Judges Approves $9.5 Million Facebook ‘Beacon’ Accord: Via Threat Level.

A federal judge on Wednesday approved a $9.5 million settlement to a class action lawsuit challenging Facebook’s program that monitored and published what users of the social networking site were buying or renting from Blockbuster, Overstock and other locations.

The case concerned allegations Facebook’s now defunct “Beacon” program breached federal wiretap and video-rental privacy laws. Terms of the settlement, in which Facebook denied any wrongdoing, require the site to finance what the deal calls a “Digital Trust Fund” that would issue more than $6 million in grants to organizations to study online privacy.

The social networking site will have a seat on the fund’s three-member board — a fact that was a big bone of contention (.pdf) in the privacy community, but one U.S. District Judge Richard Seeborg in San Jose, California, said Wednesday was immaterial.

“There has been no pervasive showing that the foundation will be a mere publicity tool for Facebook,” (.pdf) Seeborg wrote.

Seeborg gave preliminary approval to the deal last year, but finalized it Wednesday after reviewing objections. [ Read more ... ]

Investigators: Businesses buying your credit card number: Via NorthWest Cable News.

$10 here. $15 there. 

By putting little charges on your credit card  some companies are making tens of millions of dollars a year. These are businesses that you never gave your credit card number to.

Some consumer groups call it fraud, but it may be perfectly legal.

Christie Frison-Thornton, of Rainier, spotted a $19.95 charge just a few weeks ago.   A company called "Privacy Matters" billed her credit card.

"I thought what the heck is this? Cause I really did not have a clue," said Frison-Thornton. [ Read more ... ]

NetFlix Cancels Recommendation Contest After Privacy Lawsuit: Via Threat Level.

Netflix is canceling its second $1 million Netflix Prize to settle a legal challenge that it breached customer privacy as part of the first contest’s race for a better movie-recommendation engine.

Friday’s announcement came five months after Netflix had announced a successor to its algorithm-improvement contest. The company at the time said it intended to expand the amount of information it gave to researchers in hopes that its recommendation system — a key part of Netflix’s customer retention strategy — would get even better. That was then followed with a warning by prominent data privacy lawyers that the new dataset was easily de-anonymized.

Those fears were highlighted in December, when an in-the-closet lesbian mother sued Netflix for privacy invasion, alleging the movie-rental company made it possible for her to be outed when it disclosed insufficiently anonymous information about nearly half-a-million customers as part of its $1 million contest. [ Read more ... ]

TJX Hacking Conspirator Gets 4 Years: Via Threat Level.

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]

Wiseguys Indicted in $20 Million Online Ticket Ring: Via Threat Level.

A ring of ticket brokers was indicted Monday in connection to an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.

The defendants made more than $28 million in profits from the re-sale of the tickets between 2002 and 2009.

According to the federal indictment (.pdf) in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.

The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks. [ Read more ... ]

Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.

PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.

Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.

Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]

Facebook Denies ‘All Wrongdoing’ in ‘Beacon’ Data Breach: Via Threat Level.

Facebook is denying it illegally breached the privacy of its users in a proposed $9.5 million settlement to a class action challenging its program that monitored and published what users of the social-networking site were buying or renting from Blockbuster, Overstock and other locations.

To settle allegations that the social networking site’s “Beacon” program breached federal wiretap and video-rental privacy laws, Facebook is agreeing to seed what the agreement is calling a “Digital Trust Fund” that would issue more than $6 million in grants to organizations to study privacy. Facebook would have a seat on the fund’s three-member board — a move raising some eyebrows in the privacy community.

A fairness hearing on the issue is set for Feb. 26 in a San Jose, California, federal court. The judge presiding over the case, Richard Seeborg, gave preliminary approval to the deal three months ago. [ Read more ... ]

Wikileaks Meets Its Cash Goal — For Now: Via Threat Level.

The whistleblowing site Wikileaks has apparently raised the money it needs to continue operating for the time being, according to a message the organization sent out Wednesday night on Twitter.

“Achieved min. funraising [sic] goal. ($200k/600k); we’re back fighting for another year, even if we have to eat rice to do it,” read the tweet, without specifying whether it had raised the full $600,000 or just $200,000.

The site announced last December that it was ceasing day-to-day operations to focus on raising money. It said contributors could still send documents and tips through its anonymous submission tool. Last week, it was ceasing operations indefinitely because it had raised only $130,000 of the $200,000 it needed to maintain base operations annually. The site says it requires $600,000 to operate if it pays its staff of technologists and curators who sift through submissions to provide context for documents and other information valuable to its users.

