The
closed captioning that we receive from CBS in New York for tonight's
episode of Blue Bloods was hacked and unfortunately contained profanity
and other statements that do not represent those of News 9 or CBS. We
sincerely apologize for this and the lack of captioning for our hearing
impaired viewers.
CBS is currently investigating and will implement steps to insure that this does not happen again.
The News of the World’s Ian Edmondson has admitted he was involved in phone hacking. Photograph: Ray Tang/Rex Features
A former News of the World news executive has admitted he was
involved in phone hacking, 16 months after pleading not guilty to the
crime in the Old Bailey.
Ian Edmondson’s about-turn marks the final chapter in the
phone-hacking trial that ended in June with the conviction of Andy
Coulson and the acquittal of Rebekah Brooks, both former New of the
World editors.
Edmondson, 45, spoke only to confirm his name and to say “guilty” when asked to formally enter his plea.
He was charged with conspiring to hack phones between 3 October 2000
and 9 August 2006 together with the paper’s former editor Andy Coulson
and with hacker Glen Mulcaire, the paper’s former royal editor Clive
Goodman, its former newsdesk executives Greg Miskiw, Neville Thurlbeck
and James Weatherup, the paper’s former feature writer Dan Evans, and
other persons known and unknown.
Edmondson was one of the original eight defendants at the Old Bailey
trial but, for health reasons, was deemed “unfit” to continue on the
29th day of proceedings. He was deemed fit to stand trial in July.
Before he was released from trial, the jury heard how he was one of four news editors for whom convicted hacker Mulcaire worked.
Edmondson, who is now facing the possibility of jail, was bailed and will be sentenced at a date in November.
Edmondson’s barrister Sallie Bennet-Jenkins QC told the court that
Mulcaire had frequently “bragged” about hacking and Edmondson was aware
that this was one of the tools of his trade when tasking him.
She added, however, that Edmondson had been acting “under direct instructions by senior executives to use Mulcaire”.
Mark Bryant Heron QC, for the prosecution, told the court that
Edmondson was not the most prolific tasker of Mulcaire during the
six-year phone hacking conspiracy at the paper.
At one stage he even wanted to sack him, telling his bosses that the
£2,019 a week for “special investigations” being paid to Mulcaire’s Nine
Consultancy “had to stop”.
But, said the prosecutor, once Mulcaire’s previous handler Miskiw –
also a former news editor – left the paper, Edmondson became a
“frequent” tasker of the private investigator.
Between July 2005 and August 2006 records showed there were 800 callsand texts, or 90 a month Bryant Heron said.
The court also heard for the first time of a tape recording of a
conversation between Edmondson and a News of the World colleague. The
tape was undated but from its contents it was evidence the conversation
took place following the arrest of the royal editor Clive Goodman in
2006 on suspicion of phone hacking.
The colleague said: “But you know what the vital difference is you
haven’t done anything yourself or from your number. That is not what
Clive’s caught on, he’s fucking done it himself ...”
Edmondson replied: “ Yeah – I’ve done it myself ...”
The prosecution said that Edmondson’s name was on 334 of the 8,000
notes seized from Mulcaire’s premises linking him to the hacking of
celebrities, politicians and sportspeople.
In addition to Lord Prescott, former culture secretary Tessa Jowell,
and Lord Freddie Windsor, targets linked to Edmondson’s instructions to
Mulcaire included Sienna Miller, her friend Archie Keswick and her
former boyfriend Jude Law, and George Best’s son Callum Best, the court
heard.
He also employed Mulcaire to investigate Sir Paul McCartney and Heather Mills in May 2006.
The NoW published nine articles about the couple between over one
month, said Bryant Heron. “Ian Edmondson wished, unsurprisingly, to get
information on the marital break-up. He employed Mulcaire to do so.”
He told the court: “There was an aggressive newsgathering culture.
The end justified the means to get results, to get the story, in an
extremely competitive market.”
Edmondson worked for the paper in the 1990s, and then rejoined the
tabloid’s news desk in 2004, becoming news editor in 2005, a position he
held until he was suspended in December 2010 and subsequently dismissed
for gross misconduct in January 2011.
He was in charge when Mulcaire and the paper’s royal editor Clive Goodman were arrested in August 2006 on suspicion of hacking.
His suspension four years later came after three emails implicating
him in Mulcaire’s hacking came to light. These suggested that hacking
was not confined to Goodman, who the company had claimed was operating
as a single “rogue reporter” and led to the launch of Operation Weeting,
Scotland Yard’s phone-hacking investigation in January 2011.
