Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

One of the masterminds behind the $9 million hack into RBS WorldPay received a six-year suspended sentence in Russia, according to local reports Wednesday.

Viktor Pleshchuk, 29, who pleaded guilty to his role in the heist, also got four years of probation and was ordered to pay $8.9 million in restitution. He received a reduced sentence for cooperating with authorities.

Pleshchuk, of St. Petersburg, was a graduate of Tomsk State University of Control Systems and Radioelectronics and worked as a sales manager for an e-commerce company when he participated in what the U.S. has called “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

The sentencing hearing was held behind closed doors out of security concerns, according to Fontanka. The defendant’s family had received anonymous calls from someone trying to ascertain what information Pleshchuk had provided authorities. That information apparently included the names of his criminal associates — most of them mules whose sole task was withdrawing stolen funds from ATMs — as well as the location of about $60,000 that authorities found stashed in safety deposit boxes and luggage lockers at train stations.

Pleshchuk faces separate charges in the U.S, where he and several others were indicted last November in Atlanta, Georgia, for the RBS hacks. Other defendants include Sergei Tsurikov, 26, of Talinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3.”

Last month, Tsurikov was extradited from Estonia to the U.S. where he was arraigned in the Northern District of Georgia on charges that he helped coordinate the global bank card heist. Pleshchuk was arrested by the Russian Federal Security Service, or FSB, earlier this year, but because the U.S. lacks an extradition treaty with Russia was tried in Russia instead. It’s unlikely he will have to face charges in the U.S. unless he travels outside Russia and is nabbed in a country that is more amenable to U.S. extradition requests.

The RBS WorldPay hack involved cracking PINs for bank cards and netted the culprits more than $9.5 million in less than 12 hours. Pleshchuk’s role, according to a U.S. indictment against him, involved exploiting vulnerabilities in RBS’s computer network.

RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a number of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), prepaid cards, credit card and ATM-processing services. The processor discovered in November 2008 that intruders had accessed account details for 100 payroll cards — offered by some employers as a paperless alternative to paychecks.

The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards and boost their daily withdrawal limits. In some case, the hackers raised the limits to $500,000.

According to the U.S. indictment, Tsurikov conducted reconnaissance of RBS’s computer network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleshchuk allegedly developed the method for cracking the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. In a global coordinated heist, the cashers simultaneously hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million in less than 12 hours.

The hackers, still embedded in RBS’s network, were able to observe the withdrawals of funds from ATMs in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals. Once the mission was completed, the hackers tried to erase their tracks on the RBS network.

The four hacking suspects each face a maximum sentence of up to 20 years in prison in the U.S. for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines up to $3.5 million dollars.

Photo: Ell Brown/Flickr

See also:

• Alleged Carder ‘BadB’ Charged in $9 Million ATM Heist
• Alleged Carder ‘BadB’ Busted in France
• Suspect in RBS WorldPay Hack Extradited to the U.S.
• Russia Arrests Alleged Mastermind of RBS WorldPay Hack
• 4 Hackers Indicted in $9.5 Million Bank Card Attack
• 5 More Indicted in Probe of International Carding Ring
• PIN Crackers Nab Holy Grail of Bank Card Security
• Big Box Breach: The Inside Story of Wal-Mart’s Hacker Attack
• Global ATM Caper Nets Hackers $9 Million in One Day

Original article at Threat Level

Read more of this story at Slashdot.

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion detection sensors on non-military government networks, and helps other civil agencies respond to hack-attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of physician, heal thyself, the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for DHS’s inspector general ran a sweep using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high risk security holes on US-CERT systems.

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java, and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

In an appendix to the report (.pdf), which is dated August 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating system and application security patches and updates to mitigate current and future vulnerabilities.”

