Undercover Feds on Social Networking Sites Raise Questions: Via Threat Level.

The next time someone ties to “friend” you on Facebook, it may turn out to be an undercover fed looking to examine your private messages and photos, or surveil your friends and family, according to an internal Justice Department document obtained by the Electronic Frontier Foundation.

The 33-page document shows that law enforcement agents from local police to the FBI and Secret Service have been logging on to MySpace and other sites undercover to communicate with suspects, read private postings and view photos and videos that are restricted to a user’s friends, according to the Associated Press.

The document also describes techniques for verifying alibis — such as checking messages posted by a suspect on Twitter disclosing his whereabouts at the time a crime was committed — and uncovering information that might point to illegal activity, such as photos depicting a suspect with expensive jewelry, a new car or even a weapon.

The document says that evidence from social networking sites can: [ Read more ... ]

The dark side of DNA: Via The Globe and Mail.

The only real evidence in a first-degree murder charge against Mr. Turner, the golden sheen of DNA appeared certain to become a silver bullet in the hands of the Crown.

"I told my lawyer, Jerome Kennedy, that there was no way in the world it was true," Mr. Turner recalled in an interview. "He believed me. He said that I was too stupid to commit that crime and leave no evidence."

A lucky hunch by Mr. Kennedy - now Newfoundland's Minister of Health - saved Mr. Turner from a life behind bars. He sought the name and DNA profile of every technician who had worked at the RCMP lab. It turned out that the technician who had tested the ring had also been working on the victim's fingernails a few inches away, creating a strong possibility of contamination.

The technician conceded at Mr. Turner's 2001 trial that she had also contaminated evidence in two previous cases. [ Read more ... ]

TJX Hacking Conspirator Gets 4 Years: Via Threat Level.

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]

Feds Can Search, Seize P2P Files Without Warrant: Via Threat Level.

The authorities do not need court warrants to view and download files trading on peer-to-peer networks, a federal appeals court says.

Wednesday’s 3-0 ruling by the 9th U.S. Circuit Court of Appeals concerned a Nevada man convicted of possessing child pornography as part of an FBI investigation. Defendant Charles Borowy claimed the Fourth Amendment required court authorization to search and seize his LimeWire files in 2007.

The San Francisco-based appeals court, however, cited the nation’s legal standard, reiterating that warrants are required if a search “violates a reasonable expectation of privacy.” (.pdf)

Borowy, the court noted, “was clearly aware that LimeWire was a file-sharing program that would allow the public at large to access files in his shared folder unless he took steps to avoid it.”

The defendant, however, claimed he had a reasonable expectation of privacy because he thought he had turned off LimeWire’s share feature. [ Read more ... ]

Rulings Leave Online Student Speech Rights Unresolved: Via Threat Level.

Do American students have First Amendment rights beyond the schoolyard gates?

The answer is yes and no, according to two conflicting federal appellate decisions Thursday testing student speech in the online world.

“Ultimately, the Supreme Court is going to have to decide if there ever is a time students have full-fledged First Amendment rights,” said Frank LoMonte, executive director of Virginia-Based Student Press Law Center. He’s one of the attorneys in the cases the 3rd U.S. Circuit Court of Appeals decided.

The U.S. Supreme Court has never squarely addressed the parameters of off-campus, online student speech, but might soon. So far, lower courts appear to be guided by a 1969 high court ruling saying student expression may not be suppressed unless school officials reasonably conclude that it will “materially and substantially disrupt the work and discipline of the school.”

In that landmark case, the Supreme Court said students had a First Amendment right to wear black armbands to protest the Vietnam War. But that precedent, which addressed on-campus speech, is now being applied to students’ online speech four decades later.

One of the cases favoring student speech decided Thursday concerns a senior and honors student. In 2005, the Pennsylvania high school student was suspended 10 days after he created a mock MySpace profile of his principal. [ Read more ... ]

Katie’s Law May Change New York’s Approach to DNA Sample Collection: Via PogoWasRight.org » Legislation.

If you are convicted of a violent crime in the state of New York, you are required to provide a DNA sample to authorities. This is kept on file and used by law enforcement to help identify the perpetrators of future crimes. Key to this practice is the idea that a DNA sample is taken after an individual has been found guilty.

