TIME Crime

‘Revenge-Porn King’ to Plead Guilty and Face Imprisonment

TIME.com stock photos Computer Keyboard Typing Hack
Elizabeth Renstrom for TIME

Hunter Moore is charged with hacking into victims' email accounts and posting their nude photos on his website

The owner of a “revenge porn” website, accused of posting stolen nude photos of women online, has agreed to plead guilty to federal computer-hacking and identity-theft charges, prosecutors announced Wednesday.

The Los Angeles Times reports that Hunter Moore was dubbed the “king of revenge porn” for running a website called IsAnyoneUp.com, on which explicit photos of women, stolen from their personal email accounts, were posted.

Moore, 28, also paid Charles Evans to hack into computers and steal nude photos from victims’ accounts. Evans is due to go on trial March 17.

Moore faces up to seven years in prison. He is set to appear back in court on Feb. 25.

[L.A. Times]

MONEY cybersecurity

Hackers Use Malware to Steal $300 Million From Banks

Hackers used malware attached to phishing emails to compromise the security systems of more than 100 banks across the world, according to a new report from security firm Kaspersky.

TIME Hacking

Hackers Steal $1 Billion in Massive, Worldwide Breach

Russian Retail-Sales Growth Unexpectedly Gains Amid Ruble Crisis
Bloomberg/Getty Images

A prominent cybersecurity firm says that thieves have infiltrated more than 100 banks in 30 countries over the past two years

Hackers have stolen as much as $1 billion from banks around the world, according to a prominent cybersecurity firm. In a report scheduled to be delivered Monday, Russian security company Kaspersky Lab claims that a hacking ring has infiltrated more than 100 banks in 30 countries over the past two years.

Kaspersky says digital thieves gained access to banks’ computer systems through phishing schemes and other confidence scams. Hackers then lurked in the institutions’ systems, taking screen shots or even video of employees at work. Once familiar with the banks’ operations, the hackers could steal funds without raising alarms, programming ATMs to dispense money at specific times for instance or transferring funds to fraudulent accounts. First outlined by the New York Times, the report will be presented Monday at a security conference in Mexico.

The hackers seem to limit their scores to about $10 million before moving on to another bank, Kaspersky principal security researcher Vicente Diaz told the Associated Press. This helps avoid detection; the crimes appear to be motivated primarily by financial gain. “In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

[New York Times]

TIME Cybercrime

This Could Be the End of User Name and Password

Superintendent of the New York State Department of Financial Services Benjamin Lawsky Interview
Scott Eels—Bloomberg/Getty Images Benjamin Lawsky superintendent of the New York State Department of Financial Services, speaks during a Bloomberg Television interview in New York on Nov. 24, 2014.

Anthem, J.P. Morgan hacks could lead to tougher online security.

A top New York State regulator is “very likely” to impose new cyber-security rules on much of the banking and insurance industries after high profile cyber-intrusions at Anthem and JP Morgan Chase, law enforcement officials tell TIME.

The move could spell the beginning of the end for a decade-long debate among state and federal regulators over whether to require companies to go beyond the simple user name and password identity checks required to access many computer networks at the heart of America’s financial system and could affect everyone from employees at those firms to the consumers they serve.

Early investigations in the Anthem case suggest foreign hackers used the user name and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people, including names, addresses and Social Security numbers, the law enforcement officials tell TIME. Anthem had invested in extensive cyber defenses in recent years, but the officials say initial investigations suggest the theft could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.

That shortcoming reflects systemic weaknesses found throughout the industry in an upcoming study by the New York State Department of Financial Services, a version of which was reviewed by TIME. Among the most worrying findings was a marked level of over-confidence among insurance industry officials regarding the security of their systems. “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here,” says Benjamin Lawsky, the department’s superintendent.

While many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there, according to the report. The study follows a similar review by Lawsky’s office of the banking sector late last year that led to tighter cyber-examinations for banks doing business in New York.

As the fourth-largest state and the home to many of the corporations in question, New York could affect consumers in other states with its decisions.

For more than a decade, federal and state regulators have debated measures to require increased security at banks and insurance companies that handle the financial and personal details of hundreds of millions of Americans. In 2005, the federal body charged with setting the examination standards for federal regulators concluded [pdf] that simple user name and password systems were “inadequate” for “transactions involving access to customer information or the movement of funds to other parties,” but stopped short of requiring tighter measures. Updated guidance in 2011 [pdf] also stopped short of requiring them.

