TIME Security

Londoners Unwittingly Exchange First Born Children For Free Wi-Fi

Signed agreement that included a "Herod Clause," in experiment designed to show dangers of unguarded Wi-Fi hotspots

Not reading the small print could mean big problems, as a handful of Londoners who accidentally signed away their first born children in exchange for access to free Wi-Fi recently found out.

An experiment organized by the Cyber Security Research Institute was conducted in some of the busiest neighborhoods in London and intended to highlight the major risks associated with public Wi-Fi networks.

In June, researchers set up a Wi-Fi hotspot that promised network access to users who agreed to a set of terms and conditions. These included a “Herod Clause” offering free Wi-Fi if the user agreed to hand over their eldest child “for the duration of eternity.” The page was disabled after six people signed up.

Finnish security firm F-Secure, which sponsored the research, said it had decided not to enforce the clause. “As this is an experiment, we will be returning the children to their parents,” wrote the Finnish company in its report. “While terms and conditions are legally binding, it is contrary to public policy to sell children in return for free services, so the clause would not be enforceable in a court of law.”

The company urged people to take Wi-Fi security more seriously. Sean Sullivan, security advisor at F-Secure, told The Guardian: “People are thinking of Wi-Fi as a place as opposed to an activity…You don’t do unprotected Wi-Fi at home, why are you doing it in public?”

[The Guardian]

TIME Innovation

Five Best Ideas of the Day: September 26

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. Al-Shabaab is stronger a year after their horrific attack on a mall in Kenya, thriving on widespread resentment of Kenyan anti-Muslim policies which must be reformed.

By the International Crisis Group

2. The unnecessary separation of oral care from the rest of medical care under Medicaid puts the poor at risk of worse health and even death.

By Olga Khazan in the Atlantic

3. In these views from activists and intellectuals in Syria, we see rueful themes of a hijacked revolution and an intervention that may be coming too late.

By Danny Postel in Dissent

4. Adding a way to assess learning for students is the key to making education games work for schools.

By Lee Banville in Games and Learning

5. The toothless early warning system designed to head off future financial crises must be strengthened or it risks missing the next market cataclysm.

By the Editors of Bloomberg View


TIME NFL

AP Source: Video Addressed to NFL Security Chief

Baltimore Ravens football player Ray Rice holds hands with his wife, Janay Palmer, as they arrive at Atlantic County Criminal Courthouse in Mays Landing, N.J., in May 2014. Mel Evans—AP

(ATLANTIC CITY, N.J.) — The video of Ray Rice punching his fiancee inside a casino elevator was sent to NFL headquarters to the attention of league security chief Jeffrey Miller in April, a law enforcement official says.

The NFL has repeatedly said no one with the league saw the violent images until TMZ Sports released the video earlier this month. Miller said Thursday through an NFL spokesman that he never received the video.

The official, who spoke on condition of anonymity because he wasn’t authorized to release details of the case, said he doesn’t know if Miller ever saw the DVD or opened the package. His only communication with the NFL was a 12-second voicemail on April 9 from league offices confirming receipt of the package, in which a woman says, “You’re right. It’s terrible.”

The official told the AP two weeks ago that he sent the video to the NFL, but asked the AP not to report that he had addressed the package to Miller. He eliminated that restriction Thursday.

“Since the NFLPA and NFL have launched separate investigations into the league and the Ravens’ handling of Ray Rice’s case, I want to make a few things clear. No one from the NFL ever asked me for the inside-elevator video,” the official said Thursday. “I mailed it anonymously to Jeff Miller because he’s their head of security. I attached a note saying: ‘Ray Rice elevator video. You have to see it. It’s terrible.’ I provided a number for a disposable cellphone and asked for confirmation that it was received. I knew there was a possibility Mr. Miller may not get the video, but I hoped it would land in the right hands.”

Miller, in London preparing for the Raiders-Dolphins game Sunday, issued a statement to the AP Thursday night through an NFL spokesman.

“I unequivocally deny that I received at any time a copy of the video, and I had not watched it until it was made public on September 8,” he said.

Miller joined the league in 2008 as director of strategic security and was promoted to chief security officer in April 2011. Before joining the NFL, Miller spent nearly six years as the commissioner of the Pennsylvania State Police. He worked for the state police for 24 years.

