TIME Courts

Federal Court Ruling Supports NSA’s Phone Data Collection

NSA headquarters Fort Meade maryland
NSA/Getty Images The NSA headquarters in Fort Meade, Md.

The court reversed a ruling that found the NSA program unconstitutional

(WASHINGTON) — A federal appeals court has ruled in favor of the Obama administration in a dispute over the bulk collection of phone data on millions of Americans.

The U.S. Court of Appeals for the District of Columbia Circuit on Friday reversed a lower court ruling that said the program likely violates the U.S. Constitution’s ban on unreasonable searches.

But the impact of the ruling is uncertain, now that Congress has passed legislation designed to replace the program over the next few months.

The court sent the case back for a judge to determine what further details about the program the government must provide.

The uproar over the surveillance program began in 2013 when former NSA contractor Edward Snowden leaked details to news organizations.

TIME Security

What to Know About the Ashley Madison Hack

LONDON, ENGLAND - AUGUST 19:  The Ashley Madison website is displayed on August 19, 2015 in London, England. Hackers who stole customer information from the cheating site AshleyMadison.com dumped 9.7 gigabytes of data to the dark web on Tuesday fulfilling a threat to release sensitive information including account details, log-ins and credit card details, if Avid Life Media, the owner of the website didn't take Ashley Madison.com offline permanently.  (Photo by Carl Court/Getty Images)
Carl Court—2015 Getty Images The Ashley Madison website is displayed on August 19, 2015 in London, England.

The company is now offering a big bounty for any info

Avid Life Media, the parent company of hacked extramarital affairs website Ashley Madison, has placed a bounty on its attackers’ heads. After hackers leaked troves of data about Ashley Madison’s users, Avid Life wants to figure out whodunnit. And it’s prepared to pay hundreds of thousands of dollars for information about the guilty party.

Here’s what you need to know about the Ashley Madison hack and the bounty:

What did hackers take from Ashley Madison and why?

The Ashley Madison hackers have posted personal information like e-mail addresses and account details from 32 million of the site’s members. The group has claimed two motivations: First, they’ve criticized Ashley Madison’s core mission of arranging affairs between married individuals. Second, they’ve attacked Ashley Madison’s business practices, in particular its requirement that users pay $19 for the privilege of deleting all their data from the site (but, as it turns out, not all data was scrubbed).

How money much is Avid Life Media offering for tips?

Ah, cutting to the chase. The sum is $500,000 for information leading to the capture of the perpetrator (or perpetrators). But Avid is a Canadian company, paying out the prize in Canadian dollars. In American greenbacks, that’s about $377,000.

When did the company announce the reward?

Toronto Police Services Superintendent Bryce Evans announced the bounty during a Monday press conference, saying: “Today I can confirm that Avid Life Media is offering a $500,000 reward to anyone providing information that leads to the identification, arrest, and prosecution of the person or persons responsible for the leak of the Ashley Madison database.”

So what do we know about the hackers so far?

We know the person or group calls itself “Impact Team,” which is new to the cybercriminal scene as far as anyone can tell, at least under that monicker. If anyone involved in the investigation has any clue about Impact Team’s true identity, then that information has yet to be publicly disclosed.

Any other leads?

Back in July when the company received its first threats, Avid Life Media CEO Noel Biderman said his team was closing in on the culprit, who he said he believed to be somebody who did contract work with the company.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman had told investigative cybersecurity reporter Brian Krebs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

But Biderman seems to have dropped that narrative — we haven’t heard much in the way of that assertion since.

Has anyone else proposed any theories?

Oh yes. Earlier this week, antivirus software pioneer John McAfee, who has a reputation as a renegade in the security community, laid out his own conclusions, the result of his analysis of the dumped data and Impact Team manifestos. He believes the data was stolen by a former female employee.

Not everyone is convinced by McAfee’s analysis, though. A writer at Gizmodo, for instance, found it to be “subjective,” “offensive,” and “obscenely sexist.” You can read McAfee’s reasoning here.

Ouch. So that’s really all we have to go off of?

There’s another lead I haven’t mentioned. Dan Goodin over at Ars Technica has a good rundown. Basically, we know a few details about the server that was used to host the leaked file containing the emails of Biderman, the company’s CEO. It’s operated by a Dutch Internet service provider called Ecatel Ltd. As Goodin explains, for those with a technical bent:

The box seeding the torrent was located at 94.102.63.121. Police and private investigators working feverishly to identify the people who hacked Ashley Madison and published user profiles, transactions, credit-card data, and a wide range of other sensitive data will almost certainly try to perform a forensic analysis of the physical server. They undoubtedly will want to know how the server was accessed. If the hackers didn’t use Tor or a similar anonymity service, the investigators may be able to collect clues from the IP address used to log in to the box.