This could soon change, however, if New York lawmakers pass Katie’s Law. The law would give law enforcement the right to take DNA samples from anyone arrested for a violent crime.

Arrest vs. Conviction

It is important to note the difference: DNA samples would be taken from suspects following arrest, rather than conviction. This means that someone who is wrongly accused and arrested would be required to submit a DNA sample and, even if acquitted, would have his or her most personal information listed next to convicted criminals’ information. [ Read more ... ]

Guilty Plea in ‘Anonymous’ DDoS Scientology Attack: Via Threat Level.

A Nebraska man is pleading guilty in federal court to a computer-disruption charge for his role in the 2008 distributed denial-of-service attack that temporarily shuttered Church of Scientology websites, the authorities said Tuesday.

Los Angeles federal prosecutors said Brian Thomas Mettenbrink, 20, signed a plea agreement Friday admitting his role in the January 2008 attack (.pdf) –- bringing to two the number of defendants convicted in Anonymous’ attack on Scientology. Next week, Mettenbrink is expected to officially enter his plea, which carries a year sentence, prosecutors said.

“He took their websites down,” Assistant United States Attorney Erik M. Silber said in a brief telephone interview from Los Angeles. [ Read more ... ]

Heartland hacker pleads guilty in third case: Via Computerworld Cybercrime/Hacking News.

The hacker who enabled the theft of millions of credit card numbers has pleaded guilty to two counts of conspiracy and will receive a prison term of at least 17 years.

Albert Gonzalez, the hacker, has already pleaded guilty in two other cases related to the theft. As part of his plea agreement in those cases, in Boston and New York, he agreed to ask for no less than 15 years in prison and the government agreed to ask for no more than 25 years. [ Read more ... ]

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.

The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.

While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”

Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]

Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases: Via Threat Level.

Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement in charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.

Under the terms of the agreement, Gonzalez, a former Secret Service informant, will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrent with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.

Gonzalez is currently facing a sentence of between 15 and 25 years in two combined cases out of Massachusetts and New York, involving the hacks of TJX and Dave & Buster’s restaurants. The New Jersey agreement would add two years to the minimum time he could seek. [ Read more ... ]

FBI Linguist Guilty of Leaking Classified Documents to Blog: Via Threat Level.

An Israeli-American lawyer who worked as an FBI linguist pleaded guilty Thursday to providing an unidentified blogger with classified documents derived from U.S. communications intelligence.

Shamai Kedem Leibowitz, 39, of Silver Spring, Maryland, pleaded to one felony count of disclosing to an unauthorized party five documents that were classified “secret” that he obtained through his work with the FBI.

Leibowitz leaked the documents to the unnamed blogger in April 2009. The blogger — identified as “Recipient A in court filings — then wrote a post based on the classified documents.

“As a trusted member of the FBI ranks, Leibowitz abused the trust of the FBI and the American public by using his access to classified information for his own purposes,” said FBI Special Agent in Charge Richard A. McFeely in a press release. [ Read more ... ]

Ohio Justices - Cell Phone Searches Require Warrant: Via NYTimes.com .

COLUMBUS, Ohio (AP) -- The Ohio Supreme Court said Tuesday police officers must obtain a search warrant before scouring the contents of a suspect's cell phone, unless their safety is in danger.

The American Civil Liberties Union of Ohio described the ruling as a landmark case. The issue appears never to have reached another state high court or the U.S. Supreme Court.

The Ohio high court ruled 5-4 in favor of Antwaun Smith, who was arrested on drug charges after he answered a cell phone call from a crack cocaine user acting as a police informant.

Officers took Smith's cell phone when he was arrested and, acting without a warrant and without his consent, searched it. They found a call history and stored numbers that showed Smith had previously been in contact with the drug user. [ Read more ... ]

Cyberthief Seeks Hit Man to Kill Informant: Via Threat Level.

A convicted credit card thief and bank fraudster has pleaded guilty to solicitation of murder. He attempted to put out a contract on a federal informant.

Pavel Igorevich Valkovich, 28, admitted last week that he discussed hiring a hit man to kill the unidentified informant in a drive-by shooting. He submitted his guilty plea the first day of his trial on the murder-for-hire charge.

