#sextrafficking | Convict gets 55 years in prison for luring women into sex trade with drugs | #tinder | #pof | #match | romancescams | #scams
A county judge this week handed down a prison sentence for the second of two men convicted on charges related to human trafficking and prostitution throughout southeastern Pennsylvania. Barry […] View full post on National Cyber Security
Couple Ties the Knot After 17 Years of Dating, Photos Shared Online | #facebookdating | #tinder | #pof | romancescams | #scams
– A couple who share three kids have finally taken the step towards the altar – A lady revealed on Facebook that her aunt tied the knot after dating her […] View full post on National Cyber Security
#sextrafficking | Owner of illegal massage parlor that engaged in sex trafficking sentenced to over 33 years in prison | #tinder | #pof | #match | romancescams | #scams
“Omar Taylor is a coercive sex trafficker who pursued and exploited vulnerable victims for his own financial profit,” United States Attorney Erica MacDonald said in a statement. “The 400-month […] View full post on National Cyber Security
Tinder rapist Nevin’s sentence increased by two-and-a-half years | #tinder | #pof | romancescams | #scams
Tinder rapist and serial sex offender Patrick Nevin has had his 12-year jail term increased by two-and-a-half years, after the State appealed the undue leniency of his sentence. The Court […] View full post on National Cyber Security
The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it has fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.
This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.
Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:
→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.
Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.
Investigations found that the airline lacked appropriate security to secure customers’ data from October 2014 to May 2018. The data was exposed for longer than that, though: Cathay said in October 2018 that its system had been compromised at least seven months prior. As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.
Why didn’t the company announce the breach earlier? It didn’t say.
The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.
The ICO says that Cathay Pacific’s systems were entered via a server connected to the internet. Enabled by what the office called a “catalog of errors,” crooks managed to install data-harvesting malware. The security sins turned up by the ICO’s investigation included some basic ones: for example, the ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations:
People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.
The fine imposed on the company would have caused a lot more hurt if the breach had been discovered after the General Data Protection Regulation (GDPR) went into effect.
In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.
Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.
Though it escaped the weight of the GDPR hammer, the ICO says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the 1998 Data Protection Act, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”
For full details on the fine, check out the ICO’s Monetary Penalty Notice.
The post Cathay Pacific fined over crooks slurping its database for over 4 years – Naked Security appeared first on National Cyber Security.
ST. LOUIS – Melissa Scanlan, known as ‘The Drug Llama,’ has been sentenced to 160 months in federal prison in the United States District Court for the Southern District of Illinois for trafficking fentanyl throughout the United States via the ‘dark web,’ engaging in an international money laundering conspiracy, and distributing fentanyl resulting in death.
This case was part of a months-long, coordinated national operation involving the Drug Enforcement Administration St. Louis Division, the Food and Drug Administration – Office of Criminal Investigations, the United States Postal Inspection Service, the Department of Homeland Security, United States Customs and Border Protection, the United States Attorney’s Office for the Southern District of California, and the United States Attorney’s Office for the Southern District of Illinois.
‘With accessibility of fentanyl, it is imperative that the Drug Enforcement Administration and its law enforcement partners exploit all distribution avenues utilized by drug traffickers in Scanlan’s case,’ said DEA St. Louis Division Special Agent in Charge William J. Callahan. ‘Scanlan distributed poison in our community that resulted in death and she is now being held accountable.’
The crimes for which Scanlan was sentenced are as follows: one count of conspiracy to distribute fentanyl, five counts of distributing fentanyl, one count of selling counterfeit drugs, one count of misbranding drugs, one count of conspiracy to commit international money laundering, and one count of distribution of fentanyl resulting in death. The 32-year-old San Diego native pleaded guilty to those charges in October 2019. Scanlan’s co-conspirator, Brandon Arias, 34, was previously sentenced to nine years in federal prison for his role in the conspiracy.
Facts disclosed in open court revealed that Scanlan and Arias created an account on ‘Dream Market,’ a dark web marketplace where users buy and sell illegal substances and services, and used that account to sell substantial quantities of narcotics while operating under the moniker, ‘The Drug Llama.’ The charged fentanyl distribution conspiracy lasted from October 2016 to August 2018, during which time Scanlan sold approximately 52,000 fentanyl pills throughout the United States.
According to court records, Scanlan and Arias made over $100,000 from their dark web drug trafficking and split the money evenly. Court records also demonstrated Scanlan’s participation in an international money laundering conspiracy with Mexican cartel members, as well as her role in aiding and abetting the distribution of fentanyl pills to a woman identified as A.W., who later died.
Commenting on the case, U.S. Attorney Steven D. Weinhoeft assailed the culture of criminality that exists on the dark web.