You may remember, that’s one of the same ways the FBI concluded that North Korea was behind the Sony hack.

Is there any hope of finding these hackers?

Maybe, but no one can say for sure. Lots of cybercriminals get away with plenty of bad stuff, especially if they’re located far outside the reaches of Western law enforcement. But other bounty programs have seen success, like Microsoft’s [fortune-stock symbol=MSFT”] takedown of the infamous Rustock spam email botnet. That came with a $250,000 prize.

Who should we contact when we’ve cracked the case?

This slide from the Toronto police’s presentation should answer that:

Ashley Madison police contact

 

TIME Ashley Madison

‘John Doe’ Files a Potential Class Action Lawsuit Against Ashley Madison

Homepage of Ashley Madison website displayed on iPad, in photo illustration taken in Ottawa
Chris Wattie—Reuters The homepage of the Ashley Madison website.

The anonymous user is accusing the website of inflicting emotional distress

Another potential class action lawsuit has been filed against Ashley Madison’s parent company Avid Life Media.

This time the plaintiff is an anonymous California resident and Ashley Madison user who goes by the name “John Doe.”

Doe is filing on behalf of all U.S. residents who signed up for the website, alleging that Ashley Madison did not take “necessary and reasonable precautions” regarding security. Among the plaintiff’s accusations, the class action complaint lists negligence and inflicting emotional distress.

The document refers to “the recent rise of massive security breaches on the Internet,” arguing that Avid Life Media should have been aware of the risk and taken precautions to prevent a security breach, especially considering the “particularly sensitive” information users trusted the site to protect.

Ashley Madison supposedly offered a $19 “scrub” option that promised to delete users profiles so they would be untraceable. The suit alleges that Avid Life Media simply collected the money and neglected to scrub the profiles. Doe also accuses the company of not informing users of the breach in a timely manner and neglecting to inform them of its extent.

The lawsuit follows a recent hack of the Ashley Madison website by a group called the Impact Team, which downloaded “highly sensitive personal, financial, and identifying information of the website’s some 37 million users,” the lawsuit said.

The hacker group said it would make the information public if the website was not shut down in August.

TIME Autos

How Carmakers Are Banding Together to Fight Hackers

Chrysler Issues Recall On 850,000 Sport Utility Vehicles
Joe Raedle—Getty Images 2014 Jeep Cherokees are seen on a sales lot on April 2, 2014 in Miami, Florida.

After some high-profile incidents

As automobiles become more connected to the Internet, drivers will become more vulnerable to hackers. That’s why major automakers are teaming up to try and make sure their cars can’t be hacked.

Companies like Ford, General Motors and Toyota are working through the Alliance of Automobile Manufacturers and the Association of Global Automakers to create an Information Sharing and Analysis Center, reports Automotive News. The data-sharing center should be operational by the end of the year, that publication reports.

Computer hackers targeting vehicles have made several big headlines in the past year. Just last month, it was reported that hackers were able to disrupt a Jeep Cherokee being driven by a Wired journalist. In theory, hackers can manipulate advanced car functions like automated parking to affect vehicles’ movement, a potentially massive safety issue.

 

TIME Security

Toronto Police Investigating Possible Ashley Madison Suicides

Hackers Release Confidential Member Information From The Ashley Madison Infidelity Website
Carl Court—Getty Images A detail of the Ashley Madison website on Aug. 19, 2015.

After hackers leak info about users of cheating website

Toronto police are looking into two suicide reports with possible ties to the Ashley Madison hacking scandal, law enforcement officials said at a news conference Monday.

Toronto Police Superintendent Bryce Evans said details about both cases remain sparse. He added that the police’s investigation would be directed at finding the hackers responsible for leaking more than 30 million email addresses and credit card numbers from Ashley Madison, a Canada-based website that helps married men and women arrange affairs.

“Your actions are illegal and will not be tolerated,” said Evans. “This is your wake up call.”

Evans also announced that Ashley Madison parent company Avid Life Media is offering a $500,000 reward to anyone providing information that leads to the arrest of the hackers. Still, the hackers may be well outside the jurisdiction of Canadian police.