According to authorities, last January, Valkovich discussed paying a hitman $10,000 (.pdf) to kill the informant. In the conversation with someone he met in prison, he indicated that he wanted a silencer used in the murder. [ Read more ... ]

Court Rejects Request to Consolidate TJX Hacker Cases: Via Threat Level.

A federal judge in Massachusetts has rejected a request from U.S. attorneys to consolidate a New Jersey case against Albert Gonzalez, who has admitted hacking more than 120 million credit card numbers from Heartland Payment Systems, with two other cases against him in Massachusetts.

Gonzalez, a former Secret Service informant known by the online nicks “segvec” and “Cumbajohnny,” was charged in New Jersey in August with stealing more than 130 million debit and credit cards. The feds say Gonzalez, along with two unnamed Russian hackers, stole the card from New Jersey-based card processor, Heartland Payment Systems, and networks for Hannaford Brothers, 7-Eleven and two other unnamed national retailers. [ Read more ... ]

TJX Hacker to Plead Guilty to Heartland Breach: Via Threat Level.

Admitted TJX intruder Albert Gonzalez has entered into a plea agreement on charges that he hacked into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two other unnamed national retailers.

The revelation comes in a filing made by Gonzalez’s attorney in U.S. District Court in New Jersey, where the Heartland charges were filed in August.

A federal judge on Tuesday officially transferred the New Jersey case to Massachusetts, where Gonzalez is seeking to merge it with two other cases in which he’s already pleaded guilty.

Gonzalez, a former Secret Service informant known by the online nicks “segvec” and “Cumbajohnny,” was charged in New Jersey in August, along with two unnamed Russian hackers. They were accused of stealing more than 130 million debit and credit cards from card-processing company Heartland and the other target companies. [ Read more ... ]

"Godfather of Spam" goes to prison for four years: Via Law & Disorder Section - Ars Technica.

Alan Ralsky, the so-called "Godfather of spam" was yesterday sentenced by a federal judge in Detroit to spend the next 51 months of his life in prison for wire fraud, mail fraud, and violations of the CAN-SPAM act.

Not content simply to move boxes of pills or to sign people up for new mortgages, Ralsky's operation instead pulled in millions of dollars through "pump and dump" schemes of thinly traded stocks in companies you've never heard of. [ Read more ... ]

Court Silences CIA Operative Despite Yellowcake Scandal: Via Threat Level.

Valerie Plame Wilson cannot publicize details of her work as a CIA operative, even though a government official already outed her as an agent in an attempt to discredit her husband, Joseph C. Wilson, a federal appeals court says.

Plame Wilson, who served as chief of the unit responsible for weapons proliferation issues related to Iraq, argued that confidentiality agreements she signed to win her employment more than two decades ago should be nullified. The CIA has prohibited her from discussing her pre-2002 employment in her 2007 memoir, Fair Game: My Life as a Spy, My Betrayal by the White House.

She maintained the confidentiality agreement should be set aside because government officials leaked to the press that she was an agent. Also, as part of a battle to obtain retirement benefits, her 20-year-employment status became part of the congressional record.

Given that she has been revealed as a operative, the First Amendment allows her to sidestep her confidentiality agreement, she argued.

But the appeals court, in siding with a lower court and a CIA review board prohibiting her from describing her work prior to 2002, said the nation’s national security could be compromised (.pdf) by the disclosures she’d planned in her book. In addition, the court said, it was irrelevant whether it was widely known that she was working under cover. [ Read more ... ]

A court decision that reflects what type of country the U.S. is: Via Salon: Glenn Greenwald.

It's not often that an appellate court decision reflects so vividly what a country has become, but such is the case with yesterday's ruling by the Second Circuit Court of Appeals in Arar v. Ashcroft (.pdf).  Maher Arar is both a Canadian and Syrian citizen of Syrian descent.  A telecommunications engineer and graduate of Montreal's McGill University, he has lived in Canada since he's 17 years old.  In 2002, he was returning home to Canada from vacation when, on a stopover at JFK Airport, he was (a) detained by U.S. officials, (b) accused of being a Terrorist, (c) held for two weeks incommunicado and without access to counsel while he was abusively interrogated, and then (d) was "rendered" -- despite his pleas that he would be tortured -- to Syria, to be interrogated and tortured.  He remained in Syria for the next 10 months under the most brutal and inhumane conditions imaginable, where he was repeatedly tortured.  Everyone acknowledges that Arar was never involved with Terrorism and was guilty of nothing.  I've appended to the end of this post the graphic description from a dissenting judge of what was done to Arar while in American custody and then in Syria. [ Read more ... ]

Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack: Via Threat Level.

Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe, Wired.com has learned.

Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyberattacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005. The details of the breach, and the company’s challenges in reconstructing what happened, shed new light on the vulnerable state of retail security at the time, despite card-processing security standards that had been in place since 2001.

In response to inquiries from Wired.com, the company acknowledged the hack attack, which it calls an “internal issue.” Because no sensitive customer data was stolen, Wal-Mart had no obligation to disclose the breach publicly.

Wal-Mart had a number of security vulnerabilities at the time of the attack, according to internal security assessments seen by Wired.com, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form. [ Read more ... ]

Federal Reserve Chairman Hit by High-Tech Pickpocket Ring: Via Threat Level.

Identify theft isn’t just for the little people.

Federal Reserve Board chairman Ben Bernanke and his wife are among the victims of the tech-savvy pickpocket and ID theft ring Cannon to the Wiz, Newsweek reported Tuesday.

Threat Level readers will remember that Wiz is a national ring of some 200 light-fingered scammers that kept police around the country on their toes for at least two years. The group was led by Clyde Austin Gray Jr., 52, of Waldorf, Maryland, who went by the names “Big Head” and “Poochie.” Gray pleaded guilty in July to conspiracy to commit bank fraud in a scheme that resulted in losses of at least $2.1 million from 10 financial institutions. Nine other co-conspirators have been charged to date. [ Read more ... ]

‘The Analyzer’ Pleads Guilty in $10 Million Bank-Hacking Case: Via Threat Level.

Ehud Tenenbaum, aka “The Analyzer,” quietly pleaded guilty in New York last week to a single count of bank-card fraud for his role in a sophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks.

The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. But before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States.

Prosecutors alleged in an extradition affidavit that Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. But he was only charged with one count of conspiracy to commit access-device fraud and one count of access-device fraud. [ Read more ... ]

Real Black Hats Hack Security Experts on Eve of Conference: Via Threat Level.

LAS VEGAS — Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.

The files taken from Kaminsky’s server included private e-mails between Kaminisky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics. [ Read more ... ]

Studios Demand Court Shutter Pirate Bay: Via Threat Level.

Hollywood is urging a Swedish court to shutter The Pirate Bay, the world’s most notorious BitTorrent tracker. The site’s four co-founders were convicted of facilitating copyright infringement.

“They’ve been sentenced to prison for criminal activities but haven’t stopped carrying out those activities,” Monique Wadstad, the lawyer for Disney, Universal, Warner Bros and Columbia Pictures told English-language Swedish media.

Pirate Bay administrators Fredrik Neij, Gottfrid Svartholm Warg and Peter Sunde were found guilty in April of facilitating copyright infringement, along with Carl Lundström, who was accused of funding the five-year-old operation. [ Read more ... ]

'We Traced the Cyberwar -- It's Coming From Inside the Country!' - Via Threat Level:

A 20-year-old man named Dmitri Galushkevich is the first cyber solider to face justice for launching one of the attacks in last year's "cyber war" against Estonia, AFP reports. [ Read more ... ]

Safe From Unlawful Searches and Seizures? - Via ACLU Blog - U.S. Supreme Court:

Today the U.S. Supreme Court heard Virginia v. Moore, a Fourth Amendment case that's been wending through the judicial system for nearly five years.

The petitioner, David Lee Moore, happened to be driving by police officers Anthony and McAndrew on February 20, 2003, in Portsmouth, Va., at just about the moment that Detective B.J. Karpowski was alerting them to keep an eye out for an ex-con nicknamed "Chubs," who was believed to be driving with a suspended license.

The "Chubs" Karpowski was referring to was Christopher Delbridge, a man just released from a federal prison whose driving privileges the detective knew were suspended. But, as Moore's luck would have it, he shared with Delbridge this unfortunate nickname. In fact, "Chubs" is the name that officer Anthony knew Moore by. Moore also happened to be driving on a suspended license.

And so it came to pass that cops looking for Delbridge that day, found Moore. [ Read more ... ]