The National Security Agency has said that it will end its access to most bulk data collected under a controversial surveillance program in November, but keep records for litigation purposes.
The office of the Director of National Intelligence said in a statement that the bulk telephony data — the subject of leaks by former intelligence contractor Edward Snowden which shocked many in the US and abroad — would be destroyed “as soon as possible” to comply with a law passed by Congress in early June.
The statement said that during the 180-day transition period required under the USA Freedom Act, “analytic access to that historical metadata… will cease on November 29, 2015.”
But it added that “for data integrity purposes,” NSA will allow technical personnel to continue to have access to the metadata for an additional three months.
The NSA must preserve bulk telephony metadata collection “until civil litigation about the program is resolved, or the relevant courts relieve NSA of such duties.”
The data kept for litigation “will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata on expiration of its litigation preservation duties.”
Law enforcement agencies from 20 countries collaborated to cripple a major computer hacking forum, and U.S. officials filed criminal charges against a dozen people associated with the website, the U.S. Department of Justice announced.
Darkode.com on is displaying a message saying the site and domain had been seized by the FBI and other law enforcement agencies.
Darkode, a password-protected online forum for criminal hackers, represented one of the gravest threats to the integrity of data on computers across the world, according to David Hickton, U.S. attorney for the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
Five of the defendants face charges in Hickton’s district.
Darkode allowed hackers and other cybercriminals to sell, trade and share information and tools related to illegal computer hacking, the law enforcement agencies alleged.
Before becoming a member of Darkode, prospective participants were allegedly vetted through a process that included an invitation by a member, the DOJ said in a press release. The prospective member then pitched the skill or products he or she could bring to the forum.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware, the DOJ said.
The takedown of the forum and the charges announced Wednesday came after the FBI’s infiltration of Darkode’s membership.
Congress must pass a new wiretap law that requires social media websites and operators of other Internet communication tools to share customers’ communications with law enforcement agencies the same way that telecom carriers do, Michael Steinbach, assistant director of the FBI’s Counterterrorism Division, said Wednesday.
Congress should use the Communications Assistance for Law Enforcement Act (CALEA) as a model for new rules focused on Internet-based communications, Steinbach told the U.S. House of Representatives’ Homeland Security Committee. His comments build upon the FBI’s call in recent months to expand CALEA to Internet communications tools. Agency Director James Comey first called for a CALEA rewrite to cover encrypted mobile phone data last October.
CALEA requires telecom carriers and equipment vendors to build wiretap capabilities into their products or networks, and critics have accused the FBI of wanting Congress to mandate encryption backdoors in technology products. But the FBI isn’t asking for backdoors, Steinbach said.
“We’re not talking about large-scale surveillance techniques,” he said. “We’re not looking at going through a backdoor or being nefarious; we’re talking about going to the company and asking for their assistance.”
Instead, the FBI wants access to stored or ongoing Internet communications after it shows evidence of criminal or terrorist activity and gets a court order, he said. The FBI needs help from Congress and from communications providers to make that happen, Steinbach said.
“We understand privacy,” he said. “Privacy above all other things, including safety and freedom from terrorism, is not where we want to go.”
The Rebirth of The Pirate Bay that we reported on recently could be a sham site set up by the FBI with the intention of snagging punters.
It could not be, but there are increasing suspicions that this is the case, and there were probably some clues at the time.
We reported on the Pirate Bay relaunch earlier this week, saying that there was some kind of divide between the members of the site.
The new service was considered to be something of a spin-off that had done away with a number of administrators in order to be more hands-off.
However, it has the hallmarks of something that is hands-on, according to Twitter messages from an account used by the Anonymous hacker collective.
Questions were raised about the new site, including the passing of the old admins and the decision to use Cloudflare integration.
In some cases people pointed to FBI-like flags. The use of Cloudflare suggests that user information might be exposed to the warrant-like demands of the surveillance agencies.
— TheAnonMessage (@TheAnonMessages) February 1, 2015
The Pirate Bay people have denied that the site is a puppet for the FBI and have explained away the use of Cloudflare in a statement sent to TorrentFreak.
“We have seen that there has been some question to why we are using Cloudflare. This is only initially to handle the massive load on the servers. It will be removed shortly,” the statement said.
But, while the Pirate Bay is linked with the US-based Cloudflare it will be associated with the risk of national security investigations and warrants. Cloudflare has not commented.
TorrentFreak added in a later article that the Pirate Bay has moved away from its previous service provider, Trabia, and is now the guest of an unknown, or hidden, provider.