They contained the mobile and pin numbers for Joan Hammell, a special
adviser to Lord Prescott, former culture secretary Tessa Jowell and
royal Freddie Windsor.
The jury heard that during Edmondson’s reign on the news desk the
paper also hacking rival journalists on the Mail on Sunday in an attempt
to discover what they knew about Prescott’s affair with his diary
secretary Tracey Temple in a “dog-eat-dog” fight for stories.
After the paper hacked Temple and her ex-husband and got nowhere, the
prosecution said that Edmondson then got hold of Hammell’s number and
passed it to Mulcaire. Mulcaire went on to get her pin and listened to
45 messages. He then emailed Edmondson telling him: “This is how you can
hack the phone so that you too can hear them”, according to emails
disclosed during the trial.
“In the dog-eat-dog world of journalism, in this frenzy to get the
huge story and to try to get something other than everybody else, that
is what you do, we suggest, if you are Ian Edmondson – you hack the
competition,” prosecutor Andrew Edis QC told jurors in his opening
speech.
One defendant had claimed that hacking was so widespread that
Edmondson was even accessing Coulson’s voicemail to find out which
stories he favoured.
When Mulcaire’s home was raided by police in 2006, officers
discovered a large cache of notes recording who had tasked him to hack
phones, including “Ian”.
His decision to plead guilty means that eight of the 10 so far
charged and dealt with for phone hacking at the NoW have been convicted
or pleaded guilty.
Before the trial had got underway had sought disclosure of internal emails distancing himself from the work of Mulcaire.
He sought the emails to prove that he thought Mulcaire was
“inefficient” and “a waste of money” and wanted him sacked and that
after he arrived at NoW in November 2004 that he cut down on the cash
payments.
Editor’s note:Noam Schwartz is leading Business
Development in SimilarWeb. His previous company Tapdog was acquired by
SimilarWeb in the beginning of 2014.
Ad fraud is a well-known “secret” in the online marketing world, and
it’s been around ever since ads have existed on the Internet. Experts
estimate that for every $1 a company spends on online advertising,
almost half is lost to digital ad fraud.
But in 2014, ad fraud has taken center stage. This month the Interactive Advertising Bureau (IAB) released their “Anti-Fraud Principles,”
meant to reduce robotic traffic, or bots, and other forms of online
traffic fraud. And earlier this year, IAB chairman and Ziff Davis CEO
Vivek Shah publicly admitted that 36% of all web traffic is non-human traffic. (Other ad execs say it’s closer to 50%.)
What more, the problem seems to be growing. Last year, Google disabled ads from more than 400,000 sites hiding malware, up from 123,000 sites in 2012.
Bots, Stuffing, and Stacking Scams
So how exactly do fraudsters hijack your marketing budget?
Unfortunately, there are a lot of ways to perpetrate traffic fraud,
including the following:
Clickjacking malware. This kind of malware sends real users to
websites they never planned to visit in the first place. Another method
is to have bots imitate real users by “clicking” on ads or repeatedly
loading a page.
iFrame stuffing. iFrame stuffing compresses an ad into a tiny
one-by-one pixel size. The ad is served up on a site as a real ad and
reported as a view, even though a real user would never be able to view
such a tiny ad.
Ad stacking. In this type of scam, multiple ads are placed on top
of each other in a single ad placement. Only the top ad is in view, but
all of the ads are reported as viewed.
These kinds of traffic fraud manipulate metrics like page views and
click-through rate, making cost-per-impression a dangerous pricing model
for advertisers.
To get an idea of just how dangerous it can be, let’s look at one of
the most elegant scams out there today, one that works using illegal bot
activity. To set up the scam, a fraudster could create a magazine-style
website for the sole purpose of hosting ads. Content is added
automatically from content farms or copied from real publishers.
Then, the fraudster distributes malicious software (or piggybacks on
existing ones), that causes the infected computers to open numerous
browser windows in the background, completely hidden from the user.
The browsers are directed to the fraudster’s fake webpage and emulate
human behavior by hopping from link to link, virtually moving the
cursor, scrolling, and occasionally clicking on ads.
Here you can see a video of illegal bots in action:
So here’s where advertisers take a hit in the marketing budget. Let’s
say that the fraudster manages to distribute malicious software to just
100,000 computers. If each of these computers opens 50 hidden browsers
every day, spending 30 seconds on each page and clicking an ad once
every 200 pages, the fraudster can generate 72 million fake clicks in a
single day! And advertisers are paying for every one of those clicks.
Online Ads Are Easy Targets
Online advertising is a fraudster’s heaven, and even the savviest advertisers lose millions of dollars each month.
