Archive for the ‘Law & Order’ Category

An Arroyo Grande woman was arrested Tuesday by special agents with the FBI on charges of stealing money from a federally insured financial institution.

Brenda Bautista Hurtado, 25, was taken into custody without incident after being named in a three-count indictment returned by a federal grand jury last Friday.

The indictment accused Hurtado of stealing money while employed last year at the U.S. Bank branch in Arroyo Grande. The indictment alleges that Hurtado stole nearly $100,000 from two customers’ accounts, as well as another $10,000 in cash from the bank’s vault.

The investigation in this case revealed that Hurtado secretly accessed U.S. Bank’s computer system and changed the contact information for the accounts of two elderly customers at the bank. After changing their contact information, Hurtado then allegedly closed these accounts and took out cashier’s checks for the balance of each account.

When one of the customers came to the bank and learned that his account had been closed, Hurtado went into the bank’s vault and took $10,000 in cash. Hurtado then went to Mexico for several weeks before returning to the United States. She was arrested this morning in Guadalupe, California, where she has been staying for the past few months.

The indictment alleges that Hurtado stole $50,907 on February 24, 2010 and another $48,163 on February 26, 2010. The indictment further alleges that Hurtado stole $10,000 in cash from the bank vault on June 7, 2010.

An indictment contains allegations that a defendant has committed a crime. Every defendant is presumed to be innocent until and unless proven guilty in court.

Each count of theft by a bank employee carries a statutory maximum penalty of 30 years in federal prison and a fine of up to $1 million.

Islamic Revolution Guards Corps Brigadier General Masood Jazayeri has said Iran plans to establish the country’s first cyber command.

The Islamic Republic has completed the preliminary studies on the cyber command, Jazayeri told the Mehr News Agency on Tuesday.

The general outlines of the cyber command have been prepared and have been examined by the Supreme National Security Council, the Supreme Council of the Cultural Revolution, and senior officials of the Armed Forces, he explained.

On June 23, 2009, the U.S. secretary of defense directed the commander of U.S. Strategic Command (USSTRATCOM) to establish USCYBERCOM. Initial operational capability was attained on May 21, 2010. USCYBERCOM reached full operational capability on October 31, 2010.

In addition to the United States, some European countries have also established similar organizations to counter cyber threats posed to their interests.

Baidu, China’s biggest search engine, was sued on Wednesday by eight New York residents who accused it of conspiring with the country’s government to censor pro-democracy speech, Reuters reported.

The lawsuit claims violations of the U.S. Constitution and according to the plaintiffs’ lawyer is the first of its type.

It was filed more than a year after Google Inc declared it would no longer censor search results in China, and rerouted Internet users to its Hong Kong website.

Baidu did not return a request for a comment.

According to the complaint filed in the U.S. District Court in Manhattan, Baidu acts as an “enforcer” of policies by the ruling Communist Party in censoring such pro-democracy content as references to the 1989 Tiananmen Square military crackdown.

This censorship suppresses the writings and videos of the plaintiffs, who are pro-democracy activists, to the extent that they do not appear in search results, the complaint said.

It also violates laws in the United States because the censorship affects searches here, according to the complaint.

“We allege a private company is acting as the arm and agent of a foreign state to suppress political speech, and permeate U.S. borders to violate the First Amendment,” Stephen Preziosi, the lawyer for the plaintiffs, said in an interview.

Preziosi said the alleged censorship also violates federal and New York civil rights laws, as well as New York’s human rights law, on the grounds that “an Internet search engine is a public accommodation, just like a hotel or restaurant.”

The lawsuit seeks $16 million in damages, or $2 million per plaintiff, but does not seek changes to Baidu’s policies.

“It would be futile to expect Baidu to change,” Preziosi said. The plaintiffs live in the borough of Queens in New York City and on Long Island.

China’s Internet censorship practices are viewed as reflecting its belief that keeping a tight grip on information helps the government maintain control. There have been mounting concerns in China that open dissent on the Internet could contribute to destabilizing the country.

Searches for terms deemed sensitive by Chinese censors are routinely blocked, and search engines such as Baidu voluntarily filter searches.

China also blocks the social networking sites Facebook, Flickr, Twitter and Google’s YouTube, and President Hu Jintao has called for additional oversight and “mechanisms to guide online public opinion.”

Google effectively pulled out of China last spring by redirecting inquiries on its main Chinese-language search page to a website in Hong Kong, avoiding direct involvement in any censorship by the “Great Firewall of China.”

India’s Minister of State for Communications & Information Technology, Sachin Pilot, in a written reply informed the Rajya Sabha that the Government has taken several measures to detect and prevent cyber attacks and espionage. The reply stated that, under the existing computer security guidelines issued by the Government, no sensitive information is to be stored on systems that are connected to the Internet.

The Government has also formulated a Crisis Management Plan for countering cyber attacks and cyber terrorism, to be implemented by all Ministries/Departments of the Central Government, State Governments and their organizations, and critical sectors. Organizations operating critical information infrastructure have been advised to implement information security management practices based on the international standard ISO 27001.

