An American security researcher has published a file containing 10 million usernames and their corresponding passwords for education purposes, opening himself up to the possibility of criminal prosecution.
The researcher, Mark Burnett, released the trove of data on Monday in an effort to further the work of others who are similarly interested in studying online security and user behavior.
“Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world,” he wrote on his personal website.
“A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security,” Burnett wrote. “So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
Yet while Burnett boasts a decade-and-a-half of IT security experience and has co-authored no fewer than seven books on the topic, he acknowledges in this week’s blog post that publishing his research, even for academic purposes, poses a potentially serious legal risk for himself.
In singling out the court issues recently encountered by Barrett Brown – a Texas-based writer who received a 63-month sentence in January for sharing a web link containing similarly sensitive data – Burnett says he also risks becoming the subject of a federal probe by dumping his own trove of data on the web.
“The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers. Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to,” Burnett wrote.
Indeed, US District Court Judge Sam Lindsay sentenced Brown, 31, last month, after the writer pleaded guilty to charges of obstruction, making internet threats, and accessory after the fact to the unauthorized access of a protected computer, receiving in turn a punishment of only a few years after having previously faced upwards of a century behind bars.
Although the bulk of that sentence stems from the plea Brown entered concerning internet threats – he admitted in court that he broke the law by intimidating and harassing a federal agent by way of YouTube and Twitter (a felony) – Judge Lindsay said his decision was reached after considering that Brown had shared a publicly available website address that contained a trove of sensitive details, including credit card information pilfered from private intelligence firm Stratfor by hacktivist group Anonymous. Prosecutors had previously charged Brown with trafficking in stolen authentication features for copying a link containing the information from one IRC chat room and pasting it into another, but a high-profile campaign endorsed by the likes of the Electronic Frontier Foundation and the Committee to Protect Journalists led to those counts, and others, being dropped before a plea agreement was reached. Nevertheless, Judge Lindsay said last month that the conduct was relevant to the matters at hand before the court, and thus factored it in when deciding on a sentence.
This week, Burnett wrote that he compiled a list of around 10 million usernames and passwords – absent the domain information that would reveal where the accounts could be used – that “is or was at one time generally available to anyone and discoverable via search engines in a plaintext” and posted them on websites where compromised data is commonly hosted.
Although Burnett sees no issue with what he’s doing, he wrote that the Brown sentencing may have set a rather unfortunate precedent for security researchers.
“Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature,” he wrote. “If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.”
“In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.”
Attorneys for Brown argued similarly when they said their client had no intention of furthering accessibility to stolen credit card data by sharing a link, but was more concerned with analyzing inner-office emails stolen from the intelligence firm’s computer network. Later, that correspondence was published by anti-secrecy group WikiLeaks and subsequently formed the basis for dozens of news stories.
“Ultimately, to the best of my knowledge these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations. This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain,” Burnett wrote.
“Having said all that, I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me,” he continued.
Rosemary Namubiru in court.
IN a bid to prevent her from contracting HIV, the baby who was allegedly exposed to the virus after a nurse injected her with HIV-infected blood has been put on preventive treatment.
Buganda Road Court in Kampala on Monday charged the 65-year-old nurse, Rosemary Namubiru, with attempted murder.
She was arrested last week for injecting the two-year-old baby with HIV-infected blood.
According to the police, Namubiru, who is HIV-positive, was arrested at Victoria Medical Centre on Lumumba road in Nakasero, Kampala, where she worked and had reportedly committed the crime.
The parents of the victim had taken her to the health facility for treatment when the incident occurred.
Police earlier revealed that Namubiru was arrested following complaints by the baby’s parents, who claim to have seen her inject their baby using an unsterilized syringe that she had also used on herself.
Nicholas Opio, Victoria Medical Centre's lawyer, said the facility tested the baby and found her HIV-negative.
Opio further revealed that the baby has now been put on Post-exposure Prophylaxis (PEP).
According to the World Health Organisation (WHO), Post-exposure Prophylaxis (PEP) is short-term antiretroviral treatment to reduce the likelihood of HIV infection after potential exposure, either occupationally or through sexual intercourse.
New Vision
US retail giant Target says up to 70 million customers had payment card and personal data stolen from the company's databases in December - 30 million more than it first thought.
Target said the thieves took credit card numbers, names, postal addresses, phone numbers and email addresses.
