These fake alerts convinced victims to type their usernames and passwords into a website controlled by the miscreant, allowing him to ransack their iCloud and Gmail accounts. Majerczyk, the son of two retired Chicago cops, was eventually collared by FBI agents probing "Celebgate" – the moment in 2014 when private nude photos of Kate Upton, Jennifer Lawrence, Ariana Grande and other stars were splashed on 4Chan and Reddit.
The pictures and videos were stolen from the victims' cloud accounts. During questioning, Majerczyk told the Feds he just wanted to "see things through other people's eyes." In a deal with prosecutors last July, he pleaded guilty to one count of unauthorized access to a protected computer to obtain information. “[Majerczyk] not only hacked into email accounts – he hacked into his victims’ private lives, causing embarrassment and lasting harm,” said the FBI's Deirdre Fike. “As most of us use devices containing private information, cases like this remind us to protect our data. Members of society whose information is in demand can be even more vulnerable, and directly targeted.” In addition to his sentence, handed down on Tuesday this week, Majerczyk was ordered to pay $5,700 to foot one celebrity victim's therapy bills.
The FBI also confiscated the hacker's Gateway computer, another desktop system, his iPhone, and various items of storage media. "At the time of the offense, Mr Majerczyk was suffering from depression and looked at pornography websites and internet chat rooms in an attempt to fill some of the voids and disappointments he was feeling in his life," his lawyer, Thomas Needham, told the court [PDF]. "After accessing the personal information and photographs for his personal viewing, he learned that others were distributing these private images on the internet. Mr Majerczyk did not realize the extent of this crime and was deeply affected by it. He immediately began seeing a therapist." According to his lawyer, there is no evidence that Majerczyk leaked any of the purloined pictures online. US prosecutors did not charge him with the distribution of the images. Meanwhile, in October last year, Ryan Collins, 36, of Pennsylvania, was jailed for 18 months for stealing similar snaps from people's accounts. Neither he nor Majerczyk has been directly accused of spreading the swiped selfies – a devastating leak that became known as The Fappening. Majerczyk's lawyer said his client was wracked with guilt and had had panic attacks since raiding his victims' private files.
Since it's said that he didn't upload the pictures to message boards, was a first-time offender, and pleaded guilty early, he received a relatively light sentence.
Still, the judge wasn't happy. "The conduct is abhorrent," said US district judge Charles Kocoras during this week's sentencing hearing in Illinois. "It's a very, very trying time that we live in."
Spangenberg said that when the company got word of a pending police raid, it was standard practice to delete data and destroy equipment. "I would be called when governmental agencies raided Uber's offices due to concerns regarding noncompliance with governmental regulations," he said. "In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber's information.
I would then be tasked with purchasing all new equipment for the office within the day." Uber did not respond to the allegations in the statement, citing a policy against commenting on active litigation.
The company did, however, provide The Register with a statement on the allegations made to the Center for Investigative Reporting. "It's absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval.
And this is based on more than simply the 'honor system': we have built [an] entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs," Uber said. "This could include multiple steps of approval – by managers and the legal team – to ensure there is a legitimate business case for providing access."
To what lengths would you go to ensure online privacy?
According to a new survey, about 40 percent of Americans would refrain from sex and give up their favorite food to avoid cybersecurity headaches.
Password management firm Dashlane last week reported that nearly four in 10 people would sacrifice lovemaking for a year if in return they could stop worrying about being hacked, identity theft, or losing access to one or more of their online accounts.
Such drastic measures, however, are not necessary if simple password rules are followed—which, based on a continued stream of successful attacks, we clearly aren't all doing.
"The nature of online security has changed dramatically," Dashlane CEO Emmanuel Schalit said in a statement. "Five to 10 years ago, cybersecurity was about protecting devices with anti-virus software.
Today, data isn't on our devices, but in the cloud—and the best line of defense we have to protect this data are passwords."
"This survey data continues to highlight an unfortunate trend—even with breaches happening to everyone from companies and celebrities to consumers, people are continuing to engage in risky password behavior," Schalit said.
Folks continue to hand out passwords like Halloween candy: Dashlane's study suggests 45 percent of Americans have trusted someone, or been entrusted, with a password for email (23 percent) and streaming services (21 percent).
Netflix passwords, for example, are shared among family and friends; the company even acknowledges it happens.
But if that shared password is the same as, or overlaps with, a password the person relies on to keep them safe elsewhere, handing it out is a white flag of surrender to hackers looking to access personal information.
People are understandably more protective of passcodes linked to money. Passwords for online stores were shared much less often (14 percent), as is the case for banking logins including investment accounts and student loans (9 percent).
Insurance providers are the least shared (6 percent), which makes sense, because who wants to talk about insurance?
Based on responses from more than 2,000 US adults, the study also concluded that younger Americans (millennials aged 18 to 34 who grew up using the Internet) are more trusting and trusted than older generations (64 percent vs. 37 percent), and that married people are less likely to part with passwords (41 percent vs. 49 percent).
A quarter of those surveyed believe that sharing a social media password is more intimate than sex.
But copulation isn't the only forfeiture folks are willing to make: Four in 10 people would rather pass up their favorite food for a month than go through a password reset process.
For more, see PCMag's review of the Dashlane 4 password manager and the slideshow above.
The only differences between the two tests were (i) in the line-ups of participating products in each; and (ii) in the names of the tests themselves: Comparative Test of Business Security Products and Comparison of ‘Next-Generation’ Security Products. Strange? A little.
So let me tell you what’s afoot here: why these practically identical tests were conducted at the same time. It’s well-known already (to folks interested in IT security) how some cybersecurity vendors try to avoid open, public testing and comparisons with other products – so as not to expose their inadequacy.
But by not taking part in such tests the marketing machinery of these vendors loses a crucial bit of leverage: potential customers – mostly corporate ones – always consult independent tests run by dependable specialist organizations.
So, what were they to do? A solution was found: to join up with other ‘next-gen’ developers and be tested together – and separately from everyone else (no ‘traditional AV’ allowed!) – to hide behind a convenient methodology, and to coat it all with the BS buzz term ‘next generation’. Days after the testing, the ‘next-gen’ participants published their own interpretations of the results, based on dubious logical deduction, manipulation of figures, and biased marketing rhetoric.
And you guessed it – those interpretations all arrived at the same conclusion: that “here, finally, it’s been publicly proven how next-gen reigns supreme over traditional products”! Really? Ok, time we turned on the Babel fish…

