A group of hackers known as the “Sandworm Team”, allegedly from Russia, has found a fundamental flaw in Microsoft Windows (a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012) and turned it into a Russian cyber-espionage campaign targeting NATO, European Union, telecommunications and energy sectors – by pulling emails and documents off computers from NATO, Ukrainian government groups, Western European government officials, and also the energy sector and telecommunications firms, according to new research from iSight Partners, a Dallas-based cybersecurity firm.
Photo credit: iSight Partners.
Here’s an interesting chart on how to use Tor to browse the web anonymously:
The Tor Project is a free software and an open network that shields your online identity and thus helps you maintain privacy by defending against network surveillance:
But Tor can still be compromised and multiple layers of security is recommended:
“I think this is bigger than Ebola right now because 500 million people are infected and they don’t know it. But it’s not them, it’s their smartphone,” said Gary Miliefsky, CEO of SnoopWall, a counterveillance software company focused on helping consumers and enterprises protect their privacy on all of their computing devices including smartphones, tablets and laptops.
“The top 10 flashlight apps today that you can download from the Google Play Store are all malware. They’re malicious, they’re spying, they’re snooping and they’re stealing.”
The personal data stolen from our smartphones – including contacts, emails, messages, bank account details, photos, video, etc – are then sold to cybercriminals in 3 countries: China, India and Russia, according to Miliefsky, a founding member of the US Department of Homeland Security who has advised two White House Administrations on cybersecurity matters.
More information below from SnoopWall press release:
Dropbox reportedly “appears” to have been hacked after anonymous hackers claimed to have compromised some 7 million accounts with several hundreds of usernames and passwords leaked in plain text so far, and with full leak promised if they received donations to their bitcoin address.
Dropbox, however, has denied claims of any data breach:
“Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”
Advice: Change your password immediately. And just like the recent iCloud hack, think hard before you post anything personal and confidential online.
The Tokyo District Court ordered Google Japan last Thursday to follow Europe’s recent “right to be forgotten” ruling and remove the search results of a Japanese man’s past relations with a criminal organization following his complaint of violation into his privacy.
According to the judge preceding the case, some of the Google results “infringe personal rights” and had harmed the plaintiff.
The European Court of Justice ruled in May that anyone living in the European Union and Europeans living outside the region could ask search engines to remove links if they believed the online contents breached their right to privacy and are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”
But despite the uproar and headlines in the aftermath, the dirty little secret is that nothing has really changed. What Google has effectively done is to remove results from name search of those names approved to be deleted but only on its European websites. The same results remain on the Google US homepage and all its non-European sites.
Furthermore, Google is only removing the results but not the links. Its European sites may have deleted the results for a search on a specific name but a search for the same name accompanied by other key words may still churn out the same results.
In an earlier Shhh-cretly column, I explained with examples why there is a limit on the extent of privacy and any attempt to manually and selectively remove the Google search contents, successful or otherwise, is like playing God.
In his first UK public appearance via satellite link from Moscow at the Observer Ideas festival on Sunday, Edward Snowden warned that British spy agencies are using digital technology to conduct mass population surveillance without any checks and balances at all and thus overreaching and encroaching on privacy rights in a way that he characterized as even worse than the US NSA had managed.
“In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive.”
Mark your calendar. The 24th of October has been set for the official release of “Citizenfour”, a long anticipated ground-breaking documentary by Laura Poitras, premiered at the New York Film Festival on Friday night, which reveals a behind-the-scene and intimate portrait of Edward Snowden and his leak of NSA documents as it unfolded at the Mira hotel in Hong Kong last year.
Poitras and former Guardian columnist Glenn Greenwald flew from New York to Hong Kong early June 2013 to meet Snowden for the first time. This documentary captures minute by minute their tense initial encounters and the many days of questioning, cross-examining and waiting for the Guardian greenlight to their explosive exposé that changed the world to this day.
Here’s an interesting story from BuzzFeed about a “little-noticed” court ruling from the US Justice Department – that the government has the right to impersonate someone’s identity, create a phony Facebook account in that person’s name, post racy photos found on that person’s seized phone – all without that person’s knowledge – in order to reach out to suspected criminals.
The world is still coming to grips with the snooping of personal information by the NSA, GCHQ and the likes in this post-Snowden era. But to commandeer one’s identity, without one’s knowledge, to catch criminals (or terrorists for that matter)? Has that gone too far, endangering one’s life?
(Btw check out this article on how to detect fake Facebook profiles.)