The data breach began on or around 29 November, known as Black Friday, one of the busiest shopping days of the year.
The company said customers would have "zero liability" for any fraud losses.
But this hasn't stopped some customers suing Target, claiming that Target failed to notify them of the breach before it was first reported and did not "maintain reasonable security procedures" to prevent the attack.
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target's chairman, president and chief executive officer.
Target is offering one year of free credit monitoring and identity theft protection to all its US customers.
Data-stealing code
Security researcher Brian Krebs, writing about the breach in December, said sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores.
The thieves stole data between Thanksgiving and 15 December, said Target. This data is often sold on to criminals via underground marketplaces.
The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls.
The thieves amassed the huge cache of data over an 18-month period after penetrating the retailers' computer network.
BBC
65-year-old Rose Namubiru was arrested at Victoria Medical Centre in Kampala.
VICTORIA Medical Centre has confirmed that the nurse who is currently held by police on suspicion of injecting a baby with HIV-infected blood is their employee.
The parents of the victim had taken her to the health facility for treatment when Rosemary Namubiru, 65, allegedly carried out the act.
According to Victoria Medical Centre lawyer Nicholas Opio, Namubiru started working at the health facility in 2011.
“She is a qualified nurse who was enrolled in 2011. We ask the public to respect the non derogable right of the accused person. We also ask the public to respect the privacy of the patient and the family in this investigation,” said Opio.
According to Opio, when police arrested the suspect on Monday, Victoria Medical Centre had already tested her for HIV and established that she had the virus.
“She (the suspect) said she was attempting to administer an injection to the victim (baby) when she (baby) started kicking-around, in the process striking the syringe, making it to prick her (nurse),” said Opio.
However, Opio says that when the woman realized that the syringe had pricked her, she did not proceed with administering the injection and went to dress her wound before returning with a fresh syringe that she subsequently used to inject the baby.
Namubiru, who is HIV positive, was arrested following complaints by the baby’s parents, who claim to have seen her inject their child using the unsterilised syringe that she had also used on herself.
In her defence, Namubiru said she did not intend to inject the baby with the blood but had pricked herself by accident.
Opio says the facility is fully cooperating with the police to ensure that a thorough investigation into the case is undertaken.
Infected victims are given a time limit to release their data before they lose it forever
A virulent form of ransomware has now infected about a quarter of a million Windows computers, according to a report by security researchers.
Cryptolocker scrambles users' data and then demands a fee to unencrypt it alongside a countdown clock.
Dell Secureworks said that the US and UK had been worst affected.
It added that the cyber-criminals responsible were now targeting home internet users after initially focusing on professionals.
The firm has provided a list of net domains that it suspects have been used to spread the code, but warned that more are being generated every day.
Ransomware has existed since at least 1989, but this latest example is particularly problematic because of the way it makes files inaccessible.
"Instead of using a custom cryptographic implementation like many other malware families, Cryptolocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI," said the report.
"By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent."
Ransom dilemma
The first versions of Cryptolocker appear to have been posted to the net on 5 September.
Early examples were spread via spam emails that asked the user to click on a Zip-archived extension identified as being a customer complaint about the recipient's organisation.
Later it was distributed via malware attached to emails claiming there had been a problem clearing a cheque. Clicking the associated link downloaded a Trojan horse called Gameover Zeus, which in turn installed Cryptolocker onto the victim's PC.
By mid-December, Dell Secureworks said between 200,000 and 250,000 computers had been infected.
It said of those affected, "a minimum of 0.4%, and very likely many times that" had agreed to the ransom demand, which can currently only be paid in the virtual currencies Bitcoin and MoneyPak.
Top 10 infected countries | Number of infected systems identified using test "sinkhole" servers between 9-16 December | Percentage of total |
---|---|---|
US | 1,540 | 23.8% |
Great Britain | 1,228 | 19.0% |
Australia | 836 | 12.9% |
France | 372 | 5.8% |
Brazil | 309 | 4.8% |
Italy | 204 | 3.2% |
Turkey | 182 | 2.8% |
Spain | 145 | 2.2% |
China | 138 | 2.1% |
Canada | 135 | 2.1% |

SOURCE: DELL SECUREWORKS
"Anecdotal reports from victims who elected to pay the ransom indicate that the Cryptolocker threat actors honour payments by instructing infected computers to decrypt files and uninstall the malware," added the security firm.
