The NSA is using its network of servers around the world to monitor botnets made up of thousands or millions of infected computers. When needed, the agency can exploit features of those botnets to insert its own malware on the already compromised computers, through a technology codenamed Quantumbot, German news magazine Der Spiegel reported.
One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that’s used to hijack botnet computers and use them as “pervasive network analysis vantage points” and “throw-away non-attributable CNA [computer network attack] nodes.”
This means that if a user’s computer is infected by cybercriminals with some malware, the NSA might step in, deploy their own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn’t then be traced back to the NSA.
According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.
The NSA also intercepts and collects data that is stolen by third-party malware programs, especially those deployed by other foreign intelligence agencies, if it is valuable. It refers to this practice as “fourth party collection.”
In 2009, the NSA tracked a Chinese cyberattack against the U.S. Department of Defense and was eventually able to infiltrate the operation. It found that the Chinese attackers were also stealing data from the United Nations so it continued to monitor the attackers while they were collecting internal UN data, Der Spiegel reported.
It goes deeper than that. One leaked secret document contains an NSA worker’s account of a case of fifth party collection. It describes how the NSA infiltrated the South Korean CNE (computer network exploitation) program that targeted North Korea.
“We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data,” the NSA staffer wrote in the document. “However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about.”
In other words, the NSA spied on a foreign intelligence agency that was spying on a different foreign intelligence agency that had interesting data of its own.
Sometimes the NSA also uses the servers of unsuspecting third parties as scapegoats, Der Spiegel reported. When exfiltrating data from a compromised system, the data is sent to such servers, but it is then intercepted and collected en route through the NSA’s vast upstream surveillance network.
The Federal Bureau of Investigation (FBI) is looking to shore up its security capabilities by hiring the brightest and best bodies out there.
The agency has publicly petitioned for persons in the usual way, and has posted employment information about a range of roles.
The roles, not to mention most of what we have reported about the agency, suggest that the FBI has a real, concentrated focus on cybercrime and cyber knowhow.
“The FBI seeks highly talented, technically trained individuals who are motivated by the FBI’s mission to protect our nation and the American people from the rapidly evolving cyber threat,” said Robert Anderson, executive assistant director for the Bureau’s criminal, cyber, response and services branch.
“What we want are people who are going to come and be part of a team that is working on different very complex types of investigations and to use their skills in that team environment.”
We often hear that the security and law agencies are fighting an arms race against their enemies, and the FBI suggested that the people that it employs will have the most rewarding job available.
This suggests that it will be open to people who are not happy with their current role, which seems counter to its earlier advice.
“One thing that no one else can offer is the mission and the camaraderie and the teamwork the FBI brings to the table,” added Anderson.
“The biggest thing you can offer to anyone that comes to work at the FBI is the mission and the scale of investigations. It doesn’t matter where you go, it doesn’t matter who you work for, you can’t get that anywhere else but the FBI.”
A range of jobs are open to application until 20 January. The FBI will presumably have relatively strict policies (PDF) on the kind of people it prefers to employ.
The statement adds that “preferred backgrounds” range from computer programming to digital forensics and “even ethical hacking”.
Quick law enforcement access to the contents of smartphones could save lives in some kidnapping and terrorism cases, FBI Director James Comey said in a briefing with some reporters. Comey said he’s concerned that smartphone companies are marketing “something expressly to allow people to place themselves beyond the law,” according to news reports.
An FBI spokesman confirmed the general direction of Comey’s remarks. The FBI has contacted Apple and Google about their encryption plans, Comey told a group of reporters who regularly cover his agency.
Just last week, Google announced it would be turning on data encryption by default in the next version of Android. Apple, with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a password.
Comey’s remarks, prompted by a reporter’s question, came just days after Ronald Hosko, president of the Law Enforcement Legal Defense Fund and former assistant director of the FBI Criminal Investigative Division, decried mobile phone encryption in a column in the Washington Post.
Smartphone companies shouldn’t give criminals “one more tool,” he wrote. “Apple’s and Android’s new protections will protect many thousands of criminals who seek to do us great harm, physically or financially. They will protect those who desperately need to be stopped from lawful, authorized, and entirely necessary safety and security efforts. And they will make it impossible for police to access crucial information, even with a warrant.”
Representatives of Apple and Google didn’t immediately respond to requests for comments on Comey’s concerns.
An intruder stole log-in credentials from the company’s vendor and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5, the company said.
The chain is the latest victim in a series of security breaches among retailers such as Target Corp, Michaels Stores Inc and Neiman Marcus.
Home Depot Inc said last week some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than the breach at Target Corp.
More than 12 of the affected Jimmy John’s stores are in the Chicago area, according to a list disclosed by the company.
The breach has been contained and customers can use their cards at its stores, the privately held company said.
Jimmy John’s said it has hired forensic experts to assist with its investigation.
“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online,” Jimmy John’s said.
The Champaign, Illinois-based company said stolen information may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Credit and debit card information belonging to customers who made purchases at 51 UPS Store Inc. locations in 24 states this year may have been illegally accessed as the result of an intrusion into the company’s networks.
In a statement on Wednesday, UPS said it was recently notified by law enforcement officials about a “broad-based malware intrusion” of its systems.
A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.
The intrusion may have exposed data on transactions conducted at the stores between Jan. 20 and Aug. 11, 2014. “For most locations, the period of exposure to this malware began after March 26, 2014,” UPS said in a statement.
In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses.
Each of the affected locations is individually owned and runs a private network that is not connected to other stores, UPS added. The company provided a list of affected locations.
The breach is the third significant one to be disclosed in the past week. Last Thursday, grocery store chain Supervalu announced it had suffered a malicious intrusion that exposed account data belonging to customers who had shopped at about 180 of the company’s stores in about a dozen states. The breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.
The U.S. Marshals Service on Friday auctioned off about 30,000 bitcoins seized during a raid on Silk Road, an Internet black-market bazaar where authorities say illegal drugs and other goods were being sold.
An online auction took place over a 12-hour period on Friday for the bitcoins, valued at nearly $17.7 million. It consisted of nine blocks of 3,000 bitcoins and one block of 2,657 bitcoins. The Marshals Service has said it would notify the winning bidders today.
A spokeswoman for the Marshals Service declined to say how many bids the office received. Among those who said they registered to participate in the auctions were SecondMarket and Bitcoin Shop Inc.
Silk Road was shut down after an FBI raid in September 2013, when agents took control of its server and arrested a Texas man, Ross Ulbricht, who the authorities said owned and operated the website.
The auction was for 29,655 bitcoins contained in files residing on its servers, which were forfeited in January.
Chris DeMuth, a partner at Rangeley Capital who had been considering bidding, said last week the chance the Marshals Service gets the market price for the bitcoins is low.
“Anyone could pay market prices on existing exchanges,” he said. “So the key question is how much of a discount do bidders want.”
The Marshals are holding about 144,342 additional bitcoins found on computer hardware belonging to Ulbricht that were subject to a civil forfeiture proceeding.
Ulbricht, 30, is scheduled to face trial Nov. 3. He has pleaded not guilty to the four counts against him, including money laundering conspiracy and engaging in a continuing criminal enterprise.
U.S. authorities have separately charged three men – Andrew Jones, Gary Davis and Peter Nash – in connection with their alleged roles in assisting Ulbricht in operating Silk Road.
Bitcoin prices were up 3.1 percent Friday at $597.41 per coin, according to the digital currency exchange CoinDesk.
Sally Beauty Holdings acknowledged on Monday that it too was a victim of a data breach, an incident that may have occurred alongside a project to update point-of-sale terminals at its U.S. stores, a recent regulatory filing shows.
The Denton, Texas-based company, which has more than half of its 4,669 stores in the U.S., said it found evidence that fewer than 25,000 records containing credit card data were accessed and possibly removed, according to a statement.
That follows its statement on March 5 that it was investigating “rumors” of a breach but had no reason to believe any credit card or consumer data had been lost.
The data it now says was likely stolen is known as “Track 2” card data. Payment cards have a magnetic stripe on the back that contains three data tracks. Track 2 data contains only the card number and expiration date. Track 1 data contains the card number, expiration date and cardholder’s name, and Track 3 is rarely used.
Forensic investigators from Verizon are working with Sally Beauty along with the U.S. Secret Service.
“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation,” the company said.
“As a result, we will not speculate as to the scope or nature of the data security incident,” it said.
A representative of a public relations firm for Sally Beauty said the company could not comment further.
Sally Beauty’s annual report for fiscal 2013 shows the company undertook large IT infrastructure upgrade projects worldwide, including installing a new POS system for 2,450 stores in the U.S.
Target and Neiman Marcus blamed recent data breaches on malicious software that had been installed on POS systems, which are modern, software-driven cash registers that process card payments.
Target’s POS terminals were infected with a type of malware called a “RAM scraper.” The malware recorded payment card details after a card was swiped and the unencrypted data briefly sat in a system’s memory.
Sally Beauty wrote in its annual report that the POS system is expected to provide benefits such as enhanced tracking of customer sales and store inventory reports.
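To make the Track 1 / Track 2 distinction above concrete, here is an added parser (not code from any company or investigator named in this article) that identifies which track a swiped string came from, pulls out the fields each track carries, checks the card number with the Luhn algorithm, and masks it the way a forensic report or DLP scanner would. The sample strings are constructed and use the well-known 4111... test number; the field names and the `TrackRecord` type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?  (no cardholder name)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


@dataclass
class TrackRecord:
    track: int            # 1 or 2
    masked_pan: str       # first 6 and last 4 digits kept, rest masked
    name: Optional[str]   # only Track 1 carries the cardholder name
    expiry: str           # "MM/YY"
    service_code: str
    luhn_ok: bool


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation of a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep BIN (6) and last 4, star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(data: str) -> Optional[TrackRecord]:
    """Return a TrackRecord for a Track 1 or Track 2 string, or None."""
    m = TRACK1_RE.search(data)
    track, name = 1, None
    if m:
        name = m.group("name").strip()
    else:
        m = TRACK2_RE.search(data)
        track = 2
    if not m:
        return None
    yy, mm = m.group("exp")[:2], m.group("exp")[2:]
    return TrackRecord(
        track=track,
        masked_pan=mask_pan(m.group("pan")),
        name=name,
        expiry=f"{mm}/{yy}",
        service_code=m.group("svc"),
        luhn_ok=luhn_ok(m.group("pan")),
    )


# Constructed samples (test PAN, fictitious name/expiry), not real card data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000000?"

if __name__ == "__main__":
    for s in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(s))
```

A Track 2 string parses without a cardholder name, which is why the company's statement that only Track 2 data was taken matters for what a thief can do with it.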
Sprint Corp and the federal government both agreed to fight in court over how much money law enforcement agencies owe the wireless provider for help the company was required to give investigators who wanted to tap phone calls.
The Obama administration filed a suit in U.S. District Court in San Francisco on Monday, alleging that Sprint overcharged the government $21 million for expenses it incurred while complying with court-ordered wiretaps and other surveillance help.
Sprint said it plans to defend the matter “vigorously.”
Telecommunications companies, including Sprint, are routinely asked to assist with investigations by helping facilitate phone surveillance such as wiretaps or so-called “pen registers,” which record data about phone calls, though not their content.
The companies are required to maintain equipment and facilities to be ready to assist. They are allowed to request reimbursements for related “reasonable expenses.”
In the case, San Francisco U.S. Attorney Melinda Haag alleged that Sprint “knowingly submitted false claims” to the FBI, Drug Enforcement Administration, Marshals Service and other law enforcement agencies from January 1, 2007 to July 31, 2010, inflating costs by about 58 percent.
The lawsuit said Sprint violated the anti-fraud law known as the False Claims Act and went against the federal regulations that prohibit carriers from using the reimbursements for wiretap cooperation to pay for updates to their equipment, facilities and services.
“Because Sprint’s invoices for intercept charges did not identify the particular expenses for which it sought reimbursement, federal law enforcement agencies were unable to detect that Sprint was requesting reimbursement of these unallowable costs,” the Justice Department said in the lawsuit.
Sprint, however, said its invoices to the federal agencies fully complied with the law that requires the government to reimburse reasonable costs incurred in assisting law enforcement agencies with electronic surveillance.
“We have fully cooperated with this investigation and intend to defend this matter vigorously,” said Sprint spokesman John Taylor.
The False Claims Act is the U.S. government’s main tool for recovering money when it thinks it has been defrauded, usually by a contractor such as an arms maker or hospital chain.
The Federal Bureau of Investigation (FBI) has arrested five people, two of whom ran websites, on suspicion of offering or using hacking-on-demand services.
In a statement the FBI said that it has picked up two website operators and three users in an international operation involving the cooperation of Romanian, Indian and Chinese authorities.
The five domestic suspects have been charged with obtaining unauthorized access to email accounts, and the FBI thinks they will all plead guilty.
Mark Anthony Townsend, 45, of Cedarville, Arkansas and Joshua Alan Tabor, 29, of Prairie Grove, Arkansas are accused of operating a password sourcing hacking website called needapassword.com.
The other three, John Ross Jesensky, 30, of Northridge, California, Laith Nona, 31, of Troy, Michigan, and Arthur Drake, 55, of the Bronx, New York are charged with buying services from hacking websites, including one deal that was worth over $20,000.
The global swoop saw four people arrested in Romania, and a number of websites including zhackgroup.com, spyhackgroup.com, rajahackers.com, clickhack.com, ghostgroup.org and e-mail-hackers.com have been shut down.
Indian authorities arrested Amit Tiwari, who ran www.hirehacker.net and www.anonymiti.com, while in China the hiretohack.net website has been smacked down.
“As part of an international law enforcement operation involving Romania, India, and China, federal prosecutors have charged two operators of a United States based e-mail hacking website, as well as three customers of other hacking websites based in other nations, with computer fraud offenses,” said the FBI in a statement.
“These charges are the product of an international investigation coordinated by the Federal Bureau of Investigation, which received the assistance of the United States Air Force Office of Special Investigations and the Naval Criminal Investigative Service.”
The bitcoin, valued by many for its anonymity, fell to $129 from over $140 a day before, according to a website for trading bitcoins, Mt.Gox. Earlier, the currency traded as low as $110.
Supporters say using bitcoins offers benefits including lower fraud risk and increased privacy, though critics argue the anonymity it offers makes the currency a magnet for drug transactions, money-laundering and other illegal activities.
The digital currency’s drop came after the FBI arrested alleged Silk Road owner Ross William Ulbricht, 29, known as “Dread Pirate Roberts,” on Tuesday in San Francisco.
Silk Road allowed tech-savvy sellers to post ads for drugs and other illegal products, which they sold for bitcoins and shipped to customers through the mail, according to the federal criminal charges filed against Ulbricht.
As well as Silk Road shoppers, drug traffickers who worried about the FBI tracking them down with data confiscated from Ulbricht may account for some of Wednesday’s bitcoin sell-off, said Garth Bruen, a security expert at Internet consumer group Digital Citizens Alliance.
“They’re going to be pouring all over his records, getting subpoenas for every piece of data and account he has ever used and trying to figure out who all these different dealers are,” said Bruen. “People are jumping ship.”
While bitcoins, which are not backed by a government or central bank, have begun to gain a footing among some businesses and consumers, they have yet to become an accepted form of payment on the websites of major retailers such as Amazon.com.
The charges against Ulbricht said that Silk Road generated sales of more than 9.5 million bitcoins, roughly equivalent to $1.2 billion. There are currently about 11.8 million bitcoins in circulation.
The Federal Bureau of Investigation (FBI) has issued a warning about the Syrian Electronic Army (SEA), the pro-Assad hacker group that has become adept at spearphishing attacks and Twitter account takeovers.
The warning is in a memo and comes to us via the security blog belonging to Matthew Keys.
Keys has reproduced the memo and shared it on Scribd. The document says that the SEA has been around since 2011 and has compromised a number of high profile media outlets.
It warns of attack methods that include spearphishing, DNS attacks and web defacements, and it reminds us that the SEA posted a story about US President Obama to the Associated Press.
“Please maintain heightened awareness of your network traffic and take appropriate steps to maintain your network security,” said the FBI memo. “If you detect anomalous or malicious traffic or network behavior, please contact your local FBI Cyber Task Force.”
The SEA acknowledged the FBI’s attention on its Twitter feed. It appeared unmoved by the glare of law enforcement publicity.
It has long played a game of whack-a-mole with websites like Facebook and Twitter, both of which regularly force it to change accounts. According to the SEA the group is on its 225th Facebook account.
It publishes details of its takeovers through these accounts, and on its own homepage, a Pinterest webpage and an Instagram account.
As well as hacking into media websites the hacker group has also struck mobile apps, DNS systems and the Australian web hosting business Melbourne IT. Doing all this has helped it to break onto the webpages of news media outfits like the Huffington Post, the BBC and Reuters.
U.S. regulators and law enforcement agencies were scheduled to meet on Monday with an advocacy group for Bitcoin, a digital currency that has been under fire for its alleged role in facilitating anonymous money transfers and supporting online purchases of illegal street drugs.
The meeting in Washington was arranged by the Treasury Department’s anti-money laundering unit at the request of the Bitcoin Foundation, an advocacy group of Bitcoin-related businesses.
It will be an opportunity for wide-ranging discussions about the digital currency, a Treasury official said.
Bitcoins, which have been around since 2008, first came under scrutiny by law enforcement officials in mid-2011 after media reports surfaced linking the digital currency to the Silk Road online marketplace where marijuana, heroin, LSD and other illicit drugs are sold.
In recent months, the U.S. government has taken steps to rein in the currency and more regulatory action is expected.
Tokyo-based Mt. Gox, the world’s largest exchanger of U.S. dollars with Bitcoins, had two accounts held by its U.S. subsidiary seized this year by agents from the Department of Homeland Security on the grounds that it was operating a money transmitting business without a license.
The Federal Bureau of Investigation reported last year that Bitcoin was used by criminals to move money around the world, and the U.S. Treasury said in March that digital currency firms are money transmitters and must comply with rules that combat money laundering.
The Senate Committee on Homeland Security and Government Affairs launched an inquiry into Bitcoin and other virtual currencies earlier this month, asking a range of regulators to list what safeguards are in place to prevent criminal activity.
Samsung’s Galaxy Note 3 might not be arriving on shelves following its IFA unveiling as promptly as some might have hoped, with the UK bound eight-core model reportedly facing delays.
That’s according to Sammobile, which has heard that Samsung has delayed the octo-core model due to “overheating issues” with its latest Exynos 5 processor. This could see the release of the octo-core Samsung Galaxy Note 3 that reportedly was scheduled for a UK release being pushed back, while Samsung works on a more stable version of the processor.
There is some hope for those looking to buy a Galaxy Note 3, though, as Samsung reportedly will release a quad-core Qualcomm Snapdragon 800 model instead while it works on fixing the issues. Samsung reportedly will release that next month.
That shouldn’t hinder performance too much either, as the Samsung Galaxy Note 3 reportedly will launch with 3GB of RAM onboard and Google’s latest Android 4.3 Jelly Bean mobile operating system. This will be skinned with Samsung’s Touchwiz user interface that will feature a host of stylus-specific apps.
According to Sammobile, the phablet device will also feature a 5.68in full HD 1080p Super AMOLED display, a minimum of 32GB of internal storage expandable via microSD card, a 13MP rear-facing camera, a front-facing camera and a 3,200mAh battery. The website added that it will initially launch in black and white models, with a pink model to follow a few weeks later.
We’ll likely find out more at Samsung’s Unpacked IFA press conference on 4 September, where the firm is also expected to unveil its first smartwatch. We’ll be there to bring you all the latest.
The Federal Bureau of Investigation (FBI) has been accused of gathering data from the anonymous network known as TOR.
The FBI might be behind a security assault on the TOR network that grabs users’ information.
Security researcher Vlad Tsyrklevich said that the attack is a strange one and is most likely the work of the authorities.
“[It] doesn’t download a backdoor or execute any other commands, this is definitely law enforcement,” he said in a tweet about the discovery.
He went a bit further in a blog post, explaining that the Firefox vulnerability is being used to send data in one direction.
“Briefly, this payload connects to 188.8.131.52:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash,” he added.
“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA and not by blackhats.”
The bug is listed at Mozilla, and the firm has a blog post saying that it is looking into it.
Over the weekend a blog post appeared on the TOR website that sought to distance it from a number of closed-down properties or hidden websites. It is thought that the shuttered websites, which were hosted by an outfit called Freedom Hosting, were home to the worst kind of abuses.
A report at the Irish Examiner said that a chap called Eric Eoin Marques is the subject of a US extradition request. He is accused of being in charge of Freedom Hosting.
“Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the TOR Network,” the TOR project said.
“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The TOR Project, Inc., the organization coordinating the development of the TOR software and research.”