Information Security Blog | Cyber Security Blog

Sreejith C


The co-founder of Liberty Reserve, the operator of what had been a widely-used digital currency, was sentenced to 20 years in prison on Friday for conspiring to help cyber criminals launder hundreds of millions of dollars using its services.

Arthur Budovsky, 42, was sentenced by U.S. District Judge Denise Cote in Manhattan, who said a substantial punishment was warranted for his role in running a money laundering operation that prosecutors said was of unprecedented scope.

"Sad to say, Mr. Budovsky used his enormous talents here in a way that led to widespread harm," she said.

Budovsky, who pleaded guilty in January to conspiracy to commit money laundering, was also ordered to forfeit USD122 million and fined USD500,000. He said nothing in court as his lawyer, John Kaley, argued for less than 15 years in prison.

"Remorse has been exhibited here," he said.

But Assistant U.S. Attorney Christian Everdell sought the maximum 20-year sentence given Budovsky's role "at the helm of this sweeping enterprise."

Liberty Reserve operated a widely used digital currency, processing more than USD8 billion in financial transactions and earning Budovsky over USD25 million, prosecutors said.

Much of its business came from criminals seeking to launder proceeds from Ponzi schemes, credit card trafficking, identity thefts and computer hacking, prosecutors said.

The company was shuttered in May 2013 as Budovsky was arrested amid U.S. efforts to crack down on the use of digital currencies including bitcoin to evade law enforcement and launder money.

Four other people pleaded guilty, including Liberty Reserve co-founder Vladimir Kats, who is set to be sentenced next week.

Budovsky and Kats, who met as teenagers working as camp counsellors in Brooklyn, previously were convicted in 2006 on New York state charges for operating an earlier digital currency exchange as an unlicensed money transmitting business.

They launched Liberty Reserve in 2005, and after their arrests, moved it to Costa Rica, where Budovsky became a citizen.

Liberty Reserve users would buy and redeem its digital currency, LR, through third-party exchangers who in turn bought and sold LR in bulk from Liberty Reserve, authorities said.

Users did not have to validate their identities, prosecutors said, allowing an undercover Secret Service agent to establish an account for a "Joe Bogus" from "Completely Made Up City, New York, United States."

Of USD7.26 billion in transactions by Liberty Reserve's top 500 accounts, USD2.6 billion were for investment opportunities, mostly Ponzi schemes, prosecutors said.

The case is U.S. v. Kats et al, U.S. District Court, Southern District of New York, No. 13-00368.


Are the movies true? Can your phone really be tracked?

Tuesday, 10 May 2016 05:30

In the movies, people on the run are often hunted down because of their cell phones. There are countless scenes where expensive smartphones are smashed to bits, or dropped in rivers, to evade capture by nefarious government operatives or well-equipped mobsters.

Hopefully you’re not in that situation. But if you were, do you really need to go that far? We asked the experts what information your cell phone is really broadcasting about you, how to protect yourself, and what it would take to truly go off the grid.

The simple options don’t work

If you suspected your phone were being tracked and wanted to start covering your tracks without snapping it in half, your first bet might be to simply turn on airplane mode. That won’t cut it.

“Every phone has two operating systems,” explains Gary S. Miliefsky, CEO of SnoopWall, “One that connects to cellular networks, and one that interfaces with the consumer. Airplane mode may only disable features in the consumer facing operating system, such as Android or iOS, but not in the OS used between the phone and the carrier network. A phone may be giving out a ‘ping’ and you’d never know it.”

Communicating at all with a cell tower could expose you

It doesn’t even need to be sending out GPS coordinates — communicating at all with a cell tower could expose you. By comparing the signal strength of your cell phone on multiple cell towers, someone looking for you can approximate your location with triangulation. This requires access to data from your mobile network, which should keep it out of reach for criminals, but carriers can be compelled to provide that data to law-enforcement agencies.

So how about removing the SIM card?

“Removing the SIM may work to stop most cyber criminals, but every phone has a built-in feature set of identifiers that may be detected via tools like Stingray devices now used by the police and military, as well as fake 2G cell towers put up by the NSA,” Gary explains, “Forcing a phone to 2G means no encryption and it’s easily detected and tracked.”

Stingrays are also known as cell-site simulators, or IMSI catchers. They mimic cell phone towers and send out signals that can trick your cell phone into replying with your location and data that can be used to identify you. And they’re surprisingly widely used.

