Five Charged in Largest Hacking Scheme Ever Prosecuted in US

The U.S. Attorney's Office today unsealed an indictment charging four Russians and a Ukrainian with a multi-million hacking scheme that netted 160 million credit card numbers from several major American and international corporations.

The charges stem from hacking attacks dating back to 2005 against several global brands, including the NASDAQ exchange, 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

The five men that are being indicted are Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized in penetrating networks and gaining access to the corporate victims' systems.

- Roman Kotov, 32, of Moscow, allegedly specialized in mining the networks compromised by Drinkman and Kalinin to steal valuable data.

- Mikhail Rytikov, 26, of Odessa, Ukraine, allegedly offered anonymous web-hosting services for the others to hide their illegal activities.

- Dmitriy Smilianets, 29, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Two of the five men Drinkman and Smilianets  have been captured while traveling in the Netherlands last year and they have been extradited to the United States to face charges while the other three men remain at large.  Court documents show the men took user names and passwords, identification, credit and debit card numbers that correspond to personal identification information of cardholders.

The men gained access to systems by using an SQL injection attack as their initial entry point.  Once the networks were breached, they used malware to create a back door to maintain their access to these systems.  The men also used sniffers to identify, collect, and steal data from victims and used the stolen data and sold it to others.  As their punishment, they face a five year prison sentence for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.

Social network to let you set passwords for apps on Facebook and enlist friends to help log into blocked account

Facebook is set to announce new security features that will let people set passwords for third-party apps and get help from friends when they can’t access their accounts.

When your Facebook account is hijacked and you can’t get in, the new Trusted Friends feature lets you select three to five friends who can be trusted to help you get access to your account.

Facebook is also bulking up security for in-system apps by allowing you to create a password to access certain apps.  To use App passwords, click on Account Settings, then select Security Tab and the “App passwords” section.  This will generate a password that you don’t need to remember, just enter it along with your email when logging into an application.

Five Factors InfoSec Teams Should Consider When Deploying to the Cloud

A recent survey of cloud users ranging from cloud beginners to the more experienced cloud users report that the challenges of cloud such as security, governance, and compliance declined as cloud maturity increased.  They also brought to mention that there are five factors that all InfoSec departments should consider when thinking about cloud deployments:

Clear organizational policies: have a clear policy about the security responsibilities.

Access controls: know the details around access controls in the cloud.

Protect data in transit: ask detailed questions about data in transit.

Data protection in a database: how does your cloud vendor handle data protection?

System monitoring: leverage a system that implements fill logging, monitoring, archiving, and retention of operational and service data through multiple channels for both system event logs and custom monitoring parameters.

European Union Increases Penalties for Cybercriminals and Hackers

The European Union has decided to raise prison sentences for people found guilty of hacking, data breaches, and cyber-attacks.  Lawmakers from 28 nations have decided to assign harsher penalties to include increased prison sentences.  A person will receive two years for illegally accessing information systems and at least five years for cyber-attacks against infrastructure such as power plants, water systems, and transportation networks.

Other cybercrimes that receive penalty increases were the illegal interception of communications or the creation of tools for this purpose.  Also, any company that’s found guilty of using these tools or hires hackers to steal data will also be liable under the new law.

The only country that didn’t sign onto the new rules was Denmark because they want to keep their own sentences.  This is the first update to such laws since 2011 when lawmakers agreed to tougher penalties for cybercrimes.  The U.S. is working hard to clamp down on cybercriminals also.  Last month, members of the U.S. House of Representatives Intelligence Committee proposed a new cyber theft law that would target hackers based in other countries.  Back in May, a group of senators proposed a similar bill call the “Deter Cyber Theft Act” to protect commercial data from foreign hackers and governments.