So what makes ads so easy to target?
For one thing, advertisers often have no idea fraud has even
occurred. Typically, advertisers only get standard metrics on their ad
campaigns, like cost per lead and conversion rate. There’s no way to
detect ad fraud or to know just how much it cost you because it’s just
rolled into the cost of acquiring real customers.
Also, ad networks don’t ask a lot of questions when a new ad
publisher registers their site. Usually the ad network only asks for a
publisher’s basic traffic, engagement, and demographic stats, and that’s
it. Then the publisher gets the code that will allow them to present
ads from the ad network inventory. The ad networks have nothing to
lose—if the publisher generates clicks, it’s a win. If not, the ad
server will push the ads elsewhere.
Finally, those same ad networks actually benefit from ad fraud. They
get paid for each click or impression, regardless of whether the ad is
served to a real person or a fraudulent bot. So eliminating 36-50% of
those bad clicks would negatively affect their bottom line.
What Advertisers Can Do About Ad Fraud
Few substantial and scalable solutions exist for ad fraud.
Ad fraud detection companies such as Telemetry, Forensiq, White Ops,
Spider.io (recently acquired by Google), and SimilarWeb’s Traffic
Guardian use several approaches, including comparing visit patterns with
known behavior, monitoring malicious software, proxy unmasking, device
verification, and manipulation recognition.
For instance, an algorithm can determine whether a website is
legitimate or fraudulent by comparing the way real people are using that
website to actual online behavior. Advertisers can view that data
themselves, which can help them decide whether one of their publishers
needs to be red-flagged, or even rejected immediately.
Unfortunately, the outcome of the online ad game will not decided by a
knockout. New technologies and state-of-the-art algorithms are
continually being developed both by fraudsters and those trying to fight
them.
And while it’s promising that agencies and publishers have started
talking about the problem, advertisers have to be involved, too. After
all, they’re the ones with the most skin in the game.
The Manhattan headquarters of JPMorgan Chase, which securities filings revealed was attacked by hackers over the summer.
A cyberattack this summer on JPMorgan Chase
compromised the accounts of 76 million households and seven million
small businesses, a tally that dwarfs previous estimates by the bank and
puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing
on Thursday — emerge at a time when consumer confidence in the digital
operations of corporate America has already been shaken. Target, Home Depot
and a number of other retailers have sustained major data breaches.
Last year, the information of 40 million cardholders and 70 million
others were compromised at Target, while an attack at Home Depot in
September affected 56 million cards.
But unlike retailers,
JPMorgan, as the largest bank in the nation, has financial information
in its computer systems that goes beyond customers’ credit card details
and potentially includes more sensitive data.
“We’ve migrated so
much of our economy to computer networks because they are faster and
more efficient, but there are side effects,” said Dan Kaminsky, a
researcher who works as chief scientist at White Ops, a security
company.
Until just a few weeks
ago, executives at JPMorgan said they believed that only one million
accounts were affected, according to several people with knowledge of
the attacks.
As the severity of the
intrusion — which began in June but was not discovered until July —
became more clear in recent days, bank executives scrambled for the
second time in three months to contain the fallout and to reassure
skittish customers that no money had been taken and that their financial
information remained secure.
The hackers appeared
to have obtained a list of the applications and programs that run on
JPMorgan’s computers — a road map of sorts — which they could crosscheck
with known vulnerabilities in each program and web application, in
search of an entry point back into the bank’s systems, according to
several people with knowledge of the results of the bank’s forensics
investigation, all of whom spoke on the condition of anonymity.
Operating overseas,
the hackers gained access to the names, addresses, phone numbers and
emails of JPMorgan account holders. In its regulatory filing on
Thursday, JPMorgan said that there was no evidence that account
information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the
JPMorgan breach surfaced in July, banks were viewed as relatively safe
from online assaults because of their investment in defenses and trained
security staff. Most previous breaches at banks have involved stealing
personal identification numbers for A.T.M. accounts, not burrowing deep
into the internal workings of a bank’s computer systems.
Even if no customer
financial information was taken, the apparent breadth and depth of the
JPMorgan attack shows how vulnerable Wall Street institutions are to
cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Photo
Jamie Dimon, chief executive of JPMorgan Chase, says that the digital threat is on the rise.Credit Richard Drew/Associated Press
Jamie Dimon,
JPMorgan’s chairman and chief executive, has acknowledged the growing
digital threat. In his annual letter to shareholders, Mr. Dimon said,
“We’re making good progress on these and other efforts, but cyberattacks
are growing every day in strength and velocity across the globe.”