Government Set Up A Fake Facebook Page In This Woman’s Name
A DEA agent commandeered a woman’s identity, created a phony Facebook account in her name, and posted racy photos he found on her seized cell phone. The government said he had the right to do that.
Chris Hamby BuzzFeed Staff
Posted on Oct. 7, 2014, at 7:16 a.m.
The Justice Department is claiming, in a little-noticed court filing, that a federal agent had the right to impersonate a young woman online by creating a Facebook page in her name without her knowledge. Government lawyers also are defending the agent’s right to scour the woman’s seized cellphone and to post photographs — including racy pictures of her and even one of her young son and niece — to the phony social media account, which the agent was using to communicate with suspected criminals.
The woman, Sondra Arquiett, who then went by the name Sondra Prince, first learned her identity had been commandeered in 2010 when a friend asked about the pictures she was posting on her Facebook page. There she was, for anyone with an account to see — posing on the hood of a BMW, legs spread, or, in another, wearing only skimpy attire. She was surprised; she hadn’t even set up a Facebook page.
The account was actually set up by U.S. Drug Enforcement Administration special agent Timothy Sinnigen.
Not long before, law enforcement officers had arrested Arquiett, alleging she was part of a drug ring. A judge, weighing evidence that the single mom was a bit player who accepted responsibility, ultimately sentenced Arquiett to probation. But while she was awaiting trial, Sinnigen created the fake Facebook page using Arquiett’s real name, posted photos from her seized cell phone, and communicated with at least one wanted fugitive — all without her knowledge.
The Justice Department’s headquarters in Washington, D.C., referred all questions to the DEA, which then declined to answer questions and, in turn, referred inquiries to the local U.S. attorney’s office in Albany, New York. That office did not respond to multiple requests for an interview.
A Facebook spokesman declined to comment on the case. The site’s “Community Standards” say, “Claiming to be another person, creating a false presence for an organization, or creating multiple accounts undermines community and violates Facebook’s terms.” The spokesman said there is no exception to this policy for law enforcement.
Meanwhile, the bogus Facebook page remains accessible to the public, BuzzFeed News found.
Leading privacy experts told BuzzFeed News they found the case disturbing. “It reeks of misrepresentation, fraud, and invasion of privacy,” said Anita L. Allen, a professor at University of Pennsylvania Law School.
The experts also agreed that the case raises novel legal and ethical questions. There is a long tradition of deceptive practices by police that are legal, they noted. For example, officers assume a false identity to go undercover. “What’s different here,” said Ryan Calo, a professor at the University of Washington School of Law, is that the agent assumed the identity of a real person without her explicit consent.
“The technologies we have now are enabling all sorts of new uses,” said Neil Richards, a professor at the Washington University School of Law. “There are a whole bunch of new things that are possible, and we don’t have rules for them yet.”
The DEA’s actions might never have come to light if Arquiett, now 28, hadn’t sued Sinnigen, accusing him in federal district court in Syracuse, New York, of violating her privacy and placing her in danger.
In a court filing, a U.S. attorney acknowledges that, unbeknownst to Arquiett, Sinnigen created the fake Facebook account, posed as her, posted photos, sent a friend request to a fugitive, accepted other friend requests, and used the account “for a legitimate law enforcement purpose.”
The government’s response lays out an argument justifying Sinnigen’s actions: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”
That argument is problematic, according to privacy experts. “I may allow someone to come into my home and search,” said Allen, of the University of Pennsylvania, “but that doesn’t mean they can take the photos from my coffee table and post them online.”
“I cannot imagine she thought that this would be a use that she consented to,” the University of Washington’s Calo said.
“That’s a dangerous expansion of the idea of consent, particularly given the amount of information on people’s cell phones,” said Elizabeth Joh, a professor at the University of California, Davis, School of Law.
The government’s court filing confirms that Sinnigen posted a photo of Arquiett “wearing either a two-piece bathing suit or a bra and underwear,” but denies “the characterization of the photograph as suggestive.”
This picture is no longer on the Facebook page, but others are. An album called “Sosa,” her nickname, shows her in a strapless shirt and large hoop earrings or, in another, lying face-down on the hood of the BMW, legs kicked up behind her. “At least I still have this car!” reads a comment supposedly posted by her.
The DOJ also acknowledges that Sinnigen posted photos of Arquiett’s son and niece, who were then clearly young children.
Arquiett’s current attorneys declined requests to interview her. But court documents tell much of her story.