Taken together these things add up to a site that you may choose not to use. Of course, it might not be an FBI plant, and it might be the FBI, or someone else, that has started raising suspicions in order to keep people away from the magnetic phoenix. Take care out there.
Health insurer Anthem Inc, which has nearly 40 million U.S. customers, has confirmed that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.
The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers.
The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.
Anthem said that it immediately made every effort to close the security vulnerability and reported the attack to the FBI. Cybersecurity firm FireEye Inc FEYE. said it had been hired to help Anthem investigate the attack.
The company did not say how many customers and staff were affected, but the Wall Street Journal earlier reported it was suspected that records of tens of millions of people had been taken, which would likely make it the largest data breach involving a U.S. health insurer.
Anthem had 37.5 million medical members as of the end of December.
“This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information,” U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late Wednesday.
The NSA is using its network of servers around the world to monitor botnets made up of thousands or millions of infected computers. When needed, the agency can exploit features of those botnets to insert its own malware on the already compromised computers, through a technology codenamed Quantumbot, German news magazine Der Spiegel reported.
One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that’s used to hijack botnet computers and use them as “pervasive network analysis vantage points” and “throw-away non-attributable CNA [computer network attack] nodes.”
This means that if a user’s computer is infected by cybercriminals with some malware, the NSA might step in, deploy their own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn’t then be traced back to the NSA.
According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.
The NSA also intercepts and collects data that is stolen by third-party malware programs, especially those deployed by other foreign intelligence agencies, if it is valuable. It refers to this practice as “fourth party collection.”
In 2009, the NSA tracked a Chinese cyberattack against the U.S. Department of Defense and was eventually able to infiltrate the operation. It found that the Chinese attackers were also stealing data from the United Nations so it continued to monitor the attackers while they were collecting internal UN data, Der Spiegel reported.
It goes deeper than that. One leaked secret document contains an NSA worker’s account of a case of fifth party collection. It describes how the NSA infiltrated the South Korean CNE (computer network exploitation) program that targeted North Korea.
“We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data,” the NSA staffer wrote in the document. “However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about.”
In other words, the NSA spied on a foreign intelligence agency that was spying on a different foreign intelligence agency that had interesting data of its own.
Sometimes the NSA also uses the servers of unsuspecting third parties as scapegoats, Der Spiegel reported. When exfiltrating data from a compromised system, the data is sent to such servers, but it is then intercepted and collected en route though the NSA’s vast upstream surveillance network.
The Federal Bureau of Investigation (FBI) is looking to shore up its security capabilities by hiring the brightest and best bodies out there.
The agency has publicly petitioned for persons in the usual way, and has posted employment information about a range of roles.
The roles, not to mention most of what we have reported about the agency, suggest that the FBI has a real, concentrated focus on cybercrime and cyber knowhow.
“The FBI seeks highly talented, technically trained individuals who are motivated by the FBI’s mission to protect our nation and the American people from the rapidly evolving cyber threat,” said Robert Anderson, executive assistant director for the Bureau’s criminal, cyber, response and services branch.
“What we want are people who are going to come and be part of a team that is working on different very complex types of investigations and to use their skills in that team environment.”
We often hear that the security and law agencies are fighting an arms race against their enemies, and the FBI suggested that the people that it employs will have the most rewarding job available.
This suggests that it will be open to people who are not happy with their current role, which seems counter to its earlier advice.
“One thing that no one else can offer is the mission and the camaraderie and the teamwork the FBI brings to the table,” added Anderson.
“The biggest thing you can offer to anyone that comes to work at the FBI is the mission and the scale of investigations. It doesn’t matter where you go, it doesn’t matter who you work for, you can’t get that anywhere else but the FBI.”
A range of jobs are open to application until 20 January. The FBI will presumably have relatively strict policies (PDF) on the kind of people it prefers to employ.
The statement adds that “preferred backgrounds” range from computer programming to digital forensics and “even ethical hacking”.
Quick law enforcement access to the contents of smartphones could save lives in some kidnapping and terrorism cases, FBI Director James Comey said in a briefing with some reporters. Comey said he’s concerned that smartphone companies are marketing “something expressly to allow people to place themselves beyond the law,” according to news reports.
An FBI spokesman confirmed the general direction of Comey’s remarks. The FBI has contacted Apple and Google about their encryption plans, Comey told a group of reporters who regularly cover his agency.
Just last week, Google announced it would be turning on data encryption by default in the next version of Android. Apple, with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a password.
Comey’s remarks, prompted by a reporter’s question, came just days after Ronald Hosko, president of the Law Enforcement Legal Defense Fund and former assistant director of the FBI Criminal Investigative Division, decried mobile phone encryption in a column in the Washington Post.
Smartphone companies shouldn’t give criminals “one more tool,” he wrote. “Apple’s and Android’s new protections will protect many thousands of criminals who seek to do us great harm, physically or financially. They will protect those who desperately need to be stopped from lawful, authorized, and entirely necessary safety and security efforts. And they will make it impossible for police to access crucial information, even with a warrant.”
Representatives of Apple and Google didn’t immediately respond to requests for comments on Comey’s concerns.
An intruder stole log-in credentials from the company’s vendor and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5, the company said.
The chain is the latest victim in a series of security breaches among retailers such as Target Corp, Michaels Stores Inc and Neiman Marcus.
Home Depot Inc said last week some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than the breach at Target Corp.
More than 12 of the affected Jimmy John’s stores are in Chicago area, according to a list disclosed by the company.
The breach has been contained and customers can use their cards at its stores, the privately held company said.
Jimmy John’s said it has hired forensic experts to assist with its investigation.
“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online,” Jimmy John’s said.
The Champaign, Illinois-based company said stolen information may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Credit and debit card information belonging to customers made purchases at 51 UPS Store Inc. locations in 24 states this year may have been illegally accessed as the result of an intrusion into the company’s networks.
In a statement on Wednesday, UPS said it was recently notified by law enforcement officials about a “broad-based malware intrusion” of its systems.
A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four-dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.
The intrusion may have exposed data on transactions conducted at the stores between Jan. 20 and Aug. 11, 2014. “For most locations, the period of exposure to this malware began after March 26, 2014,” UPS said in a statement.
In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses.
Each of the affected locations is individually owned and runs private networks that are not connected to other stores, UPS added. The company provided alist of affected locations.
The breach is the third significant one to be disclosed in the past week. Last Thursday, grocery store chain Supervalu announced it had suffered a malicious intrusion that exposed account data belonging to customers who had shopped at about 180 of the company’s stores in about a dozen states. The breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.
The U.S. Marshals Service on Friday auctioned off about 30,000 bitcoins seized during a raid on Silk Road, an Internet black-market bazaar where authorities say illegal drugs and other goods were being sold.
An online auction took place over a 12-hour period on Friday for the bitcoins, valued at nearly $17.7 million. It consisted of nine blocks of 3,000 bitcoins and one block of 2,657 bitcoins. The Marshals Service has said it would notify the winning bidders today.
A spokeswoman for the Marshals Service declined to say how many bids the office received. Among those who said they registered to participate in the auctions were SecondMarket and Bitcoin Shop Inc.
Silk Road was shutdown after an FBI raid in September 2013 as agents took control of its server and arrested a Texas man, Ross Ulbricht, that the authorities said owned and operated the website.
The auction was for 29,655 bitcoins contained in files residing on its servers, which were forfeited in January.
Chris DeMuth, a partner at Rangeley Capital who had been considering bidding, said last week the chance the Marshals Service gets the market price for the bitcoins is low.
“Anyone could pay market prices on existing exchanges,” he said. “So the key question is how much of a discount do bidders want.”
The Marshals are holding about 144,342 additional bitcoins found on computer hardware belonging to Ulbricht that were subject to a civil forfeiture proceeding.
Ulbricht, 30, is scheduled to face trial Nov. 3. He has pleaded not guilty to the four counts against him, including money laundering conspiracy and engaging in a continuing criminal enterprise.
U.S. authorities have separately charged three men – Andrew Jones, Gary Davis and Peter Nash – in connection with their alleged roles in assisting Ulbricht in operating Silk Road.
Bitcoin prices were up 3.1 percent Friday at $597.41 per coin, according to the digital currency exchange CoinDesk.
Sally Beauty Holdings acknowledge on Monday that it too was a victim of a data breach, an incident that may have occurred alongside a project to update point-of-sale terminals at its U.S. stores, a recent regulatory filing shows.
The Denton, Texas, based company, which has more than half of its 4,669 stores in the U.S., said it found evidence that fewer than 25,000 records containing credit card data were accessed and possibly removed, according to a statement.
That follows its statement on March 5 that it was investigating “rumors” of a breach but had no reason to believe any credit card or consumer data had been lost.