Is it really true that next-gen products are great? And if they are so great – great compared to what? Let’s compare the results of the ‘next-gen’ test with the above-mentioned twin test – i.e., the same test (using the exact same methodology), only with different (non-‘next-gen’) participating products. Important: the true quality of protection should be judged by the figure outside the brackets, which corresponds to the protection rate, not the detection rate: there’s no point in merely detecting an attack if it is then allowed to proceed, i.e., not stopped.

[Table: Protection from malware in different scenarios, and false positives]

[Table: Protection against exploits]

Well, I can hear how the clanging of medals in the next-generation camp has come to a sudden halt, while their ‘victorious’ self-published reports can now be seen for what they really are: attempts to deceive users ‘in the best traditions of misleading test marketing’. Judge for yourself:

One participant in its press release appears to have forgotten to tell anyone about its bombing on protection from exploits (28%), while also seeming to have switched its result on the protection rate in the WPDT scenario (100% instead of 98%).

Another participant also kept quiet about its modest result on protection from exploits (82%), but proudly described its last-but-one place in that category as “…outperform[ing] other endpoint security competitors in exploit protection”.
It also preferred not to mention its coming last in the AVC scenario test, but that didn’t stop it claiming that mythical ‘legacy AV’ (whatever that is) simply MUST be replaced by its products.

A third participant decided to get straight to the point by laying claim to the crown of ‘most next-gen of all’, having received nothing short of a blessing: certification from this test lab to replace mythical ‘legacy AV’ with its next-gen products.