Even though the bank
has fortified its defenses against the attacks, Mr. Dimon wrote, the
battle is “continual and likely never-ending.”
On Thursday, some
lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a
member of the Senate Commerce Committee, said “the data breach at
JPMorgan Chase is yet another example of how Americans’ most sensitive
personal information is in danger.”
Hackers drilled deep
into the bank’s vast computer systems, reaching more than 90 servers,
the people with knowledge of the investigation said. As they analyze the
contours of the breach, investigators in law enforcement remain
puzzled, partly because there is no evidence that the attackers looted
any money from customer accounts.
That lack of any
apparent profit motive has generated speculation among the law
enforcement officials and security experts that the hackers, which some
thought to be from Southern Europe, may have been sponsored by elements
of the Russian government, the people with knowledge of the
investigation said.
By the time the bank’s
security team discovered the breach in late July, hackers had already
obtained the highest level of administrative privilege to dozens of the
bank’s computer servers, according to the people with knowledge of the
investigation. It is still unclear how hackers managed to gain such deep
access.
The people with
knowledge of the investigation said it would take months for the bank to
swap out its programs and applications and renegotiate licensing deals
with its technology suppliers, possibly giving the hackers time to mine
the bank’s systems for unpatched, or undiscovered, vulnerabilities that
would allow them re-entry into JPMorgan’s systems.
Beyond its
disclosures, JPMorgan did not comment on what its investigation had
found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the
bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission,
people with knowledge of the matter said. Earlier on Thursday, some
executives — Barry Sommers, the chief executive of Chase’s consumer bank
— flew back to New York from Naples, Fla., where they had convened for a
leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising
threat of online crime, JPMorgan has said it plans to spend $250 million
on digital security annually, but had been losing many of its security
staff to other banks over the last year, with others expected to leave
soon.
A RUSSIAN SECURITY FIRM has
discovered a botnet that has hit over 17,000 Apple Mac computers, using
information posted in messages on social media website Reddit to
navigate.
Researchers at Russian antivirus company Dr Web said in a report
that the sophisticated "multi-purpose backdoor" malware that it dubbed
"Mac.Backdoor.iWorm" has infected more than 17,000 computers running Mac
OS X by allowing criminals to issue commands to carry out a wide range
of instructions on the infected machines.
"Criminals developed this malware using C++ and Lua. It should also
be noted that the backdoor makes extensive use of encryption in its
routines," said Dr Web in its report. "During installation it is
extracted into /Library/Application Support/JavaW, after which the
dropper generates a p-list file so that the backdoor is launched
automatically."
Compromised computers receive commands from servers under the control
of botmasters using information posted in messages on Reddit as
navigational aids. Then Mac.Backdoor.iWorm opens a port on an infected
computer and awaits an incoming connection. It sends a request to a
remote website to acquire a list of command and control (C&C)
servers, and then connects to the remote servers and waits for
instructions.
"It is worth mentioning that in order to acquire a control server
address list, the bot uses the search service at reddit.com, and - as a
search query - specifies hexadecimal values of the first 8 bytes of the
MD5 hash of the current date," said Dr Web. "The reddit.com search
returns a web page containing a list of botnet C&C servers and ports
published by criminals in comments to the post minecraftserverlists
under the account vtnhiaovyd."
Security expert Graham Cluely said on his blog that while it isn't presently documented how the malware spreads, the consequences clearly can be serious.
"Like any computers that have been recruited into a botnet, Macs that
have been hijacked in this attack could have information stolen from
them, further malware planted upon them, or be used to spread more
malware or launch spam campaigns and denial of service attacks," Cluley
explained.
Security firm Lancope CTO TK Keanini added that the botnet "will
begin to co-evolve as countermeasures are put in place and they
engineering and innovate around them".
The US Defense Advanced Research Projects Agency (DARPA) has warned that users of the internet will never be fully secure.
DARPA director Arati Prabhakar made the claim during the Washington Post's
Cybersecurity Summit, arguing that the only way fully to secure the
internet is to seal it off and make it available only to selected
people.
"The power of information technology, and the reason we put up with
all these problems, is that it is phenomenally capable for all the
things that change how we live and how we work and how we create
national security," she said.
"You don't want to cut out any of that capability in the process of building cyber security."
Prabhakar added that, while wholly securing the internet is
impossible, DARPA is working on new ways to track hackers and criminals
operating on the Dark Web.
She listed the need for increased computing power and more advanced,
scalable big data analytics tools as key challenges in this endeavour.
"[When searching for cyber criminals] you start by creating a
different way to look at this vast information environment," she said.
"The moon shot for cyber security, in my view, is to find techniques that scale faster than the explosion in information."
Prabhakar revealed that DARPA began working on advanced big data solutions in March, and is also working on several projects designed to bolster global cyber security levels.
She highlighted a research project to create an "unhackable system"
as particularly important owing to its potential application in critical
infrastructure.
"What [the unhackable software project] means is there is a
mathematical proof that this particular function can't be hacked from a
pathway that wasn't intended," she said. "That won't solve the entire
problem, but it might make it more manageable."
Attacks on critical infrastructure are a problem facing governments
across the globe owing to their use of insecure SCADA systems.
These concerns peaked in September when researchers uncovered a critical bug, codenamed Shellshock, in the bash code used in Unix and Unix-like systems that could theoretically be exploited to hack SCADA systems.
Malicious and benign attacks against systems vulnerable to Shellshock
had halved by Sunday after peaking three days following the bug's
disclosure, Akamai researchers say.
The variety of payloads
targeting vulnerable sites increased dramatically over the same period
before tapering off, in a possible sign that hackers were bored with the
bug.
The number of unique payloads increased from 43 on day zero to a
whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753
before falling off.
The numbers demonstrated the effectiveness of
Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and
Ory Segal wrote in a co-authored post.
"One
of the troubling aspects of the Shellshock vulnerability is the ease of
exploitation, which can be seen by the dramatic increase in the number
of unique payloads between the first and the second days," they said.
"The
sheer number of creative payloads also demonstrates how effective and
deadly this vulnerability can be – most of the scanning and exploitation
process is already fully automated.
"With such a low barrier to
entry, and the simplicity of writing powerful exploits, we believe that
Shellshock-based attacks are going to stay around for months if not
years, and will probably top the botnet infection method charts in the
near future."
Two-thirds of the 22,487 unique attacking IP addresses were
from the US, with Germany, Britain and seven other countries sharing the
remainder.
Almost 300,000 gaming domains made up the vast
majority of Shellshock targets, with consumer electronics, email
marketing among the less affected industries.
More than half of
all detected Shellshock probes however were illegitimate scans of the
sort conducted in unpaid security research which did not involve
exploitation, while about a third were legit.
Akamai found eight percent of payloads were attempts by
internet idiots to exploit Shellshock to open CD trays, play audio
files, and dump nonsensical payloads.
More malicious acts including Bitcoin and database stealers made up less than one percent of payloads.
Marriott has been fined $600,000 by the FCC for paralyzing guests'
personal Wi-Fi hotspots, forcing them to use the hotel giant's expensive
network instead.
The US watchdog today said the Marriott Gaylord
Opryland in Nashville, Tennessee, used equipment to illegally boot hotel
and convention center guests off their own networks, which were
typically smartphone hotspots.
Meanwhile, Marriott managers encouraged everyone to connect to the
hotel's Wi-Fi network, which cost from $250 to $1,000 to access.
According to the commission, the Gaylord Opryland installed an Allot NetEnforcer, and configured it to continually flood the surrounding ether with de-authentication packets.
An attacker does not have to know a Wi-Fi network's password, or be
authenticated in any way, to send a successful de-auth packet. All
devices and computers that receive the management frame over the air are
instructed to disassociate from their network.
Essentially, it was virtually impossible to use Wi-Fi, unless it was the Marriott's.
"It
is unacceptable for any hotel to intentionally disable personal
hotspots while also charging consumers and small businesses high fees to
use the hotel’s own Wi-Fi network," said FCC enforcement bureau chief Travis LeBlanc.
"This
practice puts consumers in the untenable position of either paying
twice for the same service or forgoing internet access altogether."
The fine is part of a consent decree [PDF]
Marriott has signed in order to end the watchdog's investigation into
Wi-Fi jamming. Marriott has also agreed to send a report on its Wi-Fi
"containment functionality" tools to the commission.
Allott
Communications, which makes the NetEnforcer hardware used by Marriott,
did not respond to a request for comment on the matter. It markets the
devices as "purpose-built appliances for monitoring and managing data
traffic on enterprise, cloud and broadband service provider networks."
Allott
has boasted that it provides network services to the Gaylord Opryland
as well Gaylord hotels in Florida, Texas and Maryland.
"In each of
the facilities, dedicated internet service is provided by a Gigabit
fiber-optic backbone with 100 megabit edge connections for meeting
rooms, ballrooms and exhibit hall space," the company writes [PDF].
"Each resort provides an always-up installation that serves thousands of internet users every day of the year."
Thousands of users ... willing or not, it seems.
