United Kingdom

Lauri Love Ruling 'Sets Precedent' For Trying Hacking Suspects in UK (theguardian.com) 222

A high court ruling blocking extradition to the US of Lauri Love, a student accused of breaking into US government websites, has been welcomed by lawyers and human rights groups as a precedent for trying hacking suspects in the UK in future. From a report: The decision delivered by the lord chief justice, Lord Burnett of Maldon, is highly critical of the conditions Love would have endured in US jails, warning of the risk of suicide. Lawyers for the 33-year-old, who lives in Suffolk, had argued that Love should be tried in Britain for allegedly hacking into US government websites and that he would be at risk of killing himself if sent to the US. There was cheering and applause in court on Monday when Burnett announced his decision. He asked supporters to be quiet, saying: "This is a court, not a theatre." In his judgment, Burnett said: "It would not be oppressive to prosecute Mr Love in England for the offences alleged against him. Far from it. Much of Mr Love's argument was based on the contention that this is indeed where he should be prosecuted

Family of 'Swat' Victim Sues Kansas Police, Lawmakers Propose 40-Year Jail Terms (cbsnews.com) 291

An anonymous reader brings more updates about the 'Swat' call that led to a fatal police shooting: The gamer who dared another gamer to send police officers to his home had offered the address where he used to live, until his family was evicted in 2016. While he may also be charged for the fatal shooting that followed, the victim's family has now sued the city of Wichita as well as its police officers, with their attorney saying the city "is trying to put all the blame on the young man in California who placed the swatting call. But let's be clear: the swatter did not shoot the bullet that killed Andy Finch. That was an officer working under the direction of the Wichita Police Department."

The attorney points out that the 911 caller in California provided a description of the house which didn't match the actual house in Kansas, adding "How can Wichita police department officers not be trained to deal with this type of situation...? Prank calls are not new," according to CBS News. "The lawsuit cites FBI crime statistics showing Wichita has a ratio of one shooting death for every 120 officers -- a number that is 11 times greater than the national ratio and 12 times greater than the ratio in Chicago."

Meanwhle, Kansas lawmakers have introduced a new bill proposing a penalty of 10 to 40 years in prison if a swatting call ends in a person's death, which would also cause the offense to be prosecuted as murder.

One lawmaker argues that the bill is necessary because under the current system if a person phones in a swat call, "there's really no consequence for his actions."

Investigators Crack DB Cooper Code, Identify Suspect With Possible CIA Connections (seattlepi.com) 133

An anonymous reader quotes the Seattle Post-Intelligencer: A private investigative team announced Thursday morning that members now believe D.B. Cooper was a black ops CIA operative possibly even involved with Iran-Contra, and that his identity has been actively hidden by government agents. The 40-member cold-case team comprised of several former FBI agents and led by Thomas and Dawna Colbert made its latest reveal after a code breaker working with the team found connections in each of five letters allegedly sent by Cooper in the days following the famed hijacking in 1971.

What's more, several people who knew Colbert's top suspect, a man named Robert W. Rackstraw, have noted possible connections to the CIA and to top-secret operations, Colbert said. "The new decryptions include a dare to agents, directives to apparent partners, and a startling claim that is followed by Rackstraw's own initials: If captured, he expects a get-out-of-jail card from a federal spy agency," Colbert said in a news release... In a brief phone call last year, Rackstraw only told SeattlePI to verify Colbert's claims; he didn't issue a denial, or comment further on Colbert's investigation...

Late last year, Colbert's team obtained a fifth letter allegedly sent by Cooper that Colbert said supports a possible FBI cover-up, but also included random letters and numbers. A code breaker on Colbert's team was able to decode the letters and numbers and find they pointed to three Army units Rackstraw was connected to during his military service in Vietnam. The code was meant to serve as a signal to his co-conspirators that he was alive and well after the jump, Colbert said... Another letter, in which Cooper claimed to be CIA openly, also had the letters "RWR" at the end -- the initials of Robert W. Rackstraw, according to Colbert.


First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com) 101

Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.


FBI Warns of Email Death Threats Demanding Bitcoin (abc7.com) 95

An anonymous reader writes: "I will be short. I've got an order to kill you," the note said, demanding $2,800 in U.S. dollars or Bitcoin. "I switched from being upset about it to, 'I need to get the word out'," one of its targets told a local newscaster. They filed a report through the FBI's web site.

"If only 1% of people send money -- there's no overhead for them; that's money in the bank," one FBI agent tells the news team. A quick Google search finds recent reports of two nearly identical threats using the same text.

"I have been thinking for a long time whether it is worth sending this notice, and decided that you still have the right to know... I've got an order to kill you, because some of your activity causes trouble to several people... I decided to break some rules, as this will be my final order... As soon as I receive the funds, I will forward you the name of the man [this] order came from, and all other information I have."

United States

A 15-Year-Old Convinced Verizon He Was the Head of the CIA (newsweek.com) 143

schwit1 shares an interesting story. Newsweek reports: A British teenager managed to obtain access to sensitive U.S. plans about intelligence operations in different Middle East countries by acting as former CIA Director John Brennan, a court heard on Friday. Kane Gamble, 18, researched Brennan and used the information he gathered to speak to an internet company and persuade call handlers to give him access to the spy chief's email inbox in 2015. He pretended to be both a Verizon employee and Brennan to access Brennan's internet account.

Astonishingly, Gamble managed to gain access to Brennan's emails and his addressbook, as well as his iCloud storage. He even managed to remotely access the iPad of Brennan's wife... Gamble, aged 15 at the time, also persuaded a helpdesk at the FBI that he was the then deputy director Mark Giuliano... In October 2017, Gamble pleaded guilty to 10 charges, including eight charges of "performing a function with intent to secure unauthorized access" to the computers and two of "unauthorized modification of computer material."


Two More Gamers May Be Charged in Fatal Kansas 'SWAT' Shooting (kansas.com) 170

A newly-released affidavit reveals that money was at stake in a game of Call Of Duty: World War II which led to the fatal real-life police shooting of Andrew Finch. The Wichita Eagle reports: Investigators learned that Shane Gaskill, who lives in Wichita, was involved in an online video game with other people when he accidentally [virtually] shot and killed one of his teammates in the online game. The teammate who was killed in the game became "extremely upset" and began talking trash to Gaskill, the affidavit says. The dispute escalated until the teammate, who the document identifies as Casey Viner of North College Hill, Ohio, threatened via Twitter to "SWATT" Gaskill, according to the affidavit. Gaskill replied, "Please try some s---." He then posted the address...
Viner "is considered a suspect in several 'swatting' incidents in Cincinnati," reports the Los Angeles Times, adding that prosecutors are still deciding whether these two gamers should also face criminal charges.

Meanwhile, Kansas officials have been informed that the third gamer who actually made the phone call, 25-year-old Tyler Barriss, matches the voice on a fake 2015 bomb threat, and is already the subject of an open investigation by an FBI Joint Terrorism Task Force.

Crooks Created 28 Fake Ad Agencies To Disguise Massive Malvertising Campaign (bleepingcomputer.com) 36

An anonymous reader quotes a report from Bleeping Computer: A group of cyber-criminals created 28 fake ad agencies and bought over 1 billion ad views in 2017, which they used to deliver malicious ads that redirected unsuspecting users to tech support scams or sneaky pages peddling malware-laden software updates or software installers. The entire operation -- codenamed Zirconium -- appears to have started in February 2017, when the group started creating the fake ad agencies which later bought ad views from larger ad platforms. These fake ad agencies each had individual websites and even LinkedIn profiles for their fake CEOs. Their sole purpose was to interface with larger advertising platforms, appearing as legitimate businesses. Ad security company Confiant, the one who discovered this entire operation, says ads bought by this group reached 62% of ad-monetized websites on a weekly basis. All in all, Confiant believes that about 2.5 million users who've encountered Zirconium's malicious ads were redirected to a malicious site, with 95% of the victims being based in the U.S.
The Courts