The announcement page, beginning with: “We protect the world — but will you protect us?” has not changed, except to add that Wikileaks “will be back soon.” [ Read more ... ]

Hackers Steal Millions in Carbon Credits: Via Threat Level.

Credit card numbers are so passe. Today’s hackers know the real powerhouse data to steal is emission certificates.

That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.

The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. [ Read more ... ]

Anti-RIAA Site Folds: Via Threat Level.

Provocative website p2pnet.net, the online voice to one of the world’s most blistering and perpetual attacks on the Recording Industry Association of America, is shuttering amid financial doldrums. It was 9 years old.

“I can’t claim p2pnet has been protecting the world, but I’ve done my best to unspin some of the vested interest corporate spin, and expose a few of the lies and corruption,” the site’s voice and founder Jon Newton said in his “last post” Wednesday.

The Vancouver Island, British Columbia huckster is looking for donations or even a partnership in hopes of reviving the site that has become infamous for its mocking portrayal of the RIAA, which consists of Vivendi Universal, Sony BMG, EMI and Warner Music.

While Newton mocked the Motion Picture Association of America, the site is best remembered for referring to the RIAA as the “Big 4 Organised Music Cartel,” [ Read more ... ]

Google Puts New Focus on Outside Research: Via Bits Blog - NYTimes.com .

Google, like other leading technology companies, funds university research in fields where its interest and the interest of science coincide. Until now, the company has done that mainly with lots of smaller grants, typically $50,000 or so.

But Google is stepping up its funding. In a focused approach to be announced on Tuesday, the company is making a $5.7 million commitment to a dozen university research projects. The money is earmarked for four areas: machine learning, the use of cellphones as data collection devices in science, energy efficiency in computing and privacy.

“We’ve identified four extremely important areas, both to Google and to society,” said Alfred Spector, the company’s vice president of research and special initiatives. [ Read more ... ]

Pentagon’s Black Budget Tops $56 Billion: Via Danger Room.

The Defense Department just released its king-sized, $708 billion budget for the next fiscal year. Much of the proposed spending is fairly detailed - noting exactly how many helicopters the Pentagon plans to buy, and how many troops it plans on playing. But about $56 billion goes simply to “classified programs,” or to projects known only by their code names, like “CHALK EAGLE” and “LINK PLUMERIA.” That’s the Pentagon’s black budget.

Cobbling together this round figure for the military’s hush-hush projects is easier than it seems. The Pentagon’s separate ledgers for operations, research, and procurement all contain line items for “classified programs.” Add those to the non-sensical, all-caps programs, and you’ve got yourself a nice round estimate for the Pentagon’s secretive efforts. [ Read more ... ]

Bank sues victim of $800,000 cybertheft: Via Computerworld Security News.

In twist, Texas bank sues business customer, claiming cybertheft not its fault

A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.

The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.

In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.

Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.

PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." [ Read more ... ]

Lawyers Challenge Lowered Amount of ‘Shocking’ File Sharing Award: Via Threat Level.

Lawyers for a music file sharer said Monday they would challenge a judge’s order reducing from $1.92 million to $54,000 the amount their client, Jammie Thomas-Rasset, must pay the recording industry for copyright infringement of 24 songs.

The appeal concerns Friday’s head-spinning order by U.S. District Judge Michael Davis. The Minnesota federal judge dramatically lowered the amount a jury in June ordered Thomas-Rasset to pay — after being found liable in what at the time was the nation’s first Recording Industry Association of America file sharing case to reach trial. Most of the RIAA’s 30,000 lawsuits were settled out of court for a few thousand dollars during the record companies’ six-year litigation campaign, which is winding down.

Joe Sibley, Thomas-Rasset’s attorney, said in a telephone interview that even the reduced amount of damages is unconstitutionally excessive. It’s a penalty of 2,250 times an assumed $1 cost of a music download. [ Read more ... ]

Court Reduces ‘Shocking’ File Sharing Award: Via Threat Level.

A federal judge on Friday reduced a $1.92 million file sharing verdict to $54,000 after concluding the award for infringing 24 songs was “shocking.”

A federal jury in June found Jammie Thomas-Rasset liable in what at the time was the nation’s only Recording Industry Association of America file sharing case against an individual to go to trial. The Minnesota federal jury dinged her $1.92 million for infringing 24 songs. She asked the judge to set aside or reduce that $80,000 per song in damages.