The data it now says was likely stolen is known as “Track 2″ card data. Payment cards have a magnetic stripe on the back that contains three data tracks. Track 2 data contains only the card number and expiration data. Track 1 data contains the card number, expiration data and cardholder’s name, and Track 3 is rarely used.
Forensic investigators from Verizon are working with Sally Beauty along with the U.S. Secret Service.
“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation,” the company said.
“As a result, we will not speculate as to the scope or nature of the data security incident,” it said.
A representative of a public relations firm for Sally Beauty said the company could not comment further.
Sally Beauty’s annual report for fiscal 2013 shows the company undertook large IT infrastructure upgrade projects worldwide, including installing a new POS system for 2,450 stores in the U.S.
Target and Neiman Marcus blamed recent data breaches on malicious software that had been installed on POS systems, which are modern, software-driven cash registers that process card payments.
Target’s POS terminals were infected with a type of malware called a “RAM scraper.” The malware recorded payment card details after a card was swiped and the unencrypted data briefly sat in a system’s memory.
Sally Beauty wrote in its annual report that the POS system is expected to provide benefits such as enhanced tracking of customer sales and store inventory reports.
Sprint Corp and the federal government both agreed to fight in court over how much money law enforcement agencies owe the wireless provider for help the company was required to give investigators who wanted to tap phone calls.
The Obama administration filed a suit in U.S. District Court in San Francisco on Monday, alleging that Sprint overcharged the government $21 million for expenses it incurred while complying with court-ordered wiretaps and other surveillance help.
Sprint said it plans to defend the matter “vigorously.”
Telecommunications companies, including Sprint, are routinely asked to assist with investigations by helping facilitate phone surveillance such as wiretaps or so-called “pen registers,” which record data about phone calls, though not their content.
The companies are required to maintain equipment and facilities to be ready to assist. They are allowed to request reimbursements for related “reasonable expenses.”
In the case, San Francisco U.S. Attorney Melinda Haag alleged that Sprint “knowingly submitted false claims” to the FBI, Drug Enforcement Administration, Marshals Service and other law enforcement agencies from January 1, 2007 to July 31, 2010, inflating costs by about 58 percent.
The lawsuit said Sprint violated the anti-fraud law known as the False Claims Act and went against the federal regulations that prohibit carriers from using the reimbursements for wiretap cooperation to pay for updates to their equipment, facilities and services.
“Because Sprint’s invoices for intercept charges did not identify the particular expenses for which it sought reimbursement, federal law enforcement agencies were unable to detect that Sprint was requesting reimbursement of these unallowable costs,” the Justice Department said in the lawsuit.
Sprint, however, said its invoices to the federal agencies fully complied with the law that requires the government to reimburse reasonable costs incurred in assisting law enforcement agencies with electronic surveillance.
“We have fully cooperated with this investigation and intend to defend this matter vigorously,” said Sprint spokesman John Taylor.
The False Claims Act is the U.S. government’s main tool for recovering money when it think it has been defrauded, usually by a contractor such as an arms maker or hospital chain.
Federal Bureau of Investigation (FBI) has arrested five people, two of whom ran websites, on suspicion of offering or using hacking on demand services.
In a statement the FBI said that it has picked up two website operators and three users in an international operation involving the cooperation of Romanian, Indian and Chinese authorities.
The five domestic suspects have been charged with obtaining unauthorized access to email accounts, and the FBI thinks they will all plead guilty.
Mark Anthony Townsend, 45, of Cedarville, Arkansas and Joshua Alan Tabor, 29, of Prairie Grove, Arkansas are accused of operating a password sourcing hacking website called needapassword.com.
The other three, John Ross Jesensky, 30, of Northridge, California, Laith Nona, 31, of Troy, Michigan, and Arthur Drake, 55, of the Bronx, New York are charged with buying services from hacking websites, including one deal that was worth over $20,000.
The global swoop saw four people arrested in Romania, and a number of websites including zhackgroup.com, spyhackgroup.com, rajahackers.com, clickhack.com, ghostgroup.org and e-mail-hackers.com have been shut down.
Indian authorities arrested Amit Tiwari, who ran www.hirehacker.net and www.anonymiti.com, while in China the hiretohack.net website has been smacked down.
“As part of an international law enforcement operation involving Romania, India, and China, federal prosecutors have charged two operators of a United States based e-mail hacking website, as well as three customers of other hacking websites based in other nations, with computer fraud offenses,” said the FBI in a statement.
“These charges are the product of an international investigation coordinated by the Federal Bureau of Investigation, which received the assistance of the United States Air Force Office of Special Investigations and the Naval Criminal Investigative Service.”