See Also:

• DHS Alarmed by Sticker of Suicide Bomber; Really a Graffiti Artis
• TSA Threatens Blogger Who Posted New Screening Directive
• What’s Up with the Secret Cybersecurity Plans, Senators Ask DHS
• The Virus That Ate DHS

Original article at Threat Level

Binyam Mohamed, a British resident, is among five plaintiffs who claim CIA torture

Citing the Obama administration’s evocation of the state secrets privilege, a divided federal appeals court agreed Wednesday to toss a lawsuit against a Boeing subsidiary accused of helping the CIA transport detainees to secret foreign prisons where they allegedly were tortured.

Ruling 6-5, a panel of the 9th U.S. Circuit Court of Appeals said it was bound by a 1953 Supreme Court precedent requiring judges to dismiss cases if litigating them could expose government secrets and imperil national security.

“This case requires us to address the difficult balance the state secrets doctrine strikes between fundamental principles of our liberty, including justice, transparency, accountability and national security,” Judge Raymond Fisher wrote for the majority. “Although as judges we strive to honor all of these principles, there are times when exceptional circumstances create an irreconcilable conflict between them. (.pdf)

“On those rare occasions, we are bound to follow the Supreme Court’s admonition that ‘even the most compelling necessity cannot overcome the claim of privilege if the court is ultimately satisfied that [state] secrets are at stake,’” Fisher continued.

The majority concluded that, “after much deliberation, we reluctantly conclude this is such a case.”

The outcome underscores that, at least insofar as the state secrets privilege is concerned, President Barack Obama has taken the same path of his predecessor, despite claims he would limit his use of the privilege. President Obama has continued to invoke the privilege in cases left over from the Bush administration, and has argued for it in newer cases as well.

Attorney General Eric Holder acknowledged a year ago that the government was continuing with pending Bush privilege assertions, but claimed it would only invoke the privilege when there’s a possibility of “significant harm” to the country, and wouldn’t use it to hide embarrassing or illegal government programs.

The state secrets privilege is a defense first recognized by the U.S. Supreme Court in a McCarthy-era lawsuit in 1953, and has been increasingly and successfully invoked by federal lawyers seeking to shield the government from court scrutiny. Generally, lawsuits in which national-security information may be divulged are tossed by judges at the government’s request.

The case decided Wednesday was brought by five foreign nationals who claimed the CIA, working with other governments, operated a so-called extraordinary rendition program to gather intelligence. The program, the court said, called for apprehending foreign nationals suspected of terrorism and secretly transferring them to foreign countries “to employ interrogation methods that would otherwise have been prohibited under federal or international law.”

The plaintiffs sued Jeppesen Dataplan, a California-based subsidiary of Boeing, which they accused of providing aircraft and “logistical support” to the alleged rendition program.

First the Bush administration, and then the Obama administration, urged the courts to toss the case based on the state secrets privilege. Then-CIA Director Michael Hayden said the lawsuit threatened to impose “exceptionally grave” damage to U.S. national security, an assertion later backed by Holder.

“Whether or not Jeppesen provided logistical support in connection with the extraordinary rendition and interrogation programs, there is precious little Jeppesen could say about its relevant conduct and knowledge without revealing information about how the United States government does or does not conduct covert operations,” the majority of the San Francisco-based appeals court noted.

In dissent, Judge Michael Daly Hawkins wrote that the majority dismissed the case prematurely, “before Jeppesen has even filed an answer to plaintiffs’ complaint.”

The plaintiffs, Hawkins wrote for the minority, should be given a chance to prove their case without classified information.

“Here, the ‘very subject matter’ of this lawsuit is Jeppesen’s involvement in an overseas detention program. Plaintiffs are neither parties to a secret agreement with the government, nor are they attempting, as the result of this lawsuit, to solicit information from the government on a ’state secret’ matter,” Hawkins wrote. “Rather, they are attempting to remedy ‘widespread violations of individual constitutional rights’ occurring in a program whose existence has been made public.”