"According to reports from victims, payments may be accepted within minutes or may take several weeks to process."
However, Trend Micro, another security firm, has warned that giving in to the blackmail request only encouraged the further spread of Cryptolocker and other copycat schemes, and said that there was no guarantee of getting the data back.
Safety steps
Dell suggested PCs be blocked from communicating with the hundreds of domain names it had flagged as being linked to the spread of Cryptolocker, and it suggested five further steps the public and businesses could take to protect themselves:
- Install software that blocks executable files and compressed archives before they reach email inboxes
- Check permissions assigned to shared network drives to limit the number of people who can make modifications
- Regularly back up data to offline storage such as Blu-ray and DVD-Rom disks. Network-attached drives and cloud storage do not count, as Cryptolocker can access and encrypt files stored there
- Set each PC's software management tools to prevent Cryptolocker and other suspect programs from accessing certain critical directories
- Set the computer's Group Policy Objects to restrict registry keys - databases containing settings - used by Cryptolocker so that the malware is unable to begin the encryption process
Bitcoins represent rich pickings for criminals
Adverts on Yahoo's homepage were infected with malware designed to mine the Bitcoin virtual currency, according to security experts.
Yahoo confirmed that for a four-day period in January, malware was served in ads on its homepage.
Experts estimate that as many as two million European users could have been hit.
Security firm Light Cyber said the malware was intended to create a huge network of Bitcoin mining machines.
"The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way," Light Cyber's founder Giora Engel told the BBC.
Lucrative market
Bitcoin mining malware is designed to steal computing power to make it easier for criminals to accumulate the virtual currency with little effort on their part.
"Generating bitcoins is basically guessing numbers," said Amichai Shulman, chief technology officer of security firm Imperva.
"The first one to guess the right number gets 25 bitcoins and if you have a large volume of computers guessing in a co-ordinated way then you have a more efficient way of making money," he added.
Other than a computer running slower, victims will be unaware that their machine is being used in what could become known as a "bitnet".
It is a variation on the traditional botnet, networks of malware-infected computers used to churn out spam or bombard websites with requests in order to knock them offline.
Some experts estimate that such networks could be generating as much as $100,000 (£60,000) each day.
Bitcoins have risen in value - at its peak one bitcoin was worth $1,000 - making this a lucrative market for online criminals.
"Bitcoin mining malware is the new frontier as criminal gangs look for new ways to make money," said Mr Engel.
Easy target
Yahoo acknowledged the attack in a statement earlier this week.
"From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines - specifically, they spread malware," the statement read.
It went on to say that users in America, Asia and Latin America weren't affected but did not specify how many European users were victims.
Fox IT, the Dutch cybersecurity firm which revealed the malware attack, estimates that there were around 27,000 infections every hour the malware was live on the site.
Over the period of the attack that could mean as many as two million machines were infected.
Such attacks may be hard to avoid, said Mr Shulman.
"For an ad platform it is virtually impossible to guarantee 100% malware free ads."
"There are many independent stakeholders involved in the process of web advertising, so from time to time any ad platform is bound to deliver malware."
THE police have arrested a 54-year-old woman, Rosemary Namubiru, for allegedly injecting a two-year-old baby with blood infected with HIV/AIDS.
According to police, she was arrested on Monday in Victoria Medical Centre on Lumumba road, Kampala where she reportedly committed the alleged crime.
Police went to Victoria Medical Centre and carried out a search to find out whether she had an appointment letter but failed to get it, according to sources in police.
The woman was arrested following complaints from the child’s parents who found her injecting their child. When the police subjected her to a test, she was found to be carrying the HIV virus.
Speaking to the New Vision at Central Police Station in Kampala on Saturday, Kampala Metropolitan spokesman Ibin Ssenkumbi said Namubiru will soon be arraigned in courts of law for prosecution once investigations into the matter are concluded.
“She was caught injecting the baby with a syringe that she had earlier used on herself. When the investigations are over, police will send the file to the Directorate of Public Prosecution for sanctioning,” said Ssenkumbi.
The suspect is still held at Wandegeya police station, as investigations in the matter intensify. Police are also investigating allegations that the woman has been engaging in the act for a pretty long time.
Efforts to get a comment from the clinic’s owners proved futile.
In her defense, Namubiru said she did not intend to inject the baby with the blood but had pricked herself by accident.
Source: The New Vision