Kim Dotcom Sues New Zealand For $6.8 Billion In Damages Over Erroneous Arrest (torrentfreak.com) 216

An anonymous reader quotes a report from the BBC: Kim Dotcom, the founder of file-sharing site Megaupload, is suing the New Zealand government for billions of dollars in damages over his arrest in 2012. The internet entrepreneur is fighting extradition to the U.S. to stand trial for copyright infringement and fraud. Mr Dotcom says an invalid arrest warrant negated all charges against him. He is seeking damages for destruction to his business and loss of reputation. Accountants calculate that the Megaupload group of companies would be worth $10 billion today, had it not been shut down during the raid. As he was a 68% shareholder in the business, Mr Dotcom has asked for damages going up to $6.8 billion. He is also considering taking similar action against the Hong Kong government. As stated in documents filed with the High Court, Mr Dotcom is also seeking damages for: all lost business opportunities since 2012, his legal costs, loss of investments he made to the mansion he was renting, his lost opportunity to purchase the mansion, and loss of reputation.

Ecuador is Fighting Crime Using Chinese Surveillance Technology (scmp.com) 35

Ecuador has introduced a security system using monitoring technology from China, including facial recognition, as it tries to bring down its crime rate and improve emergency management, according to state-run Xinhua news agency. From a report: A network of cameras has been installed across the South American nation's 24 provinces -- keeping watch on its population of 16.4 million people -- using a system known as the ECU911 Integrated Security Service, Xinhua reported. Used by the country's police, armed forces and fire brigade, it went into operation in November 2016 and has an emergency response and monitoring system.

Tesla Owner Attempts Autopilot Defense During DUI Stop (arstechnica.com) 139

It turns out driving drunk is still illegal, even with a driver-assistance system active. "On Saturday, January 13, police discovered a man in his Tesla vehicle on the San Francisco-Oakland Bay Bridge," reports Ars Technica. "The San Francisco Chronicle reports that 'the man had apparently passed out in the stopped car while stuck in the flow of busy bridge traffic at 5:30pm, according to the California Highway Patrol." From the report: When police woke the man up, he assured officers that everything was fine because the car was "on autopilot." No one was injured in the incident, and the California Highway Patrol made a snarky tweet about it. Needless to say, other Tesla owners -- and people who own competing systems like Cadillac's Super Cruise -- should not follow this guy's example. No cars on the market right now have fully driverless technology available. Autopilot, Supercruise, and other products are driver assistance products -- they're designed to operate with an attentive human driver as a backup. Driving drunk using one of these systems is just as illegal as driving drunk in a conventional car.

Church Elder/'Jeopardy' Champion Charged With Computer Crimes (mlive.com) 102

Stephanie Jass, a record-setting, seven-time winner on Jeopardy, has been charged with two felonies for accessing the email accounts of two executives at the college where she worked as an assistant professor. An anonymous reader quotes MLive: Jass was able to access the accounts because of an April 24 issue with the college email system, hosted by Google. Frank Hribar, vice president for enrollment and student affairs, said there was network outage caused by loss of power. On April 25, users received a text message with a generic, standard passcode: "Please attempt to login to Gmail using this password. You should be prompted to change password after login..." Not everyone, however, was prompted to do so. Some did make the change using a tutorial. Some received an error and were unable to create a new password, the timeline states. Others did not alter the password at all. The method "worked just fine, had there not been manipulation of the system," said Hribar...

Jass, 47, of Tecumseh was charged in December with unauthorized access to a computer, program or network, and using a computer to commit a crime, both felonies... On May 5, the college deactivated Jass' email account and access to all other college software. The locks to her office door were changed and her desktop computer was confiscated, according to the timeline.