She was arrested in July 2010 and accused of participating in a conspiracy to distribute cocaine, an offense that could carry up to a life sentence. She pled guilty in February 2011, and, in a court filing, federal prosecutors recommended a reduced sentence, noting that she was not a significant player in the conspiracy and had promptly accepted responsibility.
Arquiett grew up in Watertown, New York, according to a motion on sentencing by her attorney in her criminal case. Her father was imprisoned when she was an infant. Her mother was an alcoholic and drug user, and her stepfather abused both Arquiett and her mother.
By 2008, Arquiett was dating Jermaine Branford, who authorities believed to be the head of a drug trafficking ring, the criminal complaint against Arquiett says. He also physically abused her, according to the sentencing motion her lawyer filed.
The government accused Arquiett of allowing Branford and his associates to process and store cocaine in her apartment and helping them contact other members of the drug ring and arrange transactions. Branford later pled guilty in federal court to conspiracy to distribute cocaine and received a sentence of almost 16 years.
Arquiett’s lawyer argued that Branford and his crew took advantage of her vulnerabilities. “To her, because they ‘took care’ of her, she considered them like family,” attorney Kimberly Zimmer wrote. “In fact, they preyed upon and used her.”
Arquiett, Zimmer wrote, wasn’t paid like other members of the drug ring, just given money on occasion to buy gas or other items. “At the time, although she knew that her co-defendants were distributing drugs and that she was helping them to do so, she considered the things that she did for Branford and the other co-defendants as ‘favors,’ ” Zimmer wrote.
Zimmer also noted Sinnigen’s actions. “Ms. Arquiett never intended for any of the pictures on her phone to be displayed publicly, let alone on Facebook, which has more than 800 million active users,” she wrote in the motion addressing sentencing. “More disturbing than the fact that the DEA Agents posted a picture of her in her underwear and bra is the fact that the DEA agents posted a picture of her young son and young niece in connection with that Facebook account, which the DEA agents later claim was used for legitimate law enforcement purposes, that is, to have contact with individuals involved in narcotics distribution.”
Taking all of this into account, a judge sentenced Arquiett to five years of probation, including six months of weekend incarceration and six months of home detention. This March, a probation officer certified that she had complied with the terms of her sentence and terminated her probation.
Photo credit: http://www.pitstopmedia.com/
Hollywood lawyer Marty Singer, of Los Angeles-based law firm Lavely & Singer, has written to Google chairman Eric Schmidt and founders Larry Page and Sergey Brin threatening to sue Google for US$100 million if the US search giant failed to remove the naked photos of their clients that were recently hacked and posted online.
Their clients include a dozen of Hollywood celebrities like Kate Upton, Amber Heard, Rihanna, Jennifer Lawrence, Ariana Grande and Cara Delevingne whose nude photos have been hacked and distributed online after hackers took advantage of a flaw in Apple’s password recovery system to gain access to their iCloud accounts.
Singer has accused Google of “blatantly unethical behavior” – as takedown requests were sent to the company days after the photos were leaked but those images remained on YouTube and blogs – and its failure “to act expeditiously, and responsibly to remove the images, but in knowingly accommodating, facilitating, and perpetuating the unlawful conduct. Google is making millions and profiting from the victimization of women”.
“The seriousness of this matter cannot be overstated. If Google continues to thumb its nose at my clients’ rights – and continues to both allow and facilitates the further victimization of these women – and disregards the demands of this letter, it does so at its own peril,” according to the letter (see below).
Google is no stranger to takedown requests.
A landmark ruling that originated from a Spanish court has led the European Court of Justice to rule last May that anyone living in the European Union and Europeans living outside the region could ask search engines to remove links if they believed the online contents breached their right to privacy and are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed”.
Following this controversial European “right to be forgotten” ruling, Google has started removing results from its search engine since late June.
Career intelligence officer Alex Younger is the new chief of MI6 Secret Intelligence Service (SIS), according to the British Foreign and Commonwealth Office (FCO) Friday.
The 51-year old Younger is now the new “M”, popularized in James Bond movies but otherwise known as “C” after the first head Sir George Mansfield Smith-Cumming, replacing Sir John Sawers who is stepping down after 5 years as chief of the country’s spy agency. The appointment is a sign of continuity of policy and strategy as Younger has served as the right-hand man for Sawers.
Younger has oversaw the agency’s worldwide intelligence operations the past 2 years. He had overseas postings in Europe and the Middle East and was the senior SIS officer in Afghanistan. He also led MI6′s work on counter-terrorism in the run up to the London Olympic Games 2012, according to the FCO.
