Threat Level Privacy, Crime and Security Online

ACTA Draft: No Internet for Copyright Scofflaws

The United States is nudging the international community to develop protocols to suspend the internet connections of customers caught downloading copyrighted works, according to a leaked draft of the Anti-Counterfeiting Trade Agreement.

The United States is leading the 2-year-old, once-secret negotiations over the so-called ACTA accord. The Jan. 18 draft, about 56 pages and labeled “confidential,” just surfaced, and follows a string of earlier, less comprehensive leaks.

The leak shows that the treaty, if adopted under the U.S. language, would for the first time hold internet service providers responsible when customers download infringing material, unless those ISPs take action by “adopting and reasonably implementing a policy to address the unauthorized storage or transmission of materials protected by copyright or related rights.”

The specific ISP policy suggested in a footnote “is providing for the termination in appropriate circumstances of subscriptions and accounts on the service provider’s system or network of repeat infringers.”


Law Enforcement Appliance Subverts SSL


That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new man-in-the-middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington, D.C., wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will.” And, “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”


Shoplifting Couple Jailed for eBay Toy Sales


A California couple that bragged on national television about shoplifting toys — which included Lego and Star Wars-themed toys — have been sentenced to more than a year in prison each after being busted selling the hot goods on eBay.

Matthew and Laura Eaton were indicted in September, more than a year after they appeared on the Dr. Phil show bragging about their escapades. They told viewers they earned about $3,500 per week selling the goods they pilfered from outlets surrounding their suburban San Diego home.


Lawmakers Eyeing National ID Card

Lawmakers are proposing a national identification card — what they’re calling “high-tech, fraud-proof Social Security cards” — that would be required for all employees in the United States.

The proposal by Sen. Charles Schumer (D-New York) and Sen. Lindsey Graham (R-South Carolina) comes as the states are grappling to produce another national identification card at the behest of the Department of Homeland Security. Virtually none of the states are in compliance with this Real ID program — adopted in 2005 — requiring state motor vehicle bureaus to obtain and internally scan and store personal information like Social Security cards and birth certificates for a national database.

Graham, left, and Schumer, are calling for national ID cards to combat illegal immigration.
Photo: AP

Now comes a bid for a second card.


Gonzalez Accomplice Gets Probation for Selling Browser Exploit

A computer security professional who sold Internet Explorer exploit code to credit card hacker Albert Gonzalez was sentenced Tuesday in Boston to three years probation and a $10,000 fine.

Jeremy Jethro, 29, was paid $60,000 by Gonzalez for a zero-day exploit against Microsoft’s browser, “the purpose and function of which was to … enable the conspirators to unlawfully gain access to, and redirect, individual’s computers,” according to court records.

Gonzalez led a team of hackers who gained unauthorized access to company networks and stole more than 90 million credit and debit card numbers, though it’s not clear what role, if any, the $60,000 zero-day played in the attacks. Jethro’s attorney, Stacey Richman, told Threat Level the exploit was a dud.

“The exploit never worked,” she said. “None of them worked. There was a question of potentially two [exploits] and neither of them worked.”

Jethro pleaded guilty to a misdemeanor conspiracy charge for providing the malware. Under Tuesday’s sentence, Jethro will be confined at home, under electronic monitoring, for the first six months of his three-year-long probation.

Richman said Jethro did not know Gonzalez’s intended use for the exploit. She also said the judge took into consideration her client’s life change in 2006 when he turned to Christianity and “renounced any aspect of any wrongful behavior.”

She said Jethro, who is currently working in the computer industry, “had spent the years since then entirely in a very proper manner.”

He’s the third person to be sentenced for conspiring with Gonzalez in criminal activity. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing a sniffer to Gonzalez that helped him siphon card data from TJX’s corporate network. Watt was also ordered to pay restitution to TJX in the amount of $171.5 million.

Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.

Gonzalez is scheduled to be sentenced this week in Boston for his role in the hacks of TJX, Dave & Busters, Hannaford Brothers, 7-Eleven and Heartland Payment Systems. He faces a sentence of between 17 and 25 years. Prosecutors are asking for the latter.

18:30: This article was updated to add comment from Richman, and to correct an error. Jethro’s charge did not link him to Gonzalez’s credit card thefts.

Image: BlubrNL/Flickr


Russia Arrests Alleged Mastermind of RBS WorldPay Hack

Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.

Viktor Pleshchuk, 28, of St. Petersburg, was arrested by the Russian Federal Security Service, or FSB, according to the Sunday Mail, which broke the story last week in the United Kingdom.

The Financial Times confirmed the arrest this week, adding that Pleshchuk was among “several suspects” arrested. The paper didn’t name the other suspects or say when any of them were arrested. The arrests are being touted by some as signaling a new era of cooperation between Russian and U.S. authorities.

