t know the exact number of innocent people currently incarcerated, but we can estimate based on exoneration rates:”

Read More

How New Tech Knows If a Fingerprint Is ‘Alive’

“It’s a classic, if gruesome, staple of Hollywood action movies. The villain, desperate to gain access to the secret government vault, tricks the biometric security system by opening the door with the severed finger — or dangling eyeball — of the security guard.

In the real world, fake fingerprints and other forms of biometric spoofing pose serious challenges to the security community. Just this week, a team of Japanese researchers proved how easy it is to copy someone’s fingerprints from a “peace” sign selfie. A few years back, a hacker scanned the fingerprints of the German defense minister using a publically available press photo. The same hacker once fashioned a fake thumb out of wood glue to fool Apple’s Touch ID sensor.

But before you toss your new iPhone out the window or put on gloves every time you take a selfie, you might want to hear about a new technology that can tell if a biometric image like a fingerprint or an iris scan is really “alive.”

Matthew Valenti is the West Virginia University site director for the Center for Identification Technology Research, a multi-institution collaboration that has developed and patented anti-spoofing technology based on something called liveness detection.

“There are subtle features that are only present in a living person,” Valenti told Seeker. “Your fingers, for example, have tiny pores in them, and the signal processing algorithms used to scan your fingerprint can look for the presence of sweat in your pores. A spoof wouldn’t have that.”

Valenti’s colleague Stephanie Schuckers at Clarkson University is a pioneering researcher in liveness detection. She has tested her perspiration algorithms against fake fingers made out of wax and Play-Doh, and also a few dozen cadaver fingers from the morgue. Schuckers’ algorithms are the core technology behind NexID Biometrics, a private company claiming that its software can spot a fake fingerprint with 94 percent to 98 percent accuracy.

Still, liveness detection is so new that you won’t even find it on the latest biometric gadgets like the new MacBook Pro. So should we be concerned that hackers and identity thieves are scouring Instagram looking for fingerprints to steal?”

Read More

NW suburban families file lawsuit in transgender locker room case

A group of 51 suburban families filed a federal lawsuit against their Illinois school district, the U.S. Department of Education and the U.S. Justice Department on Wednesday, alleging that the district is violating students’ privacy and safety by allowing transgender students to use restrooms and locker rooms of the gender with which they identify.

Northwest suburban Township High School District 211 was forced to do so by the Department of Education, which charged that not accommodating the locker room choice of one transgender student who filed a complaint with the federal agency was a violation of Title IX, which prohibits discrimination on the basis of sex.

But the lawsuit filed by Alliance Defending Freedom and the Thomas More Society, on behalf of the 73 parents and 63 students, maintains that the 1972 federal law actually authorizes schools to retain single-sex restrooms and locker rooms, and Title IX is being unlawfully redefined by the Department of Education, which has overstepped into Congress’ purview in broadening its interpretation.

“Protecting students from inappropriate exposure to the opposite sex is not only perfectly legal, it’s a school district’s duty,” said Jeremy Tedesco, senior counsel of Alliance Defending Freedom.

“Allowing boys into girls’ locker rooms, a setting where girls are often partially or fully unclothed, is a blatant violation of student privacy.

The school district should rescind its privacy-violating policies, and the court should order the Department of Education to stop bullying school districts with falsehoods about what federal law requires.”

Read More

Roses are red, violets are blue, Valentine’s Day means DDoS for you

“Net scum have bashed florists with distributed denial of service attacks over Valentine’s Day in a bid to extract ransoms, security analysts say.

The attacks affected almost a dozen florists who were customers of security company Incapsula, and likely many others not monitored by the firm.

Security bods Ofer Gayer and Tim Matthews say one of their florist customers received a ransom note after a distributed denial of service attack.

“Of those sites (with inflated traffic), 23 per cent showed a sharp increase in attack traffic,” the pair say.

“There does not appear to be a trend in attacks against all online florists, but rather targeted attacks.”

Some sites received attacks that sent a flood of over 20,000 requests a second. In one instance the content distribution network provider counted the attack as legitimate traffic, bringing down the site “with a great loss of revenue”.

Attackers are in some instances attempting to exploit the Shellshock vulnerability against florists in a bid to breach the sites.

Distributed denial of service attacks are a common extortion tool in the lead up to big public events. Betting companies are understood to routinely pay off attackers who threaten to knock the sites offline during major sporting events.”

View More

26 Mobile Phone Models Contain Pre-Installed Spyware

Over 190.3 million people in the US own smartphones, but many do not know exactly what a mobile device can disclose to third parties about its owner. Mobile malware is spiking, and is all too often pre-installed on a user’s device.

Following its findings in 2014 that the Star N9500 smartphone was embedded with extensive espionage functions, G DATA security experts have continued the investigation and found that over 26 models from some well-known manufacturers including Huawei, Lenovo and Xiaomi, have pre-installed spyware in the firmware.

However, unlike the Star devices, the researchers suspect middlemen to be behind this, modifying the device software to steal user data and inject their own advertising to earn money.

“Over the past year we have seen a significant increase in devices that are equipped with firmware-level spyware and malware out of the box which can take a wide range of unwanted and unknown actions including accessing the Internet, read and send text messages, install apps, access contact lists, obtain location data and more—all which can do detrimental damage,” said Christian Geschkat, G DATA mobile solutions product manager.

Further, the G DATA Q2 2015 Mobile Malware Report shows that there will be over two million new malware apps by the end of the year.

During the second quarter of 2015, researchers saw 6,100 new malware samples every day. By comparison, in the first quarter of 2015, they saw about 4,900 malware apps per day, representing an increase of almost 25% quarter over quarter.

Additionally, the first six months of 2015 has already broken all previous malware records—over a million new Android malware strains (1,000,938) were discovered within just six months. In those six months, the analysts have already discovered almost as many Android malware instances as in the whole of 2013.

“An estimated 2.5 billion people worldwide use a smartphone or tablet to go online. Chatting, surfing and shopping are possible anytime, anywhere thanks to smartphones and tablets. At the same time, the number of mobile malware apps has sharply increased in the past three years,” added Geschkat.

In the second half of 2015, G DATA security experts expect yet another significant increase in Android malware instances—in tandem with that malware becoming more refined.

“Hacking Team, an IT company that develops a wide range of malware for intelligence services and governments, suffered a cyber-attack this year,” the report noted. “After this attack, corporate data and source code for an Android malware strain were published. G DATA security experts expect cyber criminals to exploit this easily accessible knowledge base and publish large numbers of more mature Android malware.”

View Source

How To Avoid Collateral Damage In Cybercrime Takedowns

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is way to shut down malicious servers and infrastructure without affecting innocent users.
Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other DNS malicious traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not after some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting too heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.

View Source

PENTAGON’S PLAN ALLOWING PERSONNEL TO ACCESS CLASSIFIED INFO FROM MOBILE DEVICES

The Defense Department just got more mobile with its classified information.

Pentagon officials announced Wednesday a new Defense mobile capability has moved out of the pilot stage and will be incorporated into agency operations.

The new capability, created through a partnership between DOD’s IT arm, the Defense Information Systems Agency, and the National Security Agency, allows users to access classified voice and data up to the secret level from anywhere in the world.

The Pentagon plans to have 3,000 users by the second quarter of fiscal 2016.

The new mobile classified capability is one piece of the Pentagon’s Joint Information Environment plan, “where our war fighters and national-level leaders can access a secure infrastructure and applications from any device, anytime, anywhere,” said Kim Rice, DISA’s mobility portfolio manager, in a statement.

The new capability will replace the Secure Mobile Environment Portable Electronic Device system, which DISA will phase out July 30. The new program, Rice said, will improve call operability and offer a new mobile device management system expected to enhance security.

Importantly, the new capability offers “a new secure mobile device” with “enhanced graphics, improved sound quality and a longer battery life than earlier pilot devices.” In other words, Pentagon users will be carrying secure mobile devices akin to commercial smartphones with some of the same features, such as cameras, GPS and Bluetooth — although they’ll be disabled for DOD use.

“This release is a big step toward being able to deliver secure mobile capabilities faster than we have ever seen before,” Rice said.

DOD officials plan to triple the number of active users in the near future.

The Defense Department just got more mobile with its classified information.

Pentagon officials announced Wednesday a new Defense mobile capability has moved out of the pilot stage and will be incorporated into agency operations.

The new capability, created through a partnership between DOD’s IT arm, the Defense Information Systems Agency, and the National Security Agency, allows users to access classified voice and data up to the secret level from anywhere in the world.

The Pentagon plans to have 3,000 users by the second quarter of fiscal 2016.

The new mobile classified capability is one piece of the Pentagon’s Joint Information Environment plan, “where our war fighters and national-level leaders can access a secure infrastructure and applications from any device, anytime, anywhere,” said Kim Rice, DISA’s mobility portfolio manager, in a statement.

The new capability will replace the Secure Mobile Environment Portable Electronic Device system, which DISA will phase out July 30. The new program, Rice said, will improve call operability and offer a new mobile device management system expected to enhance security.

Importantly, the new capability offers “a new secure mobile device” with “enhanced graphics, improved sound quality and a longer battery life than earlier pilot devices.” In other words, Pentagon users will be carrying secure mobile devices akin to commercial smartphones with some of the same features, such as cameras, GPS and Bluetooth — although they’ll be disabled for DOD use.

“This release is a big step toward being able to deliver secure mobile capabilities faster than we have ever seen before,” Rice said.

DOD officials plan to triple the number of active users in the near future.
View Source

Introducing Night Sights for Kahr® C-Series Pistols

Pomona, NY – Night sights have grown in popularity over the last few years, due primarily to the growing interest in personal protection.

Because night sights work in low, or no light situations, it makes them perfect for home protection, especially if the need arises to seek out your weapon very quickly in the dark.

Kahr Firearms Group has just announced that some of their C-Series pistols will now be offered with night sights. Three of their most popular 9mm models; the CM9093N, CW9093N, and the CT9093N will now be available with night sights.

All three models feature a black polymer frame, matte finish stainless steel slide, a drift-adjustable white bar-dot combat rear sight, and a pinned in polymer front night sight.

The CM9 features a 3.1” barrel length; an overall length of 5.42”, a slide width of .90”, the height is 4.0” and weighs in at just 14 oz.

It has a 6+1 capacity and comes with one 6-round flush floorplate magazine.

The CW9 features a 3.56” barrel, an overall length of 5.9” and a height of 4.5”. It weighs 15.8 oz. without the magazine.

Capacity is 7+1, and comes with one 7-round stainless magazine.

Lastly, the CT9 offers a 3.965” barrel, an overall length of 6.5”, a slide width of .90”; height is 5.08” and weighs just 18.5 oz. without the magazine.

Capacity is 8+1 and comes standard with one 8 rd. stainless magazine. Cost of the three models featuring night sights is $499 for the CM9093N, $495 for the CW9093N, and $485 for the CT9093N.

Recently, Kahr Firearms Group announced that effective June 1, 2015 through September 30, 2015, Kahr will send one free magazine with the purchase of specific C-Series guns, which includes these 3 models with the night sights.

To receive a coupon for a free magazine, just log onto the Kahr website at www.kahr.com/MagPromo2015.asp and fill out the online form or download the coupon, fill it out and mail, email, or fax it along with a copy of the firearm receipt and the firearm serial number.

The new firearm must have been purchased during the summer promotion period to qualify. Any form submitted without a copy of the receipt and the serial number will not qualify for the magazine promotion. Allow 6 weeks for processing, shipping and delivery.

For more information about Kahr Firearms Group products, log onto www.kahr.com.