At the NFL, Miller’s responsibilities include overseeing investigative programs and services. He is also in charge of event security and game integrity. When players get arrested, the NFL’s corps of investigators rarely get involved, leaving that to local law enforcement. The league’s security operatives gather court documents and police reports available to the public, but don’t ordinarily interview witnesses or gather evidence independently.

It remains unclear what happened to the video once it arrived at league offices. There are two NFL executives named Jeffrey Miller, but the law enforcement official didn’t know that, and intended it to go to the chief of security. The official said he wanted to make sure the NFL had the video before deciding on Rice’s punishment.

“My intention wasn’t to bring down Commissioner Goodell or anyone else at the NFL,” he said.

He said he didn’t know the identity of the woman who left him the voicemail. He said he chose Miller because of his law enforcement background, even though he didn’t know him personally.

Rice, a former Pro Bowl running back for the Baltimore Ravens, was arrested in Atlantic City on an assault charge for hitting Janay Palmer in February. A police summons stated that Rice had struck Palmer with his hand, knocking her unconscious. Rice has been accepted into New Jersey’s pretrial intervention program, which enabled him to avoid jail time and could result in having the charge expunged from his record.

Initially, Goodell suspended Rice — who has since married Palmer — for two games. After criticism, Goodell announced new stiffer penalties for future domestic violence cases. After video of the punch in the casino elevator was released, the Ravens cut Rice and Goodell suspended him indefinitely.

League and Ravens officials said they requested the video from law enforcement but were denied. ESPN and others have reported that the Ravens had a detailed description of the video shortly after Rice was arrested.

After the AP reported that the video was sent to NFL headquarters, Goodell announced that former FBI Director Robert Mueller would lead an internal investigation. That probe is ongoing, and there is no timetable for its completion.

The law enforcement official said he does not want to speak to NFL investigators, and Mueller, who is now in private practice with a Washington law firm with deep ties to the NFL, has no subpoena power. “I know nothing else about this case,” the official said.

Former FBI Chief of Staff Aaron Zebley, who is working with Mueller on the investigation, didn’t immediately return a call seeking comment.

TIME Security

Experts Say ‘Bash’ Bug Is a Major Vulnerability But Not a Major Threat


Cybersecurity experts explain why the Bash bug might actually not be as risky as the Heartbleed bug discovered earlier this year

When the Heartbleed software bug was disclosed in April, there was no shortage of publicizing its risks and defensive measures—and for good reason. And the Bash bug, discovered Wednesday, is prompting similar widespread fear. The security flaw is named after a vulnerable piece of software, Bash, that’s built into several ubiquitous operating systems, including Apple’s Mac OS X.

“People were taking Heartbleed very seriously,” said Jim Reavis, CEO of cybersecurity firm Cloud Security Alliance. “If people don’t take Bash seriously, it’ll become a self-fulfilling prophecy.”

Cybersecurity experts like Reavis don’t doubt that the Bash bug is dangerous: it is, and it needs urgent attention. The afflicted Bash software, released in 1989, is open source software that was built into Linux and Mac OS operating systems and then widely integrated into many corporate and personal computer programs, experts said. Preliminary estimates say it could impact up to 50 percent of Internet-connected servers, according to Darien Kindlund, director of threat research at FireEye, a network security company.

“Bash is yet another type of open source software that has been reused, repurposed,” Kindlund said.

But the threat posed by the Bash bug—it could theoretically remotely command computers and extract private information—is overblown, cybersecurity experts told TIME. Average computer users aren’t likely to be directly targeted by hackers, experts said. And for the vulnerability to be triggered, the attacker would need to deliver content to the user, and then get the user to execute Bash with that content, according to Kindlund. Normal web browsing, emailing or other common activities do not involve calling Bash. What average users should be worried about are more traditional hacking techniques, like phishing emails and links to malicious websites, said John Gunn of VASCO Data Security.

“There are so many other methods that have a high degree of success that would take priority over [Bash as a hacking tool],” Gunn said. “The vulnerability really exists for large organizations that may have servers running Linux.”

Companies whose web servers aren’t updated internally on a frequent basis may be most at risk because they continue to use old technology, according to Kindlund. Some companies that still store private data on Internet-facing servers—an outdated practice, as it makes sensitive information more vulnerable—or do not have strong security may be vulnerable as well, but they can take precautions by inspecting each and every one of their Linux-based servers, said Tanuj Gulati, CTO of Securonix, a security intelligence firm.