The police report "indicates Jass accessed emails while using an internet network at First Presbyterian Church of Tecumseh, where she served as an elder."

iPhone X Purchase Leads To Police, Battering Ram, and Handcuffs (cbslocal.com) 411

An anonymous reader quotes CBS SFBayArea: On one recent morning, Rick Garcia and his wife Shannon Knuth woke up to a posse of San Francisco police officers at their front door. "I peered through the peephole and I saw a police officer and a battering ram," Garcia said. "We heard 'SFPD' and 'warrant,' and I was like 'what's going on?'" Knuth remembers. It felt like a nightmare yet it was real. Garcia says that within seconds he was dragged into the hallway of his apartment complex, handcuffed, then whisked away to the Taraval Station.... Meanwhile Knuth, who had just got out of the shower, was ordered to sit on the couch... After rifling through the apartment Knuth says the officers finally told her what they were looking for: Her husband's iPhone X.

According to the warrant, it was stolen but Knuth showed them the receipt which proved her husband bought it. Once the officers realized their mistake they called the police station and a squad car brought Garcia home. "They gathered their pry bar and their battering ram and they left," he said. So how could a mistake like that happen? It's still unclear but it turns out Garcia and Knuth bought the iPhone at an Apple store at Stonestown Galleria just a few weeks after 300 iPhone Xs were stolen from a UPS truck in the mall parking lot.

One former police chief says the way it was handled "kind of boggles the mind...

"This was clearly an incident that should have just been a knock and talk, a couple detectives come to the door, knock on the door and they would have gathered the same info that they gathered after they put him in handcuffs and hauled him off to jail."
United States

Apple and Google Are Rerouting Their Employee Buses as Attacks Resume (mashable.com) 292

Slashdot reader sqorbit writes: Apple runs shuttle buses for it's employees in San Francisco. It seems someone who is not happy with Apple has decided to take out their anger on these buses. In an email obtained by Mashable, Apple states "Due to recent incidents of broken windows along the commute route, specifically on highway 280, we're re-routing coaches for the time being. This change in routes could mean an additional 30-45 minutes of commute time in each direction for some riders." It has been reported that at least four buses have had windows broken, some speculating that it might caused by rubber bullets.
"Around four years ago, people started attacking the shuttle buses that took Google employees to and from work, as a way of protesting the tech-company-driven gentrification taking place around San Francisco," remembers Fortune, adding "it seems to be happening again."

At least one Google bus was also attacked, according to the San Francisco Chronicle, which adds that the buses "were not marked with company logos, and the perpetrators are suspected of broadly targeting technology shuttle buses rather than a specific company."

China's Smartphone Maker OnePlus Says Up To 40,000 Customers Were Affected by Credit Card Security Breach (theverge.com) 8

sqorbit writes: OnePlus, a manufacturer of an inexpensive smartphone meant to compete with the iPhone, states that data from 40,000 customers credit card information was stolen while purchasing phones from its website. Even as the company has just confirmed the breach, it says the the script stealing information had been running since November. It is not clear whether this was a remote attack or the attack happened from within the company. Credit purchases on the OnePlus site have been suspended and will remain that way while an investigation takes place. [...] Earlier this week, OnePlus had temporarily shut down credit card payments on its website following reports that customers' payment details were stolen after they bought goods through its online store. The company says it's disabling credit card payments "as a precaution," but will still be accepting purchases through PayPal. The investigation began after a poll posted by users on OnePlus' forums found that many customers had experienced the same problem.

Instant Messaging Company Snap Threatens Jail Time for Leakers (cheddar.com) 92

An anonymous reader shares a report: Snap has a simple message to its employees: leak information and you could be sued or even jailed. The chief lawyer and general counsel of Snapchat's parent company, Michael O'Sullivan, sent a threatening memo to all employees last week just before The Daily Beast published an explosive story with confidential user metrics about how certain Snapchat features are used. "We have a zero-tolerance policy for those who leak Snap Inc. confidential information," O'Sullivan said in the memo, a copy of which was obtained by Cheddar. "This applies to outright leaks and any informal 'off the record' conversations with reporters, as well as any confidential information you let slip to people who are not authorized to know that information."