The American Civil Liberties Union has a map and list of federal agencies known to use cell-site simulators, which includes the FBI, the DEA, the Secret Service, the NSA, the U.S. Army, Navy, Marshals Service, Marine Corps, National Guard, and many more. For obvious reasons, it’s not an exhaustive list.

What about Wi-Fi?

At short range, you can be tracked by Wi-Fi. Every time you turn Wi-Fi on, your phone is sending out a signal that includes your unique MAC address, which is kind of like a fingerprint for digital devices. This kind of technology is already being used by stores to track your movements. It’s not ideal for surveillance, because of the limited range, but if someone has obtained your MAC address it could be used to deduce something like when you enter or leave a specific building.


Qualcomm flaw leaves Android devices vulnerable

Monday, 09 May 2016 05:30

"The vulnerability was introduced when Qualcomm provided new APIs as part of the 'network_manager' system service, and subsequently the 'netd' daemon, that allow additional tethering capabilities, possibly among other things. I would say that there is probably a large portion of devices on the market that are vulnerable." The issue affects both flagship and non-flagship devices that use Qualcomm chips and/or Qualcomm code, meaning that hundreds of models are affected and likely millions of gadgets.

"The patch for this issue is not in AOSP. Qualcomm had modified the 'netd' daemon," Mandiant said in an advisory. "People are using the code for a variety of projects, including Cyanogenmod (a fork of Android)," the researchers noted. Handset makers have to include the patch in their updates, then work with the cellular carriers to actually deliver the software to individual devices. In layman's terms, the manufacturers themselves probably don't know for sure all devices that are affected... A Google representative said Nexus devices were never affected. We are not aware of any exploitation of this vulnerability. Mandiant says it can be exploited either by a hacker physically unlocking an unprotected device, or by the user installing a malicious application.

"Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong." "It's hard to believe that any antivirus would flag this threat," Mandiant wrote in a blog. Android is no stranger to being the subject of cybercrime attacks, with Google needing to continually extend and improve its security to keep users safe. In this case, the app would be able to execute commands as the "radio" user, which means it has access to other system resources, such as Phone and Telephony Providers, and to system settings such as WRITE_SETTINGS_SECURE (change key system settings), BLUETOOTH_ADMIN (discover and pair Bluetooth devices), WRITE_APN_SETTINGS (change APN settings), DISABLE_KEYGUARD (disable lock screen).

However, Android Gingerbread (2.3.x), Ice Cream Sandwich MR1 (4.0.3), Jellybean MR2 (4.3), KitKat (4.4), and Lollipop (5.0) are all vulnerable to some degree. This vulnerability has been identified as CVE-2016-2060, which exists in a software package maintained by Qualcomm and, if exploited, can grant the attacker access to the victim's SMS database, phone history, and more. "There is no performance impact or risk of crashing the device," the report added. The vulnerability seems to affect all Android devices with Qualcomm chips and/or Qualcomm code.


The US Supreme Court has approved a change in Rule 41 of the Federal Rules of Criminal Procedure, so judges across the country now have the authority to issue warrants for remote electronic searches outside their district.

That means that a judge can grant an FBI agent in, say, New York, permission to hack into a computer in San Francisco, or potentially any city in the world, in order to further their investigation. The court documents pertaining to the matter indicate that a warrant will be granted if a suspect uses tools to hide their identity, such as Tor.

The amendment, first introduced in 2014, seems intended as a step towards keeping pace with the ever-changing world of cyber crime, but it raises privacy and security issues that tech firms like Google say require further debate.

It comes just a week after a Massachusetts judge dismissed evidence obtained by the FBI using a network investigative technique in a case involving a Dark Web site that distributed images of child sexual abuse. It was Rule 41 that rendered the FBI’s findings invalid in court.

Privacy advocates are concerned that the government is attempting to grant itself this kind of power to snoop on just about anyone while disguising it as a procedural rule. It’s a problem because, as Oregon Senator Ron Wyden, who has vowed to mobilize opposition to the update, notes, “This rule change could potentially allow federal investigators to use one warrant to access millions of computers, and it would treat the victims of the hack the same as the hacker himself.”

The change is yet to come into play – Congress has until December 1 to share its thoughts on the matter. If it fails to do so, the amended rule will become law. The trouble is, both chambers of Congress have to agree on how to address it, and that seems unlikely, given the current gridlock in the legislature ahead of the presidential election.