35 years in prison should do the trick
Cut the perp some slack and give him 35 years in prison plus a $50 billion fine. Keep him in prison until he pays up.
The international hacker who confessed to stealing tens of millions of payment card numbers amassed a fortune worth more than $2.7m, including more than $1m in cash buried in his backyard in Miami. Albert "Segvec" Gonzalez agreed to forfeit the ill-gotten booty in a guilty plea that was formally entered in federal court in …
If credit card companies used proven cryptography methods then stolen credit card numbers wouldn't be a problem.
The idea that credit card "security" lies in a 16 digit number and a hard to guess date is stupid, but the fact that these IDs can then be used in an infinite number of replay attacks is insane.
RSA security keychains have been around forever, and although they aren't the cure all, at least they would stop replay attacks. Honest to god I hope Nokia kicks the shit out of the PCI with their new payment system.
Really good solutions have existed for so long it's embarrassing.
If the banks are really that afraid of losing customers to change, then they should at least let those of us who care use a secure payment system, and let all the other fools continue to use their 16 + 3 digits.
"What's the point of burying money if you're going to crack under pressure and reveal where it is?"
Who's to say that's all his liquid cash? Or even most? Or even a significant portion? If you are planning for a contingency where you know you're going to end up talking until they're satisfied, why not have a sacrificial anode handy?
I get the part about Visa numbers in unencrypted files, on hackable servers, on unsecured wireless links. What I don't get is how these guys use that information to get cash from ATMs. Of course if you know how to do it, we don't want you to post it here. But I'm really curious. Is the ATM system really that weak?
I have a seven-digit number - my customer number, which is only known to me and the bank - never written down, plus a card of 4-digit numbers always kept in a secret, hidden place <strikeout>under my mattress</strikeout> which I use for each transaction in sequence, then cross out*. THEN, I need another 4-digit number, on the same card to confirm the transaction.
If I enter, say, one number out of sequence, I'm prompted twice more for the correct number - but only if it's no more than two adrift on the card. If I fail again, take passport/driving licence to bank, wait 3 days for new codes to arrive. By registered mail, for which I have to present valid photo-ID again at post office to collect.
*Actually, I don't cross them off. I memorise the index number of the last 4-digit number I used. Safer that way.
Cheks/Cheques? Bank teller looks at them, and when finished laughing sends to the local antique store to be valued.
If I were this twa*t, and buried a million Finmarks, I'd get nowt, 'cos the period for exchanging them for €'s has expired. Bit like burying 2 million 10 shilling notes, I guess, doing a Ronnie Biggs, then trying to cash-the-stash. Apart from getting queer looks from the tellers - who haven't seen a ten-bob note, the Rozzers would be down faster than if someone had shouted 'Litter-dropper!!!'
Wow, this guy's a serious brand whore. BMW, Tiffany, Rolex, Glock... he just has to have the name brand versions! Maybe if he was a little more thrifty, he could have stolen less money, maintained a lower profile, maybe stayed out of jail for longer. Or indefinitely. Makes me want to start a life of crime just to show people how it's done.
[*] Well, actually a Glock 27 is a pretty good value, and it doesn't really pay to cheap out on firearms...but to point that out would totally ruin the flow.
(Paris, because I said "brand whoring". Heh heh.)
It's no secret, it's a man in the middle attack. If you can get in a position where you can read the (unencrypted?) transmission of the card number and the PIN to the merchant for verification, you've got what you need...it's the people who introduced a wireless network into this equation that need shooting.
A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.
The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses an HUI loader to install ransomware, such as LockFile, AtomSilo, Rook, Night Sky and Pandora. But cybersecurity firm Secureworks asserts that ransomware is probably just a distraction from the true intent: cyber espionage.
"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.
India's government last week issued confidential information security guidelines that call on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.
The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.
"The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.
Some research into the potentially exploitable low-power state of iPhones has sparked headlines this week.
While pretty much no one is going to utilize the study's findings to attack Apple users in any meaningful way, and only the most high-profile targets may find themselves troubled by all this, it at least provides some insight into what exactly your iOS handheld is up to when it's seemingly off or asleep. Or none of this is news to you. We'll see.
According to the research, an Apple iPhone that goes to sleep in low-power mode or is turned off isn't necessarily protected against surveillance. That's because some parts of it are still operating at low power.
The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.
The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.
ICE did not respond to The Register's request for comment.
In brief: San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations.
According to an SFPD training document obtained by Motherboard [PDF]: "Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads."
It indicates that police officers will receive additional information about how to access this evidence, and added: "Investigations have already done this several times."
Comment: Many information security practices use surveillance of users' activities. Logging, monitoring, observability – call it what you will, we have built a digital panopticon for our colleagues at work, and it's time to rethink this approach.
The flaws of surveillance-based infosec are already appreciated. The European Court of Justice (ECJ) recently found that mass surveillance of the population was an unjustified intrusion into privacy, even when the goal is to combat serious crime. Why, then, do we consider it reasonable to implement invasive surveillance to address the flawed computer systems we choose to use?
Does watching staff 24x7 really make things more secure?
Appian has been awarded more than $2 billion in damages from Pegasystems for "trade secret misappropriation."
It's an eyewatering sum, and came in a verdict received from a jury in the Circuit Court for Fairfax County, Virginia following a seven-week trial.
Appian is all about building apps and workflows rapidly with its low-code platform. The Pega platform is similarly concerned with speedy software building with a low-code approach. However, it appears that one party was a bit too interested in the other, resulting in a violation of the Virginia Computer Crimes Act and a misappropriation of Appian's trade secrets.
Infosec outfit Cybereason says it's discovered a multi-year – and very successful – Chinese effort to steal intellectual property.
The company has named the campaign "Operation CuckooBees" and attributed it, with a high degree of confidence, to a Beijing-backed advanced persistent threat-slinger going by Winnti – aka APT 41, BARIUM, and Blackfly.
Whatever the group is called, it uses several strains of malware and is happy to construct complex chains of activity. In the attack Cybereason claims to have spotted, Winnti starts by finding what Cybereason has described as "a popular ERP solution" that had "multiple vulnerabilities, some known and some that were unknown at the time of the exploitation."
Google's bug hunters say they spotted 58 zero-day vulnerabilities being exploited in the wild last year, which is the most-ever recorded since its Project Zero team started analyzing these in mid-2014.
This is more than double the earlier record of 28 zero-day exploits detected in 2015. And miscreants are still using the same old techniques to get away with their mischief.
"With this record number of in-the-wild zero-days to analyze we saw that attacker methodology hasn't actually had to change much from previous years," wrote Google security researcher Maddie Stone in Project Zero's third annual review of exploited programming blunders.
Google has made changes to its Play Store policies, effectively banning third-party call-recording apps beginning May 11, claiming it seeks to close off the use of accessibility APIs for purposes other than accessibility.
Google has for some time blocked true call recording since Android 6, and recording over the microphone since Android 10. Developers have been using accessibility APIs as a workaround to enable the recording of calls on Android.
Accessibility Service APIs are tools that offer additional services that can help those with disabilities overcome challenges. Using these services against their designed intentions, i.e. to achieve a goal not geared at overcoming disabilities, remains the only way for third-party apps to record calls.