U.S. District Judge Michael Davis agreed on Friday, and said the RIAA may have a retrial if it does not accept his ruling.

“The need for deterrence cannot justify a $2 million verdict for stealing and illegally distributing 24 songs for the sole purpose of obtaining free music,” Davis wrote. “Moreover, although plaintiffs were not required to prove their actual damages, statutory damages must bear some relation to actual damages.” [ Read more ... ]

Web Censor Seeks $2.2 Billion for China Hack: Via Threat Level.

A California web-filtering company says it is the victim of “one of the largest cases of software piracy in history.”

Lawyers for adult- and violent-content web-filtering company CYBERsitter claim in a federal lawsuit that the Chinese government purloined some 3,000 lines of its code from its servers as part of software for a national censorship project –- in which several international computer makers are accused of knowingly distributing throughout China.

“They are heavy allegations. Three thousand lines of code, approximately, were stolen. It was a serious thing that was done,” Elliot Gipson, a lawyer for Santa Barbara-based CYBERsitter, said in a telephone interview Thursday.

Gipson said about 56 million copies of China’s government censorship software, part of the so-called Green Dam project, were marketed with his client’s code in China last year.

The complaint, which seeks $2.2 billion in damages, (.pdf)  names Sony, Lenovo Group, Toshiba, ACER and, among others, ASUSTeK. [ Read more ... ]

FBI investigating online New York school district theft: Via Computerworld Cybercrime/Hacking News.

A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation.

For three days starting Dec. 18, cybercriminals started transferring money overseas from the accounts of the Duanesburg Central School District, which has two schools with about 950 students about 20 miles west of Albany, New York. [ Read more ... ]

Alleged Ponzi Mastermind Stanford Pwned in Antigua: Via Threat Level.

In early 2008, while federal investigators were busy looking into disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.

According to a fraud investigator with firsthand knowledge of the break-in, the hackers responsible infiltrated a component of the Stanford Group’s network by exploiting vulnerabilities in the company’s web servers and databases. On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a website controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.

Once inside Stanford’s network, the unidentified hackers appear to have swiped the credentials from an internal network administrator. They soon had downloaded the user names and password hashes for more than 1,000 employees of Stanford Financial, Stanford Group, Stanford Trust and Stanford International Bank. [ Read more ... ]

Feds Warn Small Businesses to Use Dedicated PC for Online Banking: Via Threat Level.

In the wake of a rash of hacks on computers owned by small businesses, the FBI and the American Banking Association have issued an alert advising businesses to use only a dedicated PC for online banking, according to USA Today.

The alert was issued after numerous small businesses, universities and local governments have been targeted by hackers who installed keystroke loggers on their machines to steal banking credentials and siphon millions of dollars from their bank accounts.

The alert advises businesses to dedicate a single computer for online banking activity that is never used for reading e-mail or surfing anywhere else on the web. Using a dedicated computer would lessen the chance of the computer being infected with malware that can help crooks drain a bank account through wire transfers and automated clearinghouse transfers. [ Read more ... ]

The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.

It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.

Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium. [ Read more ... ]

Hackers show it's easy to snoop on a GSM call: Via Computerworld Security News.

Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.

In a presentation given Sunday at the Chaos Communication Conference in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data -- cracking tables that can be used as a kind of reverse phone-book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message.

While Nohl stopped short of releasing a GSM-cracking device -- that would be illegal in many countries, including the U.S. -- he said he divulged information that has been common knowledge in academic circles and made it "practically useable." [ Read more ... ]

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.

The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.

While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”

Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]

7-Eleven Hack From Russia Led to ATM Looting in New York: Via Threat Level.

Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 is stolen from cash machines on the Upper East Side in just three days.  After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million dollars stolen.

The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com. [ Read more ... ]

Heartland pays Amex $3.6M over 2008 data breach: Via Computerworld.

Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.

The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks.

Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege. [ Read more ... ]

Netflix Spilled Your Brokeback Mountain Secret, Lawsuit Claims: Via Threat Level.

An in-the-closet lesbian mother is suing Netflix for privacy invasion, alleging the movie rental company made it possible for her to be outed when it disclosed insufficiently anonymous information about nearly half-a-million customers as part of its $1 million contest to improve its recommendation system.

The suit known as Doe v. Netflix (.pdf) was filed in federal court in California on Thursday, alleging that Netflix violated fair-trade laws and a federal privacy law protecting video rental records, when it launched its popular contest in September 2006. [ Read more ... ]