“The Apples or the Amazons or the Googles of the world aren’t the ones I’m worried about the most,” Reavis said. “But it could be some big companies that use this technology, but simply don’t have an awareness budget, or not taking this seriously.”

Still, many companies already have protection mechanisms in place that would prevent Bash from inflicting significant harm. Most servers can detect anomalous traffic and behavior, and many already take precautionary efforts by keeping records offline where they are inaccessible, Gunn said.

“What this Bash vulnerability depends on is a lot of other failures,” Gunn added. “This isn’t a single point of failure, whereas in Heartbleed, it was.”

Numerous patches for the Bash bug have already flooded the market. While security researchers have claimed the patches are incomplete, experts agree that fully fixing the vulnerability would take years. Additionally, the fact that there have not been any known major breaches using Bash has boosted security experts’ confidence that the bug may not pose a widespread threat.

“Most vulnerabilities of value are either shared or sold in the hacking community,” Gunn said. “If this had been a viable hacking method, it would’ve been exchanged in the hacking community, and it has not.”

But the fact that Bash may not pose a major threat to individuals or companies doesn’t mean its danger should be understated, experts agreed.

“You saw a lot of worry about [Heartbleed], and there really wasn’t much that happened. The economy didn’t grind to a halt. Cities didn’t black out,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “It’s a vulnerability. A flaw.”


TIME White House

Behind the Scenes with the Secret Service

A rare look into the life of the silent guards who keep watch over the White House

Photographer Brooks Kraft, a regular contributor to TIME, has been shooting the White House for 14 years, spanning a period that includes the 2000 election controversy, the terrorist attacks of Sept. 11, 2001, the Iraq War, a global financial crisis and more.

Through Kraft’s work at 1600 Pennsylvania there has been the quiet force behind the camera, silent and standing sentry, that quite literally keeps life going at the White House: The Secret Service.

Founded in 1865 to squash the production of counterfeit U.S. currency, today the Secret Service bears the burden of responsibility to protect the President and other VIPs, including the President’s family, presidential candidates and visiting dignitaries.

In light of recent security breaches at the White House, TIME takes a closer look at the men responsible for ensuring the President’s safety.


TIME Security

Here’s How Home Depot Could Have Combated Hacking

Experts say retailers should invest in detection rather than prevention

As Home Depot continues to assess the damage caused by a security breach that gave hackers access to 56 million credit and debit cards, tech experts say large retailers should turn their attention to addressing breaches quickly instead of trying to prevent all of them.

“Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?” asked cyber crime expert Brian Krebs, framing the issue rhetorically. “The best you can do is stop the bleeding as soon as possible when they do get in.”

At Home Depot, where hackers used malware to collect customer data at cash registers, it reportedly took nine months for the breach to be identified and stopped, allowing the damage to affect millions of customers.

Companies face myriad and evolving ways their data can be breached, making protecting data akin to a game of whac-a-mole. Once one potential threat is identified, hackers have already begun trying to get through another way. Instead of devoting all their resources to chasing the threats, companies should focus on minimizing the time it takes to identify those breaches, said Brian Foster, chief technology officer at cyber security firm Damballa.

“There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet,” he said. “The attackers only have to find one door in whereas Home Depot has to secure all their doors and before they do that they need to know where all the doors are at.”

But even if retailers like Home Depot switch focus to detection from protection, experts say they need to do a better job securing data. And, for retailers, the first place to look is the “point of sale system” where the transaction occurred (the cash register for traditional retailers).

“Some enhancement of that logical access in the point of sale would have been able to harden the system significantly,” said Guy Levy, senior vice president at technology security firm Usher. “This is part of what any big retailer that employs pos systems should be doing now. They should all be scrutinizing their systems very, very hard.”

Despite the recommendations of security experts, many companies remain reluctant to devote the funding to change. But dealing with massive security breaches almost always costs more in the long-term than instituting preventive measures would have cost. Home Depot said the breach at the company will cost at least $62 million.

“It takes awhile to update your technology, to understand the threat,” said Anup Ghosh, founder and CEO of technology security firm Invincea. “But the most expensive dollar spent in security is spent after a breach.”