View Source

Five Major Banks Agree to Plead Guilty to Felony Charges

Agreements by Citicorp, JPMorgan Chase & Co., Barclays PLC, The Royal Bank of Scotland plc, and UBS AG to plead guilty to felony charges were announced today by the FBI, the Department of Justice, and the Commodity Futures Trading Commission during a press conference in Washington, D.C.

Four of the banks—Citicorp, JPMorgan, Barclays, and RBS—have agreed to plead guilty to conspiracy to manipulate the price of U.S. dollars and euros exchanged in the foreign currency exchange spot market and will pay criminal fines totaling $2.5 billion. According to Assistant Attorney General Bill Baer, “The dollar-euro spot market is as big as it gets. Every day, about $500 billion worth of dollars and euros are traded in this market. Trading on the dollar-euro spot market is five times larger than all U.S. stock exchanges combined.”

The fifth bank, UBS, agreed to plead guilty and pay a $203 million criminal penalty for breaching the non-prosecutive agreement it had previously entered regarding manipulation of the London Interbank Offer Rate (LIBOR), a benchmark interest rate used worldwide.

The investigation, conducted by the FBI’s Washington Field Office (WFO), uncovered illegal activity that began as early as December 2007. Currency traders from four of the banks—self-described members of “The Cartel”—used an exclusive electronic chat room and coded language to manipulate exchange rates. The result of their actions inflated the banks’ profits while harming countless consumers, investors, and institutions around the globe. Said WFO’s Assistant Director in Charge Andrew McCabe, “This investigation represents another step in the FBI’s ongoing efforts to find and stop those responsible for complex financial schemes for their own personal benefit.”

In addition to paying large criminal fines, all five banks have agreed to a three-year period of corporate probation which, if approved by the court, will require regular reporting to authorities. The banks will continue cooperating in the ongoing investigation, and the plea agreements don’t preclude the prosecution of individuals for related misconduct.

The case, said U.S. Attorney General Loretta Lynch, serves as a reminder that the U.S. government intends to “vigorously prosecute all those who tilt the economic system in their favor, who subvert our marketplaces, and who enrich themselves at the expense of American consumers.”

Press release
Remarks by WFO Assistant Director in Charge Andrew McCabe
Remarks by Attorney General Loretta Lynch
Remarks by Assistant Attorney General Bill Baer

View Source

Yahoo teams up with Google on encrypted webmail

LAS VEGAS — Your webmail will be safer from prying eyes — at some point next year.

That’s the promise that Yahoo and Google are making to their mail service users, who together make up the vast majority of webmail users. More than 425 million people use Gmail, with Yahoo Mail usage estimated at 273 million.

Longtime security industry veteran Alex Stamos, who was named Yahoo’s new chief information security officer earlier this year, told attendees of the Black Hat hacker and security conference here on Thursday that at some point in 2015, Yahoo Mail would not only be encrypted end-to-end, but would be compatible with the end-to-end encryption that Google is working on for Gmail.

When that happens, it will create a secure way to email between the two services. The contents of an email protected by end-to-end encryption are hidden and much harder to tamper with. They can not be viewed by any intermediary, including the webmail provider itself.

Yahoo encrypted webmail at the data center level earlier this year, but encrypting emails sent between accounts has proven elusive so far.

Encryption in webmail is difficult to implement for a number of reasons. It’s currently extremely difficult for most people to use, and tech titans have concerns about losing customers if their services slow down because of encryption.

Similar to Google’s approach, Yahoo will be leveraging the security community to improve the encryption. Stamos said that Yahoo will release the encryption source code sometime this fall, “so that the open source community can help us refine the experience and hunt for bugs.”

“We don’t have any other providers to talk about yet, but the hope is that this is open and will be adopted by many others in the email ecosystem,” said a Yahoo spokeswoman.

How important is webmail encryption to Google and Yahoo? It’s a big enough brass ring that Stamos said they’re working together on the project.

Read More