Ministries and Departments have further been advised to audit their IT systems regularly to ensure their robustness. The Indian Computer Emergency Response Team (CERT-In) has already empanelled a number of penetration testing professionals, selected through a stringent mechanism, to carry out such audits. The National Informatics Centre (NIC), which provides services to Ministries/Departments, is continuously strengthening the security of the network and services it operates by enforcing security policies, conducting regular security audits and deploying various technologies at different levels of the network to defend against the newer techniques adopted by hackers from time to time.

The Information Technology Act, 2000, as amended by the Information Technology (Amendment) Act, 2008, which came into force on 27.10.2009, provides a legal framework to address issues connected with hacking and security breaches of information technology infrastructure. Section 70 of the Act provides for declaring any computer resource that directly or indirectly affects a facility of Critical Information Infrastructure to be a protected system. Section 70B empowers the Indian Computer Emergency Response Team (CERT-In) to serve as the national nodal agency in the area of cyber security.

CERT-In scans Indian cyberspace to detect traces of any untoward incident that poses a threat to it. CERT-In performs both proactive and reactive roles in computer security incident prevention, identification of solutions to security problems, analysis of product vulnerabilities, malicious code, web defacements and open proxy servers, and in carrying out relevant research and development. Sectoral CERTs have been functioning in the areas of defence and finance to cater to those critical domains. They are equipped to handle and respond to domain-specific threats emerging from cyber systems.

CERT-In has published several security guidelines for safeguarding computer systems from hacking, and these have been widely circulated. All Government Departments/Ministries, their subordinate offices and public sector undertakings have been advised to implement these guidelines to secure their computer systems and information technology infrastructure. CERT-In issues security alerts and advisories to prevent cyber incidents, and also conducts security workshops and training programs on a regular basis to enhance user awareness. The Ministry of External Affairs has also issued a comprehensive set of IT security instructions for all MEA users and periodically updates them on vulnerabilities. Indian Missions abroad have been regularly sent information on safe computing practices, and all personnel posted to Indian Missions and Posts abroad are being given IT security training.

“When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.”

That isn’t a proposal from a technically challenged US Senator, but the text of the new US International Strategy for Cyberspace. In other words, DDoS the US and they reserve the right to retaliate with missiles. This is perhaps the most extreme defense strategy against cyberattacks that any country has ever proposed, let alone implemented.

The new US cyberspace policy is meant to encourage ‘responsible behavior’ and oppose those who would seek to disrupt networks and systems, thereby dissuading and deterring malicious actors, while reserving the right to defend these vital national assets as necessary and appropriate. According to the policy, the United States will continue to strengthen its network defenses and its ability to withstand and recover from disruptions and other attacks. For those more sophisticated attacks that do create damage, the US will act on well-developed response plans to isolate and mitigate disruption to its machines, limiting effects on its networks and potential cascade effects beyond them.

The new policy comes in the wake of an increasing number of attacks on critical infrastructure that could potentially disrupt power, water and other utility services in the United States. Moreover, the US has on many occasions indicated that it has ‘concrete evidence’ that the cyber attacks on its military websites and sensitive establishments have been coming from China, which is increasingly hungry for information.

Security researcher Christopher Soghoian has filed a complaint with the Federal Trade Commission alleging that online file storage service provider Dropbox has been making false claims to customers about the company’s protocols for securely storing data.

The crux of the complaint centers around statements made by Dropbox that lead customers to believe data submitted to the service for storage is always in an encrypted state, and only accessible in an unencrypted state by the client.

Soghoian has demonstrated that the company uses a process that leaves the data in an unencrypted form on its servers, making the information susceptible to examination by Dropbox employees, as well as to government and court-ordered searches for copyright infringement.

Soghoian wants the company to further revise advertising and onsite statements to more accurately reflect the security and encryption protocols used by Dropbox.

According to the complaint filed by Soghoian with the FTC:

  1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”
  2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.
  3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.
  4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.
  5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.
  6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.

Dropbox officials have dismissed Soghoian’s accusations and maintain that no misrepresentations have been made to customers.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” said company spokeswoman Julie Supan to Wired.com.

Nonetheless, multiple changes have been made to the wording the company uses on its website to explain its security protocols, and Supan maintains that some of Soghoian’s accusations take company statements out of context.

“In our help article we stated ‘Dropbox employees aren’t able to access user files.’ That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community…” Supan stated.

Soghoian maintains that the language Dropbox uses is still a misrepresentation of the actual level of security employed by the company, and that the statements are confusing not only to consumers but to security experts as well, noting a tweet by encryption expert Jon Callas which states:

“I deleted my Dropbox account. It turns out that they lied and don’t actually encrypt your files and will hand them over to anyone who asks.”

Immigration and Customs Enforcement (ICE), a division of DHS, has seized dozens of domains in an effort to crack down on piracy and copyright infringement, blocking access to the targeted websites at their primary domain names.

