
UNM4SK3D: NSA, Bitcoin, and Supreme Court


By: Olivia

June 9, 2017


#classified

NSA contractor Reality Winner (yes, that is her real name) was arrested on June 3rd for leaking classified information to an online news outlet, The Intercept. The document alleged that the Russian General Staff Main Intelligence Directorate (GRU) had attempted to break into a company that sells voting registration equipment prior to the 2016 US presidential election.
Although the document does not disclose whether the hack had any impact on the outcome of the election, this leak is the latest in bad publicity for the NSA. The Intercept's June 5th report claims that in August 2016, Russia's military intelligence agency "executed a cyber attack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials days before [the] election," as disclosed by an 'anonymous' source, who strangely enough had already been taken into custody. Yes, Winner, who held a top-secret security clearance and worked as a government contractor in Georgia with Pluribus International, confessed immediately when confronted about the incident and was arrested before the article was even published. You may recall The Intercept as the site that has been publishing NSA documents leaked by Edward Snowden since 2014, whom Winner had 'retweeted' prior to the incident.
How was Winner caught so quickly? Well, The Intercept contacted the NSA on May 30 and turned over a copy of the report to verify the authenticity of that document prior to publication. As it turns out, Winner emailed a printed and scanned copy of it to the publication, rather than emailing the PDF directly. According to security experts, newer printers print nearly invisible yellow dots that make it possible to track exactly when and where any document was printed. That allowed the FBI to discover that the document was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017, at 6:20, and according to NSA records, the agency can tell who used the printer at that time. The FBI also found that Winner 'had email contact' with The Intercept. She is facing a count of 'gathering, transmitting or losing defense information,' and may get up to 10 years behind bars if she is convicted.
Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations. -NSA document
Let's explore some of the issues more thoroughly. Read 'Encryption Software and Combating Cyber Crime' for insight.

#ponzischeme  

In the digital world, even the unscammable can get scammed. That's what happened to those who invested in Bitcoin mining services from companies 'GAW Miners' and 'ZenMiner.' Now, con man Homero Joshua Garza is paying the price after losing his case to the United States Securities and Exchange Commission (SEC). According to the SEC, Garza used the "lure of quick riches" in order to get about 10,000 people to invest in the bitcoin mining scheme, earning him about $20 million. Bitcoin mining was originally used as a simple way to secure the virtual currency before the idea became popular. You need computational power to solve complex equations, and when these have been solved, you are awarded units of the virtual currency. Homero Joshua Garza offered shares to investors in the companies' Bitcoin mining operation but did not own enough computing power for the mining promised. Instead, he used cash from new investors to reward earlier joiners, which is nothing but a fraudulent "ponzi" scheme, as described by the SEC.
In the June 2nd ruling, the US District of Connecticut federal court sided with the SEC and agreed to order that both GAW Miners and ZenMiner pay $10,384,099 jointly in disgorgement and prejudgment interest, as well as $1,000,000 fees in damages. GAW Miners and ZenMiner have since been shut down, but the case against Garza is ongoing. Keep in mind that the price of Bitcoin today is about $2,904 per coin. In 2014, when Garza began running the bogus schemes from his home in Connecticut, 1 BTC was equal to $450, meaning the $20 million in funds Garza took from the investors would be worth around $150 million today. The Register has pointed this out, saying "there would have been more than enough to keep the investors happy and have millions of dollars still left in the bank." Looks like Bitcoin bit back. Ouch.
Most investors paid for a share of computing power that never existed -the SEC
You've heard of mining, but what about blocking? Read 'Emerging Ransomware Threats' for details.

#handitover

This week, the US Supreme Court agreed to take up the case against Timothy Ivory Carpenter, who was sentenced to 116 years in jail for robbing six cellular telephone stores at gunpoint, partially on the basis of months of cellphone location records, turned over without a warrant. The outcome of this case could mean police would be required to obtain warrants to get cellphone location data pertaining to the phones of criminal suspects. According to Carpenter's lawyer, the prosecutor did not seek warrants based on probable cause; rather, they requested the records under the Stored Communications Act, which has a lower standard and allows phone companies to disclose records when the government shows "specific and articulable facts showing that there are reasonable grounds to believe" that records at issue "are relevant and material to an ongoing criminal investigation." While the records do not reveal Carpenter's conversations, they do detail a five-month span in 2010 and 2011, when his cellphone connected with cell towers in the vicinity of the robberies. The court argued that Carpenter had no reason to believe that his cellphone records would be kept private, given that the records simply show where his phone connected with cell towers, without giving away any information about call content.
A US court had ruled that police could access phone location data without a warrant, but lower courts in many states, including Montana, Maine, Minnesota, Massachusetts, and New Jersey, have ruled the opposite. Their rulings indicate phone records are constitutionally protected. This is not the only cellphone-related law that is under debate. In two similar cases in Florida, one defendant was sentenced to six months in jail for allegedly refusing to reveal his iPhone passcode, while a second defendant walked free after he claimed he forgot his passcode.
The United States Court ruled that police can force defendants to decrypt their electronic devices, as long as it does not violate the Fifth Amendment right that prevents any citizen from having to incriminate themselves. However, it appears US judges have different opinions on how to punish those who do not comply with the order to unlock their phones. This could mean yet another decision for the Supreme Court in the future.
Because cellphone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause. The time has come for the Supreme Court to make clear that the long-standing protections of the Fourth Amendment apply with undiminished force to these kinds of sensitive digital records. -Nathan Freed Wessler, an American Civil Liberties Union
Want more on the law's perspective? Hear from SME Max Alexander in this video, 'Cellphone Search and Seizure Laws.'

#factbyte

Since early 2016, eCommerce fraud has been declining in most industries, with two notable exceptions: Department Stores and Jewelry and Precious Metals. The resulting change in total fraud from Q1 2016 to Q1 2017 is -34.7%.

#securitychallenge

Test your log analysis knowledge in a revolutionary way and gain hands-on experience necessary to become a security professional. In the Log Analysis skill assessment, you will detect failed processes, network outages, or protocol failures, and determine data trends, among other tasks. It is especially useful if you're interested in a security or audit compliance, forensics, security incident response or system troubleshooting position.
The Log Analysis skill assessment is designed around industry-recognized, performance-based exam objectives and allows you to measure your performance against other players. This next-generation, high-fidelity simulation learning and skill assessment environment will allow you to get a measure of your strengths and weaknesses amongst various cyber security learning objectives and industry-recognized competencies.
Not only will the Log Analysis skill assessment allow you to develop your practical skills, but it will also test your critical thinking. This 'Jeopardy Style' challenge prompts you to answer questions and complete tasks in a range of categories.
Do you have what it takes to beat your opponents?
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.