News briefs: July - August
The ‘Serious Crime Bill’ makes significant changes to the Computer Misuse Act
»The Queen's Speech in the Houses of Parliament proposed a total of 11 new laws, including a ‘Serious Crime Bill’ which will make significant changes to the 1990 Computer Misuse Act.
The Serious Crime Bill will seek to introduce deeper sanctions for corrupt accountants, solicitors and cyber-criminals. One of the changes will see the government amend the Computer Misuse Act 1990 to “ensure sentences for attacks on computer systems fully reflect the damage they cause.” This would ensure maximum jail sentences of up to 14 years for serious cyber-attacks.
»Ecommerce giant eBay confirmed that it had suffered a data breach and urged its 145 million active customers to change their passwords.
A company representative said at the time that the attack on the company's corporate network had come via compromising an employee's log-in credentials, allowing hackers to access a database containing user passwords. The firm said that financial details had not been taken: “There is no evidence that any financial information was accessed or compromised; however we are taking every precaution to protect our customers,” said eBay spokesperson Kari Ramirez.
The company – which owns PayPal – has since received criticism for its delayed response and poor communication in the aftermath of the data breach, while it has warned users to watch out for phishing attacks.
»Political tensions between US and China continue to grow after the two countries accused each other of engaging in cyber espionage.
The FBI first charged five officers from China's Liberation Army with cyber espionage crimes against private companies and put them on the FBI's Most Wanted list.
This prompted the Chinese government to call on the US to halt its “unscrupulous surveillance over the rest of the world”. An article in the state-run China Youth Daily newspaper also accused US technology companies Cisco and Microsoft of aiding surveillance, claiming that Cisco “carries on intimately with the US government and military, exploiting its market advantage in the Chinese information networks, playing a disgraceful role and becoming an important weapon in the US exploiting its power over the internet.”
The agency report adds that the US secret surveillance activities include collecting nearly five billion phone call records worldwide every day and plugging Yahoo and Google's main communications networks to steal data on hundreds of millions of customers.
»Infamous former LulzSec leader Hector Xavier Monsegur, also known as “Sabu”, received a reduced “time served” sentence (7 months in 2012), some three years after his arrest in June 2011, thereby freeing him from prison.
Sabu admitted to countless cybercrimes against major global corporations but saw his sentence reduced after agreeing to co-operate with the US government, which he did throughout his incarceration.
Wired.com reported that he provided “crucial, detailed information regarding computer intrusions committed by (hacking) groups, including how the attacks occurred, which members were involved, and how the computer systems were exploited once breached.” This “contributed directly to the identification, prosecution and conviction of eight of his major co-conspirators,” including fellow LulzSec members based in the UK: Ryan Ackroyd, aka “Kayla” of Doncaster; Jake Davis, aka “Topiary” of London; and Mustafa Al-Bassam, aka “T-Flow.”
»The FBI-led Operation Tovar saw the agency work with Europol and the UK's National Crime Agency as well as various other law enforcement agencies, universities and security vendors to disrupt and take down the Gameover Zeus and CryptoLocker botnets, which were said to have infected some 500,000 PCs.
The simultaneous action resulted in the P2P command and control infrastructure of Gameover Zeus being operated safely out of servers at the US Department of Justice, as well as the arrest of alleged perpetrator Evgeniy Bogachev.
»UK shoe retailer Office was hit by a data breach in late May and admitted that the compromised information included customer names, addresses and Office account passwords. No financial data was stolen.
»A PCI DSS audit utility tool, called Card Recon, was reportedly hacked by cyber-criminals to seek out Visa, MasterCard, Amex and other payment card data on IT systems.
Numaan Huq, a senior threat researcher with Trend Micro, discovered a three-year-old development version of Card Recon, a commercial DLP utility designed for use by retailers to ensure PCI DSS compliance of their IT systems.
“It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards,” he says in his analysis. Criminals, he reasons, need to check and validate the data they have stolen, which they then sell in the underground carder marketplace.
“Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility,” he explained.
»Microsoft - backed by Verizon and the Electronic Frontier Foundation (EFF) - has filed to challenge federal prosecutors' ‘right’ to demand access to its data stored in an Irish data centre.
The legal challenge - filed through the US courts this past June - is reportedly being watched by the European Commission, since the court order could be advanced to come under the USA Patriot Act.
Under the Act, the US government has defined rights of access to all data held by US companies, no matter where in the world it is stored. This has been a deciding factor in many European corporates – as well as the UK government - opting not to store their data with US cloud computing services.