The SIS, commonly known as MI6 (Military Intelligence, Section 6), is the British intelligence agency that supplies foreign intelligence to the British government. It was founded in 1909 and currently employs around 3,200 people with its headquarters in Vauxhall Cross, central London.
With the widespread use of social media during the week-long protests in Hong Kong, including attempts to find phone apps capable of defying potential shutdown of the power grid, this story from The Associated Press below (Credits to The Associated Press) is a timely stern reminder:
The Associated Press
Published: October 2, 2014
HONG KONG — The Chinese government might be using smartphone apps to spy on pro-democracy protesters in Hong Kong, a U.S. security firm said.
The applications are disguised as tools created by activists, said the firm, Lacoon Mobile Security. It said that once downloaded, they give an outsider access to the phone’s address book, call logs and other information.
The identities of victims and details of the servers used “lead us to believe that the Chinese government are behind the attack,” said a Lacoon statement.
China is, along with the United States and Russia, regarded as a leader in cyber warfare research. Security experts say China is a leading source of hacking attacks aimed at foreign governments and companies to computers in China.
The Chinese government has denied engaging in cyberspying and says China is among the biggest victims of hacking attacks.
Lacoon said it found two similar “malicious, fake” apps that appeared to be related. One targets phones that run Apple Inc.’s iOS operating system; the other is meant for phones using Google Inc.’s Android system.
The “very advanced software,” known as an mRAT, or multidimensional requirements analysis tool, “is undoubtedly being backed by a nation state,” the company said. Lacoon said it was calling the software Xsser.
“The Xsser mRAT represents a fundamental shift by nation-state cybercriminals from compromising traditional PC systems to targeting mobile devices,” the company said.
Such “cross-platform attacks” that target both Apple and Android phones are rare, which adds to signs a government is involved, Lacoon said. It said the app might be the first spyware for iOS created by a Chinese government entity.
In May, U.S. prosecutors charged five Chinese military officers with cyberspying and stealing trade secrets from major American companies. A security firm, Mandiant, said last year it traced attacks on American and other companies to a military unit in Shanghai.
Congratulations to The Guardian for winning an Emmy award in New York Tuesday night for its groundbreaking coverage on the Snowden revelations.
The multimedia interactive feature NSA Decoded by The Guardian emerged the winner in the new approaches: current news category at the news and documentary Emmy awards.
The interactive coverage, which includes interviews and discussions with key players like journalist Glenn Greenwald, former NSA employees, senators and members of US congress, helps the audience understand the facts and implications of Edward Snowden’s disclosures last year about the NSA’s mass surveillance program.
The Guardian has also won in April, along with the Washington Post, the Pulitzer prize for public service for their groundbreaking coverage of the Snowden revelations.
A short educational video on the impacts of mass surveillance on the average John Doe.
Tim Berners-Lee, the inventor of the web 25 years ago and director of the World Wide Web Consortium, spoke at the Web We Want Festival last Saturday whereby he, according to The Guardian, also called on Saturday for a bill of rights that would guarantee the independence of the internet and ensure users’ privacy.
“If a company can control your access to the internet, if they can control which websites they go to, then they have tremendous control over your life,” the British computer scientist said. “If a government can block you going to, for example, the opposition’s political pages, then they can give you a blinkered view of reality to keep themselves in power.
“Suddenly the power to abuse the open internet has become so tempting both for government and big companies.”
Below is Tim Berners-Lee at a TED Talk earlier this year.
In what could be equivalent to a nuclear bomb on Wall Street, former New York Federal Reserve Examiner Carmen Segarra has released some 46 hours worth of voice recordings, secretly taped with a small recorder on her keychain in 2012, that purportedly show bank regulators going soft and cozy with banking giant Goldman Sachs at a time when the New York Fed was expected to become a stronger regulator after the financial crisis of 2008.
To demonstrate a case in point from the recordings: “We’re looking at a transaction that’s legal but shady,” according to a New York Fed staffer in reference to a proposed Goldman Sachs financial transaction.
The secret recordings – released to both a reporter for ProPublica and radio program This American Life – show an unwillingness among some Fed supervisors to both demand specific information from Goldman about a transaction with Banco Santander and to strongly criticize what Segarra concluded was the lack of an appropriate conflict-of-interest policy at Goldman.
Segarra, who later suited the New York Fed for wrongful termination after her refusal to alter a critical examination of Goldman’s legal and compliance units, said her colleagues were too soft on those kinds of transactions and the banking industry in general.