‘Criminals like Melissa Scanlan who recklessly flood our communities with opioids may think they can evade detection in the shadowy corners and back alleys of the internet,’ said U.S. Attorney Weinhoeft. ‘But they will find no quarter there. Where they go, we will follow. With the collaboration of outstanding investigators at our partner agencies, we will use every tool and method available to find these people and prosecute them to the fullest extent of the law.’
‘Illicit opioid distribution, whether online or through conventional drug distribution methods, and the resulting overdoses and deaths, are a continuing national crisis. Those who contribute to that crisis through their illegal actions will be brought to justice,’ said Special Agent in Charge Charles L. Grinstead, FDA Office of Criminal Investigations Kansas City Field Office. ‘We are fully committed to disrupting and dismantling illegal prescription drug distribution networks that misuse the internet at the expense of public health and safety.’
The dark web is an underground computer network that is unreachable by traditional search engines and web browsers, creating a seeming anonymity to users. This false cloak has led to a proliferation of criminal activity on dark web marketplaces, like the one used by Scanlan and Arias.
#cyberfraud | #cybercriminals | Singapore’s crime rate highest in 9 years; online scams up by 54% – The Independent News
Source: National Cyber Security – Produced By Gregory Evans SINGAPORE — The crime rate in Singapore in 2019 is at its highest since 2010. While other types of crimes decreased, online scams increased by 54.2 percent from 2018. The Singapore Police Force (SPF) released the Annual Crime Brief 2019 on Wednesday (Feb 5). Overall, the country’s crime […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Victims of the Ashley Madison data breach are again under attack, this time, via email. In 2015, ‘Impact Team’ dumped 32 million Ashley Madison users’ personal information, credit card and payment details, passwords, security question answers and ‘preferences’ on the dark web, after Avid Life Media […] View full post on AmIHackerProof.com
In March of last year, Mark Zuckerberg made a dramatic pledge: Facebook would apply end-to-end encryption to user communications across all of its platforms by default. The move would grant strong new protections to well over a billion users. It’s also not happening any time soon.
What Zuckerberg didn’t spell out at the time is just how difficult that transition would be to pull off, and not just in terms of political hurdles from encryption-averse law enforcement or a shift in Facebook’s business model. Encrypting Facebook Messenger alone represents a herculean technical challenge. According to one of the Facebook engineers leading the effort, a version of Messenger that’s fully end-to-end encrypted by default remains years away.
“I’ll be honest right now and say we’re still in a place of having more questions than answers,” said Jon Millican, Facebook’s software engineer for Messenger privacy, in a talk today at the Real World Crypto conference in New York. “While we have made progress in the planning, it turns out that adding end-to-end encryption to an existing system is incredibly challenging, and involves fundamentally rethinking almost everything.”
Millican’s presentation at the conference, in fact, wasn’t about how Facebook plans to pull off the transition to default encryption for Messenger, which currently offers the feature only through its Secret Conversations mode. Instead, it seemed aimed at explaining the many hurdles to making that transition, and asking the cryptography community for ideas about how to solve them.
Millican readily admitted that means Facebook users shouldn’t expect to see a default encryption rollout for several years. That also likely means the company’s planned integration of WhatsApp, Facebook, and Instagram messaging will take at least as long, given that all three would likely need to be end-to-end encrypted to avoid undermining the existing default protections in WhatsApp.
“We publicly announced the plan years in advance of being able to actually ship it,” Millican said of Messenger’s encryption rollout in an interview with WIRED ahead of his conference talk, while declining to say when exactly Facebook expects the rollout to be complete. “There are no imminent changes coming here. This is going to be a long process. We’re dedicated to getting this right rather than doing it quickly.”
“If this is taking several years, maybe they’re not putting their money where their mouth is.”
Matthew Green, Johns Hopkins University
Facebook Messenger’s bounty of features—video calls, group messaging, GIFs, stickers, payments, and more—almost all currently depend on a Facebook server being able to access the contents of messages. In an end-to-end encrypted setup, only the people at the ends of a conversation would possess the keys on their devices to decrypt messages, requiring that more of Messenger’s mechanics be moved to apps and browsers. Facebook’s servers would act only as blind routers, passing messages on without being able to read them—which also keeps them safer from government agencies or other snoops.
Millican argues that getting to that point will require rebuilding every feature of Facebook Messenger from the ground up. “We’re looking at a full-stack rethink and re-architecture of the entire product,” he says. “We’re not just adding end-to-end encryption to a product, we’re building an end-to-end encrypted product.”