TIME Security

Hackers Release Data From Cheating Website Ashley Madison Online

The published data includes names, addresses and even credit card transactions

The group of hackers that previously stole massive amounts of user data from popular cheating website Ashley Madison appear to have carried out their threat to publish that data on the Internet, releasing almost 10 gigabytes containing numerous details about the site’s customers on Tuesday.

A total of 9.7 gigabytes of data stolen from the controversial website — which boasts the slogan “Life is short. Have an affair” — was published to the dark web (an encrypted section of the Internet that requires special software to use) and is only accessible through a Tor browser, Wired magazine reported.

The data dump reportedly includes the login details of about 32 million users — all seeking extramarital or illicit affairs — and also provides a staggering amount of information such as their names, email and street addresses, how much they have spent on the site and even what they are looking for in a potential cheating partner.

The hackers, who call themselves Impact Team, had threatened in July that they would release user data from Ashley Madison and Established Men — a sister site that connects wealthy men to “young, beautiful women” — unless Avid Life Media (ALM), the Toronto-based company that owns both sites, did not take them down immediately. While the hackers’ main objective is to expose the site’s customers for their questionable morals, they also targeted what they say are ALM’s fraudulent business practices.

While they had earlier said that the $19 fee Ashley Madison charges customers to wipe their user data clean does not actually get rid of the information completely, the post announcing Tuesday’s dump contained additional allegations.

“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles,” the post — titled “Time’s Up!” — reads. “90-95% of the actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”

“We have explained the fraud, deceit and stupidity of ALM and their members,” an earlier paragraph of the Impact Team statement says. “Now everyone gets to see their data.”

Avid Life Media released a statement of its own late Tuesday, condemning the cyberattack and saying they are “actively monitoring and investigating this situation” while cooperating with law-enforcement authorities in the U.S. and Canada, where the company is headquartered.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

Read next: A Creepy Amount of Tinder Users Aren’t Even Single

Listen to the most important stories of the day

TIME Volkswagen

Volkswagen Spent Years Hiding This Huge Security Flaw

Volkswagen Group Delivers Over 9 Million Vehicles In 2012
Sean Gallup—Getty Images

The flaw enables the theft of many luxury, keyless vehicles, report says

2015 may go down as the year when we all realized that our cars are vulnerable to hackers.

First we had a report from a U.S. Senator on the security risks facing new car owners, and then the news that Fiat had recalled 1.4 million cars to address security flaws. And this week a paper is being presented at the USENIX security conference in Washington, D.C., on a security flaw affecting “thousands of cars from a host of manufacturers,” according to a Bloomberg News report.

We could have known about these risks for some time, as the paper was actually written two years ago, but car makers like Volkswagen fought in court to keep the information private. According to Bloomberg:

“Keyless” car theft, which sees hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London. BMWs and Range Rovers are particularly at-risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.

Security researchers have now discovered a similar vulnerability in keyless vehicles made by several carmakers. The weakness – which affects the Radio-Frequency Identification (RFID) transponder chip used in immobilizers – was discovered in 2012, but carmakers sued the researchers to prevent them from publishing their findings.

TIME You Asked

You Asked: What Is Ransomware?

TIME.com stock photos Computer Keyboard Typing Hack
Elizabeth Renstrom for TIME

How to avoid paying hackers to give your computer back

There you are, surfing the web — maybe you’re catching up with Facebook friends, or perhaps you’re reading the news — and seemingly out of nowhere, a window pops up, stopping your computer in its tracks. And there’s only one way to make it go away — pay up.

It’s an absurd scenario, the kind you might find in a movie, right? Tell that to the thousands of people who have been hit with these so-called “ransomware” attacks to date.

“It actually is a phenomenon,” says Candid Wueest, Symantec’s principal threat researcher. Wueest investigates all sorts of bugs that attack computers and mobile devices via the Internet. The first known cases of ransomware date back to 2005, says Wueest, but infections have increased every year since. And last year, ransomware incidents exploded 113% compared to the year before.

“At the moment we’re probably around 30,000 infections per day around the globe,” says Wueest.

There are many different ransomware viruses floating around the web. But in general, they work like Trojan horses, infecting your computer without you knowing. But in this case, the bugs aren’t corrupting your files, they’re locking them down. Ransomware can encrypt everything from your documents to your photos, and without the correct password to unlock them, you may never be able to open these files again. To get that password, you have one option: follow the ransomware’s instructions, which usually involves making a payment to hackers in the amount of — get this — $300.

