National Cyber Security

Matthew Keys, the 26-year-old deputy social media editor at Reuters charged with assisting computer hackers, has emerged as the latest lightning rod in the continuing battle between proponents of Internet freedom and the Justice Department.

A federal indictment of Mr. Keys filed in California on Thursday met an online cacophony of protests against the 1984 computer crime law under which he was charged, the Computer Fraud and Abuse Act.

The indictment says that Mr. Keys, who previously worked as a Web producer at KTXL Fox 40, a Sacramento-based television station that, like The Los Angeles Times, is owned by the Tribune Company, provided a user name and password to hackers associated with the group Anonymous. Those hackers then changed a headline on a Times online article from “Pressure Builds in House to Pass Tax-Cut Package” to “Pressure Builds in House to Elect CHIPPY 1337,” a reference to another hacking group.

Each of the three charges against Mr. Keys could result in fines of as much as $250,000, with possible prison terms of as many as five years in one count and as many as 10 in the other two. The Tribune Company spent more than $5,000 to update its systems in response to the attack, the indictment says.

The aggressive tactics by prosecutors come amid an uptick in prominent cyberattacks in recent months. Last week, President Obama met with chief executives to discuss online security, which has become a hot issue on Capitol Hill.

In Mr. Keys’s case, the scale of the potential punishment relative to the actual harm caused — the vandalism to the Web site was quickly fixed — raised comparisons to the potential sentence in the indictment of Aaron Swartz, a 26-year-old computer programmer and Internet freedom advocate. Accused of breaking into a university system to download an archive of scholarly papers, Mr. Swartz committed suicide in January.

“Anyone horrified by the amount of jail time” Mr. Keys faced should join in calling for Congressional reform of the computer fraud act, Trevor Timm, an advocate and blogger at the Electronic Frontier Foundation, a nonprofit that supports an open Internet, wrote in a Twitter post on Thursday.

Still, it is not clear that an overhaul of the fraud act would change the damage charges Mr. Keys is facing. Orin S. Kerr, a former computer crimes prosecutor who now is a legal scholar at George Washington University, said that the part of the fraud act covering damage to a computer, which Mr. Keys was accused of violating, was more straightforward than the part involving authorized access, which Mr. Swartz was charged with violating; some scholars, including Mr. Kerr, have called those provisions overbroad.

Moreover, several legal specialists said that even if Mr. Keys were convicted on all three charges, they most likely would be collapsed into a single offense for purposes of calculating a sentence since they involved the same basic conduct. The sentencing guidelines would then be consulted in light of Mr. Keys’s previous criminal history, if any, and the economic harm caused by the vandalism — including any overtime or outside consultants piad to audit the system after the intrusion was discovered.

Mark Eckenwiler, a former deputy chief of the Justice Department’s computer crime section, said that statutory maximums cited in department news releases are “purely theoretical” in most cases, and that it would be inappropriate for the department to speculate at the start of the case about what an eventual sentence would be.

“The truth is that a lot of first-time offenders may well come in the very bottom band” of the sentencing guidelines, he said.

Nevertheless, Mr. Keys’s defense team stoked the furor. “I think hackers are the new Communists for the D.O.J.,” Tor Ekeland, a Brooklyn-based lawyer representing Mr. Keys, said in an interview. He maintained his client’s innocence and said that he intended to “vigorously litigate” the charges.

Jay Leiderman, a criminal defense lawyer in Ventura, Calif., known for representing computer hackers affiliated with Anonymous, is also representing Mr. Keys.

The case against Mr. Keys struck a particular nerve because of his outsize, and outspoken, online presence. A popular and at times volatile figure in the world of social media, Mr. Keys is in many ways emblematic of the new-media landscape. The writer of what was described by Time magazine as one of the 140 best Twitter feeds, Mr. Keys quickly used his feed to discuss the indictment and assure his nearly 25,000 Twitter followers that he was “fine.”

Mr. Keys is among a coterie of young journalists adept at social media who see their stars rise quickly and often are snapped up by major media organizations, said Sree Sreenivasan, chief digital officer at Columbia.

“At a young age you can have more influence than at any time in journalistic history,” Mr. Sreenivasan said, adding, “and the mistakes you make at a younger age are more visible than ever before.”

A Thomson Reuters spokesman said on Friday that Mr. Keys had been suspended with pay. “Any legal violations, or failures to comply with the company’s own strict set of principles and standards, can result in disciplinary action,” the company said in a statement, adding that Mr. Keys joined Reuters in 2012; the apparent crimes occurred in December 2010.

Supporters of Mr. Keys echoed criticism that reached a high pitch in January, when online activists accused prosecutors of trying to bully Mr. Swartz into pleading guilty. An article in Slate was posted on Friday under the headline “Has the Justice Department Learned Anything from the Aaron Swartz Case?”