MONEY identity theft

Here’s What To Do About the Home Depot Hack

Home Depot says hackers have stolen tens of millions of its customers' payment card information. Here's how to protect yourself.

On Thursday, Home Depot acknowledged that hackers were able to access 56 million credit and debit cards when the retailer’s systems were cracked this April. The company says all malware has been removed from its U.S. and Canadian networks, but hackers have had access to card numbers as recently as September. If you’ve shopped at Home Depot within the past six months, here’s what you need to know:

Home Depot is providing free identity protection. The company is working with AllClear ID to give identity theft protection services, including credit monitoring, to all customers who have shopped at Home Depot since April 2014. To sign up, either go to this web page or call 1-855-252-0908, and AllClear will assign you an identity theft investigator.

Check your statements frequently. Credit card users shouldn’t worry too much about their number being stolen because credit card companies limit individual liability to $50. Of course, if you don’t identify fraudulent charges, your credit card company won’t cover them — so make sure to at least check your monthly credit-card statements.

Debit card users should be more vigilant about scrutinizing account activity — going back to April and going forward on a regular basis. The reason is that fraudulent charges are covered by banks for just 60 days after you receive a statement with such charges on it. The Home Depot data breach lasted months, so you could already be on the hook for purchases you didn’t make. Home Depot says AllClear’s identity theft protection service “will do the work to recover financial losses,” but it’s unclear what that means in the case of debit cards. (AllClear declined to comment on its partnership with Home Depot, and did not immediately respond to general questions about how debit card fraud is handled.) Home Depot claims there is no evidence that crooks obtained debit card PINs, but a company spokesperson would not say whether or not other information, like customer names, was stolen.

Stolen card info can be sold to and used by other fraudsters long after a breach — there’s a secondary market for this kind of stuff — so it’s a good idea to check your debit account activity as often as several times per week. Your debit spending is not only more vulnerable to fraud, but also can be more damaging. You won’t be out of pocket for bogus credit card payments; with debit card fraud, by contrast, the money is actually gone from your account until the issue is cleared up.

Look into getting a chip and pin payment card. Chip and pin payment cards are more secure, and offer an additional level of security by requiring users to enter a pin even when paying with a credit card. Matt Schulz, senior industry analyst at CreditCards.com, recommends consumers call their bank and ask about upgrading to a chip and pin card. This technology hasn’t been widely rolled out yet, but some banks already offer upgrades. Schulz says most banks should offer this type of card within the next year.

Try to relax. As these breaches become more common, it’s important not to panic each time a business is compromised. Instead, always practice good security habits, like creating strong passwords for e-commerce and frequently checking your payment cards’ transaction history.


TIME Security

Experts Doubt ISIS Could Launch Major Cyberattack Against the U.S.

A member loyal to ISIS waves an ISIS flag in Raqqa, Syria, on June 29, 2014. Reuters

Experts say the Islamist militants' social media savvy doesn’t translate into a real cybersecurity threat against the U.S.

The Islamist militants who have taken over swathes of Syria and Iraq have proven remarkably adept at using 21st century technology.

In the Islamic State of Iraq and Greater Syria’s (ISIS) drive to establish what it calls a new caliphate, the group has gathered between 20,000 and 31,500 fighters, partly thanks to its recruitment campaign over social media networks like Facebook, Twitter and YouTube. Widely disseminated video footage of executed American and British citizens has become ISIS’s tool for terror; the Internet is ISIS’s vehicle.

Today, ISIS’s adroit use of modern technology is raising a new specter: cyberterrorism. Several prominent national security experts and cyber analysts warned this week that ISIS could someday threaten the United States, elevating fears about the West’s vulnerability to a cyberattack.

“ISIS has already had success in utilizing technology, using the web for recruiting, distribution of terrorist information and scare tactics,” David De Walt, the chief executive of tech security company FireEye told the Financial Times this week. Now, De Walt said, “[w]e’ve begun to see signs that rebel terrorist organizations are attempting to gain access in cyber weaponry.”

And on Tuesday, National Security Agency Director Michael Rogers warned that the U.S. needs to bolster its defenses against digital attacks from terrorist groups like ISIS.