Technically, the sums vary, but $300 is the average. “We’ve seen some which ask for $500 or even $700, but that seems to be over the top,” says Wueest, who notes that some ransomware even has dynamic pricing depending on the country you’re in. For instance, a virus in the U.S. might ask for $700, but that same bug in India will only require for $500 for the password.

In other words, the key for the hackers behind this scheme is asking for enough money to make the hustle worthwhile, but not so much that the victim can’t afford to pay. And even though the payouts are just hundreds of dollars at a time, quick math shows ransomware is a multi-million dollar industry.

The savviest ransomware not only capitalizes on users’ precious data — like irreplaceable family photos or the only draft of an in-progress novel — but it can also prey on their deepest fears. For example, one virus displays a screen warning users the FBI is on to all those movies they’ve downloaded illegally. And sure enough, lots of people who get that fake warning pay a fine to avoid prosecution. “Many people may have something in their closet that they think maybe was illegal,” says Wueest. “A lot of them started to pay.”

What can you do if you fall victim to ransomware? Sometimes it’s not much, as hackers’ methods are getting more advanced all the time. “The newest versions [of ransomware viruses] have strong, state-of-the-art cryptography which is used all over the Internet, like online banking and e-commerce,” says Wueest. And every victimized computer has its own distinct decryption key — so there’s no secret password that will magically open these locks.

That’s not to say that computers are completely defenseless. According to the FBI, the government is taking proactive steps to shut down these viruses before they reach your computer. And authorities worldwide are working with digital security companies like Symantec to find the digital kidnappers and bring them to justice. But these hackers can be hard to catch because work they in small, anonymous groups located in far-flung countries with largely ineffectual law enforcement.

“We track a few different groups,” says Wueest. “One group made $34,000 in its first month — that’s a pretty good income for a small group.”

But there are ways to protect yourself from these schemes. First, back up your data regularly. Keep your information in a safe place offline, because under the right circumstances ransomware can infect networked storage or even cloud-connected drives. Secondly, use anti-virus software. Ransomware can infect computers in different ways, like launching through email attachments or via malicious code embedded on a website — but anti-virus software is designed to catch these bugs before they take hold. And finally, keep your software and operating system up-to-date. Many viruses exploit weaknesses in older computer programs, which is one reason software developers are constantly issuing patches and bugging you to install them.

Failing these three measures, if you’re infected, you may just have to pay up to free your data. But there’s a catch: Should you actually trust these thieves to provide the decryption key? “We have seen instances where that actually is true and people did get data back, but we don’t recommend it,” says Wueest. That’s because even if you do manage to wring your files from hackers’ grasp, the money you pay them will further fuel their nefarious efforts. And by making you admit defeat, they’ll become emboldened and continue to shake down other Internet users. In other words, the best defense is avoiding ransomware before it takes hold of your computer in the first place.

TIME Markets

Hackers Allegedly Stole Insider Info To Make Big Trades

U.S. Stocks Make Encouraging Positive Turn After Slump
Spencer Platt—Getty Images Traders work on the floor of the New York Stock Exchange on January 14, 2014 in New York City.

The group made millions, officials say

A group of financial fraudsters worked with foreign hackers to access unpublished press releases and trade on the information therein, federal authorities said Tuesday.

The U.S.-based traders worked with Eastern European computer hackers to target press release distribution companies in a scheme that netted over $100 million in ill-gotten gains. Nine people have been arrested in the case, The New York Times reports.

This kind of stock-trading cybercrime has become a growing problem for law enforcement. In November, the cybersecurity firm FireEye [fortune-stock symbol=”FEYE”] published a report on a group that has been targeting pharmaceutical and health care executives in order to get ahold of confidential information, likely for an illegal edge in the markets.

The latest incident appears to echo a 2005 case against an Estonian financial services firm called Lohmus Haavel & Viisemann, the Wall Street Journal notes. That group, which also stole press releases electronically, made off with nearly $8 billion before settling with the SEC for $14 million in the end.

At least six government agencies—the Federal Bureau of Investigation, the Securities and Exchange Commission, the Secret Service, the Department of Homeland Security and the U.S. attorney’s offices in Brooklyn and New Jersey—will bring the charges against the group, the Journal reports.

Your browser is out of date. Please update your browser at http://update.microsoft.com