Bitcoin's Fluctuations Are Too Much For Even Ransomware Cybercriminals (theguardian.com) 84

Bitcoin's price swings are so huge that even ransomware developers are dialling back their reliance on the currency, according to researchers at cybersecurity firm Proofpoint. From a report: Over the last quarter of 2017, researchers saw a fall of 73% in payment demands denominated in bitcoin. When demanding money to unlock a victim's data, cybercriminals are now more likely to simply ask for a figure in US dollars, or a local currency, than specify a sum of bitcoin. Just like conventional salespeople, ransomware developers pay careful attention to the prices they charge. Some criminals offer discounts depending on the region the victim is in, offering cheaper unlocking to residents of developing nations, while others use an escalating price to encourage users to pay quickly and without overthinking things. But a rapidly oscillating bitcoin price plays havoc with those goals, Proofpoint says.

Software 'No More Accurate Than Untrained Humans' At Predicting Recidivism (theguardian.com) 166

An anonymous reader quotes a report from The Guardian: The credibility of a computer program used for bail and sentencing decisions has been called into question after it was found to be no more accurate at predicting the risk of reoffending than people with no criminal justice experience provided with only the defendant's age, sex and criminal history. The algorithm, called Compas (Correctional Offender Management Profiling for Alternative Sanctions), is used throughout the U.S. to weigh up whether defendants awaiting trial or sentencing are at too much risk of reoffending to be released on bail. Since being developed in 1998, the tool is reported to have been used to assess more than one million defendants. But a new paper has cast doubt on whether the software's predictions are sufficiently accurate to justify its use in potentially life-changing decisions.

The academics used a database of more than 7,000 pretrial defendants from Broward County, Florida, which included individual demographic information, age, sex, criminal history and arrest record in the two year period following the Compas scoring. The online workers were given short descriptions that included a defendant's sex, age, and previous criminal history and asked whether they thought they would reoffend. Using far less information than Compas (seven variables versus 137), when the results were pooled the humans were accurate in 67% of cases, compared to the 65% accuracy of Compas. In a second analysis, the paper found that Compas's accuracy at predicting recidivism could also be matched using a simple calculation involving only an offender's age and the number of prior convictions.


Facebook Is a 'Living, Breathing Crime Scene,' Says Former Tech Insider (nbcnews.com) 144

An anonymous reader quotes a report from NBC News: With more than 2 billion users, Facebook's reach now rivals that of Christianity and exceeds that of Islam. However, the network's laser focus on profits and user growth has come at the expense of its users, according to one former Facebook manager who is now speaking out against the social platform. "One of the things that I saw consistently as part of my job was the company just continuously prioritized user growth and making money over protecting users," the ex-manager, Sandy Parakilas, who worked at Facebook for 16 months, starting in 2011, told NBC News. During his tenure at Facebook, Parakilas led third-party advertising, privacy and policy compliance on Facebook's app platform. "Facebook is a living, breathing crime scene for what happened in the 2016 election -- and only they have full access to what happened," said Tristan Harris, a former design ethicist at Google. His work centers on how technology can ethically steer the thoughts and actions of the masses on social media and he's been called "the closest thing Silicon Valley has to a conscience" by The Atlantic magazine.

In response to the comments, Facebook issued a statement saying it is a "vastly different company" from when it was founded. "We are taking many steps to protect and improve people's experience on the platform," the statement said. "In the past year, we've worked to destroy the business model for false news and reduce its spread, stop bad actors from meddling in elections, and bring a new level of transparency to advertising. Last week, we started prioritizing meaningful posts from friends and family in News Feed to help bring people closer together. We have more work to do and we're heads down on getting it done."

The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 63

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."

Slashdot Top Deals