Facebook has, of course, already carried out the sort of billion-user transition to default encrypted messaging that it now says is so difficult. In 2016, Facebook-owned WhatsApp enabled default end-to-end encryption for all its billion-plus users. But Millican points out that that transition also took years, despite the WhatsApp of 2016 having been much simpler than Facebook Messenger in 2020. He points to key differences in the two apps: WhatsApp doesn’t support multiple devices, beyond a desktop program that essentially routes messages via the user’s phone. And it doesn’t back up messages to a server so that they’re available when you reinstall the app. Messenger does both.
Apple may present another model of how to achieve the sort of massive end-to-end encrypted network Facebook has committed to create: It’s managed to build rich features and end-to-end encryption by default into iMessage. But it doesn’t have the sort of full-featured, independent web interface that Facebook Messenger offers, which presents other challenges, since it’s designed to allow users to send messages from any device. (WhatsApp’s web interface, like its desktop app, only works when it’s linked with a user’s phone.)
The post Facebook Says Encrypting Messenger by Default Will Take Years appeared first on National Cyber Security.
Looking at the security fails of 2019 is amusing, but it ought to be set against the progress many organizations have made in adopting best practice when drawing up the security ledger for the year.
Security success stories tend to start with establishing an effective security policy coupled with a training program and sound contingency planning, a collective approach often absent from organizations.
But businesses and public sector bodies are moving to improve the way they secure personal information, not least because of the harsh fines imposed by tightened data protection rules such as the EU’s General Data Protection Regulation (GDPR).
Requirements for companies to disclose breaches, whether under GDPR or many of the data breach notification laws found throughout the US, are among the main reasons why organizations are starting to become more open about any data loss that they may experience.
This has equally prompted change in the way a business collects and uses data, and how it keeps its customers informed. Increasingly, user or customer education is part of a company’s data security team remit.
Businesses are now finding, in part, that a perimeter security approach – building ever-higher walls around systems and data – is unsustainable. A strong data protection policy, in short, is better for business.
This approach is known as “data stewardship”.
Why it’s worth investing in data stewardship
“Data stewardship starts with an effective data strategy,” Dr. Sanjana Mehta, head of market research strategy for EMEA at (ISC)², the security professional association, told The Daily Swig.
“This means asking fundamental questions such as: what data is an organization collecting? What is the purpose of storing or processing that data? And are the data subjects fully aware of and have they consented to these purposes?”
An organization should be collecting only the data it needs for its business process, and it should be informing the customer, citizen, or employee about why the data is needed, how it will be processed, and for how long it will be kept. The GDPR, for example, sets out – for citizens residing in the EU – a legal ‘right to be forgotten’.
Unless organizations practice good data stewardship, knowing what data they hold and where that data is, they will not be able to meet the obligations set out under the legislation, or indeed any similar data protection law that may pass in 2020.
“Organizations continuously tread a fine balance between optimizing data processing to inform strategic decisions which means providing more people access to more data and securing the interests of their data subjects, which means tightening access to data,” Dr. Mehta said.
Clean data is good for business
Good data management makes it easier to protect information. The business can target protection measures – including firewalls, encryption, and data loss protection tools – and train staff to reduce accidental data loss. This is hardly news to CISOs.
But minimizing data collection, and being clear about why data is needed, goes further. It is also about trust.
“I have been saying for a couple of years that you can’t have customer experience without permission,” Darren Guarnaccia, chief strategy officer at Crownpeak, a digital experience management company, told The Daily Swig.
“Part of that experience is trust… So much of that has been eroded through events of the last couple of years. Brands have to earn some of that back.”
This is why Guarnaccia advocates an open approach to data policies, as well as ongoing training for employees. His views are echoed by Phil Slingsby, head of governance, standards and assurance at converged ICT services supplier GCI.
“As a tech company it’s easy to forget the importance of people,” Slingsby warns. “Privacy, in particular, is a human right, so it’s fundamentally focused on people.”
He told The Daily Swig: “To be as effective as possible when it comes to data protection, we’ve had to get better at engaging with our people and integrating data protection into the fabric of how we do business.
“This has meant a shift in priority away from just being certificated to things like [the] ISO 27001 [security standard], and more towards ensuring that we are actually ‘doing the right things’ when it comes to data protection.”
Clear and relevant data collection policies are vital. Some organizations go further, and actively promote data and privacy protection to their customers, as well.
Mozilla, the organization behind the Firefox browser, promotes a free service for internet users to look up pwned passwords, for instance. The service holds breach data going back to 2007.
And Nest, the Google-owned smart home company, set up a service last year warning users about password breaches, even if they were found to affect rivals’ hardware.
The post #hacking | New Years Resolution: Organizations push for proactive approach to security appeared first on National Cyber Security.