"Slippery Slope" defined...

Way back in law school we learned a term called the "slippery slope." In academia, it usually has a negative connotation because it usually means..."the beginning of the end."

Imagine you are standing on some rocks next to a roaring river. The rock you are on is dry, but as you step forward, you step onto a wet rock. It's slippery and it slopes towards the river... whoosh, you slip on the rock and slide down into the river. There was nothing you could do; the events were set in motion by powers beyond your control (gravity, dude).

In law, the term is used when a decision is made that, in all likelihood, will lead to other decisions similar to the original one. If the first decision was bad, then the following ones will be equally as bad if they follow the first. And since our legal system is based on "stare decisis", prior decisions must be given due respect and usually must be followed.

The term is used so often that, to me, it has become akin to the boy who cried wolf. Not every decision made that is termed the "slippery slope" results in bad things happening, but I fear that a recent decision in the United Kingdom may be the definition of the "slippery slope."

There is a website called "The Pirate Bay" that arguably facilitates illegal activity. It essentially allows its visitors or "users" to share files. Usually those files are not supposed to be shared (copied music or movies for example).

The courts in the UK have just ordered the various ISPs (Internet Service Providers) to block access to The Pirate Bay. That's right, if you live in England and get Internet access from one of the major players over there, you won't be able to visit The Pirate Bay.

So, if the courts are willing to order the blocking of certain Internet sites, are the days of a free and open Internet over?

According to a recording industry chief executive, "The High Court has confirmed that The Pirate Bay infringes copyright on a massive scale..."

Thank you sir. The site is hosted in Sweden and the Swedish authorities already found the site operators guilty of "helping people circumvent copyright controls." (BBC Article) Resolution is pending...IN SWEDEN...!


There are sites out there that will allow you to mask your IP address (basically your "license plate" when you surf the net) so that your Internet usage cannot be tracked. These sites claim that there are plenty of legal reasons to do so, so they are allowed to exist.

As a former prosecutor, I am familiar with the myriad ways that criminals can hide their tracks or at least make it incredibly difficult to find them on the Internet. I would ask myself all the time "how can this service be legal, it seems to have no legitimate purpose..."

There are sites out there that will teach you how to kill someone. There are sites out there for just about every horrible aspect of humanity. There are also sites out there that may be teaching someone how to save the world, solve global warming and many other really good things. Our Government here is allowed to "seize" websites once a court order is obtained. Our Government can break down your door if they get a search warrant. There is a difference between this behavior and blocking access without addressing the source.

The British judiciary just gave private companies an end around. Forget taking down the source, just order access to the offending site blocked and force compliance on that issue...much easier, right?

There is a mountain of evidence to suggest that The Pirate Bay website operators knowingly engage in behavior that facilitates crime. In order to bring them to justice I would have had to prove it - beyond a reasonable doubt. It appears the Swedish authorities did just that.

But here.... the British courts just ordered access to the site shut down. Do they really think that's going to make a difference? If the whole Napster thing taught us anything, it's that copy/paste isn't going away anytime soon, it just changes address.

To sum it up:

Access to The Pirate Bay is blocked because of copyright infringement.

Access to "how to join jihad" is blocked because of national security concerns.

Access to "candidate x's website" is blocked because candidate x's positions are far too radical for the general populace to be reading.

Access to "The Internet" is blocked because, well, we're just not ready yet.

And there you have the "slippery slope" folks.


MASS RMV DATA STOLEN - WHY?

Last Thursday two masked men, operating a stolen jeep, pulled up next to a courier's white van that was parked outside a MA RMV location, jumped out of the jeep and stole five bags from the courier's van. This is according to witnesses' accounts reported to police.

According to the MA Department of Transportation Press Secretary, the private courier worked for the Registry of Motor Vehicles and the five bags contained documents, not money. The documents included:

"Personal customer information is contained in the types of paperwork stolen. The records included names, dates of birth, addresses and license numbers. The types of paperwork stolen do not include the social security numbers of Massachusetts residents," she said.

As reported by the Gloucester Times

Apparently between 500-600 customers were affected.

The police are saying it was a targeted theft, but that maybe the men thought the bags contained money. These guys used a car that had been recently stolen and had a second getaway car parked nearby.

This seems like a lot of work to go through to steal 500-600 people's registry transaction paperwork. The "they thought the bags had money" theory seems more likely.

But... if the bad guys had this thing so planned out, why didn't they know that the bags didn't contain money? Does the courier usually have the Registry's money, but only had the paperwork on this particular morning? That is an important question.

The other important question is: exactly what information was taken? Was there something about the information that would be valuable? The registry took care to say that no "social security numbers" or "credit card information" was taken. But if the stolen information was in the right (wrong) hands, what could they do with it?


Usually a theft like this involves access to inside information. It's not like these guys would sit outside the Wilmington branch of the RMV every day to learn the courier's schedule. That might happen in the movies, but in my experience, criminals are just too lazy to do that leg work. They will either know someone on the inside who can tell them the schedule, or one of them IS on the inside and works for either the RMV or the courier service. Either way, the information should have included the fact that no money would have been in those bags, or we have yet another example of "world's stupidest criminals."


From a data security standpoint, this crime should serve as notice to those companies still using data in paper form that they are not immune from being "hacked." This incident is technically a data breach, right? And since it involves a State agency, different rules apply.

Executive Order 504 requires Massachusetts State Agencies to protect "Personal Information." Because M.G.L. 93H and 201 CMR 17 do not apply to public entities, this order seeks to close a loophole with one big exception: penalties for non-compliance... or lack thereof.

Since it appears that the courier was a private company and the RMV is a State agency, they would have had to execute a contract with specific language regarding the protection of Personal Information of Massachusetts residents. Exec Order 504 commands it.

So, what at first blush appears to be a couple of bungling idiots taking the wrong bags (or the right bags on the wrong day) may turn into an "investigation" into the lack of protection afforded 500-600 Massachusetts residents' personal information.

Did the contract between the RMV and the courier have the appropriate language?

Did the courier have the appropriate protections in place?

How much will this incident cost the courier? The State? There are procedures under Exec Order 504 that must be followed.


Until I hear that this courier usually carried money, I will presume that the theft of information was the goal of the bad guys' actions. I mean, these guys stole a car just hours before this crime, had a second car ready to go, wore masks, and pulled this off at 9:00am? If you go to all that trouble and don't know exactly what's in those bags, you deserve to serve time for stealing paper...


Major Credit Card Processor hacked - is the sky falling?

Last Friday, I was reading my daily dose of Brian Krebs' blog, KrebsOnSecurity.com, and read his story about a company called Global Payments Inc. being hacked. He didn't name the company on Friday; the Wall Street Journal did later in a story. Either way, we now know the company's name.

Global Payments Inc. is a credit card payment processor, or "acquirer", or "merchant acquirer" in industry terms. Firms like this are basically middlemen between the various retail or other business establishments who take credit cards and the banks who issue them. The credit card industry has layers. Banks issue credit cards to the people. The people want to use their cards to buy things, so retailers set up accounts with "acquirers" in order to be able to take credit cards. Visa runs a particular network, VisaNet, that ties all these different entities together.

When you use your credit card, you are essentially saying, "I promise to pay my bank back." You are promising to pay your bank back because it's actually the bank who is going to pay the business where you used your card. Now the bank can't be going all over the world trying to pay all the places where you used your card. Well, I suppose they could, but they don't. Enter the next layer...the acquiring bank, and in this story, the breached entity.

The acquiring bank spends its time setting up merchant contracts with the various entities that would like to accept credit cards. It then handles the mundane task of collecting money from your bank in order to pay the merchant, minus a small fee of course.

The only real role that Visa or MasterCard or American Express (the credit card "brands" if you will) play is to facilitate communications amongst the relevant parties. Of course they'd tell you that it's their brands that make the whole non-cash world go. And to some extent, they are correct. When your card is swiped, VisaNet sends a message to the bank asking if it's ok to use your card; VisaNet is also equipped to answer that question if the bank doesn't answer fast enough. (Remember, you're standing there hoping you paid your last bill... waiting for that machine to answer.)

To complicate matters further, there can be yet another layer between the actual store wishing to take credit cards and the acquirer. Because it's not relevant to this discussion, I will leave a full credit card industry analysis for another day. Suffice to say that if there is a way to make money in the credit card industry, the companies have figured it out.

This particular acquirer is rather large. Most are. They make very little on individual transactions, so they need lots of transactions to make real money. Global Payments makes real money. They are a public company listed on the New York Stock Exchange. Take a look at this graph which shows Global's stock price before, during and after they announced the breach. (GRAPH)

The losses piled up so fast that NYSE halted trading of Global's stock around noon time on Friday. In the wake of the announced breach, VISA announced that they would be dropping Global as a processor. Well, not exactly "dropping" them apparently, but rather delisting them from a "registry" of processors (acquirers, merchant acquirers, etc.) who meet certain data security requirements. You see, VISA, MasterCard and the rest of the "brands" hold all the cards. They get to decide who is a processor, and more importantly, who is not. Or in this case, who is on the good list and who is on the naughty list. Very Santa-ish of them.

The number of credit card numbers stolen in this breach is either unknown, still being established or being "managed" in order to do the least damage. Global says that "less than 1.5mil had been 'exported'." Interesting choice of words. Please check out Brian Krebs' story on that issue here. This company probably processes (processed?) billions of transactions a day... will they ever know what was actually taken?

All this matters because of the costs that come next. Let's say it's 2mil cards lost. If each card costs say $3 to replace, that's $6mil. Now say half of them want credit protection. At $6 per person that's another $6mil. If Global loses business because Visa "delisted" them, that's another cost (amount unknown). Don't check my math; these are extremely rough numbers and every situation has different costs. I am confident that the costs will be profound, however. Ponemon Inc. puts the average cost of a data breach at $214 per record. (x 1 mil? x 2 mil? x 10mil?)

And let's not forget about that stock price graph I showed you. Global lost approximately 14% of their stock value. Based on what I know about their annual income, stock price and their market capitalization (which is just about nothing), I assume that 14% is a lot, a real lot of money.

A law firm, Levi & Korsinsky has announced that they are "investigating potential claims against the board of directors of Global Payments, Inc."

If I own stock in a company and that company performs so poorly because of its management, I can sue the company - well, actually, I sue the Board of Directors on behalf of the company - you see, shareholders own the company. I do not purport to be an expert on so-called Shareholder Derivative lawsuits, or Federal Securities class actions, but I do know that you'd be wise to hire a lawyer (or lots of them) if one of these showed up on your company's doorstep. It looks like the folks over at Levi & Korsinsky are cooking something up.

In the wake of a data breach there are huge costs associated with the clean-up, notifications of affected parties, lost business or brand damage, litigation or potential litigation, regulatory action and other related costs. The down side here is pretty down.

But look on the bright side... a computer science degree is getting more popular by the day. You can be good or bad but definitely rich.


Afterword:

Dear Credit Card Industry:

I don't really care if every credit card processor on the planet gets hacked. I simply would like to be assured that even if they do, the costs will not trickle down to me. I will participate in your cash-less society so long as these pesky data breach things don't impact my bottom line. Please tell me the sky is not falling.

Signed, Concerned Customer


Dear Concerned Customer:

The sky is not falling. We are dedicated to providing the most secure environment for credit card transactions, but alas our world is awash with a certain element intent on hurting our efforts. Since we are all in this world together, we must all share the costs. We will certainly do our best to make it seem like it's not costing you anything, when in fact it is. You don't really expect us to pay for these crimes, do you?

Signed, Anonymous (we pwned again!)


Lulz Sec Tango Down


In the Spring of 2011, the digital world seemed to be under attack from a group who called themselves "LulzSec." I wrote about this group's activities several times and was not pleased about the targets they chose. On more than one occasion this group targeted law enforcement agencies and released personal information about the agents and employees of these agencies, potentially putting them at risk of physical harm. At the time, it seemed like this morally challenged, yet technically literate, group of individuals simply could not be stopped.


As with many things in life, truth is much stranger than fiction. This story is an example of just that. In June of 2011, the FBI arrested a guy named Hector Xavier Monsegur a/k/a "Sabu." He is alleged to be the so-called leader of this group, LulzSec. I recently re-read some Internet chat logs involving LulzSec and it does seem that Sabu gave directions and others sought out his approval, thus it is highly likely that he is their leader. He did not have complete control over the group, however. Certainly hacks occurred that Sabu didn't either know about or participate in (Stratfor perhaps). After the arrest of Sabu, law enforcement did what they do best: they flipped Sabu. Based on the fact that Sabu, now "Hector", is unemployed, lives in public housing in NYC and has two small children, getting him to cooperate was probably a foregone conclusion.


“Hey Hector, would you like to see your children without a thick piece of glass in between you and them? Because if you go to jail and get held on bail, that’s exactly what’s going to happen to you. Oh, and by the way, you'll probably lose your public housing status due to criminal charges... But, hey, we’re the FBI and we can make arrangements that you will be able to stay on the street and in your house with your kids, you just have to do us a couple of favors…”


And perform favors, it appears, is exactly what Hector did. From June 2011 until just last week, Hector was pretending to be the leader of LulzSec, yet working for the FBI the whole time. In August of 2011, Hector (as Sabu) had an online chat with someone going by "Virus." This "Virus" character flat out said that Sabu was working for the Government, and, well, he was right! Maybe "Virus" is an agent, maybe a cooperator, or maybe just a very astute individual. See this exchange from August 11, 2011:


Virus (10:35:01 PM):  you offered me pay for "Jennifer"'s Comcast data like a month or two back

Virus (10:35:12 PM):  all I'm saying is, FBI informants do that

 

Sabu (10:47:56 PM):  nice

Virus (10:48:31 PM):  anyway, I'm ending this convo, quiet frankly, I don't care if you're working with the feds to clean up the mess you created and getting your so called "friends" arrested

 

Sabu (11:02:50 PM):  go call the fbi and say you got sabu logs

Sabu (11:02:58 PM):  that'll get you SOMETHING

Virus (11:02:59 PM):  I'm absolutely positive, you already got raided, and are setting your friends up and when they're done draining you for information and arrests they'll sentence you and it'll make nose (sic)

 

During this exchange, Hector (Sabu) was probably sitting next to his FBI handler. Working with cooperators can be an ethical challenge. You have to allow the cooperator to continue in his devious ways without allowing him to cause any real damage. (At least in the wake of Whitey Bulger they should be thinking this way.) Remember when "Anonymous" claimed to have intercepted a call between the FBI and the UK Met Police? The FBI would (should?) have known about this and maybe even watched them do it... risky, maybe. But if you listen to the call with the knowledge we have today, you have to wonder if they all knew they were being listened to, because they said a whole lot of nothing... And the key names were "bleeped" out of the released recording. So other than a possibly embarrassing moment, no real harm done.


During Hector’s time as an informant, he was able to deliver: “Kayla” (UK), “Topiary” (UK), “pwnsauce” (Ireland), “palladium” (Ireland) and “Anarchaos” (Chicago, US), to the FBI. After these individuals were arrested, the FBI issued the quote of the week:

We are chopping off the head of LulzSec...


So here we are one year after the "LulzSec" incidents. Is it over? Can corporations around the world express a sigh of relief? Let's not get ahead of ourselves...


LulzSec's activity was annoying, embarrassing and yes, a crime. But they are not the most dangerous or destructive group on this block. No sir. This was essentially a bunch of fairly bright, computer-literate kids. With their leader being all of 28 years old, their maturity level was apparent in their behavior. They were more like Internet graffiti artists than hard-core hackers. But they did cause damage and now must pay.

I am glad to see that the FBI was able to break this group and wrap them up in a relatively short period of time. Hopefully, what happens next will send a message to the next "Lulz" group that it's just not worth it. This group wanted to have a cause, but if they had one it was lost in translation, because they became the definition of annoying.

Can any good come from this? In all likelihood, the LulzSec investigation, with its international reach, was an excellent training op for law enforcement. That experience will be extremely valuable when the next Lulz rears its head. Careful fellas, the FBI likes to chop off heads.

I am sure that we will continue to see Guy Fawkes masks and the headless logo of “Anonymous" for years to come. What will the FBI say if they take down Anonymous?


Video interview: Discussing Stratfor and Wikileaks with LXBN TV

Early this week I got the opportunity to be interviewed by Colin O'Keefe of LXBN TV on the subject of the Stratfor data breach and their emails ending up on WikiLeaks. In the interview, I explain the back story, what type of information is showing up on WikiLeaks and how these types of cases are investigated and prosecuted.

Of course, the day after this interview we find out that "Sabu" of LulzSec fame was cooperating with the FBI for nine months and served up, among others, the individual allegedly responsible for the Stratfor incident. Much more on this later...

Today is the Deadline for MA Data Privacy Law

On March 1, 2010, two years ago, the regulations associated with the Massachusetts Data Privacy Law went into effect. The regulations, found at 201 CMR 17, require businesses who possess "Personal Information" (PI) of Massachusetts residents to protect that data in fairly specific ways. Arguably, the most important aspect of the regulations was the requirement that all businesses have a "Written Information Security Program" or WISP. But there are certainly other important regulations, one of which comes into effect today, March 1, 2012.

March 1, 2012 is the deadline for those businesses who possess “PI” to address any third-party contracts where the third-party possesses or otherwise maintains PI on behalf of the business.


Let's say you're a large law firm who, by nature of the business, is in possession of a large amount of PI. Your firm processes hundreds or even thousands of cases each year. As each case comes to an end, the file gets boxed up and shipped out for storage for, say, ten years. Contained in that box is the personal information of Massachusetts residents who were involved in the case. Your firm has used the same storage company for twenty years and so far things have seemingly been fine (at least as far as you know). **NOTE: the "file" and the "box" could be, and probably are, electronic files as opposed to physical (paper) ones.

Under the regulations that come online today, your firm must now have, as part of its contract with the storage company, certain clauses or elements in that contract in order to comply with MA law. Specifically, the regulations require that the "owner" (see here: the large law firm) of the PI must have a clause in their contract with the vendor (see here: storage company) that seeks to obtain the assurance that the vendor can protect the PI that it possesses on behalf of the business.

The regulations require that owners/licensors of Personal Information of MA residents "oversee service providers" by selecting providers that are capable of maintaining appropriate security measures to protect PI, and require by contract that the vendor implement and maintain such appropriate security measures to protect the PI. In addition, the contract should include a clause that requires the vendor, in the event of a loss or "breach" of that data, to give notice to the owner as soon as is practicable and without unreasonable delay. Cooperation between the owner of the PI and the vendor, or possessor of the PI, is required as well. Cooperation is defined as the vendor informing the owner of the breach; the date of the breach; and any steps taken by the vendor related to the breach. (M.G.L. c. 93H s. 3(a))


[ **NOTE: the above is not legal advice, and this blog post should not be considered legal advice. If you have questions or concerns about this law, please consult competent legal counsel. ]


I suspect the large law firm who has been doing business with the storage company for twenty years will have no problem fixing up their contract. After all, the storage company wants their business.

But what about the smaller businesses who use an outside IT company to run their computer systems? Let's say the IT company stores the client's data on servers located in the IT company's offices; a sort of "private cloud" arrangement, since it also stores other clients' data on these servers as well. Or what if the small business uses a behemoth like Amazon Web Services for their cloud storage of data? Will the small business be in a position to "oversee" Amazon's internal security apparatus? These small businesses are the entities that need to be made aware of this regulation, but I fear that their education in this area is lacking.

I suppose the answers to the above questions will lie in the regulator's definition of "oversee." The law seems to define "oversee" as selecting entities that are capable of providing the appropriate security measures. Will having boilerplate language in your contract be enough? I guess we will have to wait and see for that answer. (Again, please consult a lawyer if you find yourself in this situation.)


P.S.

March 1, 2012 is also a special date because it's the first anniversary of the Massachusetts Data Privacy Law Blog. Its official launch, live on the Internet, was March 1, 2011... We've had over 11,000 visitors and several thousand are returning readers. I thank you for your interest in this blog. I try to keep it light, but at the same time convey interesting material.

Thanks for reading.

Your author,

John.


Stolen Stratfor Information Ends up on Wikileaks

At the close of 2011 there was a data breach at a company called Strategic Forecasting. I wrote about it with a cynical view towards the company's internal security protocols. I also wrote, incorrectly, that Stratfor was in the business of providing advice on security; they are in the business of providing an analysis of "intelligence." A sort of "wanna-be CIA." I still stand by my statement that a company like this suffering a breach is unacceptable.

Today, I took a spin on Wikileaks because I heard that the stolen information showed up there. What a fascinating read. According to Wikileaks, they have five million internal Stratfor e-mails. They published some of those e-mails on Monday.

Stratfor issued a press release discussing the disclosure of these e-mails and in it claims that:

Some of the emails may be forged or altered to include inaccuracies; some may be authentic. We will not validate either.

That's a great way of saying, "ah, there's bound to be some stupid, embarrassing stuff in there, but ah, maybe those are the forged ones... and the brilliant ones are certainly authentic..." Their attempt at creating an atmosphere of "plausible deniability" falls well short in my mind. But really, what else could they do?

When I first read about the hack, I presumed that the information was the target, and although credit card numbers were stolen, it was the information the "bad guys" were after. Little did I know that the "bad guys" didn't want to "use" the information in a conventional sense; they merely wanted to publicize it. I get the distinct feeling that someone doesn't agree with Stratfor's business operations. (That "someone" looks to be associated with Anonymous.)

Stratfor seems to be a private CIA, or at least that's what they seem to want to be. At the same time, and if you believe the e-mails, they think that government intelligence agencies don't have a clue. They claim to have "sources" around the world in many different locations and positions, including journalists, diplomats, and possibly "high-ish" ranking military figures.

From these released e-mails, and if you believe the content, we can all but conclude that Stratfor is in a shady business. Some tidbits: the Brazilian Government likes kickbacks when purchasing military equipment abroad, according to one of their sources; Coca-Cola wanted to know if PETA would be actively protesting at the Vancouver Olympics; WalMart paid $16k for two background checks on potential employees; and my favorite: Venezuelan President Hugo Chavez apparently used Cuban doctors to operate on his supposed cancer and, according to his second medical staff, the Russians, the Cuban doctors made serious errors... and now Chavez is seeking a third opinion from Chinese doctors because they use more "natural" means of treatment.

Now that it appears we know the real motive, public disclosure of private information, who gains? Do disclosures like this make the world a better place? Will this new release benefit Wikileaks? According to Wikileaks themselves, they're broke. Their boss is in the hoosegow (well, house arrest anyway) and they are still in the US Government's sights for that whole "Diplomatic Cables" disclosure. Do they think this will help their cause?

Perhaps it will. You see, Wikileaks is merely a conduit for the information. They probably didn't take it. They just have the right connections to publish it. As Wikileaks will surely come under government scrutiny based on this latest release, the Wild Wild West will surely come to its aid. Perhaps that is what will save Wikileaks... and perhaps Wikileaks will become an idea and not one man's company. Maybe Julian Assange will face eventual justice for publishing those diplomatic cables, but Wikileaks will live on, just in a different form.

If we learned one thing from 2011, it's that stealing data is possible; in fact, it's probable. Give the hacktivist enough time, and enough computing power, and they can do quite a bit of damage. Can we stop it? Do we think that law enforcement is still investigating the Sony breach? How about the Michaels breach, the Citi breach, the Epsilon breach...? These cases are building up faster than they can be solved.

This hack involved a private company and may perhaps cause some embarrassment to various entities. Do I think that this hack will cause the FBI to drop everything and go after the perpetrators? Not exactly. Well, let me qualify that answer. It depends. It depends on how close the leadership of the company is with the power structure of the United States. You see, the squeaky wheel gets the grease.

If you don't recall the whole HB Gary incident, Google it. By understanding what happened to them, you will learn what Stratfor shouldn't do in response, no matter who they think they are...


Public Enemy Number One?

If 2011 was "The Year of the Data Breach", then 2012 is fast becoming "The Year Anonymous Became Public Enemy # 1!"

Anonymous, Anonymouse, and "tools" are all terms I have used to describe this decentralized group of computer operators who use their skills to harass, embarrass and otherwise annoy. If you think they're going away anytime soon, think again.

Let's have a look at just this month so far, and see what these folks have been up to:

I would put these in order, but does it matter... (These all happened in the last 16 days.) In the list below, "they" is Anonymous.

  • Boston, West Virginia, and Salt Lake Police Departments - they just don't like cops
  • Basically the whole City of Oakland's leadership - they didn't like Occupy Oakland's end
  • Federal Trade Commission - they don't like ACTA, an international anti-counterfeiting treaty, and the FTC supports it
  • Croatian President's website - this President does like ACTA, therefore, they don't like him
  • United Nations - apparently because it was easy, but maybe they don't like the whole world
  • CIA - any guesses why they did this one?
  • Mexican Chamber of Mines (Camimex) - they don't like the working conditions of miners
  • Syrian (soon to be ex-) President Bashar al Assad - any questions?
  • New Zealand Foreign Minister's email - they don't like recent NZ legislation on illegal downloading
  • Microsoft's India Store - apparently by a Chinese contingent of Anonymous, but no real reason
  • Brazilian banks: Banco do Brasil, Bradesco, Itau, HSBC - must be members of the 1%
  • Law Firm that was defending the Marine found guilty in the Iraqi town of Haditha killings - he didn't go to jail, the attorneys did their job... if Anons disagreed, wouldn't the judge have been a better target?
  • Westboro Baptist Church - go get 'em fellas... (and ladies)
  • NASDAQ, Chicago Board Options Exchange - damn the financial system, let's take it down
  • Combined Systems, US Corporation - makers of tear gas that was apparently shipped to Egypt
  • Symantec - high tech security company, Anons stole the source code for PC Anywhere
  • State of Alabama - apparently AL has some "racist legislation" regarding immigrants
  • FBI - UK (Met Police) PHONE CALL!!! - the investigators tapped by the "investigees"
  • And apparently today they are launching "Operation Global Blackout", which is supposed to cause havoc all over the Internet - maybe this site is currently down...

So, there's a snapshot of the last two weeks or so. If you think these are all harmless pranks, think again. The State of Alabama hack resulted in 46,000 citizens' personal information, including Social Security numbers, being stolen. Where are they now? Do you think the thief cares?

Also, remember back to the Strategic Forecasting (Stratfor) breach I wrote about here. Back in December, Anonymous both claimed and denied responsibility. Recently, however, clients of Stratfor have been receiving emails that are clearly "phishing" attempts. These emails purport to be from Stratfor, informing the recipient that they need to click a link in order to assist with the "healing process" (my words, not theirs) of their data breach (the link claims to load some protection program for the client). The link actually leads to a malicious program designed to steal things like banking credentials.

So, it could be that Anonymous is pulling a Taliban (poppies are illegal where we're in power, but we own them all when we're not), and using the stolen information for financial crimes (not merely for protest purposes). Many times they post the information publicly to prove they did it. Along come the wolves, and, well, Houston, we have a problem. (If a guy buys a gun, and then leaves it on a sidewalk, loaded, is that a problem?)
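For the defenders on the receiving end, the lure described above has a recognizable shape: a sender that merely claims to be the breached company, pressure to act quickly, and a link to a "protection program" that is really an executable hosted somewhere the company does not control. The following Python script is an added example written for this post (it is not code from the original article, from Stratfor, or from any mail vendor) showing how a mail gateway or an analyst could triage such a message. The two sample emails are constructed, and the `.example` domains and the `198.51.100.23` address are placeholders; the company's real domain is not given on this page, so `ORG_DOMAINS` is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholders: the organisation being impersonated and the domains
# it legitimately mails and hosts from. Neither is taken from the page.
ORG_NAME = "Stratfor"
ORG_DOMAINS = {"stratfor.example"}

# Constructed sample of the lure described in the post: the display name claims
# the breached company, the subject is urgent, and the "protection program" is
# an executable served from a bare IP address (documentation range, not real).
LURE = """\
From: "Stratfor Support" <support@stratfor-secure-update.example>
To: client@example.org
Subject: Urgent: protect your account after the breach
Content-Type: text/html

<html><body><p>As part of our recovery from the recent incident, please
<a href="http://198.51.100.23/protect/StratforProtect.exe">click here</a>
to install the Stratfor protection program within 24 hours.</p></body></html>
"""

# Constructed sample of a benign notice sent from the organisation's own domain.
LEGIT = """\
From: "Stratfor" <noreply@stratfor.example>
To: client@example.org
Subject: Notice regarding the recent incident
Content-Type: text/html

<html><body><p><a href="https://www.stratfor.example/notice">Read our notice</a>.</p></body></html>
"""

EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".bat", ".jar", ".js")
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collects href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _in_domains(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_and_links(msg):
    """Decode every text part; return the joined text and all links found in it."""
    collector, texts = _LinkCollector(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) if ctype.startswith("text/") else None
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        texts.append(text)
        if ctype == "text/html":
            collector.feed(text)
        else:
            collector.hrefs.extend(re.findall(r"https?://\S+", text))
    return "\n".join(texts), collector.hrefs


def phishing_indicators(raw_message, org_name=ORG_NAME, org_domains=ORG_DOMAINS):
    """Return readable indicators that a message impersonates org_name ([] = none fired)."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims the organisation, but the address is elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if org_name.lower() in display.lower() and not _in_domains(sender_domain, org_domains):
        findings.append(f"display name claims {org_name} but sender domain is {sender_domain!r}")

    # 2. Pressure to act quickly, in the subject or the body.
    body, links = _body_and_links(msg)
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency language pressuring the recipient to act")

    # 3. Where the links really go: bare IPs, foreign hosts, executable downloads.
    for href in links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if IPV4.fullmatch(host):
            findings.append(f"link points at a bare IP address {host}")
        elif host and not _in_domains(host, org_domains):
            findings.append(f"link host {host!r} is outside the {org_name} domains")
        if url.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"link downloads an executable: {url.path.rsplit('/', 1)[-1]}")
    return findings
```

Run `phishing_indicators(LURE)` and every heuristic fires; run it on `LEGIT` and the list is empty. None of these checks is proof on its own (legitimate mail is sometimes urgent, and marketing often links to third-party hosts), which is why the function returns the reasons rather than a verdict: a gateway can quarantine on two or more hits, and an analyst can see at a glance why.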

But ah ha, the US Senate recently released a long awaited piece of legislation, The Cybersecurity Act of 2012! Thank heavens...

Let me have just two more minutes of your time so I can give you the headlines of this piece of legislation:

...the Cybersecurity Act of 2012 would do the following:

  • Coordinate Cybersecurity Research and Development
  • Determine the Greatest Cyber Vulnerabilities
  • Protect Our Most Critical Infrastructure
  • Protect and Promote Innovation
  • Improve Information Sharing While Protecting Privacy and Civil Liberties
  • Improve the Security of the Federal Government's Networks
  • Clarify the Roles of Federal Agencies
  • Strengthen the Cybersecurity Workforce

In the last 16 days, hackers have operated with abandon and caused mayhem. Let's hope that the next 16, and the 16 after that, and the 16 after that, and so on, and so on... will get this bill on our President's desk so these folks can have a new target (whitehouse.gov) and make themselves public enemy number one.

PS - if you have Symantec's PC Anywhere... I'd be nervous.

Are You Kidding Me?

So I printed out an article to read just before Christmas, and am only getting to it now. It is written by Michael Riley of Bloomberg Businessweek, and it's called "Stolen Credit Cards Go for $3.50 at Amazon-like Online Bazaar."

Ok, I know all about these online bazaars, I know you can look up a credit card's information before you buy it... although I just found out you can test it first to make sure the bank didn't cancel it... you can shop by credit limit, billing location, and other relevant pieces of information.

If you live in Massachusetts you would probably want to have a card from Massachusetts; chances are if your stolen card is from California, someone's going to pick up on that whole distance problem and shut the card down on the first try...

For what I do, this is fairly straightforward stuff.

BUT wait just a minute and read this:

  • Cyberthieves steal data worth $114 billion per year (source: Symantec)
  • All US bank robberies together are worth $43 million (source: FBI)
  • The global cocaine market is worth $85 billion (source: United Nations)

Ok, Symantec IS a cybersecurity firm, so it behooves them to inflate the numbers, but they've been around a long time and should know better than to try to boondoggle their bread and butter market.

Bank Robberies.... MMMMMmillions.... Cocaine...BBBBBbillions. Sure, that makes sense.

But cyber crime... really? The scale caught me by surprise. Unbelievable.

Anyway, just spend the 10 minutes to read this article and you'll get a pretty good overview of the current state of cyber crime.

http://www.businessweek.com/news/2011-12-28/stolen-credit-cards-go-for-3-50-at-amazon-like-online-bazaar.html

Boston Police Website Hacked

The Boston Police have (or should I say had) a very useful website called "BPDNEWS.COM" that fell victim today to some tomfoolery.

If you try to reach the site now, it asks for a password or will just error out. They must have taken it off-line.

If you were one of the lucky ones who accessed the site after the hack but before the take-down, you would have found a music video by KRS-ONE, a hip hop artist whose songs are not so flattering of the police.

Here are the local news stories about the hack: Channel 5 and Boston Herald.

Just when you think the whole "Occupy Boston" thing was over... they bring you back in. I used to visit that site regularly, it's pretty useful. I don't know if there was any data worth stealing attached to it, and for the sake of the BPD, I hope not.