The Babel fish has a few other questions regarding this test. The methodology used this time for testing protection against malicious programs was simpler than that used in the regular, full-fledged Real World Protection Test by which other (non-‘next-gen’) products are normally certified.
In the Real World Protection Test, six times as many real-world attack scenarios (WPDT) are used, every month for a year.
And even adding the RTTL and AVC scenarios doesn’t make up for this simplification. So why were a simplified methodology and a division of the participants (into ‘next-gen’ and ‘business’) needed? Was it an indulgence to the next-gen vendors, which were afraid of flopping big-time in the regular tests? How would these developers fare in a full-fledged test alongside the technological leaders?

And the last question: what is ‘next generation’? According to a comprehensive study by the SANS Institute, conducted at the request of another self-proclaimed ‘next-gen’ vendor, the category ‘Next-generation AV’ covers all large vendors of cybersecurity solutions. Moreover, many ‘next-gen’ vendors do not qualify for the ‘Next-generation AV’ tag – especially when it comes to effectiveness and protection from zero-day threats.

I can’t say that I fully agree with the definition mentioned above: absent from it are such important things as multi-level protection, adaptability, and the ability not only to detect but also to prevent, react to and predict cyberattacks, all of which matter much more to the user. However, even this definition unequivocally states that all products need to be tested according to one and the same methodology. Simplifying the WPDT test and dividing the reports into ‘next-gen’ and ‘non-next-gen’ misleads customers, creates a basis for marketing maneuvering and manipulation, and even undermines the trust long invested in the independent labs running the tests.

Take-aways:

First (in spite of everything): I want to express my thanks to AV-Comparatives for finally being able to conduct a public test of several ‘next-gen’ products. Ok, so the methodology used was WPDT-lite, and the test results can’t be used to directly compare participants.
Still, as they say, you can’t have everything straight away – or, the first step is always the hardest: the main thing is that ‘next-gen’ has finally been publicly tested by an authoritative independent lab, which is just what we’d been wanting for a long time.

Second: I hope that other independent test labs will follow AV-Comparatives’ example in testing ‘next-gen’ – preferably as per AMTSO standards – and, crucially, together with all vendors.
And I hope the vendors, in turn, won’t throw obstacles in the test labs’ way.

Third: When choosing a cybersecurity solution it’s necessary to take into account as many different tests as possible. Reliable products set themselves apart by consistently notching up stable top results in different tests by different independent labs over many years.

And finally: Now, just in time for the planning of budgets for next year, I hope ‘next-gen’ developers will allocate more resources to the development of technologies and participation in public tests, rather than to fancy advertising billboards, planned inaccuracies in press releases, and expensive parties stuffed with celebrities.

PS – from the Babel fish: “The word combination ‘next-generation security’ and its derivatives in public communications – be they marketing material, advertising videos, white papers, or the arguments of a sales manager – can be a sign of aggressive telepathic matrices directed at the promotion of pure BS, and thus necessitate a particularly astringent practical application of critical reason.”

From the author: “I understood none of that, but I fully agree with the fish – whatever it was babbling on about.”
Those efforts, which took place between November 2012 and September 2014, harvested account logins for entertainers and other prominent persons. Collins received a lighter penalty than the five years in prison initially on the table for the guilty plea. The uploader or 'leaker' of the stolen images has not been found.
Collins stole personal information, including nude photos, from the celebrities. The photos were famously posted on 4chan and reddit in 2014.
Collins pleaded guilty to hacking the celebrities’ accounts in May, but he did not plead guilty to posting the images on the Internet. “Investigators have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained,” the Department of Justice (DOJ) noted.

According to The Guardian, Collins ran a phishing scheme from November 2012 to September 2014, sending celebrities e-mails that appeared to be from Apple and Google, requesting their user names and passwords. In a press statement, the DOJ wrote that Collins would illegally access respondents’ accounts and search for nude photos and videos. “In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups,” the DOJ wrote. “In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs.”

Collins apparently accessed at least 50 iCloud accounts and 72 Gmail accounts and stole information from more than 600 victims, not all of whom were celebrities. From the beginning, Apple maintained that the hacks weren’t the result of an iCloud vulnerability, but the fruit of a “very targeted attack on user names, passwords and security questions.” In the aftermath of the hack, some celebrities threatened Google with a $100 million lawsuit for failing to "act expeditiously and responsibly to remove the Images."