See Also:

• Obama Dares Judge to Order Release Of NSA Spy Document
• Obama Stands Behind ‘State Secrets’ in Spy Case
• Court Says Bush Illegally Wiretapped Two Americans
• New Attorney General Orders Review of Bush-Era State Secrets Claims
• Secrecy Power Sinks Patent Case

Original article at Threat Level

Through this now years-long struggle, Craigslist’s legal position has been and remains absolutely, unequivocally correct: the Communications Decency Act of 1996 (or CDA) grants providers of “interactive computer services” an absolute shield against state criminal law liability stemming from material posted by third parties. Put simply, the law ensures that the virtual soapbox is not liable for what the speaker says: merely creating a forum in which users post ads that may violate state law plainly does not lead to liability for a web site operator.

The federal statutory immunity upon which Craigslist relies is not some clever loophole. Rather, the intermediary immunity provided by the CDA represents a conscious policy decision by Congress to protect individuals and companies who would otherwise be vulnerable targets to litigants who want to silence speech to which they object, illegal or not. We agree with Congress that a federal policy of holding lawbreakers liable for their own illegal behavior instead of holding intermediaries responsible for the illegal acts of others is the right one, both as a matter of fairness as well as an effective strategy by which speech and innovation can be encouraged and rewarded.

This clear protection plays an essential role in how the Internet functions today, protecting every interactive web site operator — from Facebook to Craigslist to the average solo blog operator — from potentially crippling legal bills and liability stemming from comments or other material posted to web sites by third parties. Moreover, if they were obligated to pre-screen their users’ content, wide swaths of First Amendment-protected speech would inevitably by sacrificed as web site operators, suddenly transformed into conservative content reviewers, permitted only the speech that they could be sure would not trigger lawsuits (or intimidating visits from the attorney general). The ability to encourage speech of all sorts without of fear of legal reprisal is a feature of the CDA 230 world, not a shortcoming, one that encourages the publication of a diverse range of viewpoints and not just those of rich and cautious media companies who can afford the financial risk of publication.

As the chief law enforcement officers of their respective states, the attorneys general certainly know that their legal threats are completely meritless. Yet these and other law enforcement officers have shown little regard for what the law actually requires and have instead embarked on a vigorous campaign to strong-arm a company into submission based on bogus legal threats that nonetheless play well to many of their constituents. This strategy might amount to good politics, especially in an election year, but it continues to show remarkable disdain for the bedrock legal principles that have largely served the Internet well over the past 15 years.

It didn’t have to be this way. Over the past two years, Craigslist repeatedly offered to go far above and beyond their legal obligations to work with law enforcement officials, offering to manually screen ads, require working phone and credit card numbers from ad posters (thereby creating digital footprints by which lawbreakers could be tracked), and help identify missing persons. Not surprisingly, however, having offered to do more than they law required but less than the AGs demanded, the AGs kept coming back for more, some flatly stating that the essential protections offered by CDA 230 should be repealed.

At least two lessons can be drawn from this latest skirmish in the battle between Craigslist and its critics. First, there sadly appears to be little upside to working with many of these law enforcement officials to resolve such important Internet policy disagreements. At each step of this public debate, the AGs have inevitably rewarded completely voluntary, non-mandatory offers of cooperation from Craigslist with further demands and insults. What possible motivation will other companies have to work with law enforcement to address similar concerns in the future?

Second, and more importantly, supporters of the First Amendment should loudly voice their opposition to this type of misguided rhetoric from elected officials. While Craigslist may have “voluntarily” shuttered its Adult Services section, they did so under constant threat from government officials who continually promised meritless lawsuits and even criminal prosecution if their target did not comply. No one (including Craigslist) disputes that sex trafficking is a reprehensible practice that should be vigorously opposed. The dispute lies in whether law enforcement officials should be permitted to bully and dragoon private web site operators into becoming de facto censors. Many, including EFF, profoundly disagree with the prospect of such a reimagined Internet, and the AGs at minimum owe it to the public to be honest about the First Amendment impact of what they are proposing.

Original article at EFF.org

Read more of this story at Slashdot.