WEEKLY DATA SECURITY NEWS ROUND UP Ed. 18 January 21-25, 2013
Key Trio of Large Cybercrime Ring Gets Taken Down
THIS WEEK’S BIG NUMBER $400,000 - The fine that U.K. Sony got slapped with by the ICO
For those with less experience in the field, this is exactly what real Cybercrime scenes look like. The man committing this particular Cybercrime had an extremely large finger.
The United States has charged three young East European men with running an international cyber theft ring that broke into a million computers, including at NASA. A trio that used malware called the “Gozi Virus” to infiltrate computers across Europe and America is now in custody. Back in 2010, the designer and chief architect of the virus, Nikita Kuzmin, was detained on US soil and pleaded guilty, pledging to cooperate with investigators. His two partners, “Miami” and “Virus,” were nabbed at the end of 2012. Very cool aliases. FBI assistant director-in-charge George Venizelos had this to say: “This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars.” Prosecutors say the long scam unfolded between 2005 and 2012 and that the virus was “virtually undetectable in the computers it infected”. Well, now it looks like these three cybercrime leaders are going to be “virtually undetectable” outside of a prison cell. Best burn of 2013. Source: ABC News
DID YOU KNOW? The number one cause of Cybercrime leaders being caught is the incriminating and oversized fingerprint they leave behind on the CRT Monitors they have compromised.
Sony fined $400,000 for data breach
Sony, more like Bologne...Data Security practices which resulted in a $400,000 fine. Not my wittiest jab, but it’ll do.
In 2011, Sony’s PlayStation Network was hacked, compromising 77 million users’ personal data. It was an unfortunate situation, and the Information Commissioner’s Office (ICO) of the U.K. recognized that Sony was the victim of a “focused and determined criminal attack”. But just because Sony was targeted doesn’t mean it lets them off the hook. The ICO still said the circumstances in which Sony was hacked were a “serious breach of the [U.K.’s] Data Protection Act (DPA)”. The U.K. government report on the incident found that Sony knew of a vulnerability in third-party software that it used, and even though patches were available, they were not applied. This is gross negligence from Sony, and it’s surprising that they’re only getting punished this much. What’s the fine for a bank leaving the keycode to the vault under the carpet? If you break it down, Sony is only being fined ~$0.005 per compromised account. No, there’s no typo there, that’s ½ of 1 cent per account. SCEE is appealing the ruling of the ICO, but at this point $400,000 hardly seems like anything to fight over. If anything, they should be punished more heavily, and have it be a lesson for other companies in the EU and worldwide. If you’re managing sensitive information, it’s your responsibility as a company and organization to keep it as safe as you can within reasonable means. Sony failed to do this, and they’re getting a deserved slap on the wrist.
Google stands up for Gmail users, requires cops to get a warrant
In the K logix Weekly, we’ve talked about the Petraeus scandal and what it meant for our e-mail security. It sent a bit of a scare through the Hill, and there was a lot of talk about revising the extremely outdated Electronic Communications Privacy Act (ECPA) e-mail privacy laws. Essentially, if the e-mail is older than 180 days, it’s fair game. This law was made so long ago that it doesn’t apply to how we conduct e-mail communications today. Luckily, Google is at least denying some of the government requests for data: around 12% of requests from American authorities were turned down in the last half of the year, according to its bi-annual Transparency Report. “In order to compel us to produce content in Gmail we require an ECPA search warrant,” said Chris Gaither, Google spokesperson. “If they come for registration information, that’s one thing, but if they ask for content of e-mail, that’s another thing.” Well, in the case of Petraeus, Google didn’t say no, because if the FBI comes knocking, you answer. But it looks like when authorities come looking for the contents of an e-mail without any kind of warrant, Google will puff up its chest just a bit and reject the request. It’s nice to see, and it may be the future of data security and privacy in relation to authority for now. Since the ECPA is nearly impossible to update effectively, it will be up to companies to keep their information safe on all counts, even from authorities who request it without a proper warrant. Source: Ars Technica
DID YOU KNOW? The last time the Electronic Communications Privacy Act was updated was in 1986, when the “180 day rule” was put in place.