From time to time, Mozilla receives government requests for information, usually market information and occasionally subpoenas. Recently the US Department of Homeland Security contacted Mozilla and requested that Mozilla remove the MafiaaFire add-on. The ICE Homeland Security Investigations unit alleged that the add-on circumvented a seizure order DHS had obtained against a number of domain names. Mafiaafire, like several other similar add-ons already available through AMO, redirects the user from one domain name to another, similar to a mail forwarding service. In this case, Mafiaafire redirects traffic from seized domains to other domains. Here the seized domain names allegedly were used to stream content protected by copyrights of professional sports franchises and other media concerns.

Mozilla initially refused the Department of Homeland Security request to remove the third-party tool. To evaluate Homeland Security’s request, Mozilla asked them several questions, similar to those below, to understand the legal justification:

  • Have any courts determined that the Mafiaafire add-on is unlawful or illegal in any way? If so, on what basis? (Please provide any relevant rulings)
  • Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.
  • Can you please provide a copy of the relevant seizure order upon which your request to Mozilla to take down the Mafiaafire add-on is based?

According to Mozilla, it has so far received neither a response from Homeland Security nor any court order.

One of the fundamental issues here is under what conditions intermediaries accede to government requests that have a censorship effect and which may threaten the open Internet. Others have commented on these practices already. In this case, the underlying justification arises from content holders’ legitimate desire to combat piracy. The problem stems from the use of these government powers in service of private content holders when it can have unintended and harmful consequences. Long term, the challenge is to find better mechanisms that provide both real due process and transparency without infringing upon the developer and user freedoms traditionally associated with the Internet.

Two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, have agreed to settle US Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law. Among other things, the settlement orders require the companies to implement comprehensive information security programs and to obtain independent audits of the programs every other year.

The settlements with Ceridian Corporation and Lookout Services are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain. In complaints filed against the companies, the FTC charged that both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies’ security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

Sony has finally broken the ice and replied to the US Commerce Committee on the recent PlayStation Network hack that affected 77 million users and the subsequent attack on Sony Online Entertainment that affected another 25 million users. In a formal letter addressed to members of the House Commerce Committee, Sony Computer Entertainment America chairman Kazuo Hirai suggests the rogue hacktivist movement Anonymous played a role in the massive customer data breach that now exceeds 100 million records.

Anonymous followers had previously taken credit for a distributed denial of service (DDoS) attack against Sony websites in early April but denied any involvement in the later hack of PSN and SOE.

Initially, Sony representatives did not seek to connect the hacktivist group with the data breach event. That has changed now that forensic investigators have located a file on the hacked PSN systems named “Anonymous” and containing the movement’s tagline “We are Legion.”

The discovery was enough evidence for Sony’s chairman to state in the letter to Congress that Anonymous was at least partly to blame for the customer data loss event:

“Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous… Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world,” Hirai’s letter said.

The letter to Congress also sought to counter criticism that Sony waited too long to notify authorities and customers of the breach, stating that the company only released information after it was confirmed in the investigation:

“Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence,” Hirai’s letter said.

Sony has provided a summary of Hirai’s letter to Congress:

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

  1. Act with care and caution.
  2. Provide relevant information to the public when it has been verified.
  3. Take responsibility for our obligations to our customers.
  4. Work with law enforcement authorities.

We also informed the subcommittee of the following:

  • Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
  • We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
  • By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
  • As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
  • Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
  • We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

Julian Assange, the founder of the online activist group Wikileaks, has asserted that US intelligence and law enforcement agencies have established automated intelligence gathering operations on all major social networks and several of the largest Internet-based companies, including Facebook.

Assange alleges that the data mining interfaces were implemented with the cooperation of the companies in order to diminish the high costs associated with providing records on an individual basis.

The allegations were levied in an interview with Assange posted by Russia Today:

“Facebook in particular is the most appalling spying machine that has ever been invented. Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo – all these major US organizations have built-in interfaces for US intelligence. It’s not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use,” Assange stated.

Assange’s accusations provide plenty of ammunition for tinfoil hat conspiracy fanatics, but he stops short of claiming that the social network Facebook is actually a front for covert government domestic spying:

“Now, is it the case that Facebook is actually run by US intelligence? No, it’s not like that. It’s simply that US intelligence is able to bring to bear legal and political pressure on them. And it’s costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them,” Assange continued.

The essential question is whether these data harvesting systems were established prior to the passage of legislative changes to current wiretapping and surveillance laws.

Law enforcement officials claim that investigations are being stymied by the rapid change in communications platforms, which has outpaced their ability to execute search warrants effectively and in a timely manner.

The advent of new media like social networks, new communications channels like IM, IRC and VoIP, and new devices like smartphones has rendered current laws governing wiretapping outdated, and officials want lawmakers to narrow the gap by addressing the issue with new legislation.

Assange’s allegations raise the question as to whether law enforcement and intelligence agencies may have established monitoring operations prior to Congressional consideration of the issue.