Pleshchuk was indicted in the United States last November with Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3.” The government described the caper as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking.

Secret Service Paid TJX Hacker $75,000 a Year


Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

“It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,” says former federal prosecutor Mark Rasch. “It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.”


Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.


Rich Get Richer in ‘Hot News’ Stock-Tip Fight

A well-known financial news aggregator is being ordered by a federal judge to delay publication of prominent financial analysts’ buy and sell recommendations to allow the well-to-do the first crack at capitalizing on that trading research.

The 3-year-old litigation, brought by Barclays Capital, Merrill Lynch, Morgan Stanley and others, rests on the so-called “hot news” doctrine the Supreme Court first recognized in a 1918 case concerning the unauthorized and immediate republication of wire service reports.

A New York federal judge said Theflyonthewall.com breached the doctrine, which allows suits for re-reporting time sensitive “hot news.” Research that Theflyonthewall.com re-posted or alluded to on its site was designated for the banks’ clients that earn the firms not less than $50,000 to $100,000 in trading commissions yearly, U.S. District Judge Denise Cote ruled.


Unprecedented 25-Year Sentence Sought for TJX Hacker

Computer hacker Albert Gonzalez deserves a quarter-century behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors argued in a court filing Thursday night.

“[T]he sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Boston-based Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many major cities and some states.”

The government also disputed a defense claim that Gonzalez suffers from Asperger’s disorder, a mild form of autism that was grounds for a slightly reduced sentence in a previous hacking prosecution.

Gonzalez, 28, is set for sentencing next week on three indictments covering virtually every headline-making bank-card theft in recent years, including intrusions at TJX, DSW Shoe Warehouse, Office Max, Hannaford Brothers, 7-Eleven, and Heartland Payment Systems, which alone exposed magstripe data on 130 million credit and debit cards. He performed the intrusions while an informant for the Secret Service.


The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

In December, Gonzalez’s lawyer, Martin Weinberg, argued for the low end of the sentencing range, pointing out that Gonzalez cooperated with the government against his U.S. co-conspirators and two Eastern European hackers known as “Grigg” and “Annex.” Weinberg also argued that Gonzalez was driven by a psychological obsession with computers, submitting a report by a defense-paid psychiatrist that found the hacker’s behavior consistent with Asperger’s disorder.

Over defense objections, a federal judge allowed a government-paid psychiatrist to also examine the hacker, and that expert came to a different conclusion, noting that Gonzalez appears to have no problems forging social and romantic relationships.

“I found considerable evidence of Mr. Gonzalez’s substance abuse and probable antisocial personality disorder,” wrote Dr. Mark Mills, in a report (.pdf) also filed Thursday. “I found no evidence of Asperger’s disorder or internet addiction.”

Heymann added that Gonzalez’s leadership role also belies the Asperger’s claim. “Those with Asperger’s are almost by definition not leaders,” he wrote. “Instead they are followers, often perceived as peripheral, isolated and strange.”


Accusations Fly in Viacom, YouTube Copyright Fight

Google deliberately weakened its copyright compliance standards after it acquired YouTube in 2006 so it “would profit from illegal downloads,” Google co-founder Sergey Brin once said, according to a Friday filing by Viacom in its infringement suit against the company.

YouTube, in its own Friday filing and in a blog post, said it was legally immune to copyright infringement claims — even if it knowingly hosted copyrighted works on its video-sharing site. One reason was that Viacom — which owns MTV, BET, Paramount and other media concerns — had a marketing practice of secretly uploading its own videos to YouTube, some of the same works at issue in the case.

“Viacom alone has uploaded thousands of videos to YouTube to market hundreds of its programs and movies, including many that are works in suit,” Google wrote. “Given the broad scope of marketing, YouTube could not be charged with knowledge of infringement (.pdf) merely because it came across a video that was clearly from a professionally produced television show or movie.”

Google added that, “Both before and well into this litigation, Viacom’s own monitoring agent, BayTSP, identified as ‘infringing’ many videos that had in fact been posted to YouTube with Viacom’s permission.” Google added that “the only way that YouTube knew which clips Viacom actually wanted to remove at any given time was from the takedown notices it received.”

Each company’s filing, which asks a New York judge to rule in its favor before trial, was guided by thousands of documents the parties turned over to one another as part of the discovery stage of the 3-year-old litigation. Viacom is seeking $1 billion in damages in a case testing the depths of immunities under the Digital Millennium Copyright Act.

Viacom claims YouTube has lost the so-called “safe harbor” protection of the Digital Millennium Copyright Act. The DMCA, adopted in 1998, provides internet service providers like YouTube immunity from infringement lawsuits if, among other things, they promptly remove copyrighted content at the request of the rightsholder.