MORE Apple Might Make Computers You Control With Hand Gestures

The primary federal regulator of big banks, the Office of the Comptroller of the Currency (OCC) says different banks need to assess their own risks in determining whether to use additional verification methods. Other regulators have worried that if one agency, like the New York State Department of Financial Services, tightens standards on its own, the result will be a patchwork of rules that make life difficult for banks doing business across the country.

Still, most agree that username and password security alone is increasingly vulnerable to hackers. As American Banker reports:

Most of the security breaches that occur in banking today use compromised credentials. More than 900 million consumer records have been stolen [in 2014] alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames. According to Verizon’s latest Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analyzed.

The additional measures New York State is likely to require are known as “multi-factor authentication” and include a range of approaches to verify the identity of those trying to sign on to a computer system. Options include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, or using a separate identification source, like a swipe card.

Lawsky has not decided whether his new rule would require institutions to use multi-factor authentication only for employees and third-party vendors, or whether consumers would be required to use them too. However, requiring major banks and insurers under his purview—such as Barclays, Goldman Sachs, Anthem and others—to adopt multi-factor authentication could change the industry standard.

Lawsky says he is eager to see that change. “The password system should have been buried a long time ago, and its high time we buried it,” Lawsky tells TIME. “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system,” he says.

MORE Why Your Passwords Are Easy To Hack

State and federal officials have argued that banking and insurance cyber vulnerabilities pose a threat not just to the accounts of individual consumers, but potentially to the stability of the entire financial system. The Obama administration’s recently released National Security Strategy says, “the danger of disruptive and even destructive cyber-attack is growing,” thanks to “malicious government, criminal, and individual actors,” targeting the networked infrastructure on which economy, safety, and health rely.

The New York State Department of Financial Services study of the insurance industry shows most are largely convinced they are confronting and defeating hackers. 58% claimed they had experienced no security breaches during the three years preceding the 2013-14 study, while 35% said they had only between one and five such incidents.

To some that suggests naiveté on the part of the industry. As FBI Director James Comey said last fall, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

In addition to the new rules on identity verification, Lawsky expects to impose new requirements on third-party vendors that have access to insurance company databases. Those vendors often have lower cyber-security standards and are not required to describe those standards to the companies even though they often have full access to personal data held by the company.

Read next: The 7 Biggest Lies You’ve Been Told About Hacking

Listen to the most important stories of the day.

TIME Security

Chipotle Hackers Direct Racist Tweets at Obama

Changed company's logo to a swastika

Chipotle apologized and promised an investigation into racist tweets sent by hackers from the company’s Twitter account early Sunday morning.

In the early morning hours, the hackers changed the company’s avatar to a photo of swastika and tweeted racist remarks directed at President Barack Obama. Other tweets targeted the FBI and included other offensive language.

Chipotle’s Twitter biography was changed to say it was the official account of “@TUGFeds” and “@TheCeltic666.” Both accounts had been suspended as of Sunday afternoon.

TIME intelligence

U.S. Journalist Receives Five Years in Jail for Linking to Hacked Data

Europe Hacking Startfor
Cassandra Vinograd—AP The home page of the Stratfor website is seen on a computer monitor in London Wendesday Jan 11, 2012.

Barrett Brown must also pay $890,000 in restitution

An American journalist loosely affiliated with the Anonymous hacking collective was sentenced to 63 months in jail by a Dallas federal judge on Thursday for linking to hacked data from private global intelligence firm Stratfor in 2011.

Barrett Brown, 33, initially faced a sentence of over 100 years until he pled guilty last year to three reduced charges of obstructing a police search, issuing online threats and involving himself in the sharing of Stratfor data, reports the BBC.

“The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” Brown said in a statement before the hearing.

Free speech activists allege Brown’s prosecution is based on his investigations into U.S. cybersecurity and intelligence contractors. He created Project PM in 2010 to probe intelligence leaks on a crowdsourcing platform.

“The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex,” Brown said in a public statement after the sentencing, according to The Guardian.

The hacker responsible for the Stratfor data breach, Jeremy Hammond, 30, is currently serving a 10-year prison sentence.

TIME Music

Israeli Man Arrested for Hacking Madonna’s Computer and Leaking Music

Madonna in New York in 2013.
Dimitrios Kambouris—Getty Images Madonna in New York in 2013.