Last week Attorney General Eric Holder Jr. was questioned at a Congressional oversight hearing on whether there had been prosecutorial misconduct in the Swartz case. Mr. Holder called the case tragic but defended prosecutors’ conduct, noting that they had offered Mr. Swartz several versions of a plea deal that would involve only a few months of prison time.

“I don’t look at what necessarily was charged as much as what was offered in terms of how the case might have been resolved,” Mr. Holder said.

Mr. Kerr, the former prosecutor, said the Justice Department had noted the maximum statutory punishments in news releases in part for their deterrent effect — to dissuade others from committing similar crimes — and not because they were realistic. “It’s mostly for show,” Mr. Kerr said.

Anonymous, the global collective of loosely organized “hacktivists” who have used computer attacks to protest political causes, has recently faced particular scrutiny. In August, Higinio O. Ochoa III, a member of an offshoot of Anonymous, was sentenced to two years in prison after he pleaded guilty to defacing Web sites and stealing confidential data when he tapped into several law enforcement computers. In 2011, hackers associated with the group targeted the Sony Corporation’s PlayStation online network, costing the company around $171 million.

“They’re an organization that should be taken seriously, and anyone who is thinking about their network and their security should consider them a force to be reckoned with,” said Edward Schwartz, chief security officer for RSA, the security arm of the EMC Corporation.

“There are three categories of hackers: Russian criminals trying to rob us blind; the Chinese who are trying to steal our secrets; and then there’s Anonymous, and a lot of them are like merry pranksters,” said Chester Wisniewski, a senior security adviser at the electronic security firm Sophos. He added: “We’re treating them all the same.”

According to the F.B.I., Mr. Keys went by the name “AESCracked” and in Internet chat rooms offered hackers access to the Fox 40 computer systems and e-mail addresses. “That was such a buzz having my edit on the LA Times,” a user named “sharpie” suspected of being associated with Anonymous wrote, according to the indictment. Mr. Keys is said to have responded, “Nice.”

When compared with recent attacks by Chinese hackers on media organizations including The New York Times, Mr. Keys’s apparent crime is “nothing,” said Josh Shaul, chief technology officer at Application Security Inc., a New York-based provider of database security software. “It’s like someone handed you the keys to a building and you used them to get in.”

Source: http://www.nytimes.com/2013/03/18/technology/outcry-over-computer-crime-indictment-of-matthew-keys.html?pagewanted=all&_r=0

Hi Tech Crime Solutions

http://computer-security-expert.com, http://www.GregoryDEvans.net, http://ParentSecurityOnline.com, http://www.hackerforhireusa.com

The U.S. Congress may need to create stiffer penalties for criminal computer hacking to deter the growing number of attacks on U.S. government agencies and businesses, some lawmakers said Wednesday.

Congress may revisit the Computer Fraud and Abuse Act (CFAA), the oft-amended law first passed in 1984, in an effort to counter widespread cyberattacks on U.S. computers, said Representative Jim Sensenbrenner, a Wisconsin Republican and chairman of the House of Representatives Judiciary Committee’s crime subcommittee.

[ ROUNDUP: 4 Internet privacy laws you should know about ]

Congress needs to respond to the recent reports of attacks from China and other countries, Sensenbrenner said during a subcommittee hearing.

“The United States has been the subject of the most coordinated and sustained computer attacks the world has ever seen,” he said. “The systematic and strategic theft of intellectual property by foreign governments threatens one of America’s most valuable commodities: our innovation and hard work.”

Lawmakers didn’t provide concrete ideas at the hearing on how they would update the CFAA. Several indicated they will work on cybersecurity legislation in the coming months.

While some lawmakers called for stronger computer hacking laws, others questioned whether there’s a need. Hearing participants didn’t mention the controversial Massachusetts prosecution of activist hacker Aaron Swartz, who committed suicide earlier this year, but some lawmakers’ questions and witness statements seemed to refer indirectly to the case.

The CFAA is “remarkably vague,” said Orin Kerr, a professor at the George Washington University Law School in Washington, D.C. Some courts have ruled that an employee who violates his employer’s computer-use policy violates the law, and the U.S. Department of Justice has suggested that an Internet user who violates a website’s terms of use is also acting illegally, he said.

“The lower courts are deeply divided on the statute’s scope, with some courts concluding that the law is remarkably broad,” he said. “As a result of this confusion, the meaning of the law presently varies depending on which part of the country you happen to be in. This situation is intolerable.”

Kerr called on Congress to step in and clarify the CFAA. “The law should both punish what should be punished and ensure that innocent conduct is not criminalized,” he added.

Robert Holleyman, president and CEO of BSA, a software trade group, called for updates to the law and for appropriate prosecutions. “It is important for laws and law enforcement to be strengthened in appropriate proportions, so that innocent and minor infractions are not over-penalized, but serious crimes are effectively deterred,” he said.

Holleyman also called for more congressional focus on cybersecurity research and development, for legislation to make cyberthreat information-sharing easier and for a national data breach notification law.

Lawmakers also debated whether there should be mandatory minimum sentences under the CFAA. President Barack Obama’s administration is not calling for mandatory minimums as it has in the past. Jenny Durkan, U.S. attorney for the Western District of Washington, didn’t explain the reasoning behind the change in policy, other than saying judges need to have sentencing discretion and the administration’s priorities lie elsewhere.

Representative Bobby Scott, a Virginia Democrat, said mandatory minimum rules are unnecessary and sometimes “violative of common sense.”

Sensenbrenner disagreed. “Does the administration oppose mandatory minimums as a matter of principle, or don’t they think that the crimes that we’re talking about here deserve a mandatory minimum?” he said.

Source: http://www.networkworld.com/news/2013/031313-lawmakers-tougher-computer-hacking-laws-267675.html?page=1
http://www.networkworld.com/news/2013/031313-lawmakers-tougher-computer-hacking-laws-267675.html?page=2

Hi Tech Crime Solutions

The computers of highly-sensitive Defence Research and Development Organisation (DRDO) have reportedly been hacked.

The hacking is suspected to have been carried out by Chinese hackers and there are fears that some sensitive information could have been compromised.

When asked about it, defence minister A K Antony said, “Intelligence agencies are investigating the matter at this stage and I do not want to say anything else.”

The Minister was asked if the DRDO computer networks containing sensitive information were hacked and if information was compromised.

Commenting on the issue, DRDO spokesperson Ravi Gupta said, “as per our information, no computer or network of teh DRDO has been compromised.”

In the past also, such incidents have occurred and the defence ministry has taken several actions to stop the hacking of sensitive information pertaining to armed forces.

Recently, the Navy had to take action against some of its officers in the Eastern Command after their networks were hacked as they did not follow the standard operating procedures.

Source: http://articles.timesofindia.indiatimes.com/2013-03-13/india/37682187_1_drdo-chinese-hackers-development-organisation

Hi Tech Crime Solutions

(Reuters) – A computer hacker was sentenced on Monday to three years and five months in prison for stealing the personal data of about 120,000 Apple Inc iPad users, including big-city mayors, a TV network news anchor and a Hollywood movie mogul.

Andrew Auernheimer, 27, had been convicted in November by a Newark, New Jersey, jury of one count of conspiracy to access AT&T Inc servers without permission, and one count of identity theft.

The sentence imposed by U.S. District Judge Susan Wigenton in Newark was at the high end of the 33- to 41-month range that the U.S. Department of Justice had sought.

Prosecutors had said prison time would help deter hackers from invading the privacy of innocent people on the Internet.

Among those affected by Auernheimer’s activities were ABC News anchor Diane Sawyer, New York Mayor Michael Bloomberg, Chicago Mayor Rahm Emanuel and Hollywood movie producer Harvey Weinstein, prosecutors said.

“When it became clear that he was in trouble, he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door,” U.S. Attorney Paul Fishman said in a statement. “The jury didn’t buy it, and neither did the court in imposing sentence.”

Auernheimer had sought probation. His lawyer had argued that no passwords were hacked, and that a long prison term was unjustified given that the government recently sought six months for a defendant in a case involving “far more intrusive facts.”

The lawyer, Tor Ekeland, did not immediately respond to requests for comment on Monday. He has said his client would appeal.

Ekeland is also a lawyer for Matthew Keys, a deputy social media editor at Thomson Reuters Corp who was suspended with pay on Friday.
Keys was indicted last week in California on federal charges of aiding the Anonymous hacking collective by giving a hacker access to Tribune Co computer systems in December 2010.

The alleged events occurred before Keys began working at the website Reuters.com. Ekeland on Friday said Keys “maintains his innocence” and “looks forward to contesting these baseless charges.

INTERNET TROLL

Prosecutors called Auernheimer a “well-known computer hacker and internet ‘troll,’” who with co-defendant Daniel Spitler and the group Goatse Security tried to disrupt online content and services.

The two men were accused of using an “account slurper” designed to match email addresses with identifiers for iPad users, and of conducting a “brute force” attack to extract data about those users, who accessed the Internet through the AT&T servers.

This stolen information was then provided to the website Gawker, which published an article naming well-known people whose emails had been compromised, prosecutors said.

Spitler pleaded guilty in June 2011 to the same charges for which Auernheimer was convicted, and is awaiting sentencing.

Gawker was not charged in the case. In its original article, Gawker said Goatse obtained its data through a script on AT&T’s website that was accessible to anyone on the Internet. Gawker also said in the article that it established the authenticity of the data through two people listed among the names. A Gawker spokesman on Monday declined to elaborate.

AT&T has partnered with Apple in the United States to provide wireless service on the iPad. After the hacking, it shut off the feature that allowed email addresses to be obtained.

The case is U.S. v. Auernheimer, U.S. District Court, District of New Jersey, No. 11-00470.

Source: http://news.yahoo.com/computer-hacker-gets-3-1-2-years-stealing-202944917–finance.html

High Tech Crime Solutions