“It’s something I’m watching,” Rogers said of ISIS’s aggressive use of Internet technology at a cybersecurity conference in Washington, D.C. “We need to assume that there will be a cyber dimension increasingly in almost any scenario that we’re dealing with. Counterterrorism is no different.”

But do we really need to fear a cyber attack from ISIS? As it turns out, probably not: ISIS’s social media savvy doesn’t necessarily translate into a real cybersecurity threat against the United States, and much of the talk about the group’s growing cyber-prowess overstates the point, experts told TIME.

“I don’t think anyone has any proof that there’s an imminent attack or that ISIS has acquired the manpower or the resources to launch an attack on the infrastructure of the United States,” said Craig Guiliano, senior threat specialist at security firm TSC Advantage and a former counterterrorism officer with the Department of Defense. “It could be a potential threat in the future, but we’re not there yet.”

ISIS, a group with little technological infrastructure, doesn’t have many resources to wage a cyberwar against the United States. Compared to larger, state-sponsored hacking operations, ISIS is miles behind. Chinese hackers, for instance, who have been accused of attacking U.S. businesses and government contractors, are reported to have wide-ranging support from Chinese authorities, with many of the hackers hailing directly from the Chinese army.

A few ISIS-related figures have been connected with cyberattacks or cybercrime. Abu Hussain Al Britani, a British hacker who has since moved to Syria and begun recruiting for ISIS, was jailed in 2012 for hacking into former Prime Minister Tony Blair’s Gmail account. One of the more prominent tech-savvy ISIS supporters, Al Britani maintains a Twitter account that calls for new ISIS recruits.

And a group called “Lizard Squad” that has claimed responsibility for high-profile cyberattacks that have brought down the websites of the Vatican, Sony and others has tenuously been linked to ISIS on the basis of tweets like this one:

But ISIS doesn’t appear to have the manpower to launch sophisticated attacks against the United States. “You need some resources. You need access to certain kinds of technology. You need to have hardcore programmers,” Jim Lewis of the Center for Strategic and International Studies said. “ISIS doesn’t have those capabilities.”

Unlike China’s state-sponsored hackers, who have a strong interest in attacking U.S. businesses to hawk trade secrets and intellectual property, ISIS is more concerned with taking real-world territory and controlling it. ISIS’ first priority is establishing control over the disparate desert regions from the outskirts of Aleppo in Syria to Falluja in Iraq and creating an Islamic caliphate—not an expensive and often intangible cyberwar against American websites.

“ISIS wants to conquer the Middle East, not hack websites in Omaha,” said Lewis.

That’s not to say that ISIS is incapable of launching an attack in the future. ISIS is believed to be well-funded, likely capable of purchasing simple malware on the black market and using it against the West. But the kinds of attacks ISIS would be able to carry out would likely be more of an annoyance than a debilitating strike on the United States’ infrastructure, the kind of attack that national security experts really worry about.

During the most recent spate of violence between Gaza and Israel, for example, hackers on both sides launched distributed denial of service (DDoS) attacks, which involve using multiple servers to overload a website and briefly disable it. That kind of attack is a far cry from shutting down power plants in the U.S. or attacking nuclear reactors. Still, the threat of a cyber strike, particularly against financial institutions as a means of funding ISIS’s expansion, may grow over time.

“ISIS is continuously looking for new ways to carry out high impact high visibility events to bring attention to their cause,” said John Cohen, recently the counterterrorism coordinator at the Department of Homeland Security and currently a professor at Rutgers University. “One has to speculate they are looking at the results of major cyber breaches such as Target or Home Depot and against critical infrastructure, and thinking about them as a potential avenue.”

TIME Security

Home Depot Breach Exposed 56 Million Credit Cards

A Home Depot store is seen in Silver Spring, Maryland, on March 28, 2013. Jewel Samad—AFP/Getty Images

Cyber thieves pulled off a massive attack

Hackers had access to 56 million credit and debit cards when they breached Home Depot’s security system this year, the company said Thursday. The breach was even larger than the attack on Target last year, when 40 million cards were compromised.

The company said that thieves had placed malware software on cash registers in Home Depots throughout the U.S. and Canada from April to September. The malware has since been eliminated. The breach will cost the company at least $62 million.

“We apologize to our customers for the inconvenience and anxiety this has caused and want to reassure them that they will not be liable for fraudulent charges,” Chief Executive Frank Blake said in a statement.