The singer called the theft "a form of terrorism"

Israeli police arrested a man Wednesday who they suspect hacked into Madonna’s computer late last year and leaked demo versions of songs from her upcoming Rebel Heart album.

A month-long investigation from the cybercrime wing of Israel’s Lahav 433, an FBI-like organization, led authorities to arrest a 39-year-old, according to The Hollywood Reporter. A statement from Lahav 433 said it worked closely with the FBI and that the suspect allegedly “broke into the personal computers of several international artists over the past few months and stole” unreleased music that he then traded for money. Police put a gag order on the alleged hacker’s name, though local media in Israel have begun identifying the man as a former reality show contest from one of Israel’s singing competition programs.

Madonna, who in December rushed to release six songs from the album on iTunes in the wake of the leak, called the theft “a form of terrorism.”

Similarly, Björk announced Tuesday that she would suddenly release her new album, Vulnicura, on iTunes after the record leaked over the weekend, two months ahead of schedule.

[THR]

TIME Security

Teen Arrested For Holiday Attacks on PlayStation and Xbox

2014 BET Experience At L.A. LIVE - Fan Fest - AT&T, Geico, Poetic Jeans, Sneaker Con, Tennis, Xbox, Health And Wellness, Nickelodeon, Centric Centrified,  LA to the Bay
Rich Polk—Getty Images for BET A general view of atmosphere at the Fan Fest - AT&T, Geico, Poetic Jeans, Sneaker Con, Tennis, Xbox, Health And Wellness, Nickelodeon, Centric Centrified, LA to the Bay during the 2014 BET Experience At L.A. LIVE on June 29, 2014 in Los Angeles, California.

Both services went down around Christmas

An 18-year-old has been arrested in England for his alleged involvement in denial-of-service attacks that crippled Microsoft’s Xbox Live and Sony’s PlayStation Network over the winter holidays. In a denial of service attack, loads of bogus traffic are sent to a targeted server in hopes of knocking it offline.

The South East Regional Organised Crime Unit, a regional law enforcement agency in England said Friday that the man was arrested on suspicion of unauthorized access to computer material, unauthorized access with intent to commit further offenses and threats to kill.

The teen is also accused of “swatting,” or purposefully providing false information about a crime to law enforcement so that they respond to a location with tactical units. The head of the SEROCU’s cyber crime unit said that the 18-year-old had made hoax calls to U.S. officials using Skype, which lead to SWAT teams being deployed unnecessarily. The SEROCU said it has been working closely with the FBI on the case.

Both Xbox Live and PlayStation network were knocked offline Christmas Day due to denial-of-service attacks that prevented console owners from playing certain games online or streaming movies. A hacking group called Lizard Squad claimed responsibility for the attacks.

TIME Security

The 7 Biggest Lies You’ve Been Told About Hacking

internet-hacker-laptop
Getty Images

Hacking remains closer to your Facebook and email passwords than you may think

This story was originally published at the Daily Dot.

Online security is increasingly an issue rich for headlines as everyone from movie studios and celebrities to major retailers and CENTCOM find themselves the victims of digital infiltrators. However, “hacking” is also a very technical issue and, like many technical issues, one the media often gets wrong.

So as a citizen of the 21st century, it’s increasingly important to arm yourself with some basic facts about hacking, cybersecurity, and the real threats they pose, as well as those they don’t. With that in mind, here are seven common misconceptions you might have about hacking.

1) Taking down a site is akin to hacking that site

One of the most common headline-grabbing moves by so-called hackers is to take down their site through a DDoS attack. A group calling itself Lizard Squad has been using this method to take down the networks of Playstation and Xbox Live. It’s a common method of protest by the hacker collective Anonymous, which has used it against such varied entities as the Westboro Baptist Church and, most recently, French jihadists.

These are not “hacks,” however, in the traditional sense of the term. A “hacker” is defined by the National Initiative for Cybersecurity as “an unauthorized user who attempts to or gains access to an information system.” Taking down a website or even a server does not take so much effort and certainly doesn’t demand infiltrating the host of the target. All you need is a simple distributed denial of service, or DDoS.

A DDoS is a network of computers all sending data packets towards one server with the goal of overloading said server. Far from many individuals sending data from their computers, however, the most common form of DDoS consists of networks of computers—typically hacked for this purpose without their owners knowing—all being used to flood a particular target.

Read the rest